Whois, We Hardly Knew Ye: GDPR Spells Doom For Domain Name Ownership Transparency

by Foley Hoag LLP - Trademark, Copyright & Unfair Competition

Foley Hoag LLP - Trademark, Copyright & Unfair Competition

By now, our readers are likely familiar with the General Data Protection Regulation (“GDPR”), the sweeping, European Union-wide legal and regulatory regime that provides enhanced protections for personal data.  The GDPR, which goes in effect on May 25, 2018, is expected to reshape the digital data landscape in the EU and beyond.  My colleague Catherine Muyl (from our Paris office) provided a helpful GDPR overview back in January, and you can check out our Security, Privacy, and the Law blog for more information on GDPR implementation and its far-reaching effects on personal data.

Among such far reaching effects, it seems likely that the GDPR is going to adversely affect Whois and its critical role in intellectual property enforcement.

Whois? What’s That?

The domain name system is overseen by the Internet Corporation For Assigned Names and Numbers (ICANN), which contracts with domain name registries (the operators of top-level domains such as .com, .org, .co.uk, .ninja, and so forth) and domain name registrars (the entities that manage the reservation/sale of domain names).  Registries and registrars are contractually obligated to maintain databases of domain name registrant (owner) information via an ancient-by-internet-standards query and response protocol known as WHOIS, commonly spelled as “Whois” and pronounced “who is.”  In case you’re wondering, WHOIS is not an acronym, but merely the two words designed to answer the question, “who is the domain name registrant?”

Whois information provides a host of domain name ownership information, including so-called “thin” registration information including domain creation and expiration dates, and registrar identity, as well as “thick” information, including the registrant’s name and organization, contact information including physical address, telephone number, and email address, and the same information for administrative and technical contacts.  Thanks to the “thick” information, the Whois system is often a crucial tool for intellectual property policing and law enforcement.

Existing Whois Limitations

It should be acknowledged that Whois isn’t the perfect tool even in the best of times.  Despite the requirement that registrants provide complete and accurate ownership information and the (somewhat anemic) efforts by registrars to periodically confirm that accuracy, Whois information is frequently incomplete or incorrect.  Availability of Whois data varies by registrar and registry – there is no centralized Whois database for all domain names – and hunting for the right database can be a pain.

Additionally, Whois data can optionally be protected (for a fee) by a privacy service – this is a service, typically provided the registrar of record or an affiliate, which will “hide” a registrant’s true identity using generic Whois information specific to the privacy service, and with an email address that typically forwards emails to the “true” registrant.  Since they shield the registrant’s identity, privacy services can be particularly frustrating for intellectual property owners looking to enforce their rights against cybersquatters or otherwise infringing websites.  And while such services often have complaint procedures by which an aggrieved party can request the registrant’s identity if the registrant has engaged in unlawful activities, privacy service providers are not uniformly responsive to such complaints, and they often present a frustrating delay to enforcement activities.

First, The Bad News

So what happens when you combine a continent-wide, sweeping data privacy law and an already imperfect domain name ownership information system?  I’ll bet you can see where this is going.  For intellectual property owners, the results are likely to be predictably unpleasant in the short term, and probably won’t be much better going forward.

To start with, ICANN itself – with its various constituencies and stakeholders of sometimes clashing interests – has not yet finalized an interim compliance model for GDPR, with less than a month remaining until the May 25 implementation deadline.  A proposed interim model, distributed back in March for comment and discussion purposes, shows us what Whois might look like post-GDPR, but discussions are very much ongoing, and it seems increasingly likely that a good amount of Whois data is going to simply “go dark” as of May 25, 2018.  While Whois information availability is likely to vary by registrar and registry, here is what we’re likely to see on May 25 (if not sooner):

  • Registrant name and contact information will be redacted, missing, or otherwise inaccessible.
  • In the short term, it may not be possible to access such information, even for legitimate IP or other law enforcement purposes, absent a subpoena.
  • Similar to the existing privacy services, there will probably be a proxy email address where registrants can be contacted.
  • “Thin” Whois data, including technical information such as the name of the registrar, registration status, and creation and expiry dates, should generally remain available.

As you can see, the short-term landscape seems inconvenient at best.  Now what about the good news?

Sorry, More Bad News

I couldn’t helpful myself.

Now, since the GDPR only applies to the personal data of natural persons residing in an EU member country, you might reasonably expect two things to be the case: first, that Whois information for domain names owned by companies and organizations in the EU will be unaffected, and second, that all Whois information for persons and located outside of the EU will remain unchanged.

At least for now, this appears not to be the case.  First, ICANN’s interim model requires that, for various reasons, the restrictions apply to legal persons – that is, entities – as well.  Second, the interim model permits registries and registrars to implement the restrictions more broadly in any event.  Third, the time crunch combined with the practical and technical difficulties of implementing different Whois availability based on registrant location means that registries and registrars are going to err on the side of over-inclusion to avoid running afoul of the GDPR.  Finally, as it appears that the GDPR may be but the first of many similarly sweeping data privacy laws being rolled out in various jurisdictions worldwide, some registries and registrars are going to choose to implement restrictions as widely as can be permitted, anticipating multi-jurisdictional alignment on privacy concerns.

The upshot is that the GDPR-imposed Whois limitations are unlikely to stay confined to EU-based registrants, and that widespread adoption of these limitations, however they ultimately and officially manifest, is foreseeable.

What Does the Future Hold for Whois?

Over the next month and beyond, the ICANN community will work to develop and tweak a long-term Whois model.  As suggested in the interim model, it is likely that there will be some manner of “gated” access for “accredited,” authorized parties to access “thick” data, assuming such data continues to be routinely collected (which is hardly a foregone conclusion).

Many questions remain.  If there is an accreditation process, who can be accredited?  What will the accreditation process look like?  How will an accredited party request thick data?  What data will they receive, and how quickly?  Will it end up being more efficient to seek a subpoena?  All very good questions, and all frustratingly difficult to answer at present.  But it seems relatively certain, at this point, that the Whois we’ve come to know and love – despite its imperfections – is about to be a thing of the past.

How to Be Involved

If you are inclined to be proactive in addition to nostalgic with regard to Whois, brand owners and others concerned about these unfortunate Whois developments are encouraged to become actively involved in the ICANN community and policymaking process, either via commenting directly to ICANN after a long-term Whois model is proposed; joining the Intellectual Property Constituency (the ICANN stakeholder group representing the views and interests of IP owners); or by working with one of the many bar and industry associations, such as the International Trademark Association and the Intellectual Property Owners Association, dedicated to brand owner advocacy.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Foley Hoag LLP - Trademark, Copyright & Unfair Competition | Attorney Advertising

Written by:

Foley Hoag LLP - Trademark, Copyright & Unfair Competition

Foley Hoag LLP - Trademark, Copyright & Unfair Competition on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at info@jdsupra.com. In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at: info@jdsupra.com.

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.