Enforcement in an era of data privacy and redacted WHOIS

Since it came into force last year, the EU General Data Protection Regulation (GDPR) has made headlines for the way in which it has affected the information available to rights holders – and is far from the only data legislation affecting enforcement efforts. In this exclusive roundtable, four trademark and domain experts – Corsearch’s Stephen Stolfi, Luc Seufer of EBRAND Services Group, MarkMonitor’s David Cooper and David Steele of Tucker Ellis – provide critical insight into the challenges emanating from the ICANN world and explore best practice in enforcement efforts, including a deep dive into URS and UDRP decisions, policing efforts in a GDPR world and how to prioritise defensive registrations.

Looking at the impact of the GDPR on WHOIS access as it currently stands, has it been as negative as first feared and why?

Stephen Stolfi (SS): Yes, it has had a negative impact, but we are productively embracing it as a company, appreciating the legal importance of the GDPR, but trying to balance and address the challenges that it brings to enforcement efforts and IP interests. The amount of time and resources that companies and law firms have had to commit in order to comply has been significant. At Corsearch, we ourselves have invested significantly. General Counsel and Privacy Officer Diane Plaut – a certified privacy professional – has lead and advised our commercial organisation to ensure that we have a fully comprehensive and legally compliant data protection framework and has educated our clients through articles and webinars on the law, what is happening within ICANN and the resulting practical commercial implications. Ms Plaut sat on the Phase 1 Expedited Policy Development Process (EPDP) Team on behalf of the Intellectual Property Constituency and now sits on the Implementation Review Team for the EPDP work generated from Phase 1 to finalise the policy to go into effect.

Unfortunately, the decrease of information through redaction caused by GDPR implementation has enabled bad actors to thrive because they are protected by restrictions on WHOIS access – permission is now needed to identify individual information – which has made it much more difficult to find and track down infringers and counterfeiters. Brand owners have had difficulties obtaining disclosure of the now-redacted registrant details and disclosure rates have been low despite their legitimate interest. So-called ‘thin’ WHOIS data is not sufficient, while ‘thick’ WHOIS data is not available because the bad actors are not going to provide consent. These bad actors continue to grow and thrive under the new framework, harming the very consumers that the GDPR was intended to protect, including through the sale of online counterfeit goods, phishing and other fraudulent activities.

David Cooper (DC): While there has not been a total WHOIS blackout, our predictions regarding the absence of vital registrant data have largely come true. Only a tiny percentage of information is now available to the public and this has had a considerable knock-on effect for brand protection professionals. Following the GDPR, many domain name registries and registrars have opted to redact registrant contact information from public display in their WHOIS records. This has affected brand protection efforts as brand owners and enforcement teams can no longer obtain the names and contact information that they need from public WHOIS databases. In fact, after the GDPR came into effect, we found that our WHOIS queries returned little or no public registrant data, so our team has had to request non-public WHOIS data from registrars and registries directly, with limited success. As a result, we have had to adjust our enforcement strategies and processes to adapt to a post-GDPR world. This has resulted in a 12% loss of operational efficiency in the performance of our brand enforcement activities.

David Steele (DS): I actually think that it is still too early to tell whether the full impact is as negative as feared. Several popular services (ie, Domain Tools) still make older data available to subscribers and not all registrars have complied with ICANN’s Temporary Specification yet. Therefore, some WHOIS data is still available for many domain names. Importantly, since WHOIS data started becoming unavailable, we have seen notable increases in domain name-related phishing campaigns. It also appears that the number of multi-domain name UDRP complaints has dropped as brand owners struggle to identify registrants and correlate commonly owned domain names. As the available WHOIS data becomes older and as more registrars disable access to it, it will become more difficult to determine the identity of domain name registrants – only then will the full impact of the GDPR on WHOIS be more fully appreciated.

Luc Seufer (LS): While the apocalyptic scenario painted by some vocal actors has not happened, it is certainly more difficult to enforce our clients’ rights as efficiently as before. Although WHOIS data was never useful for uncovering the identity of infringers – who are smart enough not to use their own details – it allowed us to discern patterns and to act by anticipation against domain names registered for, but not yet used for, infringing purposes. With the WHOIS details not readily available, we now have to find other data elements to ensure that our monitoring and reaction times remain at the level expected by our clients. The most important obstacle that we face is the fact that certain registrars refuse not only to take any action, but also to disclose the details of the registrants. Ironically, in most of those cases, the GDPR does not apply in the first place as once the information is obtained – whether through a court order or a UDRP procedure – we realise that neither the registrar nor registrant is subject to EU privacy laws.

