new GDPR landscape

We want to invite you to learn more about enforcing and acquiring domains in our webinar “Domains and WHOIS in the New GDPR Landscape”. Our panel of experts including 101domain.com president, Anthony Beltran and Sr. Corporate Services Executive, Kimberly Darwin, explore the new processes involved in domain acquisitions and disputes such as UDRP, URS and abuse complaints, now that GDPR regulations limit the information available for research. The material presented will provide you with updates to better consult your clients whether they be startups, Fortune 100 brands, or domain investors.

Webinar Transcript: Domains and WHOIS in the New GDPR Landscape

August 29, 2018 presented by Anthony Beltran and Kimberly Darwin.

Anthony:
All right welcome ladies and gentlemen to 101domain’s first in a series of webinars: Domains and WHOIS in the New GDPR Landscape, that we plan on putting on, on a quarterly basis on timely topics in the domain name space and how those relate to IP rights and trademark rights in just corporate domain portfolio management. Our topic today is GDPR: The new landscape for enforcing, selling and acquiring domains.

We will be going through what exactly is GDPR and how that applies to the domain name industry, specifically WHOIS database and how registries and registrars are operating in a post GDPR landscape as well as practical information on trademark rights and enforcement and other issues that we are seeing day to day and working with our corporate clients and with our trademark professionals.

Kimberly:
And this is Kimberly saying hello as well. And whenever you’re ready Anthony we can start.

Anthony:
All right. So it looks like we have a good group with us here today. I thank you all for taking the time out of your day. My name is Anthony Beltran and I’m the president of 101domain and Kimberly who you just heard is our Senior Corporate Services Executive. She and I will be walking you through things today. So, Kimberly, can you go to the next slide.

So all about GDPR today. Many of you guys have heard this term and I’m sure a lot of you are tired of hearing about it essentially what the GDR is by definition is European Union’s data protection directive stands for General Data Protection Regulation was a policy that was published and put into place in April of 2016 which became effective on May 25th 2008. So you know the main industry and in all other industries affected have known about these directives for a couple years now and there are essentially a bulking up of existing data privacy laws that the European Union has had in place for a number of years. These new laws impose much stricter rules on controlling and processing of personally identifiable information namely a person’s name a person’s address, phone number, email address. It goes so far in some cases, as IP address and how customers and individuals are being tracked by Internet companies online.

So it’s really an all-encompassing directive that imposes very very heavy civil fines on companies for non-compliance to previous regulations didn’t have quite as much teeth in the imposition of fines in a language that was used in the directive. And this new policy created quite a few sweeping changes that really defined the scope and the responsibilities of the affected parties so the directive applies to European citizens. However, if you are a European company you are to treat all of your customers as if they were European citizens for GDPR requirements. So essentially what GDR requires is it requires companies to allow their customers to control their data much more than in the past and that you’ve seen cookie policies and privacy policies updated mostly around May 25th was the date again so I imagine most of the websites that many of you navigate to would we see cookie policies that would be accepted, privacy statements.

new GDPR landscape EU countries

You know I saw a wave of e-mails in my inbox from companies that I forgot I ever did business with updating privacy policies and so on and so forth and all that was generally a result of the GDPR directive. As a company and with 101domain being a European company our cookie policies have been updated, our privacy policies been updated as well as most companies out there to become a lot clearer and more concise in as much as how we are tracking customer information, how we’re tracking customers, what PII we are collecting and what is it being used for and who is it being shared with. The directive also provisions a right of customers to request the information from a company they do business, to request a complete dataset of the information that the company is collecting on them, to request removal of that information, and it requires companies to tighten up their data retention policies to only retain data so far as it is needed for legitimate business purposes.

As you can imagine these are sweeping changes for many many companies out there. You see the headlines in the news. You see Facebook in the news, you’ve seen Google and obviously, these are big players that were greatly affected if you go into Facebook you’ll notice that you can download a copy of all your data that they have on you. And that’s available without a lot of these larger these larger tech companies out there, and that’s part of the GDPR directive. As a registrar with many many customers, we have seen an influx of customers coming in requesting data removal, accounts closure, and it seems to come in waves as news is published in the news outlets. Otherwise, it’s somewhat of business as usual from that perspective. As you can imagine with the restriction and PII and how the domain name industry handles personally identifiable information, there are quite a few areas that these directives affect. And the biggest one is the WHOIS database and as many of you know and use that WHOIS database in your lines of work, if you are a legal practitioner or your brand owner, to research names and owners and even to acquire domain names from other parties or sell domain names, there’s a lot of changes going on and in our space right now around this and that’s what we’re going to get into here today.

