Concern is building for IP practitioners: the uncertain future of WHOIS

The EU General Data Protection Regulation (GDPR) came into effect on 25 May but organisations are still dealing with the fallout. Under the new regime, any organisation that processes personal data has to comply with the new obligations set out in the regulation. The GDPR’s main objectives are to create a unique framework for the protection of personal data within the European Union and to make organisations accountable. To this end, data processors are now obliged to:

• name a data protection officer in some cases;
• draft impact assessments in certain circumstances; and
• protect data from the outset, by default (in accordance with the principles of “privacy by default” and “privacy by design”).

The GDPR strengthens and guarantees the rights of individuals: added to rights of access, correction and opposition are the rights to data portability, to be forgotten and to compensation.

The extensive scope of the GDPR is particularly striking. Any organisation based in the European Union – or even outside the European Union but dealing with personal data concerning EU citizens – must comply with its requirements. Over the last several months, a multitude of stakeholders that previously paid little or no attention to data privacy regulations have begun to put in place measures to ensure that their processing complies.

The penalties that may be incurred in the event of breach of the GDPR are as high as 4% of the global annual turnover of a company or group (or €20 million, whichever is greater), to encourage the internet giants to take the new regulation seriously. As well, the GDPR offers organisations the opportunity to give more guarantees to users, who are becoming increasingly suspicious about the use of their personal data.

Among these, ICANN – the regulatory authority for the Internet in charge of administering TLDs – is starting to look like a bad student.

Indeed, ICANN’s contractual terms applicable before 25 May 2018 for registries and registrars of gTLDs, new gTLDs and ccTLDs clearly did not comply with the GDPR when it comes to personal data protection.

According to Article III.D of the ICANN Registrar Accreditation Agreement and Article 2.5 of the ICANN Registry Agreement, registries and registrars have to collect and make publicly available the contact details of any domain name registrant in the WHOIS database.

Fundamental incompatibility between WHOIS and the GDPR

For many years the European authorities have been drawing ICANN’s attention to the importance of lawfully processing personal data. It is therefore astonishing that ICANN has failed to take the necessary steps to bring WHOIS into compliance.

Created in 1982, WHOIS is a (relatively) free access database service, which provides information on the holder of a domain name (eg, surname, first name, postal address, email address and telephone number). However, its very existence gives rise to a significant problem with regard to privacy protection – the public nature of information held on domain name registrants automatically opens the door to the commercial exploitation of their data.

Just a few weeks ago, the processing effected by ICANN through the WHOIS service had a long way to go before it met the requirements of the GDPR, which mainly aims to strengthen citizens’ control over the use of their personal data.

In particular, the GDPR promotes the following main principles:

• There should be a legal basis and a clear and legitimate purpose for the processing of data.
• This processing should be kept to a minimum.
• There should be a limit to the length of time for which data can be stored.
• Individuals should consent to this processing.
• Individuals should be kept informed.
• The free exercise of rights by individuals should be upheld.

This inconsistency between WHOIS and GDPR is directly related to the purpose behind the creation of WHOIS, which was formed at a time when transparency was seen as a crucial aspect of the Internet. By publishing information on domain name registrants, WHOIS was intended to empower content providers and to deter the registration and use of domain names in bad faith.

Now that citizens are taking back control of their data, this principle of transparency is no longer at the top of the agenda. So WHOIS’s original objective is today in conflict with that of the GDPR.

Fresh eyes on an old problem

It is important to remember that the legal and regulatory framework for the processing of personal data was not created in 2018 by the GDPR.

France passed its first Data Protection Act back in 1978, in light of IT developments at the time. At the EU level, the Data Protection Directive (95/46/EC) is – until 25 May – the point of reference in this area and already applies to WHOIS.

As far back as 2003, the Article 29 Working Party on Data Protection (WP29) – which brings together all the European supervisory authorities – was pointing to WHOIS’s lack of compliance with the regulation on personal data and advocated for restricted access to the personal data of domain name registrants.

