GDPR, WHOIS and impacts to brand protection: Nine months later

Director of Internet Policy and Industry Affairs

Last October, we posted an article describing the impacts of redacted registration data (“WHOIS”) on its domain name protection, anti-counterfeit, anti-piracy, and anti-fraud services.

As explained in that post, MarkMonitor uses WHOIS data for several legitimate purposes, including investigating infringing domain names, identifying the source of phishing attacks, and issuing cease & desist letters to cybercriminals, counterfeiters, and infringers. When GDPR became effective, ICANN issued a Temporary Specification for the collection, storage and display of registration data and, since that time, MarkMonitor has been working with registrars and registries to obtain WHOIS data needed to stop infringement and other forms of abuse.

Nine months later, while some progress has been made in terms of obtaining the domain registration data, there remain significant challenges which still need to be addressed and overcome.

Some Success in Obtaining WHOIS Data

Since ICANN enacted the Temporary Specification, MarkMonitor has successfully obtained WHOIS data for 45% of infringing domain names.

As reflected in the chart below, some registrars publish full, unredacted, WHOIS information for registrants to whom GDPR does not apply (e.g. registrants based in jurisdictions not subject to GDPR, such as the US or China). MarkMonitor appreciates the efforts undertaken by these registrars who make a distinction between geolocation of the registrants and apply the European regulation only where it is jurisdictionally applicable.

chart1

Fig. 1: Success of obtaining unredacted WHOIS for infringing domain names:
If unpublished, requests are sent to registrars. Minimal requests are made to registries due to low success rates, and the fact that thin registries (e.g. .com and .net) do not have registrant data. Considering all cases where we have been able to get WHOIS data: it is nearly eight times more likely to come from published WHOIS than from a registrar request.

Redacted WHOIS Disclosure Requests

MarkMonitor also appreciates the fact that several registrars, during the last nine months, have been instructive and cooperative including many who have taken the time to meet with our team and collaborate on improvements to our WHOIS data requests process. We value this cooperation from our fellow members of the Registrar Stakeholder Group and we look forward to continuing our collaborative efforts to make processing these data requests more efficient.

However, where WHOIS is publicly redacted, requesting this data about infringing domains has proven unsuccessful in 86% of our 1,000+ requests across more than fifteen client brands.

chart2

Fig. 2: Outcomes of analyst-reviewed requests made to registrars

While our brand protection analysts carefully review each infringement and do their best to submit complete and actionable requests each time WHOIS data is needed, we acknowledge that the Temporary Specification requires registrars to perform a balancing test between the legitimate interest of our request and the privacy interests of the registrant. We accept that, in a very few cases, the outcomes of this test may result in MarkMonitor not being given all of the data that it requests. MarkMonitor continues to engage with registrars to understand how to make requests that are more likely to pass registrars’ balancing test assessments.

Frustratingly, however, one out of every five requests we send to registrars are met with an auto-reply acknowledgement or just ignored altogether. Nine months after the Temporary Specification’s effective date, many registrars still do not perform a balancing test nor have they created the required web forms for contacting registrants, and many registrars who do respond merely issue blanket rejections, refusing to even consider requests or provide any redacted WHOIS data absent a subpoena or UDRP filing. Here are a few examples of some registrar responses we believe do not comply with the Temporary Specification because they reject the balancing test requirement:

Hello,

Please note, we are not in a position to assist you in this matter. Kindly contact the registry for further assistance.

Feel free to contact us for further queries or concerns.

Regards,

 

Hello,

The domain's contact information is protected under GDPR. We have closed this Whois Inaccuracy complaint as the visible details are accurate.

Thank You,

 

Hello Client,

As much as we wanted to assist you with your concern, but we are not allowed to provide you the details of our client. It is our policy to respect the privacy of our clients. The only details that we can provide you are the details shown in the whois lookup.

Have a great day!
Regards,

 

These types of responses are common. In fact, we have received over twenty different variations of this rejection from over twenty different registrars. These responses are problematic, and we raise this point to show that without enforceable requirements to provide registrant data where required, many registrars will default to the most risk-averse position possible.

MarkMonitor does not report these non-compliant rejections to ICANN Contractual Compliance because we reject the approach of dragging registrars through ICANN compliance proceedings but, instead, favor collaboration and good faith efforts to develop a unified/accredited access model, which we believe is the best long-term solution. We continue to call for ICANN to step up and shoulder this burden in line with its role as coordinator of the global DNS, and to stop pushing off these legally complex and potentially risky personal data processing decisions onto registrars. We look forward to continuing these discussions with many of our colleagues in Phase 2 of the EPDP as part of the solution to this problem.

Enforcement Efficiency Impacted

About ten weeks after the Temporary Specification’s effective date, MarkMonitor reported a nearly 20% decrease in enforcement efficiency as a result of GDPR-influenced WHOIS redaction. We are pleased to report that the hiring and training of additional analysts, coupled with significant investment in our detection technologies, has somewhat mitigated these impacts. In post-GDPR weeks eleven through forty, we have successfully mitigated GDPR’s impact to just over 6% loss in operational efficiency, averaging to a 10% efficiency loss since May 25, 2018.

While we have made some progress against initial setbacks caused by the Temporary Specification, especially in our infringement-focused brand protection business where results are measured in days and compiled across months, we have seen an increase in takedown times in our more time-sensitive anti-fraud (phishing) business. The average time it takes us for us to receive a fulfilled WHOIS data response is fifteen days. In line with the recent M³AAWG Survey showing difficulties experienced by cybersecurity professionals resulting from the Temporary Specification.

The lack of access to real-time WHOIS data has negatively impacted our 24/7 threat response timelines. These phishing attacks are measured in effectiveness per minute, and cannot wait for registrars to perform a balancing test, which further evidences the need for reliable, unified access to WHOIS data.

MarkMonitor will continue to monitor closely the impacts of GDPR on its work and inform the domain name and brand protection communities about the challenges that remain for cybersecurity professionals, brand protection advocates and law enforcement agencies that seek to investigate and prevent various forms of abuse to protect consumers and Internet users.

Search

Follow Us

Get all the latest updates

Subscribe
Get all the latest updates
Interests

Featured Author

Stefanie Ellis
Stefanie has over ten years’ experience in anti-fraud, brand protection and vendor relations, she has worked with a wi... More