Following the May 25th, directive the effective date, ICANN published what they’re calling their temporary specification addressing the community’s response to GDPR. Now the background behind this is that ICANN in its agreements with registries registrars who are contracting parties as they’re referred to, we are required to collect, retain, and pass on certain personally identifiable information that our customers submit to us in relation to their domain name registration. That PII is found primarily in the WHOIS database records so you have four records for a domain name. You have the registrant, administrative, technical, and billing contacts. Those contacts are required by us as a registrar and registries to publish in public-facing databases which we term as WHOIS for the public to look up. So this temporary spec went into place on May 20th and we’ll get into the details here shortly. So that’s the ICANN universe as far as the GDPR goes. We then have the other half of the domain name system out there in country code where we’re really seeing all kinds of different things going on. These country codes generally do not adhere to ICANN policies, some of these country codes do follow those policies and mirror some of them but they really get to set their own rules and in a lot of cases and being accredited in most of the countries around the world, we are seeing these changes day in and day out and communicating this with our customers when issues arise in the horizon and help them navigate through some of these changes.

So on the next slide we’re just going to talk about the WHOIS database a little bit, you know the WHOIS database was originally created to show domain ownership and the change of domain ownership, meaning that someone registers domain name, the record gets published online, somebody can go to the database or a database somewhere and look up who owns the name, when the name was created, when the information on the name was last changed, what the name servers are. So there’s some transparency in who owns the website that you’re looking at or who owns the domain name that you’re wanting to do something with. The original intention was very sincere. As many of you know throughout the years, and WHOIS has been around for quite a while, throughout the years the use cases for the WHOIS database has morphed into a number of areas. First and foremost, WHOIS is used primarily as trademark rights and IP enforcement, you know looking up who owns domain names for our clients, are they squatting on the name, is it you know, a name a client owns, it’s important information to catalog and keep.

Law enforcement agencies also use this information day in and day out to track the various activities online. There is an illegal pharmacy somewhere. That’s one dataset they turn to, to track down the culprits and try and enforce laws against. You also have some government agencies and security firms that are constantly doing research on the domain name system and dealing with things like DDoS attacks and government-sponsored terrorism, things like that. We also, as many of you know, if you’ve ever registered a domain name, you may have gotten a credit card offer in the mail a week later. That is one use of the WHOIS database that has developed over time and that there are companies out there that mine this data and use it for marketing purposes, for unsolicited marketing purposes. I know in one case with myself, I had registered a domain name years ago for a business idea, to put a business name on it and got a credit card offer in the mail a week later and I hadn’t even told anybody about this idea at the time and it’s things like that I’m sure many of you have experienced.

Additionally, domain acquisition we do a lot of acquisition work and one of the sources of data that we look at to contact the owner of the domain name is the WHOIS database. And then finally, fraud and abuse, as I mentioned security firms or as legal practitioners, if you see a domain name infringing on a client’s brand or a clients rights, that’s one of the first places you typically go to determine how to enforce what you’re looking to enforce. Now post GDPR and post temporary spec has really changed the WHOIS database in a number of ways. We’ll go through some examples here on the next slide but essentially most of the data that we as practitioners and legal practitioners and users are used to seeing in a WHOIS database is simply no longer there. ICANN’s temporary specs laid out the minimum elements required to be published in a WHOIS database and that essentially boils down to redacting pretty much all personally identifiable information. So if you’re an individual registering a domain name, you’re not going to see your data on the WHOIS database, if you’re a company you’re going to see part of the company’s data on the database.

Many registries and registrars because the temporary spec was published and rushed through with ICANN being behind the ball on addressing this issue, many of us were scrambling at the deadline to implement something so you’re going to see various implementations throughout the domain name space with different registries, registrars, they’re going to differ in some ways. There are some things on these WHOIS database records that are required and you’ll see similarities between them but it’s really at this point, navigating the landscape out there to find who owns domain names in order to enforce rights, or to tackle fraud and abuse or to simply acquire the domain name that you are interested in. Some of the main things you’ll see are since individual information is no longer being published on the WHOIS for ICANN sponsored names, there’s not going to be an email address on that record for each contact the domain name. There will be email addresses for you to contact the registrar, registrars are required to publish an abuse email address so that you may contact the registrar is there is a website for example that needs to be taken down for illegal practices but you cannot get the email address of the individual registrant anymore so in that place registrars have implemented a contact form.

