Amazon green light, WHOIS access, URS proposals: six key takeaways from ICANN 63

  • ICANN 63 saw a number of key trademark community concerns take centre stage
  • Brand owners urged to engage in review of rights protection mechanisms
  • Different groups split on timings of, and urgency for, a second round of new gTLDS

Last week’s ICANN meeting in Barcelona saw a number of critical trademark community concerns take centre stage. In this exclusive guest analysis, Brian J Winterfeldt, principal of the Winterfeldt IP Group and president of ICANN’s Intellectual Property Constituency, provides an exclusive behind the scenes look into the major talking points, providing an update on the state of play with respect WHOIS data access, efforts to review current trademark protections and the inside track on planning for the next round of new gTLD applications.

Guest analysis

The 63rd public meeting of ICANN took place in Barcelona, Spain, from 20 – 25 October 2018. The event provided an important forum for the community to continue discussions on a number of key topics of interest to brand owners, including: the continued development of a post-GDPR WHOIS system including a unified framework for access to non-public data; progress in the Rights Protection Mechanism (RPM) Review process including finalizing policy recommendations concerning the Uniform Rapid Suspension (URS) system and starting a review of survey data on the Trademark Clearinghouse, Sunrise, and Trademark Claims mechanisms; new gTLD subsequent rounds planning; and the delegation of the ‘.amazon’ new gTLD. Below we present the key takeaways from ICANN 63.

1. Progress continues within the EPDP on gTLD registration data

There was, unsurprisingly, substantial discussions regarding the ongoing post-GDPR WHOIS issues. The current heavily-redacted WHOIS system continues to be a hurdle for law enforcement, cybersecurity threat identification and mitigation, and intellectual property rights enforcement. The expedited policy development process (EPDP) that has been tasked with reviewing the Temporary Specification currently governing public and private access to domain name registration data continues its fervent efforts to develop a permanent WHOIS policy, including holding numerous face to face meetings and community sessions in Barcelona.

In the first phase of its work, prior to ICANN 63, the EPDP “triaged” levels of agreement on the existing terms of the Temporary Specification, which highlighted many generally acceptable provisions or provisions requiring only modest tweaks to become acceptable to the majority of the EPDP members. It then focused on the provisions where there seemed to be little agreement, including the arduous tasks of: defining legitimate purposes for processing various WHOIS data elements (including for ICANN, registries, registrars, and third parties), defining the actual processing activities involved, identifying a complete inventory of possible data elements associated with domain name registrations, and identifying the legal basis under the GDPR for such data processing. The EPDP has outlined these matters in various “workbooks” and importantly, has initially concluded that there are legitimate interests in WHOIS data for parties other than ICANN, registries and registrars, including for law enforcement and consumer protection.

As a result of these efforts, the EPDP is considering changes in published versus redacted data elements in the WHOIS database. Under the Temporary Specification, only limited WHOIS data may be published, including the registrant’s state or province and country – but not its name, street address, or email address, all of which are important for trademark enforcement purposes.

However, it will be important for the EPDP to also identify any limitations on the application of GDPR that would allow parties to publish additional data, based on the location of the registrant, registrar, and registry operator (only data with an EU processing nexus is protected under GDPR), or whether the data element represents personally identifiable information of a natural person or only non-PII of a legal entity (which is not protected under GDPR). Additional public data that adheres more strictly to the actual contours of the GDPR would greatly benefit brand and consumer protection efforts.

2. A vocal push for a unified access system for non-public WHOIS data

In addition, the Temporary Specification led to severe fragmentation in how individual ICANN contracted parties are publishing data, and how they respond to requests for non-public data. Responses to requests for non-public data are inconsistent, ranging from demanding a subpoena, to deferring abuse reports to the UDRP dispute resolution mechanism, to receiving no response at all.

Without clarity or a harmonized definition of what constitutes “reasonable access” as required under the Temporary Specification, most registrars are taking a conservative approach, typically denying disclosure, even when there are legitimate interests that outweigh the privacy rights of the registrant. While ICANN Compliance has received complaints about the lack of disclosure by registrars, Compliance has unsurprisingly taken a hands-off approach given the ambiguity in what constitutes “reasonable access” and generally deferring to individual contracted parties in their balancing of interests. These inconsistencies and overall reduction in access to key WHOIS data is increasing the risks of phishing, fraud, malware distribution, counterfeiting, and numerous other crimes and consumer abuses.

