IP Alert: ICANN WHOIS Privacy Updates Change the Process for Locating Infringing Domain Owners

• Print PDF

Since the adoption of the European Union’s General Data Protection Regulation (GDPR), many IP rights holders have feared that the enforceability of their intellectual property rights (e.g., trademark and copyright) would become markedly more complicated and that the public ICANN WHOIS database would “go dark.” Now that the GDPR is in effect, significant changes have been made to WHOIS, and the ability to identify and take action against registrants of infringing domain names has become more complicated. This article will focus on the various options now available to IP rights holders for enforcing their rights.

On May 17, 2018, ICANN adopted a Temporary Specification that significantly limited the availability of contact information for domain name registrants on the public WHOIS database. The changes were made to comply with the GDPR, which went into effect on May 25, 2018. Previous versions of the WHOIS database provided fast and free access to the names and contact information of domain owners, making it easy to contact potential infringers. The exception was where the registrant had utilized a proxy (a/k/a privacy) service, such as GoDaddy’s Domains By Proxy, to hold the registration.

Under the Temporary Specification, the available information is limited to the registrar’s corporate name, country and state location, and an anonymized email address or web contact form. This has serious implications for IP rights holders who have come to rely on the WHOIS database as a one-stop shop for identifying and contacting potentially infringing domain registrants. Without access to detailed contact information on WHOIS, IP rights holders will have to utilize a patchwork of other available resources to identify domain registrants. Moreover, at present, it appears that many of the domain name records on ICANN’s WHOIS do not even list an anonymized email address or web contact form.

The most useful workarounds are summarized below, but IP rights holders and professionals should be prepared for increased time and cost to identify and contact domain name registrants.

1. Search Active Websites Associated with the Domain
   

   An easy way to find the contact information for the owner of an infringing domain is to look for contact information on the infringing site or associated websites. Although infringers rarely provide accurate contact information, this could be a potential cost-effective route to obtaining the necessary information.
   

    

2. Search Another WHOIS Database
   

   While ICANN has taken an aggressive approach to GDPR compliance on its own WHOIS database by restricting access to all personal registrant information, other sites appear to be attempting a more tailored approach. For example, GoDaddy WHOIS complies with the GDPR by only listing technical domain information and the country and state or province of domains residing in the European Economic Area (EEA) or in countries whose data is routed through the EEA. For domains registered in countries outside the EEA, such as the United States, GoDaddy ICANN looks the same as it always has—for now.
   

    

3. Ask the Registrant or Registry Operator
   

   ICANN’s Temporary Specification requires that registrars and registry operators provide non-public WHOIS data to those with a legitimate interest in the information. The requestor’s legitimate interest will be weighed against the privacy interests of the registrant to determine if the request should be granted. Registrars may resist releasing personal data, so requests should be carefully tailored to persuade registrars that refusing to release the information would be unreasonable. If a request is refused, IP rights holders can and should complain to ICANN’s compliance department. A persuasive request should include the name, address, contact information, and interest of the requesting party; the basis for the request (e.g., trademark or copyright infringement); the domain name or URL where the infringement is occurring; and a brief statement detailing why the requestor believes use of the domain constitutes IP infringement.
   

   
   

   When contacting the registrant via an anonymized email or web form, the response will be forwarded to the registrant by the registrar by email. This could prove problematic, since there is no way to ensure that the complaint was received unless the registrant responds. If the registrant or registrar does not respond in a timely manner, a follow-up request to the registrar and, if necessary, a complaint to ICANN, would be appropriate next steps.
   

    

4. Search the Secretary of State’s or Country’s Corporate Database
   

   If the registrant is a corporation or other legal entity, ICANN’s WHOIS is supposed to continue to display the name of the legal entity. Combined with country and state location information, this may enable users to locate the entity’s contact information through a particular Secretary of State or country online corporate database.
   

    

5. Complain to the Web Host
   

   Another point of contact is the company that hosts the infringing content on the web. Web hosts can be easily identified using the IP address and any free online web host lookup tool. Once identified, IP rights holders should be able to locate the complaint contact point on the host’s website and lodge their complaint about the domain name and/or website contact. Some web hosting companies are good about taking down sites with infringing contact. Others are not.
   

    

6. Review Internet Archives
   

   There are several online services that archive historic versions of WHOIS data and will share it with IP rights holders. These services usually require a monthly access fee, and there is no guarantee that the archive will have the relevant information. For example, if the WHOIS data was anonymized by privacy shield or proxy service prior to the archive date, the requestor would see anonymized data just like the current version of the WHOIS.
   

    

7. File a UDRP Dispute Against the Registrant
   

   The UDRP arbitration dispute resolution mechanism will continue to function under the Temporary Specification, with the exception that, when registrant data is anonymized on WHOIS, the UDRP complaint notification will be forwarded by the registrar to the underlying email of the domain owner. In theory, the procedure should then operate in the same manner as it did before the Temporary Specification but, as discussed above, there is no way to ensure that the complaint was received unless and until a response is received. If no response is received, the UDRP provider (e.g., WIPO, NAF) will presumably follow its standard default procedures.

   A little-used second arbitration mechanism, the Uniform Rapid Suspension (URS), can also be used under the Temporary Specification.

8. Commence Legal Action
   

   A legal action for infringement can be brought against an unknown defendant (Jane or John Doe). Once the lawsuit is initiated, the plaintiff can use the tools of discovery to compel the registrar to release the name and contact information of the domain owner.
   

    

9. Document and Report all Problems
   

   Filing a complaint with ICANN is appropriate where registrant data on WHOIS is false, or where the requestor does not receive a response from the registrar in a timely manner. If the information on WHOIS is incorrect, submit a “WHOIS Data Problem Report” via the form at http://wdprs.internic.net/. The form will be forwarded to the sponsoring registrar, who should investigate and correct the incorrect information. If the registrar fails to respond to requests in a timely manner, ICANN accepts problem reports via the general ICANN complaint form at https://survey.clicktools.com/app/survey/response.jsp. ICANN will not assist in resolving individual disputes but will track complaints for compliance monitoring and statistical analysis.

Conclusion

IP rights holders and professionals have come to rely on WHOIS for critical contact information about infringers. ICANN’s response to the GDPR has made policing infringing domain names more complicated, but a number of options remain for investigation, identification, and enforcement of IP rights. Although commonly used tools are changing, IP rights remain enforceable under the new WHOIS.

For more information, contact the Gray Plant Mooty Intellectual Property, Technology & Privacy team.

• Back to Previous Page

Professionals