In terms of the current picture, how should brand owners adapt their enforcement strategies in light of the GDPR?

DS: First, it is important to note that the GDPR and a lack of WHOIS data has not made enforcement impossible – just more difficult. So brand owners should not stop or curtail their efforts – they should simply realise that our jobs just got harder. In terms of practical advice, I would start by suggesting that brand owners increase the amount of information gathered and broaden the sources of that information. Simple WHOIS queries may no longer be possible but there is still a lot of information available. Finding and querying that information and then putting it together can still provide much of the picture needed to make informed, business-driven decisions. Also, as was mentioned earlier, archived WHOIS information is still widely available from numerous sources and is still helpful. Similarly, domain name watching services and other commercial services companies provide additional information and services (some for a fee or higher fee than the basic service) and some of that information may now be worth looking at, even if it costs a little more.

SS: Without access to complete WHOIS information, brand owners have had to adapt their strategies. The new strategies are more expensive and involve higher legal costs, resulting in an increase in using third-party providers of data. Brand owners will have to contact the registrar to disclose non-public information or to submit a cease and desist letter so that they can move more quickly in filing a UDRP or a lawsuit. Arbitration has also become more difficult because it is harder to track down a registrant’s identity. Brand owners are now seeking out alternative ways to track down infringers via monitoring online marketplaces or social media forums where the bad actors publicly identify themselves.

LS: Brand owners should make use of tools designed by IP specialists. WHOIS data is not the only source of information that allows us to discern patterns and identify the holder of a domain name. Other data elements (eg, name servers, hosting IP addresses, SSL certificates and website codes) can be cross-referenced. This is not to say that WHOIS data may not still be obtained. Most registrars and registries have set up a disclosure process to allow third parties with a legitimate interest to access the redacted WHOIS details. However, at the moment there is no uniform disclosure system or procedure and certain registries and registrars will disclose redacted data only on receipt of a court order. Therefore, it is best not to rely solely on WHOIS data to conduct an efficient enforcement strategy.

DC: Brand owners ultimately need to seek alternative methods for finding the information that they need to identify copyright and trademark infringers. This means revising methods within their traditional three-step approach of investigation, identification and enforcement. Identifying registrant contact information now takes more time and requires a greater deal of human intervention. Compliance departments and brand enforcement teams must now trawl through infringing websites to identify the necessary information, while businesses may need to hire more employees to ensure that enforcement strategies are actioned effectively. Brand owners should also look towards brand protection technology and experts to provide additional support. Many will have evolved their brand protection offering post-GDPR to ensure that customers can maintain effective brand protection while remaining compliant with the GDPR guidelines. Brands also need to be prepared to go to the courts to access any registrar or registrant information, which leads to increased litigation costs. This is something that all brands should factor into their protection plans.

What tools and systems are available to help in these endeavours?

LS: There are two types of tool available. First, monitoring tools can still be used to detect potential and actual infringements. These make it possible to minimise the harm caused to a brand by acting as soon as the infringing registration or use is detected. Second, the majority of registries and registrars redacting WHOIS details have put into place an online relay system allowing them to contact domain name registrants without having access to their personal data. While most registrants may not comply with brand owners’ requests as they were already fully aware of their infringing use, it still allows brand owners to resolve the odd case where a registrant unintentionally infringes on a third party’s right. It also serves as evidence if the judiciary or extra judiciary route is taken.

SS: Online brand protection providers offer tools and systems for monitoring brand infringement and many give access to archived WHOIS data. This information is captured as a snapshot and is helpful in providing historical WHOIS information that would otherwise not be available, although obviously it is not 100% reliable because it is not up to date. Investigation companies and traditional research can help track down identifying information not publicly available. For example, an investigator can get to an infringer’s website to find information about a potential infringer’s address or identity. Subscribing to a domain name watch service also provides early notification of an infringing domain name. In certain circumstances, take-down letters can also be sent to web hosts and brand owners, and their attorneys can perform free NSLOOKUPS to find IP addresses associated with an infringing domain name or website.

