Sound the Alarm: WHOIS Data Blackout Is Likely to Follow Effective Date of European GDPR

INTABULLETIN, APRIL 01, 2018
Brian Winterfeldt, Winterfeldt IP Group, Washington, D.C., USA,

The collision between the privacy obligations within the European General Data Protection Regulation (GDPR) and the domain name registration data that is currently publicly available through the WHOIS system will have broad implications for the trademark and brand community. This issue remained the primary focus at ICANN’s 61st International Public meeting in San Juan, Puerto Rico, which concluded on March 15, 2018. 

The WHOIS system is ICANN’s free, publicly available directory containing the contact and technical information of registered domain name registrants. In addition to critical uses of WHOIS for law enforcement and cybersecurity, among other legitimate purposes, access to WHOIS data is critical for trademark and other intellectual property (IP) owners in enforcing their rights against illegal website content or bad faith domain name registration and use.

The ICANN community continues to scramble to finalize an interim model that would enable domain name registry operators and registrars to comply with the data privacy requirements under the GDPR, while preserving as much of the current publicly available WHOIS system as possible. The model is considered “interim” because the final result for any ongoing WHOIS policies would typically take place through a policy development process in accordance with ICANN’s bylaws. Discussions about how much data should be open and publicly available have been going on for nearly two decades. ICANN currently has a working group dedicated to the “next generation” of registration directory services. However, the immediacy of GDPR implementation has propelled the ICANN organization to come up with an interim model that circumvents the normal policy development process. 

Many view ICANN’s model as too little too late and the death knell for a uniform or publicly available WHOIS system. The ICANN interim model was pieced together from several other models proposed by the community, leaving all stakeholders generally unhappy with, and highly concerned about, the final product. In an attempt to assuage those fears, ICANN also published a “Cookbook” intended to provide its legal rationale for the elements of its proposed interim GDPR compliance model. The end result has been a mad scramble to fill in crucial gaps in the model, correct critical errors, challenge biased legal conclusions, and lobby European data protection authorities to tell ICANN that their proposed solution is unworkable. 

As of May 25, the publicly available WHOIS data will be limited to the registered domain name, registrant’s organization (if applicable), registrant’s state or province, registrant’s country, and an anonymous email address or web form from which an email could be forwarded. There will be no real names, telephone numbers, or email addresses for direct communications with the domain name registrant. Also visible to the public will be information about the name servers, registrar’s information, and the creation and expiration date of the domain. There will be no names of natural persons or actual email addresses. All other information will be available subject to accreditation. However, ICANN has not put forth any accreditation model.

Below are some of the key takeaways from the discussions in Puerto Rico, along with some steps you should take right away to attempt to avert a total blackout of WHOIS after May 25, 2018.

The Key Takeaways

The ICANN61 meeting concluded with much unfinished business, as there is continued disagreement on elements in the interim compliance model. This is based on what INTA believes to be substantial gaps in ICANN’s legal analysis and an over-interpretation of the requirements of the law. The Intellectual Property Constituency (IPC) of ICANN, of which INTA is a founding member, commissioned an independent legal analysis of the GDPR that has helped inform the debate. Two main factors of debate are: (1) whether the interim model should apply universally; and (2) whether it should distinguish between information of natural and legal persons. The current ICANN model makes no distinctions. Further, ICANN has not proposed any accreditation model nor has it concretely identified how it will ensure compliance from registrars and registries under current ICANN contracts. Known as the “contracted parties,” certain registrars and registries have indicated that they may walk away from ICANN’s model if they do not feel adequately protected from the harsh remedies that could be applied under the GDPR.

ICANN has kicked the ball down the road to governments as it has said that governments should be forming accreditation and access models based on the needs of law enforcement, IP owners, journalists, etc. Governments do not draft policy; however, they play an advisory role in the ICANN system. Further, ICANN has encouraged all members of the community to contact EU Data Protection Authorities (DPAs) directly to express concerns about the implementation of GDPR in relation to WHOIS. INTA is contacting all 28 DPAs to explain the urgency of the situation and recommend immediate improvements to the interim model.

The Business Constituency and the IPC have stepped up and independently drafted a proposed accreditation model based on an Expert Working Group submitted to ICANN several years ago. While it is not a panacea for the problem, it is a step in the right direction, and INTA is advocating for an accreditation model to be in place before May 25. The likelihood of that happening is slim and the risk of WHOIS essentially becoming dark is real.

Next Steps for the IP Community

No matter what happens next, INTA members will almost certainly be preparing for a world in which the WHOIS system as we know it today goes away. We may be left with a modicum of useful public data, such as domain creation and expiration dates, name servers, and registrant countries, but the vast majority of the information we use today to conduct trademark enforcement investigations, send cease and desist letters and similar communications to registrants, or even prepare and prosecute Domain-Name Dispute-Resolution Policy complaints, will likely be hidden behind a gate. And the key to the gate—the accreditation system—may not be ready for another six months, if not longer.

