Regulating Privacy Proxy Services Under the 2013 RAA
- by Staff
The 2013 Registrar Accreditation Agreement (RAA), established by the Internet Corporation for Assigned Names and Numbers (ICANN), marked a critical evolution in the regulatory landscape for domain name registrars and, by extension, the privacy and proxy services associated with them. Privacy and proxy services enable domain registrants to obscure their personal contact information from public WHOIS databases, substituting it with alternate credentials provided by the service provider. While these services offer legitimate protections—especially for individuals concerned about doxxing, harassment, or unsolicited marketing—they have also been criticized for enabling anonymity in cases of abuse, cybersquatting, phishing, and intellectual property infringement. The 2013 RAA introduced a structured framework to begin addressing these challenges by tightening oversight and establishing groundwork for future policy development concerning privacy and proxy services.
One of the most significant features of the 2013 RAA was its inclusion of specific obligations for ICANN-accredited registrars with respect to the providers of privacy and proxy services operating under their control or within their reseller networks. For the first time, ICANN required registrars to disclose whether they offered privacy or proxy services directly or through affiliated entities. Moreover, registrars were required to ensure that any such services they facilitated complied with basic operational standards, even before the adoption of a formal accreditation regime. This change acknowledged the integral role these services play in the domain ecosystem and the need for transparency and accountability.
Under Section 3.4.1 of the 2013 RAA, registrars are obligated to retain accurate and complete records for each registered domain, including information about the person or entity for whom the domain is ultimately registered, even when a privacy or proxy service is used. This means that while the public WHOIS database might reflect a proxy provider’s contact information, the registrar must still collect and store the actual registrant’s data, subject to data protection laws and access controls. This behind-the-scenes accountability mechanism allows registrars and, by extension, ICANN or law enforcement, to identify the true domain holder in appropriate circumstances, such as in response to a court order or subpoena.
In addition to these data retention obligations, the 2013 RAA imposed new requirements on the responsiveness of registrars and affiliated privacy/proxy services. Section 3.18 requires registrars to investigate and respond to reports of abuse, including those related to domains shielded by privacy or proxy services. Registrars must maintain a designated abuse contact and respond to well-founded abuse complaints within a reasonable timeframe, typically within 24 to 72 hours. These provisions extend to domains using privacy or proxy services, closing a common loophole where malicious actors would hide behind anonymized registrations to delay or deflect takedown efforts.
Perhaps the most transformative step toward regulating privacy and proxy services under the 2013 RAA was the mandate for the creation of a formal Privacy and Proxy Services Accreditation Program (PPSAI). Annexed to the agreement was a provision stating that once such a program was developed and approved through ICANN’s consensus policy process, registrars would be required to use only accredited providers for any privacy or proxy services they offered or referred customers to. This laid the foundation for the PPSAI policy development process, initiated by ICANN’s Generic Names Supporting Organization (GNSO) in 2014. The final PPSAI recommendations, adopted by the ICANN Board in 2016, established eligibility criteria, operational standards, and disclosure procedures for providers of privacy and proxy services. However, as of 2025, the full implementation of the PPSAI accreditation program remains delayed due to complex negotiations around data protection compliance, particularly with regard to the General Data Protection Regulation (GDPR) and other privacy laws.
The envisioned PPSAI framework builds upon the principles introduced in the 2013 RAA, requiring privacy and proxy providers to maintain validated contact information for their customers, implement clear terms of service, and publish standardized procedures for responding to legal or administrative requests. It also obliges providers to have policies for disclosing the underlying registrant’s data in cases of actionable complaints, such as trademark infringement or court orders, subject to due process and procedural fairness. These mechanisms aim to strike a balance between protecting user privacy and ensuring that anonymity does not become a shield for unlawful or abusive conduct.
The regulatory push under the 2013 RAA has had tangible effects on the domain marketplace. Some registrars, in anticipation of further regulatory tightening, have revised their proxy service offerings to increase transparency or introduced tiered privacy options that allow users to voluntarily disclose partial information. Others have chosen to centralize their privacy and proxy services under clearly branded entities with published policies, distancing themselves from opaque or fly-by-night providers. These developments not only improve trust among legitimate registrants but also aid investigators, trademark owners, and other stakeholders who require reliable mechanisms for identifying bad actors.
However, the continued fragmentation of privacy laws across jurisdictions complicates enforcement. The rise of regional data protection regimes—most notably GDPR in the European Union—has constrained the ability of registrars to disclose registration data, even when compelled by legitimate complaints. In some cases, registrars interpret these laws conservatively, refusing to respond to third-party complaints without a formal court order. This has led to tension between the need to comply with privacy law and the broader internet governance objective of maintaining accountability in the DNS. The 2013 RAA attempted to bridge this gap, but practical implementation has required continuous adaptation as legal interpretations evolve.
From a policy standpoint, the 2013 RAA set the precedent that privacy and proxy services are not peripheral, optional components of the DNS—they are essential intermediaries that must be governed with rigor and transparency. The agreement’s provisions, while foundational, were never intended to be the final word on the matter. Instead, they were designed to initiate a transition toward a more structured ecosystem in which privacy and accountability could coexist. The regulatory journey since 2013 has been one of incremental steps, shaped by stakeholder negotiation, legal constraints, and the technical realities of DNS operations.
As ICANN, registrars, and global regulators continue to refine the balance between data protection and DNS transparency, the principles embedded in the 2013 RAA remain central to the debate. They reflect a recognition that privacy, while fundamental, is not absolute in the context of internet infrastructure. By mandating due diligence, recordkeeping, abuse response, and ultimately accreditation, the 2013 RAA laid the groundwork for a future where privacy and proxy services operate within a robust, enforceable framework—one that protects users without compromising the integrity and accountability of the domain name system.
The 2013 Registrar Accreditation Agreement (RAA), established by the Internet Corporation for Assigned Names and Numbers (ICANN), marked a critical evolution in the regulatory landscape for domain name registrars and, by extension, the privacy and proxy services associated with them. Privacy and proxy services enable domain registrants to obscure their personal contact information from public…