So there’s typically a URL in the WHOIS record that directs you to contact form that once you fill out the register will pass that contact inquiry along to the domain name owner. But there at that point, the communication may end, you may not get a response and many times don’t. Some registrars have taken the stance of redacting all possible PII information across their entire customer base and as I mentioned, EU based registrars and registries are required to do that for all customers. Registrars and registries outside of the EU, some have taken that approach. Others have decided only to redact their EU customer’s information. So I believe GoDaddy had come out and said, our European businesses will fully redact everything but our U.S. business will only be redacting European customer’s information. U.S. and non-European information will still be published as it was before. So the takeaway here is that regulations and what the domain name industry is required to do as a contracting party of ICANN, it’s on a temporary specification right now and the industry is working through finalizing these things. This temp spec expires on May 25, 2019 at which point they are required to have a final specification or final working model of WHOIS and we will talk a little bit towards the end about what that may look like.

Now when we look at the next slide here. You’re going to see various examples of WHOIS output variations are due to the registrant being an EU company, an individual, non-EU companies and non-EU individuals. We still have private registration and in many cases with country codes as I’ve mentioned, they don’t necessarily adhere to GDPR regulations. We know many country codes out there that are still publishing full WHOIS information in certain cases and so that gets into a little private registration concern.

So moving to the next slide. Here are some examples of domain names at 101domain and our WHOIS database output so on the left you have a domain name with privacy, or without privacy, my mistake. And this happens to be an organization’s, this happens to be the domain name 101domain.com which is our website name. You see in the registrant section, halfway through, that it publishes the company’s information here. As it had in the past but you notice there’s no e-mail address. Now we’ve determined, it’s been determined that your email addresses may fall under personally identifiable information because if it’s an individual’s email address which many times it is for a company registration, we err on the side of caution not to publish that information. So in lieu of that, we’ve created this contact form which I’ve mentioned previously. So you would go to this URL, submit a contact inquiry, that inquiry will get passed to the registrant and it’s 100 percent in their court whether to respond or not to that. So as you can imagine in enforcement cases that’s a very quick dead end. If you take a look at the right, you’ll see a domain name with privacy in our system. And this is following ICANN’s temporary spec in that it states that if the domain name has privacy all of the WHOIS record must be published because the privacy contacts are of a business that is not personally identifiable information. So you have an e-mail address here that you can reference even though it’s a randomized e-mail address that is tied to the domain name in our system. And so that gives you a little bit more wiggle room and if you go to the next slide we have a couple more examples.

new GDPR landscape slide 1

Here are a couple domain names without privacy. This really depicts the difference between an organization and an individual registration. So again, we have 101domain.com. on the left. You have the full organization name in the registrant data, sans the email address and to point out one other thing, you notice that the admin, billing, and technical contacts are not published here either which we are not required to do under the temporary spec. If you take a look at the right and this domain name delmar.fun. Which is a cool domain name. This is an individual that has registered this name and the information is even more redacted.

new GDPR landscape slide 2

Kimberly:
So a lot of you I’m sure are involved in trademark or IP enforcement whether that be for your clients or for your own brand and with a lot of that redaction from the WHOIS database it makes some of your work a little bit harder. One of the main things is the UDRP or URS processes which are disputes that were created according to ICANN regulations that allow trademark owners to dispute the ownership of a name. Those would apply mostly to your major CCLDs excuse me, your major GTLDs like .com, .net, .org plus the new gTLDs like .ninja. That sort of thing. And then any country codes that may have chosen to adopt those processes so it’s pretty big. It’s commonly used for a lot of major brands in order to acquire domains that they can prove are infringing upon their brand.

