GDPR and WHOIS: Adverse Impacts on Brand Protection

More than four months have passed since the General Data Protection Regulation (GDPR) became effective, and many domain name registries and registrars have responded by redacting registrant information from their public WHOIS records. Many of those redactions go further than the regulation requires: they also cover legal entities and persons located outside the European Economic Area, both of which fall outside the scope of the privacy regulation.

Historically, registrant information in WHOIS has been used by cybersecurity experts, brand protection service providers, law enforcement, intellectual property owners, and child protection advocates to identify, contact, and prosecute the people behind websites that sell counterfeit goods, pirated movies, TV shows and music, or illegal pharmaceuticals, or that distribute malware, commit fraud, or host child pornography and other illegal content. Internet watchdog groups predicted that redacted WHOIS information would impede the efforts of law enforcement and IP protection advocates to enforce criminal and civil laws.

Until recently, however, not enough data had been collected to demonstrate the impact on those efforts. Last week two cybersecurity organizations, the Anti-Phishing Working Group (APWG) and the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG), published a survey of cyber investigators describing how their security work has been affected.

MarkMonitor has also been tracking the impact of redacted WHOIS on our AntiCounterfeit, AntiPiracy, and AntiFraud services since GDPR went into effect on May 25th. Although our data continues to mature, a picture of the impacts is emerging that we can now share.

The implications

Prior to May 25th, the MarkMonitor enforcement team would regularly query public WHOIS databases for the registrant's name and contact information so that we could address a cease-and-desist letter or infringement takedown notice to the registrant directly. If the contact information in WHOIS was false or hidden behind a privacy or proxy service, we would instead send a notice to the abuse contact at the registrar and/or to the company hosting the infringing website. After GDPR went into effect, however, WHOIS queries often returned little or no public registrant data, so MarkMonitor had to request the non-public WHOIS data from registrars and registries directly.
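The triage just described (registrant contact if WHOIS names one, registrar abuse contact behind a privacy/proxy service, and a non-public data request when the record is redacted) can be expressed as a small decision routine. The script below is an added example written for this page, not MarkMonitor's own tooling. The three WHOIS responses are constructed samples, not real registrations; the "REDACTED FOR PRIVACY" placeholder and the "query the RDDS service of the Registrar of Record" pointer are the conventions registrars adopted under ICANN's Temporary Specification, while the privacy/proxy keyword list is an assumption that a production system would replace with a curated provider list.

```python
import re
from dataclasses import dataclass

# Constructed sample WHOIS responses (not real registrations) in the key/value
# layout most gTLD registrars return. Only the fields the triage needs appear.
PRE_GDPR = """\
Domain Name: EXAMPLE-STORE.COM
Registrar: Example Registrar, Inc.
Registrar Abuse Contact Email: abuse@registrar.example
Registrant Name: John Doe
Registrant Organization:
Registrant Email: john.doe@mail.example
"""

PROXY = """\
Domain Name: EXAMPLE-DEALS.NET
Registrar: Example Registrar, Inc.
Registrar Abuse Contact Email: abuse@registrar.example
Registrant Name: Domain Privacy Service
Registrant Organization: Privacy Protect LLC
Registrant Email: abc123@privacyprotect.example
"""

REDACTED = """\
Domain Name: EXAMPLE-PHARMA.ORG
Registrar: Example Registrar, Inc.
Registrar Abuse Contact Email: abuse@registrar.example
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: REDACTED FOR PRIVACY
Registrant Email: Please query the RDDS service of the Registrar of Record
"""

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Placeholder text used for redacted fields under the Temporary Specification,
# plus the pointer many registrars put in the email field instead of an address.
REDACTION_RE = re.compile(r"redacted for privacy|please query the rdds", re.IGNORECASE)
# Heuristic markers for privacy/proxy providers (an assumption for this example).
PROXY_RE = re.compile(r"privacy|proxy|whoisguard|protect", re.IGNORECASE)


def parse_whois(text):
    """Parse 'Key: value' lines into a dict keyed by lower-cased field name.
    The first occurrence of a key wins; blank values are kept as ''."""
    record = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key = key.strip().lower()
        if key not in record:
            record[key] = value.strip()
    return record


def classify_registrant(record):
    """Return 'unredacted', 'privacy_proxy' or 'redacted' for a parsed record."""
    name = record.get("registrant name", "")
    org = record.get("registrant organization", "")
    email = record.get("registrant email", "")
    # Redaction markers, or no usable email address at all, mean there is no
    # registrant contact to notify.
    if REDACTION_RE.search(name) or REDACTION_RE.search(email) or not EMAIL_RE.match(email):
        return "redacted"
    if PROXY_RE.search(name) or PROXY_RE.search(org) or PROXY_RE.search(email):
        return "privacy_proxy"
    return "unredacted"


@dataclass
class Route:
    kind: str     # who receives the notice or request
    address: str  # where it is sent ('' if nothing is published)
    reason: str


def choose_route(record):
    """Pick the enforcement contact for one parsed WHOIS record."""
    status = classify_registrant(record)
    abuse = record.get("registrar abuse contact email", "")
    if status == "unredacted":
        return Route("registrant", record["registrant email"],
                     "public WHOIS names the registrant; send the notice directly")
    if not abuse:
        return Route("hosting_provider", "",
                     "no registrar abuse contact published; escalate to the web host")
    if status == "privacy_proxy":
        return Route("registrar_abuse", abuse,
                     "registrant behind a privacy/proxy service; notify the registrar abuse desk")
    return Route("registrar_data_request", abuse,
                 "registrant redacted; request non-public WHOIS data from the registrar")


def unredacted_share(whois_texts):
    """Fraction of records that still expose a usable registrant contact, the
    metric tracked in the post."""
    records = [parse_whois(t) for t in whois_texts]
    hits = sum(1 for r in records if classify_registrant(r) == "unredacted")
    return hits / len(records) if records else 0.0


if __name__ == "__main__":
    for sample in (PRE_GDPR, PROXY, REDACTED):
        route = choose_route(parse_whois(sample))
        print(f"{route.kind:24} {route.address:30} {route.reason}")
    print(f"unredacted share: {unredacted_share([PRE_GDPR, PROXY, REDACTED]):.0%}")
```

Running the script routes the first sample to the registrant, the second to the registrar's abuse desk, and the third to a non-public data request, which is the same fallback chain the enforcement team applies by hand.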

Unfortunately, the overall success rate for obtaining registrant information from registrars and registries has been very low: 22%, as shown below.

[Figure: Obtaining contact info]

In the data we have collected over the previous four months, only 9% of the public WHOIS records we searched still contain un-redacted registrant information. Of the complete WHOIS records we have successfully obtained on request, most came from registrars rather than registries.

Most registrars, however, have simply denied or ignored requests for registrant information. Of more than 350 requests made to more than 70 registrars, registrars responded with WHOIS data only 26% of the time; the remaining 74% were either ignored (no acknowledgement of the request at all) or denied. Requests that were ignored, or that remained pending for more than 30 days without any response, were counted as denied.

[Figure: Information requests to registrars]

As required by ICANN's Temporary Specification for gTLD Registration Data, some registrars have set up anonymized email addresses or web forms that let third parties send notices to a registrant without disclosing the registrant's personal information. In many cases, however, registrars have been slow to implement these mechanisms, and even where they exist they are insufficient: they only relay a message, with no way to confirm delivery or receipt, and they still do not identify the registrant. That makes them an unreliable channel for our enforcement team. Registrant identification is also needed to enforce IP rights under the UDRP and to bring litigation under the Anti-Cybersquatting Consumer Protection Act (ACPA).

Additionally, MarkMonitor has seen a slight rise in the number of detected infringements as compared to pre-GDPR levels, a trend running contrary to an expected decrease corresponding to summer seasonality observed in the past. It’s difficult to attribute this rise specifically to GDPR and the lack of WHOIS data, but MarkMonitor is watching this trend closely and doing further internal analysis in order to ascertain and understand the factors contributing to the increase.

With access to registrant information in publicly available WHOIS severely inhibited, MarkMonitor has had to adjust its enforcement strategies and processes to adapt to a post-GDPR world. Currently, MarkMonitor has witnessed a 19% loss of operational efficiency when it comes to performing brand enforcement activities. Without reliable access to WHOIS data, and despite significant enhancements in our website owner detection technology, it takes more time for our enforcement teams to find reliable contact data to enable sending takedown notices to website owners.

What’s being done

While the lack of WHOIS information has made it more difficult for MarkMonitor to combat fraud and enforce the IP rights of its clients, we are still able to take down infringing and fraudulent websites at the same level of success per attempt due to our substantial investment in enforcement training and detection technology.

MarkMonitor has hired additional brand analysts to offset the lost efficiency caused by more manual searching for registrant contact data and more manual WHOIS requests. We have also trained personnel to treat every infringing or fraudulent domain as if its WHOIS information were hidden by a privacy or proxy service, which triggers our alternative enforcement methods from the outset.

MarkMonitor has also reached out to numerous registrars and registries individually, drawing on our network of industry contacts to understand what information or assurances they need before granting access to registrant data. From these consultations, MarkMonitor has drafted a WHOIS request letter and process that we believe is narrow in scope and GDPR-compliant. Using this form has significantly improved our success in obtaining registrant contact information, and we continue to work with our registrar colleagues to improve it further.

What’s ahead

While these crucial mitigating steps have lessened the impact of GDPR on MarkMonitor fraud detection and brand enforcement efforts, these steps have come with substantial financial cost and compromised efficiency. The longer it takes to finalize ICANN’s Expedited Policy Development Process (EPDP), establish a definition of “reasonable access” with registrars and registries, and implement an accreditation and access policy, the more adverse the impacts will be to brand owners, consumers, and Internet users, generally.

With the passage of time, MarkMonitor will continue to collect and analyze more data that will, in turn, allow law enforcement, ICANN Compliance, registrars, registries and brand protection experts to shape policies, procedures, and activities that protect consumers from fraud and abuse while preserving the privacy rights of individuals under GDPR and future data privacy regulations. 

We look forward to the opportunity for open dialogue with these groups and others to help our clients protect their customers and their businesses online.