Similar concerns were subsequently raised by the WP29 in 2006 and 2014.

So why did ICANN only start to take account of these a few months ago?

First and foremost, it is not the usual practice for EU laws to apply to US authorities in this way. ICANN is a not-for-profit organisation under US law and, since its inception in 1998, has been dependent on the US Department of Commerce. The US administration only agreed to partially give up control of this authority in September 2016, which it did accepting that ICANN now falls within the realm of the United Nations.

A second reason for ICANN to finally sit up and take notice is the high amount of penalties provided for by the GDPR for breaches of its regulation, as well as the impact that a breach may have on reputation – especially in the current climate.

Third is the fact that the WHOIS service has long been used by a multitude of stakeholders to combat cybercrime (ie, counterfeiting, phishing and online fraud) and to defend rights, including IP rights. ICANN no doubt feared the reaction of these users if it were to anonymise personal data held on WHOIS, in compliance with the GDPR. Today, it has no choice but to face them.

Stakes and consequences of the GDPR applying to WHOIS

WHOIS and IP rights

From its creation, the WHOIS service made it possible to identify any person who initiated a transfer of information on Arpanet, the ancestor of the Internet.

In the vast majority of domain name extensions (whether generic or geographic) the information entered in the WHOIS database is declarative in nature. However, accurate entries still provide valuable information about domain name registrants.

Someone seeking a domain name can easily contact the registrant to make an offer of purchase, while consumers can use WHOIS to check the trustworthiness of a website. However, the database is perhaps of most interest to rights holders and IP professionals.

Due to the democratisation of domain names, rights holders and IP professionals have increasingly had to cope with action that infringes IP rights. The imagination of cybersquatters seems limitless. So far rights holders have had to deal with typosquatting, dotsquatting and pornsquatting, with the latest refinement being IDN homograph attacks. Nowadays, it is almost impossible for a well-known trademark not to have repeatedly faced such issues.

On being confronted with such actions, the first reflex of aggrieved rights holders or IP professionals is to seek evidence about the domain name registration (eg, the geographical origin and age of the domain name and, above all, details identifying the holder).

They can then use this to contact the registrant to settle disputes amicably or else to defend trademarks through court proceedings or alternative dispute resolution (ADR) procedures. However, it is clear that many malicious registrants publish false data in order to avoid being identified.

According to a 2016 study published by ICANN, only 35% of domain names listed in the WHOIS database provided a correct telephone number, email address and postal address.

Contact information anonymisation services: a first step

In addition, there are the privacy implications. Clearly, WHOIS is not just used for legitimate purposes. Some companies today specialise in sucking up WHOIS data and selling it on to dubious third parties. Many domain name holders are subject to extensive spamming campaigns that have been facilitated by the dissemination of their WHOIS details.

This is why, over time, the registration of domain names via proxy services provided by registrars has become widespread. This private procedure for registration has developed as a way to protect domain name registrants from their data being used for illegal purposes (eg, spamming, scams or identity theft).

WHOIS proxy services certainly protect the privacy of registrants. However, they also complicate the task of the professionals who intervene to protect IP rights. While these professionals may request that registrars disclose registrants’ data for legitimate purposes, if the registrars refuse, the IP professionals’ only recourse is to obtain a court order.

At the ICANN meeting in San Juan, the GAC stated that the systematic masking of email addresses should not go ahead Picture: Gary Ives/Shutterstock.com

Applying the GDPR to WHOIS

The full anonymisation of WHOIS data would indeed comply with the GDPR’s requirements. However, preventing direct contact between rights holders and their representatives on the one hand and registrants of disputed domain names on the other will deprive the former of an invaluable course of action – or else significantly increase the time and the associated costs. It could lead rights holders into lengthy and costly procedures (eg, requests for anonymity to be lifted or the commencement of court proceedings or ADR for the transfer of the domain name or the conviction of the registrant). There are fears that this could have a chilling effect and discourage rights holders from acting in cases where a mere formal notice could have enabled them to recover an infringing domain name simply and quickly.

