As a result of measures taken by the Internet Corporation for Assigned Names and Numbers (ICANN) and registrars and registry operators to comply with the General Data Protection Regulation (GDPR) by May 25, 2018, the public WHOIS database has been significantly modified to mask important contact data of the registrant of a domain name. On May 17, ICANN approved a Temporary Specification, which sets the rules for how registry operators and registrars will collect and display registrant data. Under the Temporary Specification, the name, email address, and physical/postal address of the registrant will be hidden from public display, except for the country and region. See https://www.icann.org/resources/pages/gtld-registration-data-specs-en
This toolkit, compiled by the WHOIS/Registrant Directory Services Subcommittee of INTA’s Internet Committee, suggests ways to meet intellectual property (IP) enforcement challenges in a landscape where most WHOIS registrant data is redacted.
Below are a number of tips to assist with investigation of IP infringement, identification of the registrant, and enforcement of rights.
1. Consider using more human resources
. Protecting IP rights online will become a more resource-intensive process without WHOIS data. This means processes to identify registrant contact information will take greater time and involve more human intervention, as investigators will have to manually search websites for contact information. What used to take one or two steps may now require several steps and/or assistance from outside sources. IP rights holders should consider using additional internal and external human resources to carry out enforcement activities.
2. Explore other data sources.
a. While the name and email address of the domain registrant may be absent from the new WHOIS output, it may be possible to find out more about the source of alleged harm via other means, such as data on any active websites associated with the domain. Searching for this data will be more time consuming, particularly where there is a high volume of domains and websites. To address this issue, some vendors and companies offer tools that crawl the web and scan metadata from websites and other sources to provide information to help link particular activity to responsible parties.
Share Your Story
INTA wants to understand how the new policies are affecting INTA members. If you have a story or solution to share please contact us at WHOISchallenges@inta.org
b. You may also be able to discern additional information from the IP address associated with a particular website in the following ways:
- While the IP address will not provide details of domain registrants, using certain online tools such as those found through websites like http://cqcounter.com/whois/ and arin.net can tell you more about how the website is connected to the Internet (e.g., the Internet Service Provider (ISP) or hosting provider).
- The IP address could also provide more detail on the location of the website’s host, which may assist when seeking to identify possible fraudulent activity. (For example, if a website is purporting to be providing services from a particular territory, the IP address could reveal that the services are in fact being provided from elsewhere.)
- If there is a concern that the domain is associated with spam or phishing, using services such a https://mxtoolbox.com/blacklists.aspx you may be able to determine whether it is also associated with an IP address that has been blacklisted for similar activities.
for additional information.
c. Also, a domain name nameserver can be checked to correlate other possibly related domain names (see, e.g., http://dailychanges.domaintools.com
/). Once similar names are identified as “sitting on” the same IP or nameservers, those names can be correlated through the “thin data” that will be available in WHOIS after implementation of GDPR (e.g., registrar, state, date of registration). Through these correlation exercises, one may be able to identify if infringing or harmful domains are under common control.
d. And, finally, there are more “old-fashioned” means of identifying the source of alleged harm. Where the registrant is a corporate entity, the Temporary Specification requires the display of the name of the legal entity, although not its email address or other contact details. Even if the “address” field in WHOIS provides only the state and/or country of the registrant of the domain name, that information may still be useful to direct you to a particular U.S.-based Secretary of State corporate database, or to a particular country’s Trademark Office. While most bad actors are presumably savvy enough not to have filed corporate documents with a U.S.-based Secretary of State or applied for a trademark, not all will be.
1. Ask for it.
ICANN’s Temporary Specification for a GDPR-compliant WHOIS requires registry operators and registrars to grant access to non-public WHOIS information on the basis of legitimate interests pursued by the requesting party, except where such interests are overridden by the interests or fundamental rights of the data subject. While there is some skepticism about whether a registrar will provide such information for fear of reprisal from a data protection authority, asking for it, particularly in instances where the registrant is blatantly committing harmful illegal activity, and the request is appropriately tailored, may garner results. Failure to do so, if unreasonable, may violate the terms of ICANN’s Temporary Specification, which would warrant a complaint to ICANN’s compliance department. The process by which a registrar or registry operator receives and responds to such requests has not been standardized. However, in order to substantiate a request based on legitimate interests, the following information should be included:
2. Pursue other legal means to obtain data.
- Full name, address and contact details of the requesting party.
- The basis on which the request is being made--i.e., infringement of a trademark, copyright or other illegal activity.
- The domain or URL where the infringement is occurring.
- The interest of the requesting party--i.e., owner of the trademark/copyright which is being infringed, or authorized representative.
