“WHOIS as we know it could go dark”: assessing ICANN’s proposed GDPR compliance models
- ICANN’s GDPR compliance efforts could significantly impact enforcement
- Question raised over ICANN’s ability to assess community input in two days
- Brand owners urged to submit comments to preserve access to WHOIS data
On World Trademark Review we have previously reported on the General Data Protection Regulation (GDPR) and its potential impact on rights holders’ access to accurate and reliable WHOIS data. In this guest blog, Brian J Winterfeldt, principal of the Winterfeldt IP Group and president of ICANN’s Intellectual Property Constituency, analyses the proposed models for compliance - one of which would effectively result in the WHOIS database as we know it today going dark.
Winterfeldt previously authored a guest piece highlighting how – with the GDPR becoming enforceable on May 25 2018 – access to current levels of WHOIS data could be under threat. In this follow-up, he assesses the three community-proposed interim models for compliance with the new data regime, and how they could impact on the online enforcement efforts of trademark counsel the world over. Crucially, he explains why rights holders need to have their say, now, in a bid to preserve access to critical WHOIS data.
In our initial article, we explained how Europe’s General Data Protection Regulation (GDPR) requires ICANN to make some big changes to domain name registration information that is now publicly available under the WHOIS system. ICANN is now in a difficult position of figuring out how to best comply with the GDPR while providing users with as much access as possible to the WHOIS system – without cutting off critical access to WHOIS to the many stakeholders, including businesses, consumers, law enforcement and consumer protection agencies who rely on WHOIS.
ICANN has called for community input on the compliance models by January 29 2018. It is unclear how ICANN will come to a decision, but it appears unlikely that ICANN could realistically consider all such input from the community in a two day window, between the January 29 deadline and its stated decision date of January 31 2018.
While the ICANN models are valuable additional input into the process of developing an interim compliance solution for GDPR and WHOIS, there must be room for ICANN to take careful account of the different community models and other input, including suggestions for hybrid models that combine various elements from all eight models that are on the table. In the meantime, certain stakeholders, including from the IP and business communities, are asking ICANN to provide a reasonable extension of time to allow the community to share their input before it makes its decision.
Given the fast-moving timeline, it will be critical for brand owners to engage at ICANN immediately to ensure that GDPR compliance does not become an excuse to shut off access to WHOIS data. Written comments may be submitted to ICANN at [email protected].
Below we provide an overview – and analysis - of the three GDPR compliance models that ICANN has presented for community input, as well as a brief overview of various independent compliance models community stakeholders independently developed and shared with ICANN. We also suggest solutions that would best serve ICANN’s goal of complying with GDPR while preserving as much of the current WHOIS system as possible.
We briefly summarize the three ICANN proposed compliances models below:
This model is arguably a proposal that most resembles the WHOIS system we have today. Consistent with the GDRP’s definitions, this model applies only to personal data in the registration data of a ‘natural’ (as opposed to ‘legal’) person. It only applies where the registry operator and/or registrar are established in the European Economic Area (EEA) or use a data processing vendor in the EEA, or are established outside the EEA but provide services involving the processing of personal data from registrants located in the EEA.
Under Model 1, unless the registrant otherwise grants permission for publication of a broader set of information, the registrar and registry operator would be required to display the following minimum data in public WHOIS: (1) the domain name, (2) the primary and secondary nameserver(s), (3) the registrar, (4) the original creation date of the registration, (5) the expiration date of the registration, (6) the name and postal address of the registrant, (7) the email address, telephone number and fax number (where available) of the administrative contact, and (8) the email address, telephone number and fax number (where available) of the technical contact. This set of data is nearly the same as the data currently publicly available in WHOIS, with the notable exception that it lacks a registrant email address, telephone number, or fax number.
The registry operator and registrar would need to retain registration data for two years beyond the life of the registration. To access registration data not published in the public WHOIS, registries and registrars would respond to requests from third parties on a timely basis. The requestor would be required to submit an application to the registrar or registry stating the specific purpose for accessing the data. The requestor would self-certify that the requested access is necessary for a legitimate purpose and that the data would only be used for the limited purpose for which it was requested. Under Model 1, registries and registrars may, but would not be required by ICANN, to provide additional access to non-public WHOIS so long as it complies with GDPR and other applicable laws.
Compared to Models 2 and 3 below, Model 1 goes the furthest in meeting ICANN’s stated goal of preserving as much of the current WHOIS system as possible while complying with GDPR. If ICANN has determined that this model should be GDPR-compliant, we see no reason to adopt a more restrictive model. Model 1, arguably, would require the least changes, be the lowest in cost to implement and provide users with relatively non-burdensome access to much of the same WHOIS data they have today.
