Whois, We Hardly Knew Ye: GDPR Spells Doom For Domain Name Ownership Transparency

Cross-posted from our sister blog, Trademark and Copyright Law.

By now, our readers are likely familiar with the General Data Protection Regulation (“GDPR”), the sweeping, European Union-wide legal and regulatory regime that provides enhanced protections for personal data.  The GDPR, which goes in effect on May 25, 2018, is expected to reshape the digital data landscape in the EU and beyond.  My colleague Catherine Muyl provided a helpful GRPR overview back in January, and you can check out our Security, Privacy, and the Law blog for more information on GDPR implementation and its far-reaching effects on personal data.

Among such far reaching effects, it seems likely that the GDPR is going to adversely affect Whois and its critical role in intellectual property enforcement.

Whois? What’s That?

The domain name system is overseen by the Internet Corporation For Assigned Names and Numbers (ICANN), which contracts with domain name registries (the operators of top-level domains such as .com, .org, .co.uk, .ninja, and so forth) and domain name registrars (the entities that manage the reservation/sale of domain names).  Registries and registrars are contractually obligated to maintain databases of domain name registrant (owner) information via an ancient-by-internet-standards query and response protocol known as WHOIS, commonly spelled as “Whois” and pronounced “who is.”  In case you’re wondering, WHOIS is not an acronym, but merely the two words designed to answer the question, “who is the domain name registrant?”

Whois information provides a host of domain name ownership information, including so-called “thin” registration information including domain creation and expiration dates, and registrar identity, as well as “thick” information, including the registrant’s name and organization, contact information including physical address, telephone number, and email address, and the same information for administrative and technical contacts.  Thanks to the “thick” information, the Whois system is often a crucial tool for intellectual property policing and law enforcement.

Existing Whois Limitations

It should be acknowledged that Whois isn’t the perfect tool even in the best of times.  Despite the requirement that registrants provide complete and accurate ownership information and the (somewhat anemic) efforts by registrars to periodically confirm that accuracy, Whois information is frequently incomplete or incorrect.  Availability of Whois data varies by registrar and registry – there is no centralized Whois database for all domain names – and hunting for the right database can be a pain.

Additionally, Whois data can optionally be protected (for a fee) by a privacy service – this is a service, typically provided the registrar of record or an affiliate, which will “hide” a registrant’s true identity using generic Whois information specific to the privacy service, and with an email address that typically forwards emails to the “true” registrant.  Since they shield the registrant’s identity, privacy services can be particularly frustrating for intellectual property owners looking to enforce their rights against cybersquatters or otherwise infringing websites.  And while such services often have complaint procedures by which an aggrieved party can request the registrant’s identity if the registrant has engaged in unlawful activities, privacy service providers are not uniformly responsive to such complaints, and they often present a frustrating delay to enforcement activities.

First, The Bad News

So what happens when you combine a continent-wide, sweeping data privacy law and an already imperfect domain name ownership information system?  I’ll bet you can see where this is going.  For intellectual property owners, the results are likely to be predictably unpleasant in the short term, and probably won’t be much better going forward.

To start with, ICANN itself – with its various constituencies and stakeholders of sometimes clashing interests – has not yet finalized an interim compliance model for GDPR, with less than a month remaining until the May 25 implementation deadline.  A proposed interim model, distributed back in March for comment and discussion purposes, shows us what Whois might look like post-GDPR, but discussions are very much ongoing, and it seems increasingly likely that a good amount of Whois data is going to simply “go dark” as of May 25, 2018.  While Whois information availability is likely to vary by registrar and registry, here is what we’re likely to see on May 25 (if not sooner):

  • Registrant name and contact information will be redacted, missing, or otherwise inaccessible.
  • In the short term, it may not be possible to access such information, even for legitimate IP or other law enforcement purposes, absent a subpoena.
  • Similar to the existing privacy services, there will probably be a proxy email address where registrants can be contacted.
  • “Thin” Whois data, including technical information such as the name of the registrar, registration status, and creation and expiry dates, should generally remain available.

As you can see, the short-term landscape seems inconvenient at best.  Now what about the good news?

Sorry, More Bad News

I couldn’t helpful myself.

Now, since the GDPR only applies to the personal data of natural persons residing in an EU member country, you might reasonably expect two things to be the case: first, that Whois information for domain names owned by companies and organizations in the EU will be unaffected, and second, that all Whois information for persons and located outside of the EU will remain unchanged.

At least for now, this appears not to be the case.  First, ICANN’s interim model requires that, for various reasons, the restrictions apply to legal persons – that is, entities – as well.  Second, the interim model permits registries and registrars to implement the restrictions more broadly in any event.  Third, the time crunch combined with the practical and technical difficulties of implementing different Whois availability based on registrant location means that registries and registrars are going to err on the side of over-inclusion to avoid running afoul of the GDPR.  Finally, as it appears that the GDPR may be but the first of many similarly sweeping data privacy laws being rolled out in various jurisdictions worldwide, some registries and registrars are going to choose to implement restrictions as widely as can be permitted, anticipating multi-jurisdictional alignment on privacy concerns.

The upshot is that the GDPR-imposed Whois limitations are unlikely to stay confined to EU-based registrants, and that widespread adoption of these limitations, however they ultimately and officially manifest, is foreseeable.

What Does the Future Hold for Whois?

Over the next month and beyond, the ICANN community will work to develop and tweak a long-term Whois model.  As suggested in the interim model, it is likely that there will be some manner of “gated” access for “accredited,” authorized parties to access “thick” data, assuming such data continues to be routinely collected (which is hardly a foregone conclusion).

Many questions remain.  If there is an accreditation process, who can be accredited?  What will the accreditation process look like?  How will an accredited party request thick data?  What data will they receive, and how quickly?  Will it end up being more efficient to seek a subpoena?  All very good questions, and all frustratingly difficult to answer at present.  But it seems relatively certain, at this point, that the Whois we’ve come to know and love – despite its imperfections – is about to be a thing of the past.

How to Be Involved

If you are inclined to be proactive in addition to nostalgic with regard to Whois, brand owners and others concerned about these unfortunate Whois developments are encouraged to become actively involved in the ICANN community and policymaking process, either via commenting directly to ICANN after a long-term Whois model is proposed; joining the Intellectual Property Constituency (the ICANN stakeholder group representing the views and interests of IP owners); or by working with one of the many bar and industry associations, such as the International Trademark Association and the Intellectual Property Owners Association, dedicated to brand owner advocacy.

Leave a Reply

Your email address will not be published. Required fields are marked *