- Statement of reasonable belief that the domain in question is being used to infringe IP rights.
Most jurisdictions permit a plaintiff that does not yet know a defendant's identity to file suit against John Doe and then use the tools of the discovery process to seek the defendant’s true name, as well as other details. Without access to registrant contact information, rights holders will turn to a common practice when a registrant is not known—serving subpoenas on registries and registrars that hold that information. Subpoenas provide for the ability to obtain disclosure of more detailed data elements from over a much longer period of time about potentially malicious registrants—so while more expensive and time consuming than the current “self-serve” WHOIS system, more information can be garnered from the process to assist with prosecuting bad actors.
3. Review WHOIS history
. Much of the discussion has focused on what will happen to the current WHOIS system, but as we know, databases exist of historical WHOIS information maintained by parties
which are not in the European Union, and which are not contractually obligated to ICANN. To the extent that such databases exist, this may prove to be a valuable source for enforcement, at least for as long as it is relevant and reasonably timely.
1. Engage with other relevant intermediaries.
Registries, hosting providers, and ISPs are in a position to contact the registrant in the event that some abuse has occurred and the registrant is itself a victim of wrongdoing. Maintain good relationships with the compliance department of the largest registries and registrars.
2. Contact registrants using an anonymized email address or web form.
Under ICANN’s Temporary
Specification, the public WHOIS must include an anonymized email address or a web form from which messages could be forwarded to the registrant email address. This approach will enable non-accredited users to contact the registrant. However, as many have experienced, where communication is relayed by the registrar, there is no way for the requesting party to determine whether the email has been received by the registrant unless it receives a response.
3. Don’t forget about the registrar’s abuse contact email address and WHOIS accuracy obligations.
Section 3.18 of ICANN’s Registrar Accreditation Agreement, registrars are required to maintain an abuse contact email address to receive complaints of abuse, and are obliged to take reasonable and prompt steps to investigate and respond appropriately to any reports of abuse, including any illegal activity involving the use of a domain. The abuse contact email address still will be provided in WHOIS search results post-GDPR. Furthermore, under ICANN’s Temporary Specification, a smaller subset of WHOIS data will still be made available (“thin” data as opposed to “thick” data
). This includes the name of the registrant organization (if any provided by the registrant), province, and country. To the extent any of this information is obviously inaccurate, it is advisable to report any inaccuracy to the registrar, which is contractually obligated to terminate, lock, or suspend the domain if it does not hear from the registrant to correct the information within 15 days.
Any failure to include an abuse contact email address, or to investigate and respond to reports of abuse, should be reported to ICANN compliance here: https://forms.icann.org/en/resources/compliance/complaints/registrars/standards-complaint-form
Report inaccurate WHOIS info to ICANN here: https://forms.icann.org/en/resources/compliance/complaints/whois/inaccuracy-form
4. File a Uniform Rapid Suspension System (URS)/Uniform Domain Name Dispute Resolution Policy (UDRP) dispute.
Under the Temporary Specification for a GDPR-compliant WHOIS, the dispute resolution mechanisms—the UDRP and the URS—will continue in their current policy requirements. Consequently,
when these rights protection mechanisms are triggered, registrars will have to disclose the registrant information to the complaining party just as they do today. This, of course, doesn’t resolve the issue of the complainant trying to obtain registrant information in the first instance to prepare and file a UDRP or URS complaint.
5. Report Issues to WHOISchallenges@inta.org.
INTA encourages its members to share their stories at WHOISchallenges@inta.org
and report any problems obtaining a registrant’s information from registrars or registries. INTA is collecting this data for informational and advocacy purposes, as well as possible public relations efforts, and will not use members' names nor disclose any personally identifiable information without the permission of members and/or members' clients. INTA wants to understand how the new policies are affecting INTA members. Reports will be anonymized and data will be used to inform INTA’s advocacy positions moving forward. Please note that your responses may appear in a public document even if information is anonymized. If you do not wish to be quoted anonymously, you will have an opportunity to notify INTA through the WHOISchallenges@inta.org
email upon submission of your story. In the event that INTA desires to disclose any member’s name or personally identifiable information, the member or member’s representative will be contacted for their express, written permission for the intended purpose.
As the effects of the implementation of ICANN’s new WHOIS policies become clearer, INTA will be updating the toolkit and providing timely advice to help members navigate the new world of a closed WHOIS system.
Although every effort has been made to verify the accuracy of items in the INTA Bulletin, readers are urged to check independently on matters of specific concern or interest. Law & Practice updates are published without comment from INTA except where it has taken an official position.
© 2018 International Trademark Association