Acting to protect online privacy concerns, a district court recently issued a preliminary injunction against DomainTools, LLC enjoining it from accessing the register for the .nz top-level domain or publishing any .nz register data it had stored in its own databases. But the decision threatens to make investigations of online trademark infringement and cybercrime more difficult.

The case was brought by Domain Name Commission Limited (“DNCL”), the New Zealand entity that regulates the use of .nz for domain names. DomainTools collects domain name registration information from around the world and, using its current and historic domain name databases, sells monitoring and investigative services and products, such as contact information for domain name registrants (referred to as WHOIS records). DNCL alleged that the way DomainTools accessed, stored, and/or used .nz domain and registrant information constituted a breach of DNCL’s Terms of Use, as well as the Computer Fraud and Abuse Act and the Washington Consumer Protection Act. The court granted DNCL’s motion for a preliminary injunction, finding that DNCL was likely to succeed on the merits of its breach of contract claim. Several points in the court’s order are worth noting.

First, DNCL cited as a likely irreparable harm its inability to attract New Zealand customers if it could not guarantee increased privacy regarding personal contact information. DNCL had conducted a review of its privacy services that showed New Zealanders were concerned about online privacy issues and believed that personal information was too readily available. In 2017, DNCL had created an option for noncommercial registrants to request that their information be kept private. The court found that DomainTools’ activities were “sabotaging [DNCL’s] efforts [to respect the privacy concerns of its customers] by continuing to publish the contact information and historical data it collected in violation of [DNCL’s Terms of Use].”

Second, balancing the hardships, the court noted that DNCL did not demand that DomainTools delete all .nz data from its database, but only adjust its search criteria or, alternatively, scrub from search results all information with a .nz domain name. Notably, DomainTools argued that if a preliminary injunction issued here, that could precipitate “an avalanche of litigation as other registers attempt to protect the privacy of their registrants.” The court was unmoved, stating: “It would be ironic . . . if a plaintiff who has shown a likelihood of success and irreparable injury were deprived of preliminary relief simply because defendant may have acted wrongfully toward others as well.”

Finally, the court dismissed DomainTool’s argument that the data it provides “are critical cybersecurity resources and that the public interest would be harmed if the reports provided to government, financial, and law enforcement entities were incomplete because the .nz data were excised.” The court weighed the public’s privacy and security interests more heavily, finding that DomainTools “and its customers can access the registration information directly through DNCL’s website if it appears that a bad actor is using an .nz domain.’ On the other hand,” the court continued, “the .nz registrants’ privacy and security interests are compromised as long as defendant is publishing non-current or historical .nz information out of its database.”

But the decision may adversely affect the investigation of wrongful and illegal conduct. Current and historical WHOIS records are a vital investigative tool that brand owners and law enforcement authorities use to quickly research and respond to cases of online trademark infringement, counterfeiting, cybersquatting, phishing, and other cybercrime. The privacy concerns animating the court’s decision, however, reflect a growing world-wide trend. Earlier this year, Europe’s General Data Protection Regulation (“GDPR”), which protects against privacy breaches and data thefts, went into effect. Different domain name registrars have taken different approaches to compliance: some selectively redact WHOIS data for EU residents only, while many have removed data for all domains save for an anonymous email address directed to the registrar. But the impact has been clear. Prior to the GDPR, DomainTools estimated that the identities of less than 25% of domain registrants were concealed (principally because they used privacy protection services). Post-GDRP, however, the identities of a majority of registrants are concealed—either by the registrars or the registrants—making information that used to be readily available far more difficult to obtain. As a result, domain registrants with criminal or infringing intents are granted an added layer of anonymity.

At minimum, the court’s decision suggests that privacy concerns—which may gain greater protection in the future—will continue to complicate domain name investigations. Brand owners, as a result, will need to devote increased time and resources to ascertain identifying information about online counterfeiters and trademark infringers.

The case is Domain Name Commission Ltd. v. DomainTools, LLC, Case No. 2:18-cv-00874-RSL (W.D. Wash. Sept. 12, 2018). DomainTools has appealed the decision to the Ninth Circuit.