Accordingly, INTA urges everyone in the brand owner community, as well as our allies in the broader consumer protection and IP rights community, in law enforcement and government, and in the cybersecurity community, to:

Contact European DPAs to voice concerns about the possible WHOIS blackout, seek as much guidance as possible as to what DPAs would allow in terms of data publication through WHOIS, and request that DPAs commit to providing ICANN and contracted parties with an abeyance on GDPR enforcement while the community works in good faith to implement a balanced system that respects privacy rights enshrined in the GDPR while also enabling continued public interest work that relies on WHOIS. A list of European DPAs and how to contact them is available here. 

Contact ICANN Governmental Advisory Committee (GAC) members and other governmental representatives with an interest in preserving WHOIS, such as law enforcement or regulatory agencies, to call on them to apply pressure on ICANN to preserve more of the current WHOIS system and ensure a mechanism is in place for access to any non-public data before data is put behind a gate. In the United States, we know that interested agencies include the Department of Commerce National Telecommunications and Information Administration, Federal Trade Commission, United States Patent and Trademark Office, Department of Justice Computer Crime and Intellectual Property Section, and the Federal Bureau of Investigation. In Europe, we know that Europol and the European Commission have been involved in GDPR and WHOIS discussions, as has Interpol. A list of GAC members is available here.

Immediately join efforts to develop a consensus interim accreditation system as well as refine a proposed WHOIS Purpose Statement. INTA urges the brand owner community to publicly support the accreditation model proposal and purpose statement, and urges ICANN to adopt some operational mechanism for access to non-public WHOIS data to avoid a total blackout after May 25. Comments on these documents can be sent directly to ICANN at gdpr@icann.org.

Continue to supply comments to ICANN highlighting concerns with the proposed interim model, including lack of public registrant name or email address, lack of requisite distinctions between natural and legal persons, global application instead of appropriately limiting territorial scope to registrations with a European Union nexus (via the registry, registrar, or registrant), and lack of any commitment to continue providing searchable bulk WHOIS data via port 43 or similar technical protocol. Comments on the model can be sent directly to ICANN at gdpr@icann.org
In short, it is time to sound the alarm bells: WHOIS as we know it will soon be gone, and we will likely be subject to an indefinite blackout period where online brand enforcement will be nearly impossible. This must be an urgent advocacy priority for all trademark owners, and the time to act must be now—it is already nearly too late. 


Although every effort has been made to verify the accuracy of items in the INTA Bulletin, readers are urged to check independently on matters of specific concern or interest. Law & Practice updates are published without comment from INTA except where it has taken an official position. 

Link :



Comments

Post a Comment

Popular posts from this blog

ED tracks Swiss Bank A/Cs of Agusta scamster

The Poineer February 10,2019 Rakesh K Singh The Enforcement Directorate (ED) has tracked a dozen Swiss bank accounts in the name of Rajiv Saxena, who is key accused in the Rs 3,600 crore AgustaWestland VVIP chopper scam. The ED has also found out accounts held by  his family members and associates where the kickbacks in the now scrapped deal were allegedly parked. Two bank accounts are in the name of Rajiv Saxena’s  associates Pankaj Jain and Sumita Jain who are also the authorised signatories. The  third is in the name of another associate Ajit Singh Bubber, but Rajiv and his family members are authorised signatories. The remaining nine accounts are largely owned and operated by Rajiv, his family members and associates. Rajiv Saxena was deported by the UAE authorities on January 30 and the ED formally arrested him the next day and a court later granted his remand to the agency. He is currently undergoing custodial interrogation by the ED. The agency had in 2017 arrested his
Read more

J&K Cricket Board Scam: Chargesheet Filed Against Farooq Abdullah, 3 Others By CBI

OUTLOOK July 16, 2018 The agency has levelled charges of criminal conspiracy and criminal breach of trust under the Ranbir Penal Code against Abdullah and three others. The CBI on Monday filed a chargesheet against former Jammu and Kashmir chief minister Farooq Abdullah and three others in a special court in Srinagar in connection with alleged irregularities and misappropriation of funds in the Jammu and Kashmir Cricket Association. After the fall of the Peoples Democratic Party (PDP) and the BJP government, this is the biggest development that has taken place in the state. The National Conference has not reacted to the chargesheet so far. The agency has levelled charges of criminal conspiracy and criminal breach of trust under the Ranbir Penal Code against Abdullah, the then president of JKCA, Md Saleem Khan - the then general secretary, Ahsan Ahmad Mirza - the then treasuer and Bashir Ahmad Misgar, an executive in the J&K Bank. The BCCI gave Rs 112 crore t
Read more

As financial insecurity rises in urban India, so does investment in insurance

Image
Scroll.in March 13, 2020 Urban Indians are becoming less confident about their financial security. Up to 58% of them fret over financial independence post retirement, which is a 4% increase from last year. An equal share of urban Indians worry about meeting their daily medical expenses and sustaining their current lifestyle once they stop working. The findings are part of a survey published by Delhi-based Max Life Insurance in association with London-based consultancy Kantar. The firms surveyed 7,014 respondents in 25 cities, including six metros, nine tier-1 cities, and 10 tier-2 cities, between December 2019 and January 2020. Source: Max Life Insurance via Quartz The trends Source: Max Life Insurance via Quartz Source: Max Life Insurance via Quartz Source: Max Life Insurance via Quartz A significant share of urban Indians also say their families will have no financial support in the event of the breadwinner’s death. In such a scenario, around 57% believe the family sav
Read more