Full anonymisation is also likely to give rise to a major problem for trademark owners and their counsel further down the line: the impossibility of determining whether a registrant is acting in good or bad faith.

When a domain name appears identical or confusingly similar to a prior IP right but the infringement is not clear cut, the answers to the following questions can be crucial when it comes to deciding whether action should be taken:

• Does the registrant have prior rights or at least a legitimate interest in the disputed domain name?
• Does the registrant have a competing or complementary business?
• Has the registrant demonstrated a pattern of such conduct?

Currently, it is often possible to learn the answers to these with a WHOIS search. However, if rights holders can no longer access such information without having to initiate proceedings to lift anonymity, they may run out of steam and be tempted either to multiply domain name recovery procedures without first checking the possibility of limiting the action to the most troublesome domain names or to simply leave domain names in the hands of malicious registrants.

The UDRP allows a trademark owner to include several domain names in a single UDRP provided that they have been reserved by the same person (or are under the effective control of the same person, a principle known as ‘consolidation’). In 2017 the average number of domain names per complaint was about 2.1 according to the website www.dndisputes.com. However, if rights holders are unable to easily identify the registrant of a domain name, there is likely to be a sharp fall in the number of complaints made using this consolidation mechanism. This in turn would force rights holders to file more complaints merely to obtain the same number of name transfers.

According to statistics provided by WIPO’s Arbitration and Mediation Centre, four countries in the European Union (the United Kingdom, Spain, France and the Netherlands) figure among the top 10 countries with the highest number of UDRP respondents. This demonstrates a clear interest in accessing the contact information of numerous registrants in jurisdictions covered by the GDPR.

Cookbook – first proposed provisional model

Conscious of the penalties that the GDPR is going to expose it to and having been warned on numerous occasions by the WP29, over several months, ICANN has put in place a tedious process to ensure that WHOIS complies with the GDPR:

• Since 31 July 2017 registrars have been required by ICANN to obtain the consent of domain name registrants with regard to the publication of their personal data in WHOIS.
• On 2 November 2017 ICANN – in view of the contradiction between the GDPR requirements and the contractual terms imposed on registrars – undertook, under certain conditions, not to act against registries or registrars that failed to comply with their contractual obligations with respect to data registration.
• A leadership dialogue was then opened between the WP29 and ICANN to seek clarification on the GDPR’s application.
• Having proposed several models, ICANN finally turned to a provisional model – the so-called ‘Cookbook’, a draft of which was published on 8 March 2018.

The Cookbook was intended to ensure that – as a matter of urgency – WHOIS complies to a minimal extent and in the short term with the GDPR’s requirements before the current system is overhauled. It was setting out proposals designed to make the WHOIS service comply with the GDPR.

This provisional model was based on some key specificities, such as:

• the anonymisation of certain categories of WHOIS data, especially the registrant’s identification number, surname and first names, postal address, email address, telephone number and fax number – these could either be anonymised or replaced by a contact form;
• differentiated access to data by layers; and
• the development of an accreditation programme for access to the WHOIS database.

In this way, ICANN not only planned to restrict access to certain information and to reserve access to trusted third parties, but also to carry out – with the help of registries and registrars – an impact assessment on the data of individuals affected by the processing.

Clearly, such a procedure would be implemented over a long period, during which ICANN would remain under the threat of penalties being imposed by European data protection authorities.

ICANN thus requested leniency from the European authorities and a moratorium on compliance by WHOIS in a letter addressed to the WP29 on 26 March 2018. This letter was subsequently denied.