Accordingly, many in the community leveraged ICANN 63 to vehemently raise the critical and urgent need for a unified access system for non-public data. Members of the brand protection, law enforcement, and cybersecurity communities repeatedly raised the need for ICANN and the broader community to create a centralized user interface for efficient access to non-public data for legitimate third-party purposes. Efforts have been underway for many months to design such a system, but inertia for these efforts have largely been stymied by, or rolled into, the EPDP, which is slated to reach the question of “accredited access” only in its third phase of work – potentially six months or more in the future. ICANN and others have insisted that further work to develop a unified access system must rely on the assistance of European data protection authorities, to ensure such an approach is legally permissible under the GDPR. Ultimately, both an interim and long-term solution for uniform access to non-public data are sorely needed.

In one fairly promising development from ICANN 63, however, the Commercial Stakeholders Group and the Contracted Parties House held a meeting in which both sides agreed to exploring possible voluntary guidance regarding what constitutes “reasonable access” to non-public WHOIS data. This recognition of legal risks on various parts of the community as a result of the current state of WHOIS is important to ensure the timely success of the EPDP to adopt a permanent solution and solve the problem of consistent and reliable access to non-public data.

3. Efforts and challenges to provide WHOIS data for legitimate purposes

In order to bolster policy positions concerning WHOIS and the need for access to non-public data, a number of parties in the brand protection and cybersecurity communities have begun to submit data on hurdles to obtaining data necessary for these efforts. For example, corporate registrar AppDetex prepared a report summarizing the results of thousands of attempts to obtain non-public data for brand protection purposes. In a summary of its efforts, it found exceedingly low rates of responses that facilitated these efforts, and identified the need for an agreed-upon process consistent across all accredited registrars that includes: a format of request, identification of information required to be set forth in that request, email addresses where requests can be sent, specifications of documentation required for authenticating requests, and time limitations for response to requests.

In response to AppDetex, commercial registrar Tucows stated that some requests veer into dangerous territory that require registrars to make a legal determination regarding the content of certain domain names or websites, which is beyond their scope of expertise and outside of ICANN’s DNS-related mandate. Tucows’ letter criticizing the AppDetex study also suggested that the requests show a lack of care in identifying appropriate enforcement targets, based on automated mechanisms. AppDetex was quick to point out that its enforcement targets are actually handled through a manual process, and that requests for disclosure do not actually require an evaluation of nuanced intellectual property doctrines, but merely an application of the GDPR balancing test as to whether the legitimate interest of the requestor in pursuing the data for its enforcement purposes outweighs the privacy right of the particular registrant in each instance. This would save registrars from being placed in a legally risky position of judging whether a request is an infringement under applicable law, and further highlights to the need for a uniform access system that minimizes the burden on all parties in making such case-by-case evaluations. Similar data to that of AppDetex was also published by the Anti-Phishing Working Group and the Messaging, Malware and Mobile Anti-Abuse Working Group, from a cybersecurity perspective.

4. Ongoing RPM review policy considerations

The RPM Review working group continues to move forward on a number of important topics, including reaching agreement on the set of Uniform Rapid Suspension (URS) system policy proposals to be included in the group’s Initial Report. A number of proposals were prepared by the brand community, including favorable proposed updates to the URS such as a “loser pays” system, enhanced penalties for repeat offenders, and minimizing the duplicative post-default de novo review periods currently available under the URS.

However, a number of proposals were also provided by members who are not sympathetic to brand concerns. For example, one such proposal would impose a statute of limitations on filing URS complaints of two years from the creation date of the domain name, potentially barring valid claims where abusive use only occurs more than two years after registration. Another such proposal would require complainants to prove that a domain name was “created” in bad faith, replacing the current “registered” in bad faith standard (where “registered” has been found to mean original registration or acquisition by a new registrant).

This proposal is problematic because registrants who acquire a domain name from another could escape URS liability if the original owner did not create the name in bad faith, but the new registrant acquired it in order to use it for a nefarious purpose. A full set of the URS policy proposals is available here. The Initial Report is likely to be released at the end of Q1 2019, where it will be critical for brand owners to provide input in support of proposals that would strengthen the URS for brand owners, and in opposition to proposals that would weaken the URS (particularly as a prelude to similar efforts to undermine the UDRP).

