One month until GDPR deadline: INTA and US government call for urgent rethink over WHOIS approach
- ICANN meet with the WP29 in bid to gain clarity over future access to WHOIS data
- Produces letters from US government and INTA calling for rethink over key issues
- Absent a common approach, registries start to implement own WHOIS policies
This week ICANN representatives met with the Article 29 Working Party (WP29), seeking clarity over the future of WHOIS in light of the General Data Protection Regulation (GDPR). With the enforcement date of May 25 fast approaching, and registries rolling out different policies in a bid to be compliant, the US government and INTA have expanded on their concerns with the WP29 guidance – with the latter warning that “a WHOIS blackout on May 25 will result in a field day for bad actors to purchase and misuse domain names at the public’s expense”.
As we have reported on extensively, earlier this month the Article 29 Data Protection Working Party (WP29) responded to ICANN’s initial request for feedback on its proposed interim model for ensuring that the treatment of WHOIS data is compliant with GDPR. While welcoming the decision of ICANN to propose an interim model which involves layered access, as well as an “accreditation program” for access to non-public WHOIS data, the WP29 raised a number of concerns with the proposal. In the meantime, the prospect of WHOIS effectively going dark next month, with a fragmented approach taken to the availability of data by different registries, remains very real.
Responding to the WP29 letter in an op-ed on CircleID late last week, Brian J Winterfeldt, principal of the Winterfeldt IP Group and president of ICANN’s Intellectual Property Constituency, warned that the guidance “seems to imply that a fragmented WHOIS system, with no reasonable way to access critical information to facilitate legitimate goals such as preventing fraud and the distribution of malware, is simply an inevitable consequence of implementing the GDPR”. He went on to issue a rallying cry, stating “it is time to fight back, and demand a balance of the right to protect personal information with other fundamental rights” and suggesting that “businesses, intellectual property owners, consumer advocates, cybersecurity professionals and law enforcement and government representatives marshal additional comments to ICANN and the DPAs further illustrating the problems that a fragmented WHOIS system would create”.
For its part, in the immediate aftermath of the letter, ICANN warned that a fragmented approach to WHOIS would “stymie trademark holders from protecting intellectual property” (amongst other concerns) and asked the WP29 to spend more time considering the balance between the right to privacy and the need for information. This week, ICANN representatives met with the WP29 Technology Subgroup and hand-delivered communications from stakeholders, including the US government and INTA.
The former backs ICANN’s call for a temporary moratorium on enforcement of GDPR with respect to WHOIS, arguing that the collection and disclosure of data to law enforcement, cyber security, and IP professionals is essential to ICANN’s core mandate. Going further, it states that “it would be helpful if the WP29 could address the GAC’s concern that the proposal not to publish the registrant email addresses may not be proportionate in view of the significant negative impact on law enforcement, cybersecurity, and intellectual property rights protection”.
In a letter from Lori S Schulman, senior director, internet policy, INTA also added its weight to calls for a more nuanced approach to data access, with particular concern over the prospect that bulk data transfers would no longer be available: “Denying spammers access to registrant’s data is certainly in line with the objectives of GDPR. However, there is a glaring omission as to the counterbalance of allowing trusted, credentialed entities automated access to WHOIS directories. Such access is crucial to identifying patterns and trends that lead to the take down of domain names that are used exactly for the illegal activities that give rise to privacy concerns in the first place… It is impossible to identify such clusters of abuse without access to multiple data sets and the ability to analyse trends across them. Tying a legal basis and purpose to each point of data rather than a full record will create an unwieldy and unworkable system”.
Göran Marby, president and CEO of ICANN, reports that in the meeting with the WP29 it was made clear “that registrant, administrative, and technical contact email addresses must be anonymized”. Reflecting on the outcome of the gathering, Marby concludes: “We appreciate the feedback we received during the meeting. From our discussions, we agreed that there are still open questions remaining, and that ICANN will provide a letter seeking additional clarifying advice to better understand our plan of action to come into compliance with the law.”
In short, the back and forth will continue. In the meantime, a number of registries have announced new WHOIS data policies – resulting in charges for trademark owners seeking access to certain information. Domain Incite recently reported on the news that CoCCA is to redact the name, email, phone and physical address of EU residents, or non-EU residents who use an EU registrar. For intellectual property owners with a “legitimate interest”, historical abstracts can be ordered for a nominal fee (subsequently revealed to be $3). Last week, Nominet revealed that – from May 22 – it will redact registrant data for ‘.uk’ domains from WHOIS. While law enforcement can access all registry data free of charge, Nominet have stated that others “will continue to have access to the [search] service on a charged-for basis, however the registrant name and address will be redacted”. Parties requiring unpublished information will be able to request access to this data via the registry’s data disclosure policy, operating to a one working day turnaround.
Already, then, fragmentation is occurring, and other registries could well follow suit. With GDPR becoming enforceable one month from today, the race is on to find a solution that does not result in either WHOIS going dark or rights holders navigating a costly and complicated environment for investigating illegal activity.