As we reported in our Post-GDPR Compliance Rate retrospective in January 2020, the registrar compliance rate in response to verified requests for redacted registrant information submitted through the Appdetex WHOIS Requestor System was 25 percent. Our most recent report shows the compliance rate has increased to 27 percent, based on a total of 243 requests for redacted WHOIS information sent to 68 registrars from January 1, 2020, through February 24, 2020.
While this rate is an improvement over the initial single-digit results seen immediately after the implementation of GDPR and the Temporary Specification for gTLD Registration Data (Temporary Specification), it’s clear there is still a need for improvement.
While seventy percent of the registrars we contacted in this reporting period acknowledged our requests, only 11 actually provided registrant data. Furthermore, 20 registrars have not responded in any manner. We want to recognize the efforts of the 11 registrars who have complied with our requests in working for a safer and more secure internet.
As readers of this blog know, the advent of GDPR and the Temporary Specification resulted in the redaction of WHOIS information that had been publicly available previously. This overly conservative approach continues to cause difficulties in abating domain name abuse for professionals such as law enforcement, brand holders, and investigators with a legitimate need for information about malicious behavior, consumer protection, and security-related issues. Resolving these issues often requires swift and decisive action in order to protect consumers and brands.
In anticipation of these difficulties, prior to the introduction of GDPR and the Temporary Specification, we developed the Appdetex WHOIS Requestor System (AWRS), an efficient workflow process that allows us to submit customer-verified, legitimate WHOIS requests directly to the associated registrars. This system was designed to be used by our customers to obtain non-public WHOIS data for cybersecurity, consumer protection, and intellectual property enforcement activities.
The data demonstrates that some registrars are able and willing to work within the Temporary Specification in complying with requests. In the absence of industry protocols for the request process, however, each registrar has created its own separate and often detailed list of requirements that must be met before it will comply with a request. Navigating these requirements can be complicated, and responses can be slow, which is of concern in security cases requiring urgency. Adding to this concern, we have consistently seen registrars who have neither published their process for requesting registrant data nor responded to any requests, creating virtual safe havens for nefarious activity.
These factors make it difficult, if not impossible in some cases, for law enforcement, investigators, and intellectual property rights holders with a legitimate need for registrant contact data to collect this vital information.
To reduce domain abuse and fraud, the community needs to agree on a transparent, consistent, and expedient system for providing access to registrant information in response to legitimate requests. Such a system can protect individual privacy while giving brand holders, law enforcement, and investigators with legitimate requests the access they need, closing the loophole of anonymity that criminals continue to exploit.