In a letter of 11 April 2018, the WP29 welcomed ICANN’s proposals with regard to the principle of putting in place accreditation measures and a system of differentiated tiered access to data. However, it also pointed again to the overly general nature of the measures evoked by ICANN. In particular, the letter made the following points:

• With respect to the purpose of the processing, the WP29 blamed ICANN for having failed to have set out, in an exhaustive list, sufficiently clear and explicit purposes.
• With regard to the legal basis of Article 6 of the GDPR – which exhaustively lists the terms on which personal data may be processed lawfully – the WP29 states that each purpose must have its own legal basis and takes the opportunity to remind ICANN that consent can be valid only if it is unconditional and given with the possibility of withdrawal (in accordance with Article 7).
• With regard to the tiered access system proposed by ICANN, the WP29 encouraged ICANN to go further in this direction and to make headway in preparing the accreditation programme.
• The WP29 further encouraged ICANN to explore a range of mechanisms in the form of codes of conduct to be used to identify third parties with a legitimate interest in accessing the non-public WHOIS data.

Finally, just a few days before the entry into force of the GDPR, ICANN adopted its provisional model by deliberation on 17 May 2018.

A contested provisional model

The provisional model adopted by ICANN was supposed to reconcile respect for the GDPR with the interests of IP practitioners.

As expected, this model introduced stratified access to the registrant’s personal data. The personal data is hidden by default but remains accessible to third parties with a “legitimate purpose”. In addition, the registrant can consent to the publication of their personal data. In this case, the WHOIS of the domain name will display the same information as in the past.

However, despite the time and resources that have gone into its development, it is clear that this provisional model is far from satisfactory to everyone.

In particular, the process for accessing the contact details of a domain name registrant is costly and time-consuming for professionals who will have to practise it on a daily basis – although it does at least usually result in the communication of the requested contact information. It is also possible that under the new system, some services may even become unavailable, including reverse WHOIS, registrant watches, domain monitoring or UDRP consolidation.

Clearly, the rights holders, who will bear the cost of this process, are the real victims of this increase in the burden of the procedure.

There are also fears that the provisional model does not even comply with the GDPR’s requirements with regard to the amount of identification information that ICANN requires registries to collect and the legal basis of this processing (in this case the consent of the person whose data is being processed).

As a result of this inconsistency between the provisional model and the GDPR, the first conflict has already arisen.

On 25 May 2018, the same day as the GDPR entered into force, ICANN filed an action against the registrar EPGA in Bonn (a TUCOWS company) – the second most important registrar in the world – for non-compliance with its contractual commitment, which EPGA considered inconsistent with the GDPR.

In addition to its desire to take action against this breach of its contract, there may be other reasons to explain ICANN’s behaviour.

First, the action was a means for ICANN to quickly obtain a judicial opinion on the level of compliance of its provisional model and to integrate this into a final, future model.

Moreover, it enabled ICANN to pressurise other registrars, which might have been hesitating over whether to follow its requirements.

On 29 May 2018 a Bonn court ruled in EPGA’s favour, considering that the provisional model of ICANN is contrary to the GDPR because it breaches the principle of minimisation of processing; in addition, it does not clearly set out a legal basis for the processing. The judges thus considered that ICANN could not impose an illegal contract on its co-contractor, so the EPGA’s refusal to apply it was legitimate.

After this setback, it is likely that other registrars will follow EPGA and refuse to apply ICANN’s provisions, contributing to the further fragmentation of the domain name system.

A delicate balance of interests

Achieving compliance remains difficult because ICANN is under pressure from all stakeholders whose interests it is trying to reconcile: on the one hand, those related to the entry into force of the GDPR and the accompanying penalties and, on the other hand, the many users of the WHOIS service – the foremost of which are judicial authorities and rights holders, which wish to continue to have access to WHOIS data.

If the draft model provided by ICANN does not suit the WP29, it does not seem to suit defenders of IP rights either.

