Latest news of the domain name industry

Recent Posts

Facebook clashes with registrars after massive private data request

Kevin Murphy, July 26, 2018, 13:50:53 (UTC), Domain Policy

Facebook is on the warpath, testing the limits of personal data disclosure in the post-GDPR world.
Via an intermediary called AppDetex, the company recently filed 500 requests for non-public Whois contact information with various registrars, covering potentially thousands of domains, and is now complaining to ICANN that almost all of the replies it received were “non-responsive”.
DI has learned that Facebook is not only asking registrars for Whois data on specific domains it believes infringe its trademarks, however. It’s also asking them to provide complete lists of domains owned by the same registrant, along with the Whois data for those domains, something registrars have never been obliged to provide, even pre-GDPR.
It’s now pissed that almost all of its requests were blown off, with registrars giving various reasons they could not provide the data.
AppDetex is a brand protection services firm and ICANN-accredited registrar. It’s built an automated system for generating Whois disclosure requests and sending them to registrars.
Ben Milam, its general counsel, wrote to ICANN last week to urge the organization to come up with, and more importantly enforce, a framework for brand owners to request private Whois data.
The company has stopped short of filing formal complaints against the registrars with ICANN’s compliance division, but Milam said it will in future:

we do plan to file complaints in the future, but not until ICANN has (i) established proper disclosure guidelines for non-public WHOIS requests for the registrar base to follow, and (ii) implemented an enforcement process that will ensure that brand holder requests are being satisfied.

The letter says that only one registrar responded adequately, to three of its disclosure requests. That was FBS Inc, which I believe is Turkey’s largest registrar. Turkey is not in the EU.
One registrar on Facebook’s naughty list is Ireland-based Blacknight Solutions, which received three disclosure requests but did not provide AppDetex with the information it wanted.
Blacknight CEO Michele Neylon shared a copy of one of these requests, which he said was received via email July 2, with DI.
In my view, the request is clearly automated, giving the registrar a deadline to respond 48 hours in the future accurate to the second. It cites five Facebook trademarks — Facebook, FB, Instagram, Oculous and WhatsApp.
At Blacknight’s request, I won’t disclose the domain here, but it begins with the string “insta”. At first glance it’s not an clear-cut case of cybersquatting the Instagram trademark. It’s currently parked, displaying ad links unrelated to Instagram.
The email asks the registrar to turn over the full non-public Whois contact information for the registrant, technical contact and administrative contact, but it goes on to also ask for:

4. All other domain names registered under this registrant’s account or email address
5. All information in requests 1, 2, and 3 for all domains provided in response to request 4

This would increase the volume of Whois records requested by Facebook from 500 to, very probably, thousands.
This reverse-Whois data was not previously available via vanilla registrar-provided Whois, though it may be under successor protocol RDAP. Brand owners would have to use a commercial third-party service such as DomainTools in order to connect a registrant to the rest of his portfolio.
It’s debatable whether registrars will be obliged to provide this reverse-Whois capability on non-public data to brand owners even after RDAP becomes the norm.
The request says Facebook needs the data in order “to investigate and prevent intellectual property infringement and contact infringing parties and relevant service providers” and “to facilitate legal action against the registrant”.
Facebook says it’s entitled to the data under Article 6(1)(f) of the GDPR as it’s “necessary for the purposes of our legitimate interests, namely (1) identifying the registered holder of a domain name and their contact information to investigate and respond to potential trademark infringement and (2) enforcing legal claims.”
Currently, registrars are governed by ICANN’s Temporary Specification for Whois, a GDPR-related Band-Aid designed to last until the ICANN community can create a formal policy.
Access to non-public Whois data is governed by section 4 of the Temp Spec, which reads in part:

Registrar and Registry Operator MUST provide reasonable access to Personal Data in Registration Data to third parties on the basis of a legitimate interests pursued by the third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Registered Name Holder or data subject pursuant to Article 6(1)(f) GDPR.

In the absence of a formal ICANN policy, legal precedent, or specific guidance from data protection authorities, it’s not abundantly clear how registrars are supposed to comply with this clause of the spec, which may explain why Facebook is getting different responses from different registrars.
Neylon said that Blacknight responded to the disclosure requests by asking Facebook to produce an Irish court order.
He said the requests were overly broad, did not provide any contact information for the requester, did not provide a specific complaint against the registrants, and did not specify what privacy safeguards Facebook planned to subject the data to once it was handed over.
It seems Blacknight was not alone. According to AppDetex’s letter to ICANN, at least six other registrars replied denying the requests and saying:

complainant (Facebook) must utilize legal process of a subpoena or court order; complainant must file a UDRP action; complainant must file an action with WIPO; complainant must contact WIPO; and/or complainant’s request has been forwarded to the domain owner.

Milam said (pdf) that he expects the volume of requests to increase and that registrars’ responses will be forwarded to ICANN Compliance to help create a normalized framework for dealing with such requests.



Tagged: , , , , , , , ,

Comments (6)

  1. David Cake says:

    I think where you say RDDS, you probably mean RDAP (the new protocol that will replace RDAP), RDDS as a term refers to ‘the system of things that do WHOIS type things’ – I.e. the RDDS is the thing that is being changed, not the thing it is changing too. And the change in protocol should change very little about the data – the policy to change what data is exposed was to be determined by the Next Geberation RDS working group, now it will be by the temporary specification that is the subject an the new EPDP.

  2. Marc McCutcheon says:

    Facebook own AppDetex right?

    • Kevin Murphy says:

      Not to my knowledge.

    • Jim Prendergast says:

      I think that’s right – http://domainincite.com/20286-facebook-bought-a-registrar Unless its Fake News

      • Kevin Murphy says:

        You know I don’t lie, Jim, and I’d appreciate it if you don’t use the phrase “fake news” here again, even as a joke.
        Focus IP, Inc. dba AppDetex, obtained the accredited registrar IANA ID 2475 from ICANN in 2015.
        In March 2016, the accreditation 2475 was transferred to RegistrarSEC LLC.
        RegistrarSEC is now owned by Facebook (see https://registrarsec.com)
        That’s the story I wrote that you linked to (http://domainincite.com/20286-facebook-bought-a-registrar).
        In September 2016, Focus IP, Inc. dba AppDetex — the same company