ICANN Seeks Independent Proposals relating to WHOIS Data

The Internet Corporation for Assigned Names and Numbers (ICANN) has issued public requests for proposals for the following studies relating to WHOIS data:

* WHOIS Misuse studies (deadline to respond – November 27, 2009 – has closed).
* WHOIS Registrant Identification studies (deadline to respond – December 22, 2009).

In both instances, the substantive study would begin in early 2010, with a completion goal of June 2010 or December 2010, to coincide with regularly scheduled ICANN meetings.

There are apparently two other studies that ICANN will pursue, but requests for proposals have not yet been issued. See Generic Names Supporting Organization. These two are Proxy and Privacy Services and Implications of non-ASCII Registration Data in WHOIS records. See ICANN Policy Update ¶ 11 (Nov. 2009) (summary description of the first three study areas and related links).

The ICANN Staff is currently managing a fifth study area, which seeks to determine the feasibility of addressing public concerns of deficiencies in the WHOIS service, including with regard to “data accuracy and reliability, as well as in other technical areas noted in recent SSAC reports, such as accessibility and readability of WHOIS contact information in an IDN environment.” See Generic Names Supporting Organization.

Background of Concerns about WHOIS Data

WHOIS data can generally be defined as the full contact information for domain name registrants, including contacts for administrative and technical purposes. A WHOIS record relating to an individual domain name can also include the IP address of the associated web site, date of creation, renewal and expiration of the domain name, and the name of the registrar used to register and maintain the domain name.

Legitimate Uses of WHOIS Data

There are several legitimate uses of WHOIS data, among them the enforcement of intellectual property rights and criminal law enforcement. Accurate WHOIS information is necessary, for instance, to determine whom a trademark owner should contact if there are concerns about unfair competition or that the domain name may be infringing upon the holder’s existing rights. This information may also be used by law enforcement agencies to police instances of fraud, identity theft and other crimes. See e.g., Federal Trade Commission Press Release, FTC Calls for Openness, Accessibility in WHOIS Database System, Continues to Recommend Enactment of the US SAFE WEB ACT, Sept. 20, 2006 (prepared statement also available); Federal Trade Commission Press Release, Accuracy of “WHOIS” Internet Database Essential to Law Enforcement, FTC Tells Congress, May 22, 2002 (prepared statement also available). There may be other legitimate business reasons to use the WHOIS registration data to contact the owner of a particular domain.

Several years ago, the results of searches of the WHOIS database for domain name owners provided robust contact information. Recently, however, the amount of information that appears in WHOIS search results has been significantly limited, most likely due to public concern about the protection of private information and conformance with other jurisdictions’ privacy laws, including foreign privacy laws such as the EU Directive 95/46/EC (officially, the “Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data,” available in multiple languages and formats through the European Commission Justice and Home Affairs page).

The method of performing WHOIS searches also has changed recently, particularly to block automated search engines (i.e., crawlers and bots) from harvesting the data contained in the records. Specifically, each time you perform a search, you are prompted to manually enter the characters that appear within a graphic image – something the automated search tools apparently cannot do.

Related Legislation

In 2004, Congress enacted the Fraudulent Online Identity Sanctions Act, Pub. L. No. 108-482 (Dec. 23, 2004) (codified in scattered sections of Titles 15 and 18). The Act did not create an independent right of action, but it provided certain enhancements to existing civil and criminal causes of action: specifically, 1) it provided a rebuttable presumption of “willfulness” if a trademark infringement action is brought against a registrant who has supplied false registration information in connection with the domain name in question (15 U.S.C. § 1117); and 2) if the registrant had been convicted of a felony (“other than offense of which an element is the false registration of a domain name”) in which the domain name at issue was registered and used in the course of committing the crime, the maximum penalty for the offense shall either be doubled or increased by 7 years, whichever is less. 18 U.S.C. § 3559. While this Act has apparently not had any wide-reaching impact, the mere fact that it was enacted demonstrates the value placed on the accuracy of this database.

Dispute Resolution

In addition, under certain circumstances, a plaintiff filing a complaint against a domain name in U.S. federal court (an “in rem civil action”) may serve the complaint by: “sending a notice of the alleged violation and intent to proceed under [15 U.S.C. § 1125(d)(2)(A)] to the registrant at the postal and e-mail address provided by the registrant to the registrar” and by “publishing notice of the action as the court may direct promptly after filing the action.” 15 U.S.C. § 1125(d)(2)(A)(ii). In this instance, the “registrant” is the person or entity who registered the domain name.

A problem arises, however, when a plaintiff attempts to contact the domain name owner directly through the “postal and e-mail address provided by the registrant to the registrar” if no such valid addresses are displayed in the WHOIS results. Specifically, if plaintiffs or their counsel attempt to reach out to the domain name owner – short of instituting litigation – to investigate whether infringement or unfair competition claims would be legitimate, the lack of valid contact information can be a significant barrier to resolution. If domain name owners invoke the private WHOIS or proxy services to shield their contact information, then it may not be possible to resolve valid claims about the legitimacy and/or non-infringement of the domain name without the investment of substantial extra time and cost. See Ian J. Black, “Hidden Whois and Infringing Domain Names: Making the Case for Registrar Liability,” 2008 U. Chi. Legal F. 431, 432 (2008); see also Network Solutions’ explanation of its private registration services (which provides alternate contact information to prevent the delivery of spam e-mails and telemarketing phone calls to the registrant, but distinguishes itself from proxy services in that it allows the registrant to remain the domain name owner and be listed in the public WHOIS database).

