Project Jake: Overall Project Description
Domain Registration Data Collection and Disclosure
The express purpose of registering a domain name is to provide translation of the domain name into an IP address to reach the registrant’s systems on the Internet. The registration of a domain requires the collection of different types of data. A typical domain registration can include 100 or more data fields to be collected, giving domain registration data many uses that go far beyond its original purpose.
All Internet users, even if they never registered a domain, are deeply affected by the rules that govern the collection and disclosure of domain registration data. How we collect and disclose registration data determines the level of accountability and therefore the privacy and security of the Internet as a whole.
Effective domain registration data collection and disclosure must consolidate the vested interests of its main stakeholder groups: Registrants, Registrars and Requestors.
WHOIS was the protocol for accessing DNS registration data. A lack of strong rules and controls governing the copious amounts of domain registration data available enabled a multitude of harmful practices that caused legislators to step in.
The current processes and instruments for accessing domain name registration data are unwieldy, uncertain, time consuming, and often unsatisfactory, and need to be replaced by a system that balances the need to know with the right to privacy and security, whilst being effective, reliable, just and economically viable. Despite many efforts, the goal has so far eluded us.
The role of Registrars and Registries
The role of Registrars and Registries is complicated. They collect numerous data elements while registering a domain name. A small portion of these data elements, primarily the DNS records, are available for anyone to access. The other portions of the data are considered “private” and are accessible only under appropriate conditions. The Registrars become custodians of their clients' data and guardians of their privacy and security, and at the same time the maintainers and arbiters of accountability online. In addition, they face the interests of all those who want to access domain registration data for a multitude of legal and illegal purposes.
The Challenge Registrars Face
Before a Registrar can even begin to answer the question of how to respond to a disclosure request efficiently, accurately, safely, cheaply, in a timely manner, and legally without creating liabilities for itself, it has to determine the intended purpose of the request, whether the requestor meets the general conditions associated with the purpose, whether the requestor is capable of protecting data that it receives against misuse and unauthorized disclosure, and whether there are processes in place to hold the requestor accountable if these conditions are violated.
Requestor Frustration
The Registrars' challenge is often mirrored by the Requestors' frustrations. They feel that they must go through long and complicated processes to prove what is their right in the first place, only to find out that their request has been denied, or that the data is subject to privacy proxy protection or incorrect.
Seeking Resolution
Instead of looking at domain registration data as a conflict of competing motivations and interests, and instead of giving in to the temptation to assign blame to one another, Registrars and Requestors should come to an understanding that the situation can only be resolved through collaboration and the creation of win/win situations.
The need for Requestor Agents
Just as it is difficult for Registrars to understand and deal with different disclosure requests, it is difficult for the individual requestor, such as a police officer, online shopper or IP lawyer, to make their case adequately. But help is at hand. Online and offline, Requestors organize themselves as stakeholder groups, such as law enforcement agencies, consumer protection offices and trade organizations, that represent the interests of their members as an empowered community. It is only natural and befitting for such organizations to represent and support their members in obtaining non-public DNS registration data. Acting as Requestor Agents for their members, in close cooperation with the registrars, they can be instrumental in the design and maintenance of a just and effective system of domain data disclosure.
Such a system will require processes to determine the Requestor's identity, use case and applicable laws and regulations. In many cases potential Requestor Agents already handle, and can confirm and attest the authenticity of, their members' registration data. Their expertise in their respective fields makes them uniquely suitable to evaluate the use case and legality of a request. In addition, Requestor Agents will be able to pre-determine the validity of a request before it is passed on to the registrar, preventing waste and frustration and enabling a high degree of automation and efficiency.
The goal is to create a win/win situation for all concerned:
- Requestors' needs and interests are taken into account, and Requestors gain an effective and reliable system of domain name registration data disclosure.
- Receiving answers to many of their key questions, Registries and Registrars will make better informed registration data disclosure decisions, reducing their exposure to liability.
- Organizations acting as Requestor Agents strengthen their standing with their members by providing a valuable service, and also ensure that the needs and interests of their specific stakeholder group are fully taken into account.
- Registrants' privacy and security remain protected, special circumstances can be taken into account, and the circumstances under which their domain registration data will be disclosed are transparent.
Sensitivity and Disclosure
Project Jake is divided into two main parts, Collection and Disclosure. The Collection part focuses on the rules governing what data elements are collected at the time of registration, what validation is applied to each collected data element, and the sensitivity level assigned to each data element.
Determination of Domain Registration Data Sensitivity level
- The Stakeholders develop a standardized list of domain registration data fields.
- Each data field is assigned a predetermined general level of sensitivity (publicly available data – low sensitivity level, personal data – high sensitivity level).
- The sensitivity of registration data may vary between different types of registrants. The general sensitivity levels of the data fields of a particular domain can be adjusted given special circumstances of the domain's registrant and domain use. Requestor Agents and Registrars/Registries jointly develop and update lists of registrant types and domain use-cases that assign heightened sensitivity levels to individual or groups of data fields. Different requestor types are assigned different disclosure levels (general requestor – low disclosure level, law enforcement requestor – high disclosure level), as are different use cases (generic research – low disclosure level, prevention of imminent harm – highest disclosure level).
- Applicable laws and regulations. The sensitivity level is further adjusted by considering applicable laws and regulations.
In this way the sensitivity level of a domain’s individual or groups of data fields can be quickly and efficiently established.
Determination of Disclosure level
The Disclosure process focuses on the rules governing disclosure of subsets of registration data in response to legitimate requests from authorized parties.
- Establish Requestor identity. To initiate a request, Requestors will have to establish their identity. Requestors can establish their identity through the Requestor Agent. If the Requestor's identity cannot be established, the disclosure request is rejected as invalid. Requestors can protect their anonymity by obtaining tokens as proof of verified identity when forwarding their request to a Registrar/Registry.
- Request domain or registration fields data value. The requestor states the specific domain and the data fields or groups of data fields requested or, in the case of a general request for data values, the specific values sought across all, a group of, or specific domain name registration fields.
- Establish Requestor Types and Use Case. Based on the lists of registrant types and domain use-cases jointly developed and updated by Requestor Agents and Registrars/Registries, the Requestor Agent certifies Requestor type and use case.
- Applicable laws and regulations. The disclosure level is further adjusted by considering applicable laws and regulations.
The requested data should be disclosed when the disclosure level of a request (Requestor type + use-case) matches or is higher than the established sensitivity level.
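The matching rule above, as an added example that is not part of Project Jake's own tooling. The four-step numeric scale, the field names, the registrant and requestor type names, the lookup tables, and the way a legal adjustment shifts a level are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

LOW, MEDIUM, HIGH, HIGHEST = 1, 2, 3, 4  # assumed ordinal scale

# Assumed base sensitivity per field (public data low, personal data high).
BASE_SENSITIVITY = {"nameserver": LOW, "registrar": LOW,
                    "registrant_email": HIGH, "registrant_address": HIGH}
# Assumed registrant types that raise the sensitivity of specific fields.
REGISTRANT_OVERRIDES = {"at_risk_individual": {"registrant_email": HIGHEST,
                                               "registrant_address": HIGHEST}}
# Assumed jointly maintained list: (requestor type, use case) -> disclosure level.
DISCLOSURE_LEVELS = {("general", "generic_research"): LOW,
                     ("law_enforcement", "criminal_investigation"): HIGH,
                     ("law_enforcement", "imminent_harm"): HIGHEST}
# Constructed sample record, not real registration data.
SAMPLE_RECORD = {"nameserver": "ns1.example.test", "registrar": "Example Registrar",
                 "registrant_email": "owner@example.test",
                 "registrant_address": "1 Example Street"}

@dataclass(frozen=True)
class Ticket:
    identity_token: Optional[str]  # None: identity could not be established
    requestor_type: str
    use_case: str
    legal_adjustment: int = 0      # assumed: applicable law shifts the level

def clamp(level):
    return max(LOW, min(HIGHEST, level))

def field_sensitivity(field, registrant_type, legal_adjustment=0):
    base = BASE_SENSITIVITY.get(field, HIGHEST)  # unknown field: most sensitive
    raised = REGISTRANT_OVERRIDES.get(registrant_type, {}).get(field, base)
    return clamp(max(base, raised) + legal_adjustment)

def disclosure_level(ticket):
    certified = DISCLOSURE_LEVELS.get((ticket.requestor_type, ticket.use_case), LOW)
    return clamp(certified + ticket.legal_adjustment)

def decide(ticket, record, registrant_type, requested_fields):
    if not ticket.identity_token:  # unverified identity: request is invalid
        return {"status": "rejected_invalid", "disclosed": {}, "withheld": list(requested_fields)}
    level = disclosure_level(ticket)
    disclosed, withheld = {}, []
    for name in requested_fields:
        if name in record and level >= field_sensitivity(name, registrant_type):
            disclosed[name] = record[name]
        else:
            withheld.append(name)
    return {"status": "decided", "disclosed": disclosed, "withheld": withheld}
```

The decision is made per field, so a single request can be partly disclosed and partly withheld, and a requestor type and use case pair that is not on the agreed list falls back to the lowest disclosure level.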
Process:
- Requestor registers with RqA.
- Requestor specifies his request and use case.
- RA verifies the Requestor's identity itself or through an Identity Provider.
- RA evaluates the use case and issues the Requestor a ticket containing a) identity token, b) use case classification, c) Requestor type classification, d) policy considerations (using tool), e) analysis of the ticket-specific sensitivity/disclosure level.
- Requestor sends the ticket and a signed non-disclosure agreement to RR.
- RR analyses the ticket and makes a disclosure decision.
- RR sends requested data to the Requestor.
- RR sends the ticket's disclosure profile to RA for process improvements.
Tools
In addition to the conceptual frameworks and mechanisms, ERI/Jake is offering, developing, and improving tools that support effective data directory systems, such as a unified and authoritative list of domain registration data fields, registrar collection rules, request forms, a rules normalization and application tool, and an online request precheck application. Through collaboration with other stakeholders these tools will be further adapted and improved.
Implementation:
Project Jake has initiated a development and implementation process with three defined phases. Individual organizations and Stakeholder groups with Jake subject experts form working groups to define:
Phase 1: Establishes stakeholder specific needs, interests, and objectives, analyses the ecosystem in which the stakeholder group operates, evaluates available tools and mechanisms, and concludes with a summary report that contains recommendations.
Phase 2: Brings together stakeholders with Registrars/Registries to share Stakeholder group specific positions and establish differences and grievances. Creates an understanding of each other's needs and evaluates proposed solutions, tools, and mechanisms to establish win/win situations. Culminating in recommendations and a joint Implementation:
Phase 3: Establishes joint mechanism and operational parameters, plan of operation and sustainability, Agreements, Implementation.