How to solve a problem like WHOIS? Is a centralised domain name registration database on the horizon?

One of the (to many) unexpected consequences of the GDPR coming into force in May 2018 was that information about the owners of domain names became very much more difficult to obtain. This has caused problems for anyone looking to conduct due diligence in connection with corporate transactions as well as in relation to trade mark, passing off and other disputes where it can be important to know who is behind a particular domain name. Previously of course a simple search of the WHOIS database against a particular domain name revealed details of the owner.

In their design paper published last month, the Internet Corporation for Assigned Names and Numbers organisation (“ICANN”) have shown their commitment to tackling this problem, by taking a further step in the creation of the WHOIS Disclosure System – a system aimed at simplifying and streamlining the process of submitting, evaluation and receiving access requests to non-public generic top-level (“gTDL”) domain registration data (for example, .com or .org websites), for both requestors and ICANN-accredited registrars.

GDPR and domain name registration data

Prior to 25 May 2018 (the date the GDPR came into force in the EU), ICANN required each registry to maintain a ‘WHOIS’ public database, accessible by anyone at any time, containing a comprehensive snapshot of domain names registration and ownership, including registrant, administrative, billing and technical contact information.

This streamlined framework for data information was beneficial for the wider public, especially for those involved in corporate deals (as it allowed them to instantly find out if a domain name was owned by a particular person or company), or for those with an interest in commencing proceedings against a party infringing their trade mark or copyright.

Following the tightening of data laws via the implementation of the GDPR, the widely held view became that there was no legal basis for the personal data of domain name registrants to be made freely available on the WHOIS database and with that of course came the threat of heavy fines for those that broke the law. As a result most publically available domain name registration information was redacted for data privacy.

The default position post-GDPR is therefore that the owner’s details will not be displayed on the public WHOIS database unless that owner has consented to their details being displayed which of course is very much the owner’s own decision and in our experience consent is rarely given. As a result the utility of the public WHOIS is now limited.

Internal state by state solution to domain registration data availability

Some solutions to the WHOIS problem are available but these tend to be available on a Registry or Registrar specific basis. The availability of information therefore depends on what the domain name is and in some circumstances, the Registrar that is looking after it, as well as of course why the information is required.

The Internet of Assigned Numbers Authority (IANA) is an organisation which delegates the responsibility of managing top level domains such as gTLDs like .com and country-code TLDs such as .uk. A full list of gTLD and ccTLDs and who they are managed by can be found on IANA’s website.

For example, in the United Kingdom, Nominet has been tasked with the management of UK gTLDs. Nominet are responsible for the .uk, .co.uk, .org.uk, .me.uk and .wales/.cymru related domain names.

Nominet offer three separate tools which the public can utilise to carry out domain registration data:

1. Public WHOIS lookup

Nominet’s free to use “Lookup” search tool allows parties to search almost any domain name available, at any time. This is Nominet’s most limited tool however, as results are generally limited to the name of the domain’s registrar. Key details, such as who ultimately owns the domain, are usually not found via this search.

2. Data release request

Nominet will not publish registrant’s details unless the registrant has given consent, or, if there is a legal basis for disclosing the information to a third party. Third parties can therefore obtain registrant data from Nominet by completing Nominet’s data release request form.

Below is a non-exhaustive list of examples of when Nominet will release registrant data:

• A trade mark holder wants to identify the registrant of a domain name so they can be included in a dispute under Nominet’s Dispute Resolution Service complaint;
• Solicitors acting for a party that is trying to enforce their Intellectual Property rights; and
• A law enforcement agency requesting the data on a domain name.

Data release request of this nature can be submitted via other popular registrars, such as GoDaddy. More information on GoDaddy’s data release request policy can be found using the following link.

3. Searchable WHOIS subscription

Nominet’s searchable WHOIS tool which allows members of the public based in the European Economic Area (“EEA”) to search the .uk, .cymru and .wales registers for exact and similar domain names via a paid subscription service of £400 plus VAT per year.

The Searchable WHOIS service is updated daily and allows for: (1) searches using wildcards; (2) subscribers to view up to 21,000 results per week; and (3) the storage of regular searches as favourites.

EEA members can apply to this service via Nominet’s online application form.