So I did include the three points that must be proven. The likelihood of confusion meaning that if a visitor goes to that site could they be persuaded to purchase something that perhaps isn’t the actual product, misled in any other way. And if the registrant has an interest in the domain, so the problem with a lot of the WHO is database now is that it’s very difficult to research that. Now let’s say you’re looking at bobsshoes.com and you used to be able to go to the WHOIS database and look up bobsshoes.com you see it’s owned by Bob’s Shoes Inc, now you can recognize that there is a legitimate interest in that domain. So that might not be such a great option for dispute. And then thirdly that the domain was purchased in bad faith and that would be your squatters or your counterfeiters, that sort of thing, with the intention of maybe selling the domain back, and again without that who is information it does make it a little bit more difficult to do that research.

So since this information is mostly hidden in WHOIS the disputes may need to be filed before you even know who that registrant is. Now once the dispute is filed, then the registrar has to lock the name and disclose that information. So then you might have more opportunity to do some more research but you’ve already filed your dispute by then and upon further research, you may send in an amendment which may cost you or your client more money. So as you can see there are quite a few challenges in researching what used to be so much easier for us all to prove that you or your client’s trademark is being infringed upon. So one more option that a lot of clients are doing, are using the DMCA takedown process to immediately halt a domain. Meaning if there is a counterfeit or other infringement rather than going the UDRP process to try and take the domain away they just want that domain shut down, they want that site down and so that process is a little bit different in which you’re appealing both to the domain registrar and to the hosting provider where the site is. So the regulations. I mean it’s almost like the Wild West out there with respect to that because every hosting provider has their own regulations, their own policies and not such an easy process and not being able to even know who the registrant of the domain name is, is harder and that’s because they are not required to release that information to you for a DMCA takedown process. They’re supposed to be taking care of that on their own. I put the supposed in quotes. So there are times when they actually do follow through with that.

new GDPR landscape UDRP/URS

And for instance, we had a client who wanted to do a UDRP on a domain but upon further research outside of the WHOIS database we realized that that was a reseller of theirs that was authorized to sell their products but because they didn’t have access to that WHOIS that was something they couldn’t find out right away. So the next thing we’re finding issues with, with the redacted information is acquiring domains for clients and if you are a law professional and you are helping your clients perhaps with their new product or a service, then you might go to the WHOIS database to research the owner of that name and try to purchase the name from them. That can be difficult now when even the people who legitimately own a domain, legitimately want to sell it can’t be found makes a little bit more difficult for you and your client. So there are other options than WHOIS for researching it but it definitely does add a little bit of time and detective work necessary in order to find that domain owner. So if you do have issues with that there are domain brokers that can assist. They have a bunch of a very large network a bunch of owners in their network, in which case they can recognize these patterns and make a good educated guess as to who the owner is, as there are owners that own you know half a million names. So you know the acquiring domains for clients is also a way to avoid the UDRP or URS process and so you might consider that over the dispute if you can find that information. It is out there it just takes a little bit more work. Okay.

And so, in summary, we have gone over the challenges of the new WHOIS database and how it’s going to be different for you moving forward at least until May 25th 2019. We’ve also discussed the benefits of maintaining privacy and I wanted to add one thing to that, that Anthony explained, is that if you do have a client that has a new product or service and they are looking to acquire these domains and it’s something that they want to keep secret for now, consider that privacy and you want to ask your registrar is there is privacy available for this. Because as you’ve seen and all the different WHOIS examples it is a little bit varied. And so if you really must maintain secrecy make sure that you check to see if privacy is available for that need. And that will protect your client and his new brand or service. So we’ve also discussed trademark and IP enforcement and how there might be a few more challenges for you if you do need to file disputes as well as reaching the owners of domains who really do want to sell them and have the ability to help your client move their brand forward with that name.

And Anthony I think you were going to kind of talk a little bit about gated WHOIS? Yes?

Anthony:
Yeah so to wrap up here and you guys will notice on your webinar Domains and WHOIS in the New GDPR Landscape there is a place to submit questions. So if you do have any questions we have about 15 minutes of time allotted to that so just type your question in there and we’ll answer it as best we can.

But as far as looking forward, as I mentioned the temporary spec expires in May of 2019 and the domain industry is working towards final structures and models for WHOIS that will apply to all registries and registrars, because there are a lot of questions still up in the air as far as what European registries and registrars are required to do according to the letter of the law versus what ICANN is requiring of them contractually. There have been a couple of lawsuits filed in Germany to attempt to shed light on some of these grey areas which are still outstanding. In conversation with the industry, it looks like we’re moving towards a gateway WHOIS model. And by that I mean, having a WHOIS database that contains all the records but restricts who is able to access those records to parties with a legitimate interest, law enforcement, IP practitioners, governments, different things like that. The question of who and how to vet that access is a fairly daunting task.