DC: Following the implementation of the GDPR, there will no doubt be an evolution in brand protection technology that aims to replace the need for WHOIS. We expanded our own data technology to help businesses access the information that they need to maintain their brand protection efforts, which will only become more essential as time goes on. There are other methods that brand owners can use to help improve the enforcement process, such as checking the domain name nameserver to correlate other possibly related domain names. By doing so, they may be able to identify where infringing or harmful domains are under common control. Similarly, even if the address field in WHOIS provides only the state or country of the registrant of the domain name, that information may still be useful to direct to a US-based secretary of state corporate database or a country’s trademark office.

DS: I would say that there are a number of tools; some are fee-based services and others are free. The most commonly used ones are Domain Tools’ collection of services, including WHOIS and historic WHOIS data. Domain Tools also offers reverse WHOIS tools, which allow a brand owner to search an email address or name and find all the domain names associated with it. These tools are still helpful, even with access to current WHOIS data being restricted. However, there are also a number of other tools available for finding historic WHOIS data. For instance, an internet search for “tuckerellis.com WHOIS” may show cached copies of the WHOIS data for that domain name. Another often overlooked source of WHOIS data for domain names at GoDaddy is ‘https://www.godaddy.com/WHOIS’. While the company has turned off port 43 access to most WHOIS data, single WHOIS records can still be obtained via its website.

Another tactic that a brand owner can employ when a domain name is being used for malware or a phishing attack is to contact the hosting company and the registrar’s abuse emails. This often results in the website being promptly disabled, and sometimes the domain name is simply deleted by the registrar. I often purchase Snapnames’ backorder service to register domain names when they expire (or are deleted by the registrar). Similarly, when appropriate, I will report a domain name to phishtank.com.

Looking ahead, the ICANN community is due to formulate an access model for parties that need to use WHOIS data for enforcement purposes. How would you like that to look, and how positive are you that a favourable model will be created?

DS: I would like to see licensed attorneys have access to data using a much more streamlined process. Having to obtain additional licensing or additional access credentials or having undue technical constraints will significantly deter access by many brand enforcement professionals who clearly need this information. Unfortunately, I am not at all confident that a favourable model will be created.

SS: I am in favour of allowing access for legitimate purposes and the plan that has been circulated makes sense if it can be implemented expeditiously and judiciously. Setting a uniform method giving access to full thick WHOIS data to a defined set of user groups (ie, authenticated users with a legitimate interest), rather than needing to request data from registries or registrars on an individual request basis, makes sense. I think the two categories proposed – public law enforcement and other governmental authorities, and defined categories of private third parties that are bound by codes of conduct to protect personal data – sound reasonable and I believe that setting up an accreditation process for third-party providers with proper oversight is sensible to allow query access of complete WHOIS data for accredited/sanctioned users.

LS: There is no doubt that phase 2 of ICANN’s Expedited Policy Development Process will give birth to a standardised system for access and disclosure. However, this will be more useful to law enforcement authorities than to IP owners. In order to comply with the GDPR and other data privacy laws, this system will most probably be solely a conduit for requesters to address their disclosure requests to registries and registrars via a single point and according to a pre-defined template. However, the decision to disclose will remain with the data controller of the personal data (ie, the registries and registrars). While it will be helpful to have a single point of contact instead of having to deal with the maze that is currently WHOIS, this system will never restore the level of access available pre-GDPR.

DC: Ultimately, it is vital that a proper, centralised accreditation and access model is developed. With a universal access model, requirements for access will be consistent, so all requesting parties will know where they stand and legitimate brand protection efforts will be much easier to carry out. The current model proposed by ICANN provides a decent foundation but there is still more work to be done. Therefore, it will be a considerable time before we finally see a uniform accreditation and access model in place.

Are there other data or privacy developments that could affect future enforcement efforts?

LS: The fast adoption of privacy acts in more and more countries will undoubtedly lead to the redaction of more WHOIS databases. But in the meantime, it seems that legislators are also trying to provide tools for rights holders to defend their rights. In Europe, the so-called E-evidence Directive and the Copyright Directive may be helpful as they put more responsibility on technical intermediaries such as hosting companies, domain name system hosting providers and registrars. Nonetheless, rendering technical intermediaries liable instead of the actual infringers is not ideal for obvious reasons.

