The ICANN 75 meeting in Kuala Lumpur is upon us and WHOIS data access issues continue to be of significant concern for businesses and other stakeholders. One of the recent concerns that has been raised in connection with access to WHOIS data is whether some registrars still require legal process/orders to be submitted to get redacted WHOIS information.
Since the implementation of the General Data Protection Regulation (GDPR), some registrars have been requiring a legal process/order to deliver this redacted WHOIS data to brand holders. While some registrars have moved away from this requirement, our data shows that over 89 registrars of the 340 registrars to whom we have made requests still require some form of legal action or process. Here is a sampling of some of the responses received:
- If you seek user or account information of a…customer in connection with a civil legal matter, you must personally serve us with a valid subpoena.
- …we require a Subpoena or a U.S. Court Order to be issued by Law Enforcement in the U.S… Please contact the U.S. Department of Justice (USDOJ) and follow the MLAT process, which would grant us approval to present the data to the U.S. DOJ, who in turn would share the data with you.
- ...in regards to the information you have requested from our users, we require a duly issued and valid subpoena, warrant, or court order…
In addition, as it has done in the past, Appdetex has aggregated statistics on registrar compliance rates in response to verified requests for redacted registrant information submitted through the Appdetex WHOIS Requestor System; those statistics are set forth below. These requests were sent on behalf of brand holders citing intellectual property violations.
Our most recent report (from January 1, 2022, to August 31, 2022) shows the compliance rate for responses is 14% based upon a total of 2751 requests that were sent to 340 registrars. While this data demonstrates that some registrars are able and willing to work within the Temporary Specifications in complying with requests, there is still no standard process for obtaining the requested information. In fact, each registrar has created its own separate and often detailed list of requirements that must be met before it will comply with a request. Navigating these requirements can be complicated, and responses can be slow, which is of concern in cases requiring urgency.
In addition, we have consistently seen registrars that do not respond to any requests. Of the 2751 total requests sent to the 340 registrars, we did not receive a response to 761 of these requests; 194 registrars failed to respond to at least one request. In addition, we received an auto-response for 327 of these requests (from 73 registrars). On the other hand, we did receive 237 responses (from 55 registrars) that contained compliant registrant information.
The advent of GDPR resulted in registrars redacting WHOIS information that had previously been publicly available. This redaction has caused difficulties in abating domain name abuse for professionals such as law enforcement, brand holders, and investigators with a legitimate need for information about malicious behavior, consumer protection, and security-related issues. Thus, it is critical that ICANN address these WHOIS data access issues in order to protect the privacy rights of individuals without compromising the ability of law enforcement, security, and IP professionals to obtain the critical information they need.