Keep calm and carry on: tips for online enforcement and advocacy after GDPR
- GDPR resulted in public WHOIS data no longer offering personal contact information
- ICANN IPC president identifies five enforcement strategies available to rights holders
- Provides action plan to make voices heard as future WHOIS regime formulated
On May 25, the European Union General Data Protection Regulation (GDPR) became enforceable. As a result, rights holders have been left to grapple with an enforcement environment in which access to full WHOIS data is, in many instances, either restricted or blocked altogether. In this guest blog, Brian J Winterfeldt, principal of the Winterfeldt IP Group and president of ICANN’s Intellectual Property Constituency, and Phil Marano, senior associate at the Winterfeldt IP Group, identify five tools that can be utilised in the absence of public WHOIS data. Crucially, they also explain how rights holders can make their voices heard as the ICANN community seeks to formulate a longer term, GDPR compliant model for WHOIS access.
Investigation and enforcement against fraud, malicious conduct, pirated content, counterfeit goods, and even routine intellectual property infringement, just became much more difficult on the Internet.
As a general matter, that is because publicly accessible domain name registration data (WHOIS data) no longer includes any personal contact information. The disappearance of publicly accessible WHOIS data represents over-compliance with the GDPR, enforcement of which came into effect on May 25 2018. Compounding this problem further, the actors who collect and control WHOIS data remain disinclined to coalesce around a uniform means to access it, even for legitimate intellectual property enforcement purposes. There currently are zero contractual obligations that would require them to provide such access.
The current landscape for access to WHOIS data is therefore fractured and discordant. Conscientious registrars have attempted (with limited success) to mask only personal data that belongs to individuals in Europe who are data subjects under the GDPR. Unfortunately, some registrars have walled off access to all personal data, and will only unmask their customers in response to a court order or subpoena from a local governmental authority. And truly apathetic or recalcitrant registration authorities refuse to provide registration data under any circumstances, even in contravention of contractual obligations to ICANN (including in the context of formal domain name dispute resolution proceedings like the URS and the UDRP). Nevertheless, despite the currently chaotic landscape, intellectual property owners retain at least five valuable tools to investigate problems online in order to enforce their rights against parties that are directly or indirectly responsible for infringement or other abusive activity (beyond merely asking registration authorities to reveal nonpublic WHOIS data).
- Web Hosts. The optimal and appropriate way to redress problematic website content remains through the intermediaries who hosts that content. Fortunately, webhosts can still be easily identified through the Internet Protocol Address (IP Address) associated with each domain name and website. Simply use a free online webhost lookup tool, or perform an NSLOOKUP Command Prompt from your computer. It also remains possible to correlate individual domain names within unsophisticated illegal networks of websites in the event that they all use the same web hosts and IP Addresses. Once the web host has been identified, reports of infringement or abuse can be filed with their abuse point of contact or other appropriate complaint contact.
- Website Contacts. Very few fraudsters include legitimate point of contact information within their website content; they prefer amorphous ‘contact us’ web forms, or usually nothing at all. Moreover, many acts of online abuse do not involve a website at all (such as email phishing). Nevertheless, innocent infringers sometimes do include functional contact information within their websites or on their domain name parking pages, so be sure to always check there first.
- Archived WHOIS Data. Robust archived WHOIS data remains available from the not-so-distant past when it was still predominantly published online. However, access to archived WHOIS data usually comes commensurate with subscription fees from the service providers who originally archived it. Most practitioners will tell you that any modest price paid is well worth it when performing necessary due diligence chain of title research in an acquisition scenario, and even in certain types of infringement scenarios where historical data is relevant. Of course, such archived data cannot always be relied on to remain accurate over time.
- Registration Authority Abuse Points of Contact. All domain name registration authorities (including both registrars and registry operators) have a contractual obligation to publish an abuse point of contact, and registrars are required to “take reasonable and prompt steps to investigate and respond appropriately to any reports of abuse.” (Registrar Accreditation Agreement, Section 3.18.1 (September 17 2013)). This language should be cited in any takedown demand or demand for registration authorities to reveal nonpublic WHOIS data. Despite pervasive industry recalcitrance and a laissez faire compliance attitude with respect to this language over the past several years, this contractual provision is undoubtedly more important than ever without access to key WHOIS data.
- Arbitral Domain Name Disputes. Domain name registrars also have a contractual obligation to provide dispute resolution service providers, like WIPO, with full registration data once a complaint has been filed under the URS, the UDRP, or various corollary country-code specific proceedings. It would not be surprising to see such complaint filings increase exponentially (particularly complaints against numerous domain names in bulk) in order to reveal underlying non-public WHOIS data. The caveat is that a single complaint against multiple respondents is only proper where some credible evidence of co-ownership or common control exists. Nevertheless, initiation of lower cost proceedings, like the URS, could prove more useful than ever as an alternative form of revealing underlying domain name registration data, even if they cannot ultimately proceed on the merits against all named domains.
While helpful, these remaining tools simply do not, and cannot, get the job done as effectively as under the prior WHOIS regime when it comes to intellectual property enforcement online. No one (apart from privacy maximalists) is generally satisfied with the currently fractured and uncertain landscape for WHOIS data.
That is why numerous regulatory, legislative, legal and policy initiatives remain underway to help obtain ready access to full WHOIS data for legitimate purposes like intellectual property enforcement. To help fuel those efforts for change, it is crucial that intellectual property rights holders fully document and leverage the harm that they have felt due to the disappearance of publicly accessible WHOIS data. Demonstrated harm can be as simple as an anecdote about a domain name registrar that refused to disclose WHOIS data shy of a subpoena or court order. It can also include any inaccurate WHOIS data that does remain accessible. And it can also be as complex as asking your brand protection vendors to perform a comparative study to document any recent decreases in effectiveness rates in your online enforcement programs. In all cases, documented harms should be reported to the ICANN contractual compliance department via email to [email protected].
Contemporaneously, it is equally vital that intellectual property rights holders participate and make an impact within those same regulatory, legislative, and policy initiatives. For example, work continues within ICANN to develop an accreditation and access model to WHOIS data for intellectual property rights holders. Anyone can join this initiative with an email to [email protected].
As another example, the launch of an expedited policy development process is imminent within ICANN. That policy development process could potentially redefine the contours of public WHOIS data. Indeed, registration authorities are currently contractually obliged to do little beyond publish an anonymized email or web form to help contact domain name owners, or publish in full any privacy or proxy registration data. Anyone can subscribe with an email to [email protected] once this initiative has been formally launched.
Finally, intellectual property owners in the United States should file public comments with the US National Telecommunications and Information Administration (NTIA), which recently published a notice of inquiry on (among other important topics) what privacy issues they should focus on in international venues. Public comments to the NTIA can be emailed to [email protected] by July 2 2018. Intellectual property owners abroad should likewise make their views known to comparable governmental authorities on the need to access to WHOIS data for enforcement purposes.
This is merely an illustrative list, and no matter which method for advocacy you select, the important thing is that you do not merely spectate and instead make your voice heard.