DS: I think there are numerous developments of note. The first is the California Consumer Privacy Act 2018, which will take effect on 1 January 2020. This state law, which is similar in scope and effect to the GDPR, has a broad reach beyond California and will likely affect the privacy/WHOIS landscape (especially given that ICANN is located in California). Moreover, there are numerous other similar state laws being drafted around the United States, while several other countries have similar laws coming down the pipeline (countries where registries or registrars are located will likely cause another level of complexity).

SS: I agree that the European Union’s efforts are just the beginning of increased legislation regarding data privacy. The California Consumer Privacy Act has significant geographic scope, which will broadly apply to businesses (regardless of location) that collect personal information about California residents, including customers and employees that meet certain numeric thresholds. This will require significant compliance measures and result in investment for companies globally. Several other US states are expected to pass comprehensive privacy laws in 2019-2020 as well. Further, many countries around the world are enacting laws that are similar to the GDPR, which will affect the global economy, the legal landscape and enforcement capabilities. For example, the General Data Protection Law takes effect in Brazil in February 2020. Like the GDPR, this applies extra-territorially and grants broad individual rights of privacy to citizens.

DC: Domain name data has always been shared using traditional Port 43 WHOIS, but in August the Registration Data Access Protocol (RDAP) was announced as the new mechanism for formatting domain name ownership information going forward. The main benefit of this new protocol will be the consistent labelling and display of all the various data fields. For example, whereas Port 43 WHOIS allowed for free-form data, RDAP does not, meaning that there can be no confusion in the country field listing. For example, ‘US’ will always be listed as such, rather than any other variants (eg, USA or United States). In addition, RDAP also requires that the country code output match the ISO 3166-1 alpha-2 standard, which is conveniently used for ccTLD assignment. This makes it far easier for brand owners and cybersecurity professionals to identify trends in cybersquatting, phishing, botnets and other threats. The timeline for implementing the new protocol has not yet been confirmed but it is anticipated that it could be as early as 2020.

There is an ongoing review to rights protection mechanisms (RPMs), with the UDRP also due for review. Are there changes that you would recommend in light of the impact of the GDPR?

DC: ICANN is currently evaluating all of the new RPMs that were implemented for the new gTLD programme, as well as historic RPMs, such as the UDRP. We do not see the UDRP or URS fundamentally changing in terms of the RPMs because rights holders are finding them reasonably effective and helpful. However, there are a couple of things that could alter. First, the expansion of the number of UDRP/URS providers – some argue that there are not enough providers for these kinds of claim. ccTLDs are not required to follow UDRP processes in the same way that gTLD providers are; therefore, ccTLDs registrants have no dispute resolution mechanisms. One change that we might see is that ccTLD operators facilitate administrative UDRP providers to allow for more global coverage. Second, there are always discussions about the cost for brand owners to file UDRP proceedings in order to protect their trademark. So we could see changes in the costs, although these would need to be substantial. The filing fees have to be high enough that you do not have spurious claims, but at the same time not too financially damaging to brands that have multiple marks and are independently filing UDRPs.

SS: The protection mechanisms in place are sensible but they need to be improved to be practical and effective tools for rights holders in the long term. The trademark claims process also needs improving. There should be an option for blocking the registration of registered marks, in addition to notifying brand owners of the mark. While some blocking mechanisms are available, there is no reason that they should not be connected with and accessible through the Trademark Clearing House. Finally, the URS is a mechanism that nicely complements the UDRP process, but it is under-utilised because the burden of proof is high, so it is not that fast or simple to use. In addition, it provides a suspension mechanism only and has procedural limitations. So this is not a fully adequate solution. For the URS to do what it was meant to do, it must be totally overhauled and simplified. The GDPR implementation has only amplified the need for more practical and effective solutions.