It is against this background that at a meeting in San Juan, Puerto Rico in March, the Governmental Advisory Committee (GAC) – ICANN’s advisory committee – asked ICANN to review its project, underlining the particular need:

• to refrain from the systematic masking of email addresses, which would have a disproportionately negative impact on cybersecurity;
• not to use the GDPR to justify purely pragmatic decisions (eg, data masking registrants that are legal persons), since the GDPR applies to individuals only – on this point, the GAC seems to have ignored the fact that the reservation of a domain name on behalf of a legal person is likely to be carried out by an individual whose data may appear in the WHOIS database (eg, the administrative contact listed in the WHOIS database) and who must therefore comply with the GDPR; and
• to review the territorial application of the measures envisaged, so that they would apply only to registrants in the European Union and to registries and registrars based in the European Union (a so-called ‘Facebook’ approach to the problem) – on this point, more and more ccTLD registries, even outside the European Union, are modifying their own WHOIS policies to comply with the GDPR (most recently, the Taiwan Network Information Centre on 9 May).

ICANN’s proposed Cookbook largely leaves open the question of how the accreditation programme – presented as being the solution to legitimise access to certain users – would be implemented in practice.

Given the lack of time to implement such a programme, ICANN has only two options. First, to set up a temporary self-accreditation procedure. Second, to block all access to WHOIS data until an appropriate accreditation system is in place.

In our opinion, the second option is unthinkable.

However, ICANN’s current proposals not only fail to satisfy the authorities in charge of enforcing the GDPR, but are also a cause for concern among IP stakeholders, which are protesting against the current draft scheme.

On 1 April 2018 INTA published a statement urging the entire trademark community to ask the GAC to pressure ICANN into maintaining as much of the current WHOIS as possible and, in any event, to quickly provide a suitable solution to allow legitimate access to masked data. For INTA, the overly broad scope of the current model (in particular, because of its application to both natural and legal persons with no geographical restrictions) exceeds the scope of the GDPR. INTA also asked all parties to combine their efforts to reach an agreement on a provisional accreditation system which, as it stands, would probably not be ready for six months or more.

On 29 March 2018 digital threat protection company RISKIQ published an open letter asking the GAC and ICANN’s board to amend the proposed model so as to ensure the stability and security of the Internet.

Also in March, the US Department of Commerce – reacting to a decision by GoDaddy (the world’s largest domain registrar) to mask the personal details of over 50 million domain name registrants and to restrict access to its WHOIS service – made public a letter to ICANN in which it put pressure on the organisation to investigate the measures taken by GoDaddy that it considers contrary to ICANN’s standpoint and the terms of its contract with ICANN.

It remains to be seen whether the European authorities will be lenient with ICANN in light of its recent efforts, or whether they will use its tardy action as grounds for punishment in order to make an example of it.

Possible solutions

Finding a solution that would enable both compliance with the new European legal framework on the protection of data privacy and WHOIS to be used legitimately by the IP industry is a daunting challenge and seems achievable in part only.

Given the WP29’s strict interpretation of the GDPR, it is likely that there will be a swing towards personal data protection, to the detriment of the future use of WHOIS.

In order to ensure that WHOIS complies with the GDPR, it seems that ICANN will need to review part of its provisional model, particularly with regard to the points raised by the Bonn judges, namely limiting the data collected by registrars to what is strictly necessary. This data could, for example, be limited to personal details without extending to technical and administrative contacts.

It seems that ICANN will also need to find a real legal basis for WHOIS data processing. According to the GDPR, the processing of personal data is lawful only if it is based on one of the legal bases listed in the text with restrictions, namely where processing is:

• necessary for the execution of the contract;
• justified by a legal obligation;
• justified by a public service mission;
• justified by a vital interest;
• justified by a legitimate interest; or
• justified by the data subject’s free consent.

At the moment ICANN is attempting to justify the collection of personal data by securing the consent of the data subject.

However – as highlighted by EPAG’s lawyers – the registrars’ current methods of obtaining consent do not meet the requirements of the GDPR’s principle of ‘free consent’ since providing consent is a condition to accessing the service offered by ICANN.

It appears that ICANN needs to come up with a solution to meet the strict requirements of the GDPR on this point, either by ensuring that a person can freely give their consent (which means that, in the event of refusal, they can still acquire a domain name), or by using another legal basis.

