Sound the alarm bells: WHOIS blackout “likely” following GDPR enforcement date in May
- ICANN IPC president reports on community discussions over GDPR
- Warns we will “likely be subject to an indefinite blackout period” of WHOIS
- Outlines four steps that brand owners can take now to head off that threat
On World Trademark Review we have previously reported on the General Data Protection Regulation (GDPR) and its potential impact on rights holders’ access to accurate and reliable WHOIS data. In this guest blog, Brian J Winterfeldt, principal of the Winterfeldt IP Group and president of ICANN’s Intellectual Property Constituency, provides an update on discussions at the recent ICANN meeting in San Juan, at which the spectre of a WHOIS blackout loomed large. It is a long read but an important one, in which he also outlines the practical actions that rights holders can – and should – take now in an effort to prevent the worst case scenario (if it isn’t already too late).
The collision between the privacy obligations within the GDPR and the domain name registration data that is currently publicly available through the WHOIS system remained the primary focus at ICANN through their recent meeting in San Juan, Puerto Rico. In addition to critical uses of WHOIS for law enforcement and cybersecurity, among other legitimate purposes, access to WHOIS data is critical for trademark and other intellectual property owners in enforcing their rights against illegal website content or bad faith domain name registration and use.
The ICANN community continues to scramble to finalize an interim model that would enable domain name registry operators and registrars to comply with the data privacy requirements under the GDPR, while also preserving as much of the current publicly available WHOIS system as possible. An interim model was published by ICANN ahead of the San Juan meeting, which many view as too little too late, and the death knell for a uniform or publicly available WHOIS system. The ICANN interim model was pieced together from several other models proposed by the community, leaving all stakeholders generally unhappy with, and highly concerned about, the final product.
In an attempt to assuage those fears, ICANN also published a ‘Cookbook’ intended to provide its legal rationale for the elements of its proposed interim GDPR compliance model. As a result, stakeholders have been scrambling to fill in a number of gaps in the model, make certain corrections, challenge some legal conclusions, and lobby European data protection authorities to advise ICANN of recommended changes to its positions and approach. Ultimately, discussions during ICANN 61 did little to assuage brand owner concerns about the continued availability of necessary WHOIS data following the May 25 2018 enforcement date of the GDPR.
Below, we highlight some of the key takeaways from the discussions in Puerto Rico, along with some steps you should take right away to try and avert a total blackout of WHOIS.
Key GDPR takeaways from ICANN 61
Continued disagreement on elements in the interim compliance model
Members of the community expressed continued disagreement and divergence regarding various elements of the proposed interim compliance model. On one hand, certain contracted parties suggested that the proposed requirement in the interim model to continue to collect all ‘thick’ registration data may run afoul of the GDPR’s ‘data minimisation’ principle. They also argued that the proposed publication of registrant organisation could be problematic, because such a field could still contain personal data.
Of course, there has been substantial legal analysis justifying collection of all registration data, and while registrant organisation could reflect personal data, such as the name of an individual sole proprietor, clearly an organisation’s name is intended to be public-facing information and therefore justifies general publication in WHOIS. On the other hand, government, cybersecurity, and intellectual property owner representatives continued to question why the proposed interim model failed to require publication of the registrant name or registrant email, which they believe would be justified on the basis that publication of such information is essential for transparency and in furtherance of legitimate purposes that outweigh the registrant’s privacy interest. In addition, these participants continued to highlight that ICANN’s proposed model is overbroad, particularly with respect to failing to draw appropriate distinctions between natural and legal persons, and permitting global application rather than limiting application to an EU processing nexus.
Substantial gaps in ICANN’s legal rationale for proposed interim model
In a related vein, contracted parties and third-party WHOIS users, including brand owners, both levied criticisms against ICANN’s ‘cookbook’ intended to provide its legal rationale for the elements of its proposed interim GDPR compliance model. Contracted parties’ primary criticism is that the cookbook contains too many gaps, failing to give registries and registrars sufficient comfort that the interim model is justifiable in the eyes of European data protection authorities (DPAs).
On the other hand, brand owners and other WHOIS users felt that ICANN failed to provide appropriate justification or otherwise took an unjustifiably conservative approach in connection with certain elements of its proposed interim compliance model. For instance, the model over-broadly permits contracted parties to make no distinctions between the registration data of legal persons versus that of natural persons, even though only the latter are covered under the GDPR.
In order for the model itself to be acceptable, ICANN will need to significantly improve its underlying legal rationale. Of course, for an as-yet untested law like GDPR, this will be challenging; however, we would urge ICANN to avoid taking an overly conservative approach that would unduly reduce WHOIS access to the significant detriment of those who rely on WHOIS to promote the public interest.
Rapid development of community-supported accreditation system and purpose statement
Another recurring theme throughout ICANN 61 was the urgent need to develop an implementable accreditation system, as well as an adequately granular WHOIS Purpose Statement, in order to facilitate continued access to non-public data. It seems less and less likely that ICANN will receive any kind of forbearance from DPAs that would enable WHOIS to continue in its current form without the risk of enforcement penalties for non-compliance with GDPR. Accordingly, unless some viable mechanism is in place from “day one” after GDPR goes into effect, substantial data currently published in WHOIS will be placed behind a gate with no means for third-party access, short of a subpoena or court order applicable to the relevant registry operator or registrar who has collected the sought-after data. This kind of WHOIS blackout would be an untenable situation, breaking a multitude of tools and bringing to a halt numerous critical efforts that make the Internet a safer and more secure space.
