Study Suggestion Number 3
Submitted By: [Redacted for privacy reasons] Topic: Analysis of compliance by registrars operating proxy services, as to their obligation to reveal registrant data when presented with reasonable evidence of actionable harm. Note: this data could be gathered as an additional step in gathering data for the analysis of privacy protection measures available today. Hypothesis: Of ICANN-accredited registrars who offer their own proxy services, some are failing to reveal shielded registrant data in accordance with the Registrar Accreditation Agreement (RAA) and/or their own Terms of Service (TOS). How the hypothesis could be falsified: This hypothesis could be falsified if the analysis found that all proxy services are quickly revealing registrant information upon being presented with reasonable evidence of actual harm. Utility: If the hypothesis were verified, ICANN should improve its contractual compliance efforts for registrars offering proxy services. ICANNâ??s response should be proportional to the quantity of registrars and affected registrants where compliance was found to be deficient. If non-compliance is confined to a small number of registrars, increased contract enforcement efforts could be limited and targeted. On the other hand, a widespread lack of compliance might indicate that ICANN should amend the RAA to increase penalties for non-compliance. Type of Study Needed: There are two types of studies needed here: 1) An analysis of privacy services offered by all accredited registrars and by third parties, to determine whether these policies comply with the RAA. This could entail a review of published reporting policies of registrars and third parties offering privacy protection services. 2) An analysis of how many registrars and third parties donâ??t comply with the RAA in actual practice. This data could be learned partly by obtaining empirical data already collected by requesting parties and consumer protection agencies. More likely, we will need to conduct our own tests by submitting properly constructed inquiries and measuring the time to relay and/or reveal true registrant information to the requester. Data that needs to be collected: For any Registrar or third party that offers privacy protection services to registrants: Data element / Suggested source(s) Domain name Survey of registrars and third-party providers Type of entity (registrar, third party) Survey of registrars and third-party providers Total registrants served Survey of registrars and third-party providers Type of privacy service offered (e.g. proxy; mail forwarding) Survey of registrars and third-party providers Date privacy service was first offered Survey of registrars and third-party providers Number of registrants currently using this privacy service Survey of registrars and third-party providers Cost ($ per month) to registrant for use of privacy service Survey of registrars and third-party providers Time to relay an inquiry to actual registrant (hours) Test of registrars and third-party providers Time to reveal actual registrant data pursuant to proper request (hrs) Survey of registrars and third-party providers Population to be surveyed: Registrars and third-party providers of privacy services. For the type 2 analysis described above, we can also query consumer protection agencies and other organizations that routinely request Whois data for purposes of brand protection and consumer protection. Sample Size: Given there are still less than 1000 ICANN-accredited registrars, we should review and compare policies for all registrars who are actively offering registration with proxy services. When testing actual compliance to requests to reveal registrant data, I defer to others to suggest how many test need to be done to form valid conclusions about a registrarâ??s performance. In order to draw any conclusions about compliance by registrars in general, we should weight our tests and conclusions towards the registrars receiving the most reveal requests. Type of Analysis: The analysis would begin with understanding the stated policies of the service providers and comparing those policies both to the RAA and their terms of service. The second analysis would evaluate empirical data on actual response to properly submitted requests to reveal shielded Whois data.