When a website infringed your trademark or copyright, or otherwise violated your rights, the first place you likely went was to the WHOIS database, to find out who owned and operated that website. That database has been a great tool for intellectual property owners, and others who have fought misuse of their rights on the Internet.
But many parts of the WHOIS database are likely to slip out of public view. Because of the European General Data Protection Directive (GDPR), domain name registrars (the companies that sell the rights to use particular domain names) will soon be limiting the information they disclose about their customers, the owners of domain name registrations.
GDPR, of course, protects only the privacy of European citizens and residents, but many of the practices that it requires for Europe are likely to be adapted worldwide. Domain name registrars are unlikely to want to analyze each domain name registration for European connections, and are likely to set up their practices in all areas of the world so that they are GDPR compliant.
The WHOIS database goes back to the early days of the Internet. Each domain name registrar updates it with each new domain name registration, and the shared, updated database has long been available to the entire Internet community.
It is particularly valuable to IP owners, because websites that infringe intellectual property often don’t identify their true owners or operators on the website itself. By consulting WHOIS, you could find out who owned the domain name, which was usually the website operator, or someone closely allied with the operator. Because WHOIS gave names, physical addresses, and email addresses for the domain name registrations, an IP owner could contact the registrant about infringement occurring on the website that used the domain name.
The task of identifying website operators became a bit harder when about 10 years ago registrars began offering proxy registration services. A proxy registrar registers the domain name in its own name, shielding its real client’s identity. But legitimate proxy registrars have permitted disclosure of the true owner in particular circumstances, such as when they fail to respond to infringement claims. There are also, unfortunately, proxy registrars around the world that rarely, if ever, voluntarily reveal their clients’ identities, thus effectively shielding fraudulent operators.
The GDPR changes will, in a sense, shield every registrant from disclosure almost as fully as proxy registrations. Under the GDPR-compliance program currently being implemented by the Internet Corporation for Assigned Names and Numbers (ICANN), full information will be collected by the registrar when a domain name is sold. But the WHOIS database available to the public will show the registrant’s name only for organizations, not for natural persons. Instead of physical address, the public database will show only State or Province and Country. And instead of the registrant’s true email address, an anonymized email will be displayed to allow the registrant to be contacted.
These changes are likely to make it harder to fight infringers. Without a physical address, it will be more difficult to identify the persons committing the infringement. And infringers may simply ignore emails sent to them through the anonymized email addresses, knowing that the IP owner will have a hard time tracking down who they really are.
In this environment, access to the full non-public WHOIS data will be particularly valuable. ICANN is currently considering accreditation programs that would allow access to the non-public data for law enforcement officials and investigators who have particular needs for it. IP owners and lawyers, and other regular users of WHOIS data will be paying special attention to this program as it is developed.
The WHOIS changes now being implemented by ICANN are part of an “Interim Model”, and may be changed or updated as ICANN continues to work with its own Internet user community and with European regulators.