ICANN expects WHOIS blackout period starting May 25
Nonetheless, during ICANN 61, ICANN presented a timeline which, if adhered to, would include a WHOIS blackout period starting on the GDPR effective date and likely persisting at least six months. According to ICANN’s timeline, implementation of its proposed interim compliance model would be completed by May 25, placing substantial WHOIS data behind a gate, but the accreditation mechanism to access the gated data would not be implemented until December 2018 at the earliest.
If ICANN were to permit this extended blackout period, it would be abdicating its mission to “ensure the stable and secure operation of the Internet's unique identifier systems” and its duty to act in the “global public interest.” Although ICANN has repeatedly stated that its obligation to comply with applicable law takes precedence over its other bylaws obligations, it is taking a shockingly passive role in achieving an interim system capable of serving both needs. According to ICANN, concerns around timing should also be raised directly by the community to the DPAs, requesting clear guidance on what data can continue to be provided after May 25 should an accreditation model not yet be in place.
ICANN compliance claims it will enforce final interim compliance model
Ultimately, whatever model is in place and when, ICANN has unequivocally stated that it will enforce adherence to this model by all of its contracted parties. But numerous contracted party representatives have indicated that they would deviate from ICANN’s model if they believe they must do so based on their own internal legal advice and risk assessments. These conflicting stories, as well as previous experience with lax or unpredictable contractual compliance by ICANN, provide little assurance that ICANN will actually have any appetite or teeth to bring all contracted parties into conformity with the model ICANN ultimately adopts. That said, ICANN’s model is likely to remain intentionally high-level, vague, and over-broad so contracted parties will naturally have the flexibility to implement their own gap-filling measures or take favorable interpretations that insulate them from GDPR enforcement risk at the expense of facilitating access to WHOIS data for legitimate purposes of third parties.
ICANN encouraged community to confer directly with DPAs
Finally, but most importantly, ICANN’s recurring mantra throughout ICANN 61 was for members of the community to confer directly with DPAs to gain guidance and clarity on the contours of GDPR compliance. Yet ICANN itself has been woefully non-transparent with respect to its own discussions with DPAs. It has provided only minimal updates, lacking in substantial detail, concerning prior meetings with DPA representatives, typically after the meeting has already taken place with virtually no prior notice to the community. Accordingly, the community has no way of knowing specifically what ICANN and the DPAs have discussed, what guidance or clarifications the DPAs have provided, and whether or not ICANN has presented conflicting community viewpoints with respect to various aspects of the interim model or if ICANN has given the false impression that the entire community has endorsed the model in its current state.
In addition, it is notoriously difficult for individual stakeholders to even get any kind of audience with DPAs, who are intentionally insulated so as to preserve the independence and impartiality of their work. ICANN itself has previously suggested that the only way it has managed to establish any dialogue with the DPA community is because it is a global multi-stakeholder organization with a public interest mission. Thus, while ICANN’s suggestion for community members to individually reach out to DPAs is somewhat disingenuous, it is likely the only way to obtain any further clarity on what would be permissible under the GDPR in terms of WHOIS data collection, publication, and access.
No matter what happens next, we will almost certainly be preparing for a world in which the WHOIS system as we know it goes away. We may be left with a modicum of useful public data – such as domain creation and expiration dates, name servers, and registrant country. But the vast majority of the information we use today to conduct trademark enforcement investigations, send cease and desist letters and similar communications to registrants, or even prepare and prosecute UDRP complaints, will likely be hidden behind a gate. And the key to the gate – the accreditation system – may not be ready for another six months, if not longer.
Accordingly, we urge everyone in the brand owner community (as well as our allies in the broader consumer protection and intellectual property rights community, in law enforcement and government, and in the cybersecurity community) to:
- Contact European DPAs to voice concerns about the possible WHOIS blackout, seek as much guidance as possible as to what DPAs would allow in terms of data publication through WHOIS, and request that DPAs commit to providing ICANN and contracted parties with an abeyance on GDPR enforcement while the community works in good faith to implement a balanced system that respects privacy rights enshrined in the GDPR while also enabling continued public interest work that relies on WHOIS. A list of European DPAs and how to contact them is available here.
- Contact ICANN Governmental Advisory Committee (GAC) members and other governmental representatives with an interest in preserving WHOIS, such as law enforcement or regulatory agencies, to call on them to apply pressure on ICANN to preserve more of the current WHOIS system and ensure a mechanism is in place for access to any non-public data before data is put behind a gate. In the United States, we know that interested agencies include the Department of Commerce National Telecommunications and Information Administration, Federal Trade Commission, United States Patent and Trademark Office, Department of Justice Computer Crime and Intellectual Property Section, and the Federal Bureau of Investigation. In Europe, we know that Europol and the European Commission have been involved in GDPR and WHOIS discussions, as has Interpol. A list of GAC members is available here.
- Immediately join in efforts to develop a consensus interim accreditation system as well as refine a proposed WHOIS Purpose Statement. We urge the brand owner community to publicly support the accreditation model proposal and purpose statement, and urge ICANN to adopt some operational mechanism for access to non-public WHOIS data to avoid a total blackout. Comments on these documents can be sent directly to ICANN at [email protected].
- Continue to supply comments to ICANN highlighting concerns with the proposed interim model, including lack of public registrant name or email address, lack of requisite distinctions between natural and legal persons, global application instead of appropriately limiting territorial scope to registrations with a European Union nexus (via the registry, registrar, or registrant), and lack of any commitment to continue providing searchable bulk WHOIS data via port 43 or similar technical protocol. Comments on the model can be sent directly to ICANN at [email protected].
In short, it is time to sound the alarm bells: WHOIS as we know it will soon be gone, and we will likely be subject to an indefinite blackout period where online brand enforcement will be nearly impossible. This must be an urgent advocacy priority for all trademark owners, and the time to act must be now – it is already nearly too late.