SECRECY v TRANSPARENCY
Secrecy v transparency… that’s essentially what the whole GDPR v WHOIS controversy is all about. Some background is in order.
GDPR: The EU’s General Data Protection Regulation (GDPR), adopted on 14 April 2016 and due to take effect on 25 May 2018, is now very much in the news. On the face of it GDPR does good things – it protects the citizens and residents of the EU from privacy and data breaches. GDPR has very wide reach, applying not only to EU companies, but also to all companies (wherever they may be located) that process and hold the personal data of EU subjects. Under GDPR consent is key: personal data can be stored if the person involved has given informed and unambiguous consent to that storage. GDPR is no laughing matter – the EU authorities will be able to impose fines of up to €20 million or 4% of turnover (whichever is the greater) on companies that fail to comply with GDPR.
So GDPR is all about privacy. Or is that secrecy?
WHOIS: What is? WHOIS is something that’s been with us since the 1980s, ever since those early days of the internet. WHOIS is the system whereby the companies that register domain names (domain name registries, GoDaddy would be an obvious example) not only take the personal information of those people and companies registering domain names, but also list that information in publicly-accessible WHOIS directories, making the information easy to find through free WHOIS search tools. Transparency has always been at the heart of the system.
So why exactly are the domain name registries so wedded to WHOIS? Simple, they’re contractually required to do it. The domain name registries acquire their authority to register domain names from the international body that’s responsible for the entire domain name system, the Internet Corporation for Assigned Names and Numbers (ICANN). ICANN has licensed a large number of domain name registries to register domain names and it is one of ICANN’s requirements that they all follow WHOIS.
WHOIS is regarded as a very important, if not invaluable, tool for those involved in, inter alia, enforcement activities, security research, WHOIS data analytics and journalism. An obvious example would be brand enforcement – anyone wanting to find out who is behind the online counterfeiting of a brand would start off by establishing who registered the domain name through which the counterfeiting operation is conducted. WHOIS unfortunately also has a negative side, in that the information it contains is also a source of great interest to spammers and hackers.
So on balance WHOIS is laudable. Although it is worth bearing in mind that secrecy is still available at a cost – domain name registries do offer users an option of hiding data, but they do need to pay for that privilege.
The problem: The problem is fairly obvious – whenever anyone registers a domain name with a domain name registry the two parties are entering into a contract. So when it comes to EU subjects, GDPR kicks in and states that the person applying for registration is entitled to privacy. Which means that the domain name registry can’t take and publish the personal information of the registrant without that person’s consent. But domain name registries have never sought consent from registrants. And even if they now start requiring consent, people will clearly have the right to decline. In short, WHOIS is incompatible with GDPR.
This leaves ICANN with a dilemma. The organisation is under pressure from various law enforcement agencies and other bodies to make sure that domain name registration information remains available. But ICANN must also accommodate GDPR.
Domain name registries are starting to get twitchy. Some European domain name registries have told ICANN that they simply won’t be complying with WHOIS in the future – insofar as there are contractual terms that require the domain name registries to do so, they argue that these terms will in future be invalid because they contravene EU law. ICANN acknowledges that there is a problem – in November 2017 it announced that it would not take legal action against domain name registries that do not comply with WHOIS.
The solution: Right now there isn’t one. ICANN has been aware of the privacy issue for years and it has been working on solutions including a complete replacement of WHOIS with a Next Generation gTLD Registration Directory Services (RDS). ICANN has suggested that domain name registries get consent from registrants, but the objection to this is that EU law requires that consents be freely given. ICANN has also come up with some fairly desperate-sounding stop-gap measures. One of these is a system of self-certification, whereby people or organisations who self-certify that they have a legitimate interest in accessing the personal information of domain name registrants are able to access it. Another is a system of formal accreditation, whereby only formally accredited third-party requesters can access the information of domain name registrants. The third is a system whereby only those who obtain subpoenas or other court orders are given access to domain name registrant information. These proposals are unlikely to fly. The EU authorities have said that ‘the level of abstraction’ of the models makes them difficult to assess. They’ve basically asked ICANN to go back to the drawing board.
The pressure is on ICANN. On the very day that the organisation announced these interim solutions the largest domain name registry in the world, GoDaddy, announced that it would effectively redact details of its 17 million customers by withdrawing bulk searches of the WHOIS details. Other domain name registries are likely to follow suit.
Pointer Brand Protection is in contact with major registries and registrars to overcome the issue. Identity theft and sales of counterfeit goods are at a high. Too often, we see unknowing consumers being duped by these infringers. WHOIS information provides brand owners and cybersecurity investigators the needed data to protect consumers from these fraudulent activities. To safeguard brands from online trademark and IP infringements, it is important that the involved parties step up. The best way going forward is to open up WHOIS for certain companies that can show reasonable cause. This way consumers’ privacy is protected, and brand owners are protected online from IP infringements.