browser windows

 

The May 2018 implementation of the General Data Protection Regulation (GDPR) was a win for online privacy advocates, particularly with the “right to be forgotten”—the GDPR's declaration that European Union citizens can request to pull their data from online hosting.

But there's one area that some attorneys say the increased privacy has made their lives harder: Internet domain hosting. Since the GDPR's implementation, the “WHOIS” service by which the general public could search registration information—including names and contact info—has been largely in a state of flux. It's now even tougher to find information, attorneys who work with domain registration say, which could concern intellectual property holders who want to go after infringing websites.

No Easy Information

Missing WHOIS information has always been a problem; there are few enforcement mechanisms to ensure that people who sign up for a website actually disclose correct information. The regulating nonprofit organization ICANN (The Internet Corporation for Assigned Names and Numbers) reported this year that inaccurate WHOIS complaints accounted for more than 60 percent of informal complaints filed with registrars between June 2017 and June 2018.

But with the GDPR, that problem could be exacerbated. John McElwaine, partner at Nelson Mullins, said the domain registration process itself hasn't changed, just what you can see afterwards. Currently, he explained, “even if you don't ask for a privacy or proxy registration, there's going to be no ability to see who registered that domain name.”

The result is a Wild West scenario. “It's a registrar by registrar basis in terms of how much information they're allowing for non-EU individuals,” McElwaine added. “A lot of them don't even want to bother with having to mine their records for that type of data, so they are blocking even people that GDPR doesn't apply to.”

International organizations such as ICANN have long been the stewards of this type of information; it was ICANN that was largely behind the introduction of new top-level domains in 2012. But currently, said Husch Blackwell attorney Caroline Chicoine, ICANN is “waiting to see what they're obligated to do under the law and what not, and if there's ways to allow people to request the information for legitimate reasons, and then deciding what those legitimate reasons might be.”

Those legitimate reasons currently include intellectual property concerns, as well as criminal activity for law enforcement. On May 17, 2018, ICANN adopted a Temporary Specification for gTLD Registration Data, aimed at bringing WHOIS in line with the GDPR and allowing a mechanism by which rights holders can ask for information. But the key word there is “temporary,” as the expedited policy development process will not be finalized until one year from the GDPR's implementation, May 2019.

Issues for IP Holders

So what are rights holders left to deal with in the interim? “Right now, if there's a website with infringing content, whether it's pirated movies or music or it's the sale of counterfeit products, there is no easy way,” said McElwaine. “You used to be able to just look it up, and if there was a privacy or proxy, you could write a letter or fill in a form. If it was a responsible service, it would trigger a requirement that the registrant at least respond to you, or else their information was going to be disclosed. Now, that does not happen, although some registrars are setting up a similar form.”

McElwaine said the process now takes extra steps, as IP holders need to try and find other access points into an infringing party like contacting the hosting company or the registrar of domain name and explain why information should be disclosed.

If all else fails, one could file a UDPR (Uniform Domain-Name Dispute-Resolution Policy) complaint with ICANN, which McElwaine said have been on the rise since May. Chicione agreed, saying that proxy services, where registrars placed themselves as a domain owner in WHOIS, have long been an issue for finding out information, and now those who want to withhold information have even more ammo to hold out against a request.

“We're used to not knowing, but at least in that case, you could file a UDRP against GoDaddy, and they'll say, 'No, it's not us who's the bad guy. Now we'll disclose.' … But even that takes time and money for companies to get that information. We would like to not have to file UDRPs every time to figure out who's behind a domain name,” she said.

And the extra steps add up. “It takes time to write a report to ICANN. It's not a complicated thing and it's not a time-consuming thing, but it does take more than a minute to go into the site and submit a complaint,” Chicoine added.

While these new rules are being finalized, Chicoine stressed that companies should be collecting data to show to ICANN and other organizations exactly why withholding registration information is an issue. She said to “think of ICANN like the U.S. government,” and to prove any point, “we need the data to back up that this is a problem, that this is not just normal brand policing.”

She added, “If you want policies in ICANN that allow you to have legitimate interest to reveal who it is, we need to show them that right now there is a lack of that, what the consequences of that are, and the problems that it creates.”

McElwaine noted that it's important to point out the uptick in mischief and scams being run with this hidden information as well: “That was trending up already, and now the regulators have ironically given cover for people to steal information.”