Special to DNIB.com

Nearly 90% of the internet’s generic top-level domain (gTLD) names do not have identifying contact information in the Registration Data Directory Services (RDDS) system, according to a report by Interisle Consulting Group.

Interisle researchers examined the registration data of 3,000 domain names and visited the domains’ websites to see if the registrants were identified. Even after manually examining the websites of the domains in the study, the registrants of about two-thirds of the gTLD domain names could not be identified.

According to the study, the use of privacy mechanisms has dramatically shifted since 2018, when the European Union’s General Data Protection Regulation (GDPR) went into effect. Before GDPR, only 18% of gTLD domain names were registered by unidentifiable parties, the researchers wrote.

“In early 2018, prior to the adoption of EU GDPR and the associated ICANN domain registration policy, 75.7% of domain records in RDDS provided an identifiable registrant – a record that revealed the identity (including the name) of the registrant. The rest were privacy/proxy-protected,” the study says. “In our 2021 study, we determined that only 13.5% of domain records had an identifiable registrant. The other 86.4% of domain records had redacted contact data or were privacy/proxy-protected. In early 2024, we observed that only 10.8% of domain records identified the actual registrant.”

The study, which follows the same methodology as years of previous Interisle research, also estimates that “23.3% of gTLD domains are currently covered by the GDPR’s jurisdictional reach. This is virtually the same as in 2020. These are the domains for which the registrant, registrar, registry operator, or registry back-end provider is located in the [European Economic Area].”

There are three methods to remove domain contact data from public view: redaction, privacy services and proxy services.  Redaction, in the case of domain name registration data, is when the content of certain fields is not published and replaced with the words “Redacted for Privacy.”  The Internet Corporation for Assigned Names and Numbers (ICANN) defines privacy services and proxy services. 

“A Proxy Service allows a customer to use a domain name without displaying any of the customer's information in WHOIS. The proxy service provider is the registrant of record (the registered domain name holder) and provides alternative, reliable contact information. This service is legally distinct from a privacy service because the proxy service provider is the registered domain name holder (which attaches certain legal rights and responsibilities for a domain). The proxy service provider licenses use of the domain name to the customer via its agreement with the customer,” ICANN says. “A Privacy Service allows a customer to register a domain name as the registered domain name holder (meaning that the customer's name appears in the “registrant name" field in WHOIS). Alternative, reliable contact information (such as a mail-forwarding email address) is published by the service provider in place of the customer's personal contact information.”

Of the latter two options, Interisle researchers found proxy services have become almost ubiquitous, with registrars providing the vast majority of proxy services to registrants as part of their overall set of offerings.

Interisle data documents registrars shifting a large number of their customers’ domain name records to proxy protection between 2021 and 2023. Of the domain name records in the survey, 58.2% were behind proxy-protection services in January 2024 compared to 29.2% in November 2020, and 31.0% had redacted contact data in January 2024 compared to 57.3% in November 2020.

When GDPR went into effect on May 25, 2018, organizations of all types – including registrars and registries – had an obligation to protect and lawfully process the personal information of EU residents, or registrants whose information was processed in the EU – potentially facing large penalties for failing to do so. ICANN adopted the Temporary Specification for gTLD Registration Data, directing registrars and registries to redact the Whois contact information of registrants subject to GDPR. This temporary specification also provided “…flexibility to Registry Operators and Registrars to choose to apply the requirements on a global basis where commercially reasonable to do so or where it is not technically feasible to limit application of the requirements to data governed by the GDPR.” 

Since 2018, registrars also have expanded and promoted free privacy proxy service offerings. Of the 20 largest registrars included in the study, which collectively account for more than 70% of gTLD registrations, a majority offer free proxy services, removing financial barriers to proxy use for the majority of gTLD registrants. According to the Interisle study, “The data indicates that registrars have significant control over how much contact data is available via RDDS, and what Contact Data Publication Category its registrants fall into. The numbers demonstrate that registrars are making very different choices as allowed by ICANN policy, even when they do business under similar circumstances.”

In response to ongoing trends in registrant contact data privacy, ICANN launched a new service and standardized format for handling requests to access non-public registration data in November 2023. The two-year pilot program for Registration Data Request Service (RDRS) offers information from participating registrars, as well as monthly usage reports on the system itself. ICANN also updated its registration data lookup tool, which provides access to public registration data, to the Registration Data Access Protocol (RDAP) standard.

Another shift in the availability of registrant contact data is on the horizon with the EU’s NIS 2 Directive. The new rules, which are being incorporated into member state laws, require availability of contact data for registrants who are legal persons in an effort to raise the coalition’s common cybersecurity levels.

“In 2025, NIS 2 may boost identifiable contact data availability from 10.8% of all gTLD domains to an estimated 22.5%,” the Interisle study says. “The results may depend significantly on compliance by registrars and registry operators.”

More from the DNIB

DNIB Staff | 8 min. read