Study Suggestion Number 3

[study-suggestion-response@xxxxxxxxx]

Submitted By:
[Redacted for privacy reasons]

Topic:
Analysis of compliance by registrars operating proxy services, as to their 
obligation to reveal registrant data when presented with reasonable evidence of 
actionable harm. 
Note: this data could be gathered as an additional step in gathering data for 
the analysis of privacy protection measures available today.


Hypothesis:
Of ICANN-accredited registrars who offer their own proxy services, some are 
failing to reveal shielded registrant data in accordance with the Registrar 
Accreditation Agreement (RAA) and/or their own Terms of Service (TOS).

How the hypothesis could be falsified:
This hypothesis could be falsified if the analysis found that all proxy 
services are quickly revealing registrant information upon being presented with 
reasonable evidence of actual harm.  

Utility:
If the hypothesis were verified, ICANN should improve its contractual 
compliance efforts for registrars offering proxy services.  ICANNâ??s response 
should be proportional to the quantity of registrars and affected registrants 
where compliance was found to be deficient.  If non-compliance is confined to a 
small number of registrars, increased contract enforcement efforts could be 
limited and targeted.  On the other hand, a widespread lack of compliance might 
indicate that ICANN should amend the RAA to increase penalties for 
non-compliance.



Type of Study Needed:
There are two types of studies needed here: 

1) An analysis of privacy services offered by all accredited registrars and by 
third parties, to determine whether these policies comply with the RAA.   This 
could entail a review of published reporting policies of registrars and third 
parties offering privacy protection services.

2) An analysis of how many registrars and third parties donâ??t comply with the 
RAA in actual practice.  This data could be learned partly by obtaining 
empirical data already collected by requesting parties and consumer protection 
agencies.  More likely, we will need to conduct our own tests by submitting 
properly constructed inquiries and measuring the time to relay and/or reveal 
true registrant information to the requester.



Data that needs to be collected:
For any Registrar or third party that offers privacy protection services to 
registrants:

Data element / Suggested source(s)

Domain name     
    Survey of registrars and third-party providers      
Type of entity (registrar, third party)
    Survey of registrars and third-party providers      
Total registrants served        
    Survey of registrars and third-party providers      
Type of privacy service offered (e.g. proxy; mail forwarding)   
    Survey of registrars and third-party providers      
Date privacy service was first offered  
    Survey of registrars and third-party providers      
Number of registrants currently using this privacy service      
    Survey of registrars and third-party providers      
Cost ($ per month) to registrant for use of privacy service     
    Survey of registrars and third-party providers      
Time to relay an inquiry to actual registrant (hours)   
    Test of registrars and third-party providers        
Time to reveal actual registrant data pursuant to proper request (hrs)     
    Survey of registrars and third-party providers      



Population to be surveyed:
Registrars and third-party providers of privacy services.  

For the type 2 analysis described above, we can also query consumer protection 
agencies and other organizations that routinely request Whois data for purposes 
of brand protection and consumer protection.


Sample Size:
Given there are still less than 1000 ICANN-accredited registrars, we should 
review and compare policies for all registrars who are actively offering 
registration with proxy services.

When testing actual compliance to requests to reveal registrant data, I defer 
to others to suggest how many test need to be done to form valid conclusions 
about a registrarâ??s performance.   
In order to draw any conclusions about compliance by registrars in general, we 
should weight our tests and conclusions towards the registrars receiving the 
most reveal requests. 


Type of Analysis:
The analysis would begin with understanding the stated policies of the service 
providers and comparing those policies both to the RAA and their terms of 
service.   

The second analysis would evaluate empirical data on actual response to 
properly submitted requests to reveal shielded Whois data.