In addition to concluding initial efforts on the URS, the RPM Review working group also began its evaluation of survey data prepared by third-party vendor the Analysis Group concerning the Trademark Clearinghouse, Sunrise, and Trademark Claims mechanisms. The surveys left a bit to be desired in terms of response rates, but the responses received still provide useful – if not statistically significant – information about these mechanisms from the perspectives of registry operators, registrars, domain name and would-be domain name registrants, and trademark owners.

The data suggests that while many brand owners are using the Trademark Clearinghouse, many have either opted not to use it or are unaware of it and its benefits in terms of protecting trademarks in new gTLDs. In addition, the data suggests that Trademark Claims notices have not be a major deterrent to registration, most likely because registrants do not fully understand the notice or its legal implications.

While this illustrates the need for more comprehensible notice language on one hand, on the other hand, exaggerated claims that notices were imposing an intolerable chilling effect on legitimate domain name registrations can likely be put to bed. In addition, the data supports initial working group conclusions that high Sunrise registration prices were deterring brand owners from participating in this mechanism for early defensive registration. The working group will continue to review the Analysis Group report in the months ahead and ultimately use this information to complete its policy recommendations and conclusions concerning these mechanisms for inclusion in the Initial Report.

5. Additional considerations for new gTLD subsequent application rounds

The new gTLD subsequent procedures working group continues to deliberate and expects to publish a “supplemental initial report” very soon, after the closure of a robust public comment period on its initial report. The supplemental initial report is expected to focus on new gTLD auctions of last resort and alternatives to auctions within ICANN, private auctions to resolve contention sets, the role of new public comments on gTLD applications, requests to change applications, and registrar support for new gTLDs. The working group suggested that new gTLD applicants should continue to be permitted to change their business plans, and even their new gTLD strings, under certain circumstances. If permitted, such changes could have a material impact on both string confusion and legal rights objections filed by brand owners to protect their rights.

In addition, the subsequent procedures geographic names work track provided lively discussion in Barcelona. Governmental representatives maintained a firm stance on national sovereignty concerns about names with geographic significance. Conversely, the concern and desire to grant governments priority over geographic names as TLDs, such as ‘.amazon’, ‘.persiangulf’, or ‘.patagonia’, are not aligned to international trademark legal norms of priority, exclusivity, and presumptive validity. Furthermore, representatives argued that geographical indications should be accorded the same protections as trademarks within the new gTLD program. However, geographic indications are only to be treated as trademarks within the new gTLD program to the extent they are used or registered as trademarks, as not all parties to the Paris Convention recognize or implement protection for geographic indications in the same way.

While this work continues, many in the community are pushing hard for an accelerated timeline for the opening of yet another new gTLD application window, as the primary profit generator for their businesses. Meanwhile, the Security and Stability Advisory Committee (SSAC) recently published its SAC 103 report which advised that the New gTLD Subsequent Procedures PDP is moving too quickly, overlooking some key outstanding issues from the 2012 round, notably: reserved names and string similarity, internalized domain names (IDNs), root scaling, name collisions, evaluating service providers, and domain name abuse.

The brand community is not pushing for an additional round of new gTLD applications, which simply invites more cybersquatting and infringement spaces just like the 2012 round, although some brand owners looking to apply for a ‘.brand’ TLD have waited quite some time for a new application window to open (and will likely need to wait at least an additional year if not more).

6. ICANN finally green lights the delegation of ‘.amazon’

After years of back-and-forth debates, governmental interventions, and ICANN accountability mechanism disputes and complaints, the ICANN Board finally approved’s application for the ‘.amazon’ new gTLD, against the continued opposition of Amazon Cooperation Treaty Organization (ACTO) member states. The Board decision was reached subsequent to the negotiation of a mutually agreeable solution between Amazon and the ACTO members, primarily involving Amazon’s agreement to implement special public interest commitments to prevent possible Internet user confusion surrounding the TLD and any relationship with the ACTO member governments or the Amazon geographical region.

Speculation abounds as to the exact contours of the settlement, although prior proposals have included a reservation of culturally sensitive strings in the ‘.amazon’ TLD and support for future ‘.amazonas’ applications for the geographic region and its governments and indigenous peoples.

The specific timetable for delegation of ‘.amazon’ is unclear, but it appears that this long protracted battle is finally coming to a positive conclusion – and an important lesson for all brand owners and the general ICANN community in devising enhanced rules for future new gTLD application rounds.

Unlock unlimited access to all WTR content