But Model 1 does not include the registrant’s email address as a published data element, which does not make sense. WHOIS users need the email address of the registrant to contact that person quickly and many registrants want their email address published to ensure they can be found and contacted. There should be no reason why email address is somehow more sensitive than the other data elements in WHOIS, particularly where the model would include publication of the registrant’s physical address. But, if the registrant’s actual email address is established as sensitive personally identifiable information (and thus subject to GDPR requirements), an anonymized public email address that is auto-forwarded to registrant’s actual email address could be used as a possible workaround.
Model 2 is essentially a middle ground between Model 1 and Model 3. Unlike Model 1, Model 2 would apply to personal data included in the registration data without regard to whether the registrant is a natural or legal person. But like Model 1, Model 2 would apply only where the registrar and/or registry operator are established in the EEA or use a data processing vendor in the EEA, or are established outside the EEA but provide services involving the processing of personal data from registrants located in the EEA. Alternatively, another proposed variation of Model 2 would apply to all registrations on a global basis without regard to location of the registrant, registry, registrar or a processor of the registration data.
Unless the registrant otherwise grants permission, registrars and registries would be required to display the following minimum data in public WHOIS: (1) the domain name, (2) the primary and secondary nameserver(s), (3) the registrar, (4) the original creation date of the registration, (5) the expiration date of the registration, (6) the email address of the administrative contact, and (7) the email address of the technical contact.
Model 2 would not publish the name of the registrant, whether legal or natural person, unless the registrant opts in. Unlike Model 1, which requires data to be retained for two years after the life of the registration, under Model 2, registrars and registry operators would only need to retain registration data for one year. Registrars and registries would provide access to the non-public registration data to a specific set of third-party requestors who are certified under a formal accreditation/certification program.
It is unclear how certification or accreditation would work, but user groups, such as law enforcement agencies and intellectual property lawyers, could arguably access certain non-public data based on criteria and limitations that would be established in the future. The user groups eligible for the certification program, and the process for providing access to the nonpublic WHOIS data would be developed in consultation with ICANN’s Governmental Advisory Committee (GAC). Under Model 2, registries and registrars may, but would not be required by ICANN, to provide additional access to non-public data so long as it complies with GDPR and other applicable laws.
Although Model 1 is clearly the preferred model, Model 2 is the next best option, especially as compared to the draconian approach suggested in Model 3 (summarized below). But Internet users who rely on critical access to WHOIS should not be forced to accept a compromise for the sake of compromise. ICANN has a duty to select the model that best meets its stated goal of preserving as much of the current WHOIS system as possible while complying with GDPR (ie, Model 1). That said, if future discussions result in widespread community support for Model 2, many issues and questions would remain. For example, it would be necessary to obtain greater clarity on how the mechanism would work for legitimate parties, such as brand owners, to obtain any non-public registration WHOIS data from registrars. Because Model 2 still restricts much of the data that legitimate users need when accessing WHOIS, registrars could expect to be flooded with requests for such information, such as requests from IP owners for a registrant point of contact or even something as simple as the registrant’s country of origin in order to assess jurisdictional issues. Additionally, the Model 2 variant that would apply to all registrations globally regardless of the location of the data subject or the registry or registrar is an overbroad remedy that steers well away from the goal of basic GDPR compliance.
Of the three models suggested, Model 3 is the most extreme and is of the most concern. By far, the biggest difference is that Model 3 requires a third party user of WHOIS data to present a subpoena or any other court order (or similar order from a judicial tribunal of competent jurisdiction) before anyone can access any nonpublic WHOIS data. Model 3 essentially means that the WHOIS database as we know it today would go dark. The many legitimate users of WHOIS including consumers, law enforcement, consumer protection agencies, brand owners and businesses would need to go through the burdensome and costly process of seeking a subpoena or court order each time they wish to query the WHOIS database. It is critical to understand that for most of these parties, querying WHOIS is just the first step in their investigation online. Consumer protection agencies, law enforcement and businesses, for example, need quick access to WHOIS to stop cybercrimes, including phishing attacks. The costs, time and inefficiencies of dealing with a flood of subpoenas, court orders and potential lawsuits that follow would equally burden registries and registrars who would have to review and respond to every single request for data.
In addition to this fundamental flaw, Model 3 as proposed would apply to all registrations on a global basis, without regard to location of the registrant, registry, registrar or a processor of the registration data. Again, it is important to understand that the GDPR only applies to EU data subjects and processors established in the EU, so this approach is overbroad.