DS: The UDRP has been extremely effective for brand owners over many years, so I would be hesitant to recommend substantive changes to policy. However, the impact of the GDPR on the WHOIS system has created several problems with the UDRP complaint process, which I believe should be corrected. As one can imagine, it is more difficult to draft a complaint when you are not sure who the actual respondent is. However, these issues can be more easily addressed by the ICANN community by changing the UDRP rules (not the UDRP policy). One change I would recommend would be to permit complainants more time to amend their complaints to correct so-called ‘deficiencies’ that result from not knowing the true identity of the domain name registrant. Such an extension would also allow complainants to conduct additional research (with the registrar’s cooperation) to identify other infringing domain names owned by the registrant. A related change would be to loosen the standard for combining multiple respondents (registrants) in a single complaint.

LS: The UDRP review is separate from the other RPMs and will not happen within the next couple of years. The review of other RPMs is mostly finalised. From a data privacy perspective, RPMs are easy to deal with as the purpose and role of every actor in the personal data handling process is clearly defined. If the standardised system for access/disclosure does not include it, a lighter and cheaper process based on the UDRP administrative process should be made accessible to brand owners so as to allow them to access redacted registrant data for the sole purpose of assessing the registrant’s right to – and any bad faith associated with – its registration.

What arguments could counsel make for an increased budget to meet enforcement challenges in the ever-evolving online and data environment?

DS: Brand values continue to soar and companies must protect that value now more than ever. Moreover, as consumers and commerce continue to move online, the importance of online brand protection has never been higher. Unfortunately, the GDPR makes those efforts harder and more expensive, but cutting back enforcement efforts due to costs is unlikely to be in the brand owner’s best interests. Brand owners can also quantify the value of enforcement to the company – similar to a return on investment calculation. For example, one client tracked the number of consumers who landed on mistyped domain names that had been recovered from cybersquatters and then tracked the income from those consumers. There are a number of studies on the financial harm to brands from online abuse, and these should be reviewed and cited where appropriate. Many brand owners could also take steps to be more cost efficient with their online brand protection efforts; they could then reference these efforts when advocating for increased budgets. An important step is to develop an actual online brand protection strategy for the company (ie, identify what really matters for your company and why, then focus on that). Knowing what problems exist and need to be fixed, as well as problems that are likely to crop up, can help to create certainty and stability. Selecting the right vendors, firms and attorneys specialised and experienced in the space will help to keep costs down; not only have these specialists done this before, but they also have tips and shortcuts and often know the right people to get matters resolved quickly and for less money.

SS: There are numerous arguments for increased budgets given that the world of brand protection has become more challenging and more time consuming as traditional brand marketplaces vanish and there are even more outlets for infringement and more information and resources to sift through, follow and police. Counsel needs to work with service providers that have sophisticated tools to aid them in the journey of brand protection. As the technological complexities grow, the cost of creating better and more effective tools will also increase.

DC: Brand protection budgets will always have their limits and not every abuse will have an appreciable impact on revenue, reputation or marketing budgets. As a result, brand owners need to identify the most egregious abuses, set priorities and focus efforts where they will have the most impact. Worryingly, in our recent research report, more than half (54%) of legal professionals reported that they do not have a dedicated budget for online brand protection.

LS: The redaction of WHOIS data has forced IP specialists to use other data elements to conduct performance-monitoring actions. The collection and analysis of those elements require more technical and human resources. Gaining access to redacted WHOIS data is more difficult and where the registry or registrar has no disclosure process in place or refuses to disclose, other means of action must be taken. Further, an important aspect that should not be disregarded is the purpose and retention period of the disclosed data. Once the personal data obtained from the registrar or registry has served its purpose, it may not be retained indefinitely and needs to be pseudonymised, at least.

The tightening of privacy rules highlights how important access to, and possession of, data has become. In what ways do you feel that data is, or could become, its own form of intellectual property? Where should responsibility for its protection reside?

DS: Data has been an IP asset for most companies for quite some time. Many companies, including non-tech companies, are embracing this new paradigm. We are living in what has become known as the information age because of the unprecedented amount of information that is available to each of us, but also because, more than ever before, that same information has become a commodity to be bought, sold and protected. As the adage about the Internet goes: “If you’re not paying for something, you’re not the customer, you’re the product.” Like other IP assets, responsibility for identifying, protecting and, importantly, using these assets for the company’s benefit is often overlooked. However, data in today’s environment has both value and risk for a company. Responsibility for data, by its nature, most often falls under the umbrella of most companies’ IT department (after all, it is computer information, and few attorneys understand data structures and storage, or databases). Marketing professionals also bear some responsibility, since they are the ones who determine what data should be retained and then utilised. Regardless, lawyers must be involved in decisions about data at every step (collection, storage, use, disposition, and sometime destruction). These lawyers must also stay on top of this fast-changing area of law. Best practice is to involve a diverse group of professionals, including someone from the legal team or outside counsel, to develop appropriate procedures for company data. Company plans for data should be well documented and then reviewed periodically to ensure legal compliance, as more laws are enacted.

