The public directory that contains information about who has registered every domain on the web looks increasingly at risk of going dark next month, after European data protection regulators rejected a proposal to make it compliant with the EU's new privacy law.

The WHOIS directory is relied upon by many intellectual property and cybersecurity attorneys, as well as law enforcement authorities, as a tool to help fight infringement and track malicious activity online. Some say its demise or fragmentation would make doing so significantly harder.

“We do use WHOIS quite a bit to figure out who's behind online infringement,” said Linda Joy Kattwinkel, an IP lawyer at Owen, Wickersham & Erickson in San Francisco who represents large brands like Sanrio Co. as well as independent artists.

But the way WHOIS works now is at odds with the European Union's General Data Protection Regulation (GDPR), which comes into effect May 25 and gives individuals greater control over how their personal data can be used. The law also carries steep monetary penalties for violations, totalling up to 4 percent of a company's global revenue or 20 million euros.

Under the law, EU personal data can only be used for the express purpose for which it is given, and users cannot be pressured to give consent for broader purposes. In other words, if a French national provides a name and address in order to register a domain name, for example, that personal data cannot simply be posted onto the internet for everybody to see.

The Internet Corporation for Assigned Names and Numbers (ICANN), which oversees the WHOIS system, in March unveiled a proposal for an interim fix that would create tiered levels of access to WHOIS data for IP holders and law enforcement, along with an accreditation system.

Last week, however, ICANN said that it had received a letter from European Union data protection authorities organized under what is called the “Article 29 Working Party” that rejected the proposed justifications for continuing to share certain personal data with the public and accredited third parties.

“While the WP29 welcomes ICANN's efforts to identify in greater detail which legal bases may be relevant in the context of the WHOIS system, it is clear that the legal bases are not always clearly linked to a specified purpose,” the regulators wrote.

Enforcement Moratorium?

With GDPR implementation just around the corner, ICANN is now hoping to buy more time to find a solution regulators can live with. “If the [data protection authorities] are willing to give us a moratorium, then we will work with them on defining milestones and we will deliver on the milestones,” Akram Atallah, president of ICANN's global domains division, said Monday.

ICANN executives will be meeting with the Article 29 Working Party's technical committee next week on April 23, he noted. But whether they will find a way forward that doesn't involve disabling WHOIS—at least temporarily—is so far unclear. Atallah said he thinks it might still take ICANN six months to a year to come to a working solution.

What ICANN wants to avoid in the meantime is for individual domain name registries, the .coms and .orgs of the world, to take matters into their own hands and craft a patchwork of different WHOIS systems out of fear of being hit with enforcement actions.

“Different providers having different solutions would actually make the work of law enforcement, security researchers and the like much more difficult,” Atallah said. “It might also be taken advantage of by some of the bad actors on the internet.”

Kolvin Stone, a privacy attorney with Orrick, Herrington & Sutcliffe in London, said EU data protection authorities are likely to get their way in pushing for greater restrictions on public data, especially in light of the large penalties they are empowered to impose under the GDPR.

Difficult Balance

The clash between the GDPR and WHOIS has been apparent for at least a year, but finding a solution has been difficult in part because the positions of the various stakeholders are almost diametrically opposed. On one hand, IP lawyers and companies—represented by ICANN's “Intellectual Property Constituency”—have wanted to maintain essentially unfettered access to data. Many governments and law enforcement authorities have taken the same position.

On the other hand, privacy activists and the EU regulators insist that data collection for domain registration must be minimized and that the data must not be made available for collection for alternate ends, such as marketing. They argue that law enforcement and aggrieved parties can seek access to the information that domain registries and registrars have through court proceedings.

“ICANN is getting heat from both directions,” said Jeremy Malcolm, a senior global policy analyst at the Electronic Frontier Foundation who has participated in ICANN's working group on the future of WHOIS. “But at the end of the day, as is kind of clear from the Working Party's letter, the law is the law.”

Not everyone thinks the situation is a crisis. Alexander Urbelis, a lawyer at the Blackstone Law Group in New York who works on cybersecurity and domain name issues, said WHOIS is an important resource for both law enforcement and private attorneys. But he noted that much of the information available through the directory is already obscured by proxy services that anonymize the true identity of the domain registrant.

There are also other ways to piece together information about domain registrants, he noted, although they sometimes require more technical know-how. “WHOIS information going dark … should not make or break an investigation,” Urbelis said.