ICANN also needs to reflect on how to better facilitate access to WHOIS data for legitimate third parties, such as IP practitioners.

To meet the different interests involved, it will be necessary to guarantee continuous access to WHOIS where this is legitimate. This is at the core of the WHOIS reform and, frankly speaking, it should always have been, even if there were no GDPR.

As can be seen from the exchanges between the WP29 and ICANN, the goal is to allow stratified access to domain name holders’ contact details so as to restrict data access to legitimate third parties only, thus respecting the privacy of domain names registrants.

Nevertheless, as discussed above, finding the right balance remains tough. Those with legitimate reasons should be able to access WHOIS without being subject to an offputting procedure. At the same time, it is necessary to ensure that WHOIS can cope with processing a considerable volume of new types of requests by registries and registrars.

It remains to be seen whether ICANN can develop an accreditation process that is both reliable and effective.

One possible route for ICANN would be to distinguish between two types of access, depending on the applicant’s needs. For instance, one group might include individuals who need regular access to WHOIS data. This might include, for example:

• cybersecurity professionals;
• IP rights holders and law professionals; and
• public security organisations, as proposed by the Intellectual Property Group, Business Constituencies and the At-Large Advisory Committee working on this topic at ICANN.

Members of this group could be given a personal and secure identification key to facilitate data access. They would not be allowed to access all WHOIS data in a generalised manner – otherwise, the accreditation would be so extensive as to be meaningless. It would also be better that the need for such individuals to demonstrate their legitimate interest in accessing particular data be subject to a simplified procedure.

This accreditation, and therefore identification, would make holders of this privilege more accountable and thus avoid possible malicious exploitation of the data. Obviously, the granting of such access should also be subject to strict, supervised and up-to-date procedures.

The second group might include individuals who do not regularly fall into the first category. So any person could occasionally make a request for access to a registry or registrar WHOIS service, which would apply a series of pre-defined and objective criteria to determine whether the applicant has a legitimate interest in accessing the data.

ICANN intervention to avoid access models fragmenting

Whatever system ends up being put in place, it is essential that the different procedures for accessing WHOIS data be harmonised and effective on an international level, so that they do not constitute a barrier to the defence of IP rights.

Before the entry into force of the GDPR, the threat of penalties hovering over registries and registrars had already led to some fragmentation of the system. Some registrars had decided to apply the anonymisation required by the GDPR (eg, dot.Amsterdam and FRL Registry in the Netherlands, Nominet in the United Kingdom and NIC.PL in Poland). Others had chosen to open up their WHOIS data to registrants who pay for access only (eg, CoCCa) or filter access to WHOIS by requiring the signing of a service contract (eg, dot.Amsterdam). Still, others were continuing to allow free access to the personal data of domain name holders.

Since 2006 – when registrations in the ccTLD ‘.fr’ were opened up to individuals – the French registry, Association Française pour le Nommage Internet en Coopération (AFNIC), had put in place a procedure for the anonymisation of WHOIS data known as ‘restricted dissemination’. This applied by default to any natural person registering a ‘.fr’ domain name. Under it, the contact details were accessible only in the event of a legitimate and reasoned request addressed to AFNIC’s management. This model was (requested and) validated by the French Data Protection Authority.

A similar mechanism was operated by DNS BELGIUM since 1 March 2008 for domain names in the ccTLD ‘.be’.

Given the diversity of these existing practices, ICANN had all the cards in place to bring the WHOIS service into line with the GDPR. It was ICANN’s responsibility to lead the way and explain precisely to registries and registrars how they could ensure that legitimate third parties could access information necessary to protect their best interests, while meeting their new obligations to protect individuals’ data.

However, just a few weeks after the entry in force of the GDPR, the weakness of the provisional model has led to fresh cracks in the domain name system. So how will ICANN get out of this impasse? It has committed to publishing a new model within the next 12 months. Hopefully this will do a much better job of meeting not only the GDPR’s requirements but also those of IP practitioners and rights holders.