The Temporary Specification requires that registrars provide “reasonable access” to nonpublic data to third parties on the basis of a legitimate interest pursued by the third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the registrant. However, no further guidance or criteria set out what constitutes “reasonable access” or a “legitimate interest,” nor how the balancing test should be applied, how requests for access should be granted or denied, what level of scrutiny applies, or whether a rationale must be issued for any such decision.
These substantial changes to the WHOIS system have inevitably led to significant obstacles to online trademark enforcement. The only way now to identify the registrant is through the voluntary registrant organization field, which is merely optional and therefore often unavailable. While state and country remain available, mailing and e-mail addresses as well as fax and phone numbers are not. Although the new ICANN rules require registrars to provide either a web form or anonymized e-mail address, these alternative means of e-mail contact do not provide the same level of certainty that e-mail communications actually reach the registrant (for instance, they may not provide an automated delivery failure response). The lack of a registrant name or e-mail address also effectively prevents trademark owners from performing a “reverse WHOIS” search to identify the full portfolio of domain names owned by the same registrant to establish patterns of bad faith conduct.
Many registrars are not even complying with the continuing mandatory minimum information requirements of ICANN. Instead, many have redacted every single WHOIS data field relating to registrant contact information as the default. And the lack of any parameters around “reasonable access” to nonpublic data has led to disjointed approaches and no reliable recourse mechanism for denials of even well-founded disclosure requests.
Since ICANN adopted the Temporary Specification, the ICANN community has launched an Expedited Policy Development Process (EPDP) to create a permanent consensus policy on domain name registration data that is compliant with the GDPR and, presumably by extension, other applicable data protection and privacy law. The EPDP’s work is intended to be completed before the May 25, 2019, date on which the Temporary Specification will expire, per ICANN rules.
Impact of WHOIS System Changes on Online Intellectual Property Enforcement
In short, stopping bad actors online has become increasingly difficult since the WHOIS blackout. The Temporary Specification and the fractured registration data environment it has created in response to the GDPR have led to many impediments across all anti-abuse efforts. Miscreants engaging in counterfeiting, piracy, phishing, fraud, and distribution of malware, among other abuses, are able to carry on longer, and are generally harder to take down at all. Large networks and other patterns of abusive domain names and websites are harder to detect or combat in a comprehensive fashion. Enforcement costs to intellectual property owners have increased, and more consumers are being harmed.
Even if there are grounds for enforcement, a brand owner has no ability to identify a proper point of contact to notify the registrant of the brand owner’s concerns and potentially resolve the issue amicably. A brand owner must now contact the registrar to disclose nonpublic information, or submit a cease and desist letter or similar communication through an online web form (which may have insufficient word limits or inability to attach supporting materials) or anonymized e-mail address (which may not actually reach the registrant). As a result, there is a greater incentive for brand owners to proceed directly to filing domain name disputes like the Uniform Domain Name Dispute Resolution Policy (UDRP) or proceed to litigation, especially where the registry operator or registrar is unresponsive or refuses to disclose the relevant contact information.
The lack of available public WHOIS data makes the domain arbitration process more difficult as well. Brand owners cannot develop a comprehensive case against a registrant—including whether the registrant has other or prior infringements or indicators of bad faith registration and use of a domain name—without knowing the registrant’s identity. In some cases, the dispute resolution provider can obtain the full registration data from the registry operator or registrar and convey it to the complainant, who can then develop an amended complaint using the full data. However, this is not always the case and adds further time and expense in preparing the amended complaint. Similarly, in litigation, plaintiffs must spend substantial time and expense seeking subpoenas to reveal the proper defendant(s) to name, and amend complaints filed against “John Doe” defendants to name the proper registrant.
Strategies and Best Practices for Online Enforcement in the Post-GDPR World
Despite the current landscape, intellectual property owners retain a number of key tools and strategies to investigate and address online infringement and other abuses involving their intellectual property assets, beyond mere registration data disclosure requests.
Archived WHOIS Data
Robust archived WHOIS data remains available from the not-so-distant past when it was still predominantly published online. However, access to archived WHOIS data usually requires paying subscription fees to the service providers who originally archived it. Most practitioners will tell you that any modest price paid is well worth it when performing necessary due diligence chain of title research in an acquisition scenario, and even in certain types of infringement scenarios where historical data is relevant. Of course, such archived data cannot always be relied on to remain accurate over time.
Very few fraudsters include legitimate point of contact information within their website content; they prefer amorphous “contact us” web forms, or usually nothing at all. Moreover, many acts of online abuse do not involve a website at all (such as e-mail phishing). Nevertheless, innocent infringers sometimes do include functional contact information within their websites or on their domain name parking pages, so it remains useful to check.
“John Doe” Cease and Desist Letters
Even where a domain name registrant’s identity cannot be confirmed through available WHOIS data or on the website itself, it may still be possible to send an anonymous cease and desist letter using an available anonymized registrant e-mail address or online web form, as required under the Temporary Specification. If an anonymized registrant e-mail address or web form is not being provided by the registrar, this is a violation of the Temporary Specification and should be reported to the ICANN contractual compliance department. In many cases, registrars are simply replacing the original WHOIS data with proxy service provider information, including a proxy service e-mail address—this can also be used in a similar manner to direct a cease and desist letter toward the domain name registrant.
Notice and Takedown Letters to Web Hosts
The optimal and appropriate way to address problematic online content remains through the intermediaries who host that content. Fortunately, web hosts can still be easily identified through the Internet Protocol (IP) addresses associated with each domain name and website. Free web host lookup tools are available online, or anyone can perform an NSLOOKUP from his or her computer command prompt application. It also remains possible to correlate individual domain names within unsophisticated illegal networks of websites in the event that they all use the same web hosts (or other ISPs) and IP addresses. Once the web host has been identified, reports of infringement or abuse can be filed with its abuse point of contact or other appropriate complaint contact. If a web host itself is problematic in complying with takedown demands, it may be possible to report further up the IP address supply chain by reporting web host abuse or recalcitrance to Regional Internet Registries (RIRs), which actually coordinate the supply of IP addresses to downstream service providers. As the name implies, RIRs are responsible for allocating IP addresses to service providers according to global geographic region, and typically the appropriate RIR will be the one in the same region as the web host.
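The correlation step described above, as an added example that is not part of the original article: it groups domain names into clusters that share a hosting IP address, including domains linked only transitively through a third domain, which goes slightly beyond the single shared-IP case in the text. The function names, the `.example` domains and the documentation-range IP addresses are all constructed for illustration.

```python
import socket
from collections import defaultdict

# Constructed sample data: domain -> IPv4 addresses it resolved to.
# Domains use the reserved .example TLD; IPs are RFC 5737 documentation ranges.
SAMPLE_RESOLUTIONS = {
    "brand-outlet.example": {"192.0.2.10"},
    "brand-deals.example": {"192.0.2.10", "198.51.100.7"},
    "brandshop-sale.example": {"198.51.100.7"},
    "unrelated-blog.example": {"203.0.113.25"},
    "parked-name.example": set(),  # did not resolve
}

def resolve(domain):
    """Live lookup (what NSLOOKUP does); use it to build the dict above."""
    try:
        infos = socket.getaddrinfo(domain, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}

def cluster_by_shared_ip(resolutions):
    """Group domains linked directly or transitively by a shared IP address."""
    parent = {d: d for d in resolutions}

    def find(d):
        while parent[d] != d:
            parent[d] = parent[parent[d]]  # path compression
            d = parent[d]
        return d

    first_seen = {}  # ip -> first domain observed on that ip
    for domain, ips in resolutions.items():
        for ip in ips:
            if ip in first_seen:
                parent[find(domain)] = find(first_seen[ip])
            else:
                first_seen[ip] = domain

    clusters = defaultdict(lambda: {"domains": set(), "ips": set()})
    for domain, ips in resolutions.items():
        root = find(domain)
        clusters[root]["domains"].add(domain)
        clusters[root]["ips"] |= ips
    # Only clusters with more than one domain suggest common hosting.
    return sorted(
        (sorted(c["domains"]), sorted(c["ips"]))
        for c in clusters.values() if len(c["domains"]) > 1
    )
```

Each returned cluster pairs the correlated domain names with the IP addresses to look up when identifying the web host's abuse contact; shared hosting means a common IP alone is a lead to investigate rather than proof of common control.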
Registration Authority Abuse Points of Contact
All domain name registration authorities (including both registrars and registry operators) have a contractual obligation to publish an abuse point of contact, and registrars are required to “take reasonable and prompt steps to investigate and respond appropriately to any reports of abuse.”10 This language should be cited in any takedown demand or demand for registration authorities to reveal nonpublic WHOIS data. Despite pervasive industry recalcitrance and a laissez-faire compliance attitude with respect to this language over the past several years, this contractual provision is undoubtedly more important than ever without access to key WHOIS data.
Arbitral Domain Name Disputes
Domain name registrars also have a contractual obligation to provide dispute resolution service providers, like WIPO, with full registration data once a complaint has been filed under the Uniform Rapid Suspension System (URS), the UDRP, or various corollary country code specific proceedings. It would not be surprising to see such complaint filings increase exponentially (particularly complaints against numerous domain names in bulk) in order to reveal underlying nonpublic WHOIS data. The caveat is that a single complaint against multiple respondents is only proper where some credible evidence of co-ownership or common control exists. Nevertheless, initiation of lower cost proceedings, like the URS, could prove more useful than ever as an alternative form of revealing underlying domain name registration data, even if they cannot ultimately proceed on the merits against all named domains.
While helpful, these remaining tools simply do not, and cannot, get the job done as effectively as under the prior WHOIS regime when it comes to intellectual property enforcement online. In any event, it is critical for all intellectual property owners to document the various challenges associated with WHOIS data redaction (directly and/or in conjunction with their brand protection or corporate registrar vendors), especially to support ongoing policy development on the issue within ICANN as well as in connection with legislative efforts in the United States and EU to try and carve out WHOIS or website ownership data from privacy law requirements for transparency, accountability, cybersecurity, law enforcement, and general anti-abuse purposes in the greater global public interest.
1. More specifically, a data “controller” is a person or legal entity that determines the purposes and means of the processing of personal data. A data “processor” is a person or legal entity that processes personal data on behalf of the controller. “Processing” in this context refers to “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.” Commission Regulation 2016/679, art. 4, 2016 O.J. (L 119) 1 [hereinafter GDPR]. Under the GDPR, “personal data” is “any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data. . . . Personal data that has been rendered anonymous in such a way that the individual is not or no longer identifiable is no longer considered personal data. For data to be truly anonymized, the anonymisation must be irreversible.” What Is Personal Data?, Eur. Commission, https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en (last visited Feb. 14, 2019).
2. GDPR, supra note 1, at art. 83.
3. Id. at art. 3.
4. Id. at art. 5.
5. Id. at art. 6.1(a).
6. Id. at art. 6.1(b).
7. Id. at art. 6.1(f).
8. A “registry operator” is the entity that enters into an agreement with ICANN to operate a top-level domain (TLD), such as .com, .net, or .london. Registry operators are akin to the wholesaler of domain names. A “registrar” is the entity that enters into an agreement with ICANN to be authorized to register domain names to members of the public. Registry operators enter into agreements with registrars to authorize the registrars to sell domain names to the public in the TLD(s) operated by the registry operator. Registrars are akin to the retailers of domain names.
9. ICANN, Temporary Specification on gTLD Registration Data (May 25, 2018), https://www.icann.org/resources/pages/gtld-registration-data-specs-en/.
10. ICANN, Registrar Accreditation Agreement § 3.18.1 (Sept. 17, 2013), https://www.icann.org/resources/pages/approved-with-specs-2013-09-17-en.