Currently, the way this is working is if a registry a registrar gets a request for information on a WHOIS record that has been redacted. It’s essentially up to that registry or registrar to make a determination if they grant that request if that request is legitimate. So we’re seeing companies develop their own policies in the interim on this. Now things like law enforcement, requests we require many other registrars are the same. So it would be the stuff that you would expect. You can’t expect to be an attorney representing a brand, calling up a registrar, or sending a forcefully worded letter and really see much progress going that route. You’re typically going to be asked for a subpoena or a court order of some sort to furnish that information. Because again, registries and registrars with the gravity of the fines imposed by the European Union are erring on the side of caution. You know most of the players in this industry aside from the big few are small players that you know definitely don’t want to get their hands tangled in any mess here.

We’re also going to see over time, many of you are aware of companies like domainstools.com and other websites that aggregate WHOIS data, historical data, and obviously that historical data is then aggregated so it’s there, but we’re seeing this data being replaced with redacted data or incomplete information and we’re going to continue to see that until that historical data is no longer easy to obtain. But it is in summary. We know, WHOIS that we are all used to is never going to return to what it was. So, unfortunately, that makes our jobs and many of your jobs more difficult in many aspects as we’ve gone over, but there are still ways to address these things and as we work with generally every registry in the world, you know we have insight into a lot of the moving parts and we are here to offer advice and any questions that your clients have. So feel free to reach out to us at any time. You’ll get our contact information in the webinar Domains and WHOIS in the New GDPR Landscape and we will send a follow-up e-mail. So Kimberly are there any questions?

Q&A Portion

Kimberly:
Yes, there are. There are a couple from Bob and this one might be for you, Anthony.

Question: He wants to know can SSL cert issuers such as DigiCert see the WHOIS information and permit SSL certs to be issued. Are they, what are they doing now?

I’m guessing that’s going to be gated WHOIS if that ever happens.

Anthony:
That will be gated. We do have a process with that but that process is still able to be done with the SSL issuers.

Kimberly:
So right now it’s still happening with… I’m seeing the requests come in so they must have a way.

Anthony:
So we get requests for example or when private registration is enabled and that’s another argument for private registration in that there is a published email address there so they know how to contact you and then you can contact them back, and in a lot of times the register will get involved in that process, as well as we do. So we haven’t seen any major effect in that.

Kimberly:
Okay perfect. And there’s question from Aaron.

Question: If I find a domain that is very similar to my own what should the first step, what should first steps should I take if I am unable to contact the website owner through their own website? What methods have you found most effective?

Well, that’s a big question. You know there’s a lot of different, the WHOIS database is mostly redacted, however, there are other ways. I mean I have gone to social media, I have gone to other, you can sometimes do some research as to ownership of that registrant of other domains and reach them that way. There have been times when you know before I became a domain broker and I was buying domains I had to contact a domain broker because of the network aspect of it and that’s probably the most important part is having that network because with many millions of websites as there are out there it’s pretty hard to find that needle in a haystack unless you know you’ve got some paths to follow.

So we’re always happy to help you with that. If that’s a question you have about reaching a registrant you can always contact us and we can help guide you in that direction.

And we have a question from Maria. If we checked a person has registered a domain name under a trademark held by our client and we are interested in sending a cease and desist letter before starting a proceeding, how come we know the contacts details? Anthony, you want to answer that one?

Anthony:
Yeah, that’s a very difficult one and in many cases, you will not be able to get that contact information. One other avenue in looking at that is to look at the chain of providers in the situation. You have the registry and the registrar, as well as the hosting provider. Each of these entities has their own terms and conditions in dealing with trademark infringement. I know our terms and conditions prohibit trademark infringement or infringing content. So when we get an inquiry or cease and desist we will pass it along the registrant ourselves on your behalf, when you’re inquiring. Now our policies specifically state that if we don’t get a response from the registrant then I believe 15 days that we will put the domain on hold. So in our system, you’ll minimally get a response. Unfortunately, other registrars don’t follow those practices, especially when you’re dealing with the smaller ones you know in a smaller country or on the other side of the world that that’s that is one of the downsides here with GDPR is the ability to send out a C&D. And so, as Kimberly mentioned before, what one tactic is really filing starting that UDRP process the registrar will pass that information along and then you’re then you’re going through that process. So it’s somewhat trial and error when you’re getting into country codes, it could be a whole different story. So UDRP is generally ICANN sponsored names if you’re looking at country code names, different registries have different policies, we are familiar with all these policies and we can perhaps provide some guidance on any cases that come up for you.