Under Model 3, unless the registrant otherwise grants permission, registrars and registries would be required to display the following minimum data in public WHOIS: (1) the domain name, (2) the primary and secondary nameserver(s), (3) the registrar, (4) the original creation date of the registration, and (5) the expiration date of the registration. Clearly, the public data displayed under Model 3 is the least of the three models. If other models are considered GDPR-compliant, there is no obvious reason to minimize the WHOIS public data set any further.
Registries and registrars would only be required to retain the registration data for a mere sixty days beyond the life of the domain name registration. This would make key tools like reverse WHOIS service or historical WHOIS data, which aid significantly in IP infringement and law enforcement investigations, nearly impossible.
Model 3 should be a non-starter for the community. Although ICANN’s stated goal is to comply with GDPR while preserving as much of WHOIS as possible, this model fails both prongs of its stated goal. Model 3 over-complies to the extreme while stripping away needed access to much of the current WHOIS system.
The community compliance models
In advance of ICANN publishing its three GDPR compliance models, community members were asked by ICANN to develop their own models. To date, five such models were submitted for ICANN’s consideration. These models represent a range of different stakeholders and divergent views on how to best comply with GDPR.
Of the five community models, several seem to respect the balance between GDPR compliance and access to WHOIS. The model submitted by the Coalition for Online Accountability (COA), a trade association representing copyright industry stakeholders, preserves the most of the current WHOIS system. It proposed keeping WHOIS as is and publicly available for data that is considered non-personally identifiable information (eg, the domain name itself, name of the registrar, domain creation and expiration dates, and nameservers). The model also keeps public any WHOIS data of ‘legal persons’ (for example, a domain name registered in the name of a corporation or nonprofit entity). The COA model sensibly suggests that registrants self-identify when they register a domain name whether they are a natural person or are registering on behalf of a legal entity. The model also keeps continued public access to registrant name, physical address, and email address. In cases where an email address is personally identifiable, COA suggests that data field be substituted with an anonymized email address, which could still be used to contact the registrant. This model also proposes mechanisms for disclosure to facilitate legitimate third party interests including for law enforcement, consumer protection, intellectual property enforcement, and domain name transactions and management.
A model submitted by AppDetex, an online brand protection firm, draws from the final report of the ICANN Expert Working Group on Registration Data Directory Services, which spent over two years discussing how to update and improve the WHOIS system. This model is similar in many respects to the COA model, including drawing distinctions between natural and legal person registrants, keeping certain data elements that are non-personally identifiable in a public database, and proposing a system of accredited access to non-public data for certain requestors who state a legitimate purpose and agree to be held accountable for the appropriate use of that data.
Another model, called the ‘ICANN Redaction Model’, proposes that natural and legal persons have the option to fully publish their data (including personally identifiable information collected from natural persons), hide such data through a proxy service, or use a new ICANN redaction service. The redaction service would work to hide certain data elements within an otherwise-public database. Where any registrant opts to use the proposed ICANN redaction service, such registrant would create an account with ICANN, provide its information to ICANN, and be subject to ICANN’s terms of service. The terms of service would establish a direct contract between ICANN and the registrant, which would serve as a basis for further processing of the registrant’s data under GDPR. ICANN would then validate the registrant’s information, provide an authorization code to the registrar, and then the public WHOIS record for such registration would replace personally identifiable information with the words ‘ICANN redaction’. ICANN would also administer a credentialing program for third party access to redacted data, including for intellectual property owners, cybersecurity professionals, law enforcement agents, and other legitimate users.
A model submitted by iThreat Cyber Group provides yet another variation, creating a clear line between personally identifiable and non-personally identifiable information. The model proposes keeping public WHOIS accessible as it is today for registration data of legal persons, and ‘thin’ WHOIS data including the name of the registrar, creation/expiration dates, nameservers and status. Any sensitive data fields in WHOIS, such as the name of a natural person, should merely be replaced with the words ‘data withheld for privacy law compliance’.
In contrast to the four community models discussed above, a model submitted by eco, a German Internet industry association primarily representing ICANN contracted parties, takes a much more restrictive approach. We discussed this model in detail in a prior article. In short, however, this model makes no attempt to distinguish between processing of data of a natural person versus a legal entity. It strips out a registrant’s email address in WHOIS and fails to consider anonymized email addresses or other methods for gaining access to this information. The eco model recognizes that mitigating abuse is a legitimate interest for WHOIS users, but assumes that the only parties who will be responsible for handling such abuse are registries. The model ignores the many legitimate purposes such as cybersecurity, consumer protection, intellectual property enforcement, or law enforcement. These communities and users need quick and easy access to WHOIS. This model will clearly be a non-starter for a vast swath of the community, including intellectual property rights holders, law enforcement, consumer protection agencies, and general business and individual internet users.