LS: Personal data is by its sheer nature not public. Therefore, it cannot become an IP right, which must be public to be enforceable.

DC: To me, there is no doubt that data is its own form of intellectual property. For many businesses, it is data that provides a competitive advantage and thus is a true asset. Regardless of industry and regardless of what this data might be – whether it is sales data, customer behaviour data or supply chain information – anything that a brand gains insights and intelligence from is intellectual property. Protecting this data becomes paramount to the brand, not just in meeting legislative requirements but also in building brand equity and customer trust. Responsibility for keeping this data safe also lies with the data owner.

SS: There is a fine line between balancing the individual freedoms of privacy and the importance of protecting IP rights. Data access is so critical and openness to data is the only way that bad actors can be taken down and brought to justice in a court of law. Trusted service providers can provide this data as long as they are properly vetted and have put in place proper governance and oversight. I do not believe that one governing body can properly protect this data, but there should be a way for legitimate brand owners to gain access in order to protect their interests so that they can provide authentic products to consumers and protect their brands and products from infringement.

Given the move to increase privacy, how can data protection rules compliance be used as an opportunity to build consumer trust and strengthen your brand?

SS: Consumer trust is paramount to building a brand’s acceptance and value in the marketplace. Consumers do not want to be exploited and it is important that companies comply with the legal rights of consumers. Brand reputation can be tarnished if the owners do not respect consumer privacy, so brands that compete and comply have better long-term prospects than brands that exploit and manipulate the rules to their benefit. Brands that promote being on the right side of privacy, in my view, stand a better chance of survival in a highly competitive marketplace.

DS: It is hard for a company to develop consumer trust and brand awareness through data protection, since this should generally be invisible – almost like insurance. Consumers will not use your product because you have good data protection, but they certainly will stop using your product if you have bad data protection. It is also difficult to develop consumer trust through data protection, because so many companies will be hacked sooner or later, so any company that advertises the strength of its data protection will only lose that much more consumer trust when, not if, an incident occurs. Good data protection simply keeps the figurative waters calm, to allow your business to enjoy smooth sailing as much as possible.

DC: Today’s consumers are more aware than ever before of their rights when it comes to data and privacy. As a result, brands and organisations that deal with consumer data are expected to do so in a compliant manner – one that safeguards the data. For brands, data protection is a regulatory requirement, but it can also be used to build trust with consumers. Brands can use data compliance as a way to demonstrate to consumers that they have the right processes and practices in place to safeguard their information. Looking specifically at MarkMonitor and the way that we use data to fight brand infringement on behalf of our clients, we believe that increased legislation is a positive step forward. While elements such as accessing WHOIS data have been affected by regulations such as the GDPR, we are constantly innovating to ensure that we can find new ways to tackle infringement and keep our clients better protected. In fact, with WHOIS data no longer in the public domain and only accessible on request, consumer data is being better protected.

LS: As a European group, EBRAND has always complied with European and national laws on data privacy. The GDPR was merely an opportunity to conduct a more thorough internal audit, to document its results and to write down in layman terms the manner in which we handle personal data. For companies established in countries where there were no such data privacy laws, it was a chance for them to put into place all necessary processes and safeguards and to communicate this to their customers.

Are there any other issues that you would like to raise?

LS: While WHOIS data is an important element for investigation purposes, the actual enforcement of IP rights online relies eventually on the hosting element. After all, a domain name in itself cannot cause harm, it needs to be associated with another service, such as a website, an email or an application. Suspending one domain name will have a limited effect. For example, if the domain name ‘ebrandservice.fr’ was to be suspended, ‘ebrandservices.com’ would still be available. What would need to be taken offline is the server associated with IP address 88.99.23.52. It does not appear to be widely known, but IP addresses are also registered in their own WHOIS database and user information can be retrieved to allow brand owners to take action.