WHOIS Terms of Service highlight that their Searchable WHOIS service can only be used for the following activities, which may be amended at a future date, but are unlikely to be blacklisted:

1. To assist in the establishing or defending of intellectual property rights and other similar matters;
2. To assist in the maintenance of your existing domain name portfolios;
3. To assist in gathering information for cases under the Dispute Resolution Service (.uk disputes), Uniform Dispute Resolution Service (.com and gTLD disputes) or other similar system;
4. To assist in academic research;
5. Detecting, preventing, investigating, prosecuting criminal offences and possible offences;
6. Detecting, investigating and preventing use of false identities (e.g. fake universities, impersonation of police forces etc.);
7. Governmental functions and administration of justice; and
8. To spot patterns of domain registration associated with spam or other antisocial internet behaviour.

Nominet has also blacklisted a variety of activities, which cannot be carried out on the searchable WHOIS service. The lengthy list includes, for example, for advertising, marketing or copying purposes. A full blacklist can be found at Schedule 1 of WHOIS Terms of Service.

For those seeking data on .uk domain names or domains where Go Daddy is the Registrar there is a process available. No solution is however available for most international domains which come up so regularly.

The WHOIS Disclosure System and why it was commissioned

ICANN’s design paper serves as the next stage in the creation of a System for Standardised Access/Disclosure (“SSAD”) aimed at replacing the current state by state solution (seen via the Nominet services discussed above), and enabling brand owners to centrally request international non-public registration data. The creation of such system has been a priority for ICANN since the implementation of the GDPR.

In October 2020, ICANN published a report containing policy recommendations for a SSAD that would facilitate the routing of requests for non-public gTLD registration data. In light of the resource investment required to implement such recommendations, an operational design assessment was carried out and it revealed that there was an inability to predict usage volumes and general related costs in the creation of an SSAD.

Such inability to predict led ICANN to commission the WHOIS Disclosure System – a temporary system for gathering data to gauge the demand for a system that would streamline the process for submitting and evaluating requests for access to non-public gTLD registration data. The data it will gather will subsequently serve to inform the ICANN board and the Generic Names Supporting Organisation (“GNSO”) Council regarding whether the cost consequences of building a SSAD are worthwhile.

Key WHOIS Disclosure System features

Below is a list of key features emerging from ICANN’s design paper:

• The system would connect requestors seeking non-public gTLD domain registration data with ICANN-accredited registrars;
• Participation by registrars will be optional;
• Registries are not envisioned to be included in this system (as the party with the direct registrant relationship is the registrar itself);
• Participating registrars will use ICAAN’s existing “Naming Services portal” to review requests;
• Any identity verification or additional materials necessary for registrars to make a data disclosure determination will not be supported, and will have to happen outside the system;
• Disclosures between registrars and requests will take place outside ICAAN’s portal;
• There will be no fee charged to the requestors for use of the system;
• Each registrar will decide whether registration data should be disclosed following their own application of the appropriate balancing test;
• The system will allow requestors to set a priority level on each request as follows:
  • Priority 1 – Urgent requests: Limited to circumstances that pose imminent threat to life, serious bodily injury, critical infrastructure of child exploitation;
  • Priority 2 – ICAAN Administrative Proceedings: Requests that are the result of administrative proceedings under ICANN’s contractual requirements or existing Consensus Policies (such as UDRP and URS verification requests); and
  • Priority 3 – All other requests.

ICANN have projected a three month ramp-up period to successfully launch the project, with a further 9-month period to develop the system. The system is initially proposed to be maintained for two years, at an estimated total cost of £3.3 million, with a review of usage and effectiveness period at the end of the first year.

Comment

The Intellectual Property community’s opinion regarding the WHOIS Disclosure System is generally quite divided.

Dissenters argue that the data the system gathers will not be reliable, given it will not be compulsory for registrars to join and the system will not capture requests made to non-participating registrars. Members of the GNSO team working on the design have generally agreed with this, arguing that requests to all registrars should be tracked to ensure the volume of information is complete.

Proponents for the system argue that large volumes of domain registration data requests would be a valuable first step in the creation of a centralised registration data platform, which has been a necessity for over 4 years. The fact this system is projected to cost significantly less than the GNSO original plans for a complete SSAD (which ICANN projected could cost up to $27 million to build, and anywhere between £14-106 million a year to run) lends the community to look at this project in a more positive light.

As the jury is still out regarding whether the WHOIS Disclosure System will be the saviour of the domain registration data issues present since the GDPR’s implementation, the Intellectual Property community will have to wait for ICAAN’s next report to formulate a more conclusive view.

If you have any questions regarding this subject please contact Nick Phillips or any member of the Intellectual Property team.

If you aren’t receiving our legal updates directly to your mailbox, please sign up now