Similar service problems occur when a plaintiff relies on the Uniform Dispute Resolution Policy adopted by ICANN to arbitrate a domain name dispute. The Rules for UDRP Proceedings provide for service of a domain name dispute complaint through the e-mail addresses for the administrative, technical and billing contacts, to the postmaster of the domain name, and any other e-mail address the defendant identifies in response. Although the domain name dispute resolution provider (and not the plaintiff) is responsible for this service (see Rules ¶ 2(a)), the absence of valid or readily discernible e-mail addresses for the domain name holder can create problems in reaching a resolution of a dispute short of filing an arbitration complaint.

In both instances, pre-complaint discussions between the parties – or between counsel for the parties – are much more difficult when the contact information for the domain name holders is hidden. Certainly, parties can appeal to the registrars for permission to see the underlying contact information, but whether the registrar must disclose this information, and the timing of their disclosure, is not clear.

In some cases, proof of a valid dispute (e.g., service of a subpoena on the registrar) may be required before such information is released. See, e.g., Domains By Proxy’s explanation of legal issues associated with a private registration and its Proxy Agreement, ¶ 4 (providing that Domains by Proxy “has the absolute right and power, in its sole discretion and without any liability to You whatsoever, to . . . [among other remedies]: . . . ii. Reveal Your name and personal information that You provided to DBP when: A. Required by law, in the good faith belief that such action is necessary in order to conform to the edicts of the law; B. To comply with a legal process served upon DBP; or C. In order to comply with ICANN rules, policies or procedures.”) (emphasis added).

Invasive/Objectionable Uses of WHOIS Information

In its request for proposal, ICANN identified several inappropriate uses of WHOIS data that have spurred the investigation into the extent of Misuse: for example, “generation of spam, abuse of personal data, intellectual property theft, loss of reputation or identity theft, loss of data, phishing and other cybercrime related exploits, harassment, stalking or other activity with negative personal or economic consequences.” Terms of Reference for WHOIS Misuse Studies, Sept. 25, 2009, at 1; see also id. at 5 (providing definitions of e-mail spam, postal and telephone spam, phishing, abuse of personal data and identity theft).

Other Organizations Concerned about CyberCrimes and Consumer Protection
(as identified in ICANN’s Terms of Reference for WHOIS Misuse Studies RFP)

Cybercrime Researchers:
* Anti Phishing Working Group
* Privacy Rights Clearing House
* Online Trust Alliance (AOTA)

Consumer Protection, Regulatory, and Law Enforcement Organizations:
* U.S. Federal Trade Commission
* FBI/NWCC Internet Crime Complaint Center (IC3)
* Identity Theft Assistance Center (ITAC)

Resources for Conducting WHOIS Searches

Most domain name registrars offer a WHOIS search tool that they use in connection with determining whether a domain name you wish to register is actually available. Sometimes, the link to the WHOIS tool is hidden on a particular page, so you may need to hunt to find it. A few examples of the over 500 domain name registrars currently authorized to register new US domain names are: GoDaddy.com, Network Solutions, Inc., PrivateDomains and Register.com. Registration fees vary wildly between registrars, so if you are conducting a WHOIS search with the expectation of registering a domain name, shop around for the best deal that provides you with all of the tools that you need (such as web site hosting, development of web pages, e-mail management, etc.) before making a decision about which registrar to search for availability and registration of a domain name.

If you conduct a WHOIS search and find that a particular domain was registered through a particular registrar, you may wish to view the registrar’s specific WHOIS report because they sometimes contain more information about the domain name owner than the report that you find from another WHOIS tool.

Note that if you conduct a WHOIS search for a domain name through certain registrars, they may put the domain on “hold” for a short period if the domain name is available. Network Solutions describes this as a customer service benefit, allowing a customer to come back up to four days later to register a domain name that they searched. See Network Solutions Adds Customer Protection Measure. During the four-day hold period, the domain name can only be registered through Network Solutions. Id. This “hold” service may not be what you intended when you performed the WHOIS search, so be aware that the possibility exists before you conduct your search.

In addition, here are some other available tools for WHOIS searching:

* Domain Tools – offers basic WHOIS searching, as well as some other custom tools that are available for a fee.

* DomainIt – also provides a WHOIS Privacy registration. Explanation of the service (which masks your contact information and randomizes your e-mail address) can be found here. Among the reasons identified for registering the domain using this privacy service is the prevention of spam and identity theft, as ICANN raised in its own reports, above.

* InterNic’s WHOIS tool can search for domain names with the following gTLDs: .aero, .arpa, .asia, .biz, .cat, .com, .coop, .edu, .info, .int, .jobs, .mobi, .museum, .name, .net, .org, .pro, and .travel. The most commonly used in the US for general purposes are .com, .org and .net. (Note that the .edu extension generally is restricted to educational institutions.)

* Ripe NCC – WHOIS database that covers European domains, as well as those in the Middle East, Central Asia and northern Africa.

* Universal Whois Searches – also provides links to country code TLDs registrars for purposes of country-specific WHOIS searches.

* WIPO’s summary of procedures for resolving domain name disputes re ccTLDs (country code Top Level Domains). Click on the relevant country code link and you will be brought to the appropriate site for registry, WHOIS and dispute resolution. You can also access various international trademark databases through WIPO to search for potentially competing applications/registrations before filing for registration of your own mark.