|
The implementation of the General Data Protection Regulation (GDPR), and ICANN’s conservative temporary policy, which favors privacy and limits registrar liability, has made domain enforcement against cybersquatters, cyber criminals and infringement more difficult, expensive and slow.
With heightened concerns over privacy following high-profile breaches of consumer data and its subsequent illicit use and distribution, there is no question that consumer data protection practices would come under scrutiny. GDPR is an attempt to address consumer privacy, and ICANN’s temporary specification, which implements GDPR, allows wholesale redaction of registrant contact data for both consumers and those with malicious intent. The unintended result of ICANN’s action is that, in most cases, little more than the registrant’s country and state or province is now available in WHOIS records.
This has made it easier for individuals and/or entities with less than honorable intentions to operate anonymously. Fulfillment of requests from law enforcement, investigators, and intellectual property rights holders with a legitimate need for registrant contact data has been vastly reduced, and in many cases, has resulted in the doors being left wide open for the rampant abuse of domain registration.
Although this landscape might appear bleak at first glance, there are options for intellectual property holders and their legal teams to employ in a post-GDPR domain naming system (DNS). The redaction of the WHOIS records, while frustrating, doesn’t necessarily mean effective brand protection in the DNS is out of reach.
Since the implementation of GDPR, by working with registrars and making requests for our clients, we’ve developed best practices on how to format, transmit, and justify registrant contact requests. We’ve discovered that there is a tremendous variety in how each request must be constructed. Each registrar has specific steps, leading to a diverse set of requirements that varies from registrar to registrar and in some cases, situation to situation. And, there are varied results depending upon the registrar and circumstances of the request.
As a result of this work, we’ve developed a set of notices that have assisted our clients in obtaining speedier and more efficient resolution of domain infringement issues. Brandholders can adapt and modify these notices to fit their strategies and goals.
Brands and their customers suffer the effects of fraud and the betrayal of trust when bad actors are allowed to operate with impunity online. To help combat abuses and make digital channels safer for everyone, we’ve decided to make those notices and observations about their application available to brandholders and their legal teams with an accompanying guide to domain enforcement post-GDPR.
Sponsored byCSC
Sponsored byWhoisXML API
Sponsored byVerisign
Sponsored byDNIB.com
Sponsored byIPv4.Global
Sponsored byRadix
Sponsored byVerisign
Absolutely agree, the decision to redact specific information about who holds individual domain names is a huge issue and deserves more attention.
Access to that information is not always a nefarious thing and probably more often a good thing. For example, if problems arrise from a University or other educational entity, an ISP or even company network, it can sometimes be the only way to reach the correct people for a resolution. The whois was such a useful tool to do exactly that.
As Mr. Felman so correctly stated it also creates even more opportunity for bad actors to hide in relative safety.
Doubtful that very many take issue with individuals who chose to register a domain and place privacy on the name to avoid being harassed, if such a concern exists. After all, it is the individual’s choice to seek privacy for their domain and themselves. When businesses chose to subscribe to a privacy notice, it was, at least in this commenter’s experience, more than often a huge red flag for said bad actors.
In addition, the choice has apparently also created a huge problems within the community of people who buy and sell domains. For those individual and legitimate businesses, it makes good sense to allow for registrars providing something of a reverse privacy policy. Such a policy would allow individuals and companies to say, yes, for domain example.com, my whois information should be public. Doing so would certainly go a long way to help protect brands from exploitation and other foreseeable damage.
Though perhaps formed with good intentions, the EU GDPR appears not at all well thought out as to how it might conceivably break processes on and off the Internet. A lot of the ideas behind it are indeed good ones for the Internet consumer (the right to know how personal data is used up and down a given site’s supply chain, the right to be forgotten, right to access any data related to the individual by the individual, etc.), but it is in these kinds of cases, where huge issues can occur for a variety of other legitimate and good reasons.
