More than a year has passed since the General Data Protection Regulation (GDPR) came into effect.
As a result, the Internet is littered now with articles about the fines Data Protection Authorities have levied against big data processors. However, there is at least one GDPR news angle that has not garnered as much attention – the adverse impact that GDPR has had on those who work daily to clean up the Internet.
Following the GDPR, domain name registries and registrars have opted to redact, from public display, registrant contact information from their WHOIS records. As we reported in our blog post last October, domain name registrant information is used by cybersecurity experts, brand protection service providers, law enforcement agencies, intellectual property owners, and child protection advocates to identify, contact, and prosecute individuals who publish various forms of illegal or harmful content.
The lack of access to registrant data has greatly impacted efforts to protect, not just for Internet users, but all of civil society. Just this week, an article appearing in Bloomberg reported on how GDPR may be impeding the pursuit of terrorists. For more than a year, MarkMonitor has been tracking the impact of redacted WHOIS records on our AntiCounterfeit, AntiPiracy, and AntiFraud services.
An updates on the impact
In response to identified IP infringement, phishing attacks, and other forms of fraud targeting our clients and their customers, the MarkMonitor enforcement team regularly queries public WHOIS databases to find the registrant’s name and contact information in order to send a cease and desist letter or infringement takedown notices. After GDPR went into effect, however, WHOIS queries returned little or no public registrant data, so MarkMonitor had to request non-public WHOIS data from registrars and registries directly.
MarkMonitor’s current success rate for obtaining registrant information is 49% as shown below:
From the data we have collected over the past year, merely 44% of WHOIS records searched have full, un-redacted registrant information. Further, this data point is skewed due to high success rates in our early data collection, as a result of initial publication by registrars and registries that would later redact this data.
To show a clearer picture, we have found full, un-redacted registrant information for just 6% of infringing domains searched in 2019 to date. Of the number of complete WHOIS records that have been successfully obtained by request, most have been provided by registrars compared to registries.
Most registrars, however, have simply denied or ignored requests for registrant information. Of more than 1,200 requests made to more than 70 registrars, registrars have responded with WHOIS data only 13% of the time. Eighty-seven percent of the WHOIS requests were either ignored (no response to the request was acknowledged) or denied.
For analysis purposes, requests that were ignored or “auto-acknowledged and pending” for more than 30 days without any response are deemed to have been denied.
As required by ICANN’s Temporary Specification for gTLD Registration Data, some registrars have developed anonymous email addresses or web forms that enable third parties to send notices to the registrants without disclosing registrants’ personal information. Unfortunately, registrars have been slow to implement these mechanisms, and some do not yet have such these mechanisms in place.
Even with a registrar-facilitated contact mechanism available, brand owners are still unable to identify the registrant and cannot contact the registrant confidentially if forced to use a registrar-facilitated contact platform.
With access to registrant information in publicly available WHOIS severely inhibited, MarkMonitor has had to adjust its enforcement strategies and processes to adapt to a post-GDPR world. Currently, MarkMonitor has witnessed a 12% loss of operational efficiency when it comes to performing brand enforcement activities.
Successes in spite of the challenge
Without reliable access to WHOIS data, and despite significantly mitigating these impacts with enhancements in our website owner detection technology, it takes more time for our enforcement teams to find reliable contact data to enable sending takedown notices to website owners.
MarkMonitor has hired additional brand analysts to address the reduction of efficiency caused by more manual searching for registrant contact data and more manual requests for WHOIS data. Additionally, we have spent hundreds of thousands of dollars to train personnel to treat each infringing or fraudulent domain as if the WHOIS information was hidden by a privacy or proxy service, triggering novel, alternative enforcement methods.
While the lack of WHOIS information has made it more difficult for MarkMonitor to combat fraud and enforce the IP rights of its clients, we are still able to take down infringing and fraudulent websites at the same level of success per attempt due to our substantial investment in enforcement training and detection technology.
EPDP: What’s happening now
ICANN’s expedited development process working group (EPDP) is currently working on a policy that will allow law enforcement agencies, cybersecurity organizations, and IP rights holders access to the registrant data, but implementation of such a policy is more than a year away as show by ICANN’s latest timeline.
MarkMonitor continues to advocate through the EPDP, through other industry groups in which we actively participate, and directly with registrars and registries for access to the domain registration data our clients need to protect their brands and their customers from counterfeits, cybersecurity issues, fraud, and worse.
We welcome continued input and collaboration with our clients on this important work and invite you to join us for a GDPR Impacts webinar to learn more.