Protecting your brand in a world with limited WHOIS data

GDPR has impacted all areas of business, but for brand protection professionals and those concerned with protecting intellectual property rights, the consequences have been tremendous.

No longer able to view domain registrant contact information for IP enforcement efforts, law enforcement and brand protection professionals need to seek alternative methods for finding the information necessary to identify copyright and trademark infringers. So when faced with a lack of access to critical information from the WHOIS database and data privacy issues around GDPR, brand owners should revise the methods within their traditional three-step approach, which includes investigation, identification and enforcement.

A toolkit for brand owners and enforcers

Methods we have found to be most helpful in obtaining crucial information for brand protection activities include:

1. Investigation

  • Add more human resources to conduct the research.
    What used to take one or two steps now requires several steps and/or assistance from outside sources. Identifying registrant contact information takes more time and involves a greater degree of human intervention as investigators have to manually search websites for contact information or request it from registrar and registry operators.
  • Explore other data sources.
    ICANN’s new Temporary Specification for the display of Registrant Data, designed to replace WHOIS for the time being, allows registries and registrars to redact the name and email address of the domain registrant, but there may be other ways to get this information:
      – Check the domain name nameserver to correlate other possibly related domain names. You may be able to identify if infringing or harmful domains are under common control.
      – There are more old-fashioned means of identifying the source of alleged harm. Even if the address field in WHOIS provides only the state and/or country of the registrant of the domain name, that information may still be useful to direct you to a U.S.-based Secretary of State corporate database, or to a country’s trademark office.
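
The nameserver correlation described above, as an added example (not MarkMonitor's own code): it groups suspect domains that share an identical nameserver set and skips sets belonging to large shared DNS providers, which say little about common control. The domain names, nameserver records and the SHARED_PROVIDER_NS list are constructed assumptions; real records would come from DNS lookups or zone files.

```python
from collections import defaultdict

# Constructed sample data: domain -> NS records as they might be returned by
# DNS lookups. All names are made up for illustration.
SAMPLE_NS = {
    "brand-outlet.example": ["NS1.dns-host-a.example.", "ns2.dns-host-a.example."],
    "brand-deals.example": ["ns2.dns-host-a.example", "ns1.dns-host-a.example"],
    "brandd-login.example": ["ns1.dns-host-a.example.", "ns2.dns-host-a.example."],
    "unrelated-shop.example": ["ns1.bigprovider.example.", "ns2.bigprovider.example."],
    "brand-promo.example": ["ns1.bigprovider.example.", "ns2.bigprovider.example."],
    "parked.example": [],
}

# Assumption: nameservers of large shared DNS providers, which host many
# unrelated domains and so say little about common control.
SHARED_PROVIDER_NS = {"ns1.bigprovider.example", "ns2.bigprovider.example"}


def normalize(ns):
    """Lower-case and drop the trailing root dot so equal hosts compare equal."""
    return ns.strip().lower().rstrip(".")


def cluster_by_nameservers(ns_records, shared=frozenset(), min_size=2):
    """Group domains with an identical nameserver set.

    Returns {frozenset(nameservers): sorted domains} for groups of at least
    min_size domains, skipping domains with no NS data and sets made up
    entirely of known shared-provider nameservers.
    """
    groups = defaultdict(list)
    for domain, servers in ns_records.items():
        ns_set = frozenset(normalize(s) for s in servers if s.strip())
        if not ns_set or ns_set <= shared:
            continue
        groups[ns_set].append(domain.lower())
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_size}


if __name__ == "__main__":
    for ns_set, domains in cluster_by_nameservers(SAMPLE_NS, SHARED_PROVIDER_NS).items():
        print(", ".join(sorted(ns_set)), "->", ", ".join(domains))
```

A shared nameserver set is a lead for further investigation, not proof of common control on its own.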

2. Identification

  • Ask for it!
    The Temporary Specification requires registry operators and registrars to grant reasonable access to non-public WHOIS information upon request, so long as the requestor has a legitimate interest in making the request and where such interests are not overridden by the interests or fundamental rights of the data subject. In making a non-public WHOIS request from a registrar or registry, MarkMonitor advises the following:
      – Identify yourself and your connection with the rights holder.
      – Explain the legal basis for processing the data.
      – Identify the specific IP being infringed and how the infringement is occurring.
      – Make each request unique; it will be reviewed by a real person.
      – Commit to processing in accordance with GDPR principles.
      – Request only the information necessary to enforce and explain why; no fishing expeditions!
  • Pursue other legal means to obtain data.
    Most jurisdictions permit a plaintiff that does not yet know a defendant’s identity to file suit against “John Doe” and then use the tools of the discovery process to seek the defendant’s true name, as well as other details. You can file a UDRP or a URS complaint naming “John Doe” and the registrar will provide the underlying registrant data to the UDRP or URS provider.
  • Review WHOIS history.
    Databases of historical WHOIS information still exist and can be obtained, subject to GDPR regulations and other privacy policies.

3. Enforcement

  • Engage with other relevant intermediaries.
    Registries, hosting providers, and ISPs can contact the registrant if abuse has occurred and the registrant is itself a victim of wrongdoing. Maintain good relationships with the compliance department of these registries and registrars.
  • Contact registrants using an anonymized email address or web form.
    Under ICANN’s Temporary Specification, registrars must include an anonymized email address or a web form through which messages can be forwarded to the registrant email address. You can send your cease and desist letter or breach notice to the registrant through these means.

The future

Brand enforcement takes longer and is a costlier exercise than it was pre-GDPR. However, there is recognition that the ICANN Temporary Specification is only fit for what it says – temporary use. A policy development group has been formed with the purpose of finalizing a permanent policy for the display and access of registration data within a year post-GDPR. Until this occurs, brand owners will continue to face these obstacles.