Kimberly:
Okay, and Jeff has a question.

Question: Why do registrars allow the registration of trademark terms to begin with?

Anthony:
That’s a good question and one that we get asked by employees when they come in. And generally registrars are not the authority and they’re not the arbiter on enforcement of trademark rights. There’s no real way for a registrar to know or be knowledgeable of all the trademarks registered out there. Obviously, we can be knowledgeable of the bigger brands out in the world. But it really is something that registers are not in the job of doing. Now, if there are patterns with customers and registering infringing names, many registrars again, go back to their terms and conditions and there may be some options there, to enforce that if you see a pattern. But unfortunately, that’s really where it ends.

Kimberly:
And we have a question from David. Hi David.

Question: With the disappearance of WHOIS as we once knew it, what are currently some of the best ways for domain owners interested in selling their names to make themselves accessible to buyers?

I love this question because I love hooking up buyers and sellers. So here’s what I’ve seen some people do, David is rather than just leave the page as parked. They will put up the one-pager that has the contact information on it, a contact form, content, anything like that. If you have a bunch of websites you can link to other websites, you can put up some content to help with SEO at the same time. And so as most of us will research we will eventually go to the site. Don’t go to the site first. Don’t go to the site first. Go to the site later because if it’s not registered then the eye, your IP provider is actually selling that information.

So you would put up a little site for that. When people are visiting they will be able to contact you directly. You don’t necessarily have to put a price up there, just say, are you interested in the site contact us. And you know there also is hopefully in this next round of regulations the ability for domain registrants to opt-in to their information being shown which would alleviate the whole problem. But until then you know put up those little single page sites and hopefully, that will get you some more buyers.

Anthony:
Further to that Kimberly, the opt-in process, it actually is in the temporary spec, but the wording and language state that registrars must implement as soon as practically possible. So the wording really gives a big scope on to when registers can implement that, we are working on the implementation on our site. So the way it would work in the system is when you register your domain name you can opt-in to having your information, your personal information published on WHOIS. So I imagine with the final spec that wording will be tightened up and it will be a requirement by a certain date so that that will help those that are looking to sell names.

Kimberly:
Ok, we have a question from Johann, I hope I pronounced your name right.

Question: When you said that you ask a domain broker to get information about the owner of a domain, isn’t the domain broker breaking the rules of GDPR, giving out personal information that you need, or did I misunderstand the question?

That’s a good question. Generally, the domain broker will be doing the contacting for you meaning that they won’t be handing over information. Now domain brokers aren’t, it depends on for whom they’re working, right? If it’s a European company then that may be a little bit different. But Anthony you may want to explain that a little bit more. I would personally not be handing out that information to someone but maybe perhaps guiding them to find it on their own.

Anthony:
Correct. I haven’t seen brokers, they tend to keep client information confidential but they will they will act as a liaison between.

Kimberly:
Ok.

Question: Simon is wondering is it possible to start a UDRP proceeding without knowing who the respondent is? If so, which information does one submit?

Yes. You can submit it without knowing. You can simply, I don’t have the legal terms for right now, but you’re basically saying the registrant of this domain name and that’s how you would submit your dispute prior to knowing who the registrant is. OK. Any other questions? Looks like we are right on time here. Anything else for you, say Anthony?

Anthony:
No, I just want to thank everybody for attending. There will be a recording this webinar Domains and WHOIS in the New GDPR Landscape available shortly after, and like I said, we plan on doing these once per quarter on a timely topic so hopefully, you found this information useful and helpful in your daily practice. And thank you for taking the time out of your day. Have a wonderful afternoon.

Kimberly:
Thank you all. Bye.

Thank you for attending our first webinar on Domains and WHOIS in the New GDPR Landscape. For more information please visit our Corporate Brand Services.