I’ve always been a strong believer in being honest and transparent with our clients. Lying to them or misleading them, be that in our communications or our marketing, in my mind was never going to be a winning strategy. As a company this is an ethos we’ve tried to instil with all our staff and it is something that we push in all aspects of our operations. Do we always get it right? No. But we try to learn from our mistakes. That’s why we’ve embraced things like reviews over which we have zero control.
But I think we can do more.
Several times over the last couple of years we’ve been asked if we were planning on publishing a transparency report. At the time, while I was not opposed to the concept, I didn’t see any need. It would have been a fairly boring report.
What exactly is a “transparency report”?
A transparency report is often published by a company to give some insights into the number of requests for user data and other requests from both government agencies and private actors:
A transparency report is a statement issued on a regular basis by a company, disclosing a variety of statistics related to requests for user data, records, or content. Transparency reports generally disclose how frequently and under what authority governments have requested or demanded data or records over a certain period of time. This form of corporate transparency allows the public to discern what private information governments have gained access to through search warrants and court subpoenas, among other methods. Some transparency reports describe how often, as a result of government action or under copyright provisions, content was removed. Disclosing a transparency report also helps people to know about the appropriate scope and authority of content regulation for online discussions. (Source: Wikipedia)
So why the change?
Over the last couple of years we’ve seen a growth in the number of requests for either user data or challenges to our users’ ability to publish content. For example, in late 2017 we received requests from agencies of the Spanish government to hand over data related to our clients who were involved in the referendum in Catalonia.
Our position in relation to disputes between two 3rd parties, which is often the case where content and copyright or matters of “speech” are involved, is that these should be resolved without our involvement between the parties directly involved.
However, we also have a number of policies that are in our contracts and terms of service about what types of activity we will not tolerate on our platform and network. We won’t, for example, tolerate child abuse material (often referred to as CAM or CSAM or erroneously as “child pornography”). Most internet companies won’t. We also take a very dim view of network abuse, spam and other types of activities that have a detrimental impact on our network and the internet as a whole.
Since the end of May of this year the General Data Protection Regulation has been in effect. While GDPR does not explicitly oblige us to publish a transparency report, it does oblige us to provide more transparency and clarity on how we handle personal data. We are an ICANN-accredited registrar, so we collect and process personal information in line with our contractual obligations with ICANN. As of May 25th we have redacted the bulk of personal information available in our public whois and provide instead a web form that people can use to contact our registrants. We are logging the volume of these requests. We will also be logging any requests for non-public information about any of our registrants. This is something we were doing anyway, as I’d requested that our management team start logging all requests in advance of us doing anything with transparency reports.
Later this year we intend to publish our first transparency report. We will be working with Article 19 and their staff in doing the preparatory work for this and I’m really excited to be able to do this. (I know, I know, I’m probably more excited about this than I really should be!)
So what kind of things do you think we should include?
We obviously will be including things like:
- any formal litigation
- any requests from law enforcement (Irish or foreign)
- any requests from Irish consumer protection agencies
- volumes of contacts to gTLD registrants via our web form
- volume of requests for non-public whois information
We won’t be listing specifics of the requests, but more about the volumes and how we handled them, i.e. did we provide the data or not, or did we take action. You can have a look at example transparency reports from other companies like Twitter and Google to get an idea of how these things are usually reported.