Late last year, the U.S. Federal Trade Commission—the governmental arm responsible for protecting Americans from unfair trade practices—opened a comment period on a proposed “Trade Regulation Rule on Impersonation of Governments and Businesses.” It’s no surprise that those who are victims of or are battling online impersonation saw this as an opportunity to highlight the importance of a working domain name registration data system (“WHOIS”)—one that at least would help more quickly track down the bad actors behind impersonation scams. This should be a wake-up call to the new leadership at ICANN to expect more regulatory proposals if access to WHOIS is not restored for legitimate purposes.

The comment forum showcased wide support—across multiple industry sectors—for a workable solution to this growing issue, including the availability of WHOIS data, domain name system (DNS) abuse mitigation requirements, and trusted notifier relationships. A sample of submitted comments reveals continued frustration over the over-aggressive interpretation of the European Union’s General Data Protection Regulation (GDPR) as it applies to WHOIS:

Anti-Phishing Working Group (AWPG)

• The scope of the rule should include the use of domain names in impersonation schemes; Domain names are used for an ever-increasing number of impersonation-related criminal schemes, including phishing, online ad fraud, “knock-off” commercial product sales, and more.
• WHOIS information is vital to the investigation of impersonation scams. The final rule should recognize the now acute issue of domain name registration data (“WHOIS”). While WHOIS data is critical to investigatory capability as it relates to online impersonation and crime, it unfortunately has been significantly truncated since the misinterpretation and over-implementation of the European Union’s General Data Protection Regulation (GDPR) by domain name registries and registrars. This underlines why a final rule is critically needed. (Emphasis added)

Coalition for a Secure and Transparent Internet (CSTI)

Clearly the connection between fraud and domain name registration information has enormous ramifications for not only identifying that an impersonation is taking place, but also ensuring that remedies can be pursued for the injured party.

USTelecom

One significant challenge to members’ efforts to combat website impersonation is the lack of access to complete Whois information. Available Whois information today either provides no information at all or points to registries and proxy services instead of the real persons or entities that register fraudulent and infringing domains. These registries and proxy services often are non-responsive to legitimate requests to access the underlying data, in turn allowing the fraud to continue to the detriment of consumers. Given the emergence of this challenge to companies’ efforts to protect consumers by themselves, it is all the more critical for government agencies to intervene. USTelecom therefore supports the FTC’s use of any new impersonation rule to protect consumers from fraud that relies on misappropriation of legitimate businesses’ brands, including but not limited to domain name abuse. (Emphasis added)

Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG)

This change presents huge challenges to online enforcement efforts. Meanwhile, bad actors continue to proliferate under the new privacy rules, harming the very consumers the privacy laws were intended to protect. Intellectual property assets are leveraged to sell online counterfeit goods, for phishing, and for other fraudulent schemes that dupe internet users. Without the information provided by Domain WHOIS to facilitate online enforcement efforts, brand owners are forced to find other ways to address online abuse—often adding substantial delay and costs. (Emphasis added)

The Toy Association

The Toy Association applauds the Commission for highlighting domain names and typosquatting as examples of impersonation. These are pervasive and are central to phishing schemes where the parties responsible typically use an online location (typically a fake website or email address set up to mirror a trusted website and email address) to convince consumers to provide credit card information, login credentials, or other personal information.

International Trademark Association

The net effect of making WHOIS registration information harder to find has been to enable the parties responsible for impersonation schemes to “perpetuate fraud, infringement and other illegal acts with impunity.” (Emphasis added)

The most commonly cited reason to withhold this information—privacy law—does not apply to commercial actors and privacy law is not intended to facilitate fraud. To prevent these phishing and other Internet-based impersonation scams, it is critical to ensure that such domain name information is available to the public to allow verification of the actor behind suspicious communications (before clicking on a suspect link or responding to a suspect email) and to the impersonated companies who have the means and incentive to take appropriate action when necessary. (Emphasis added)

After almost five years of virtually no WHOIS data, the input to governmental authorities about the importance of WHOIS has been accruing rapidly. Yet, hurdle after hurdle has been thrown in front of legitimate WHOIS access.

This is a new moment for ICANN Org, and one it should seize to move down a different path and actually help those being victimized by online impersonation and other scams. Org is under new leadership at the executive and board levels. The European Union’s NIS2 directive has set the stage for clarification of WHOIS data regulation. Now is the time for Org to use its unique position to actually deter further governmental incursion into the multistakeholder model and cooperate with the broader ICANN community to form a new, appropriately liberalized model for WHOIS data usage. It is important for ICANN to once again take up and act for the public interest—the very reason for its existence.