Alan Maitland
Thanks Alan - This is a heated debate in the ICANN community - most either state that they are concerned about liability (largely registrars) or are aghast at the escalating levels of abuse (IP & Security interests). I appreciate your balanced view that considers operational and security issues as well as the good intent of GDPR. - Fred
Can you back up that statement with data? Our abuse desk has actually seen a reduction in abuse complaints. Let's face it, there is a balance to be reached here. The rights to privacy of domain name registrants and the rights of internet users to a more secure infrastructure. For years, one was sacrificed to the other even though many have been vocal about the unsustainability of providing private data to the world. Suggestions or requests for change were rebuffed by those who were served best by the status quo and made (usually) legitimate use of it. On the EPDP the ICANN community is currently working to bringing an ordered process for disclosure to those who have legitimate interests or legally enforceable rights. But as there are many interests to balance that process is taking longer than any of us would like. In the meantime, it may be time to lobby your local governments to implement the best solution for the loss of whois data: mandating the provision of essential data on the website and in the emails served by those domain names. in the EU, the loss of whois data has been much less of an issue due to the requirement to provide this information right on the website in an easy to find place. The domain is only used for email? Good, since the same applies to business emails. Whois was rendered near superfluous years ago. Time for other countries to follow that example.
Volker – Let me address your remarks to M. Malland: Your registrar may have seen a decrease in complaints, because it may not be the specific target of complaints. Based on research by Interisle Consulting Group as cited in their blog and here on CircleID, it appears that specific registrars and TLDs are subject to more abuse than others. However, fewer abuse complaints don't mean that there's less abuse, it may mean that those that suffer abuse and are trying to abate it don't see registrars as part of the solution and are taking other action. Many registrars aren't terribly responsive or helpful taking down abusive domains, nor is registrant contact data returned in an expedient manner in response to legitimate requests for registrant contact data as a result of abusive domains. See for example the results published by MarkMonitor and which we have also confirmed. In fact, statistically, based upon requests on behalf of our clients through June 1, 2019 the majority of registrars did not respond to requests for registrant data (196 responded, 217 did not). And of the total requests, only just over 4% were satisfied with a reveal of underlying contact data for abusive and malicious domain names. Knowing that registrars often aren't part of the solution, organizations that suffer domain name abuse and want to protect Internet users are seeking resolution elsewhere. They've gotten practical, they ask ISPs to remove to offending content as fast as they possibly can to reduce harm and ISPs respond. Responsible actors are taking action in the face of potential danger -- they mitigate the risks posed by fraud, phishing, fake product sites selling dangerous knock-off goods including toxic pharmaceuticals, malware distribution sites as well as child and human exploitation sites, not to mention hundreds of other scams that are often enabled by malicious registrations. However the underlying problem, unmitigated by registrars, the infringing or malicious domain remains registered awaiting a new host and a new scam. How about some more data? Security professionals predicted issues as a result of GDPR implementation by ICANN and the Registrars, were proved right while the FBI has discussed the growth of scams that rely on domain names and the Wall Street Journal found that consumers were easily fooled by websites that also, often rely on domain names to fool consumers:
- Early in the process the APWG polled security professionals in a survey that predicted less blocking due to ICANN's reaction and registrars action on GDPR.
- Later IBM X-Force research demonstrated that there was in fact less blocking of malicious domains validating that earlier research by the APWG.
- The FBI has recently announced that scams targeting businesses and individuals that often rely on malicious domains, Business Email Compromise, are on the rise, showing that there are actual victims -- though most, too embarrassed to come forward, don't report their victimization.
- The Wall Street Journal and Stanford research and writings show that people are more likely to fall victim to fraud on fake social and fake sites -- almost three times more likely than email or phone scams - fake sites often rely on malicious and abusive domain names to defraud internet users with support scams, fake goods, user-self-compromise schemes.
So, rather than doubting publicly that abuse occurs, is growing, and that the domain name system has a part to play in abating it, perhaps we could hustle along work at the EPDP creating truly balanced system that hastily deals with the crime that is occuring, impacting the defenseless Internet users who don't understand fakes from real, are losing their savings, having their computers rendered useless by ransomware and are left to pick up the pieces of their lives. Because at 18 months since the implementation of GDPR we still don't have a workable solution that abates real user harm. Best, FredThanks for the article and the very helpful PDF.
In our daily investigation and intelligence work we try to compensate this problem with intensive DNS-Investigations, but still we need current and historic whois information.
This guide is very welcome!
Not sure if it’s a local problem, but the links in the PDF don’t work. Maybe worth a check?
Jörn Weber
corma GmbH
Thank you for the kind words, Jorn, as well as the ‘heads up’ re: the links in the PDF. All the links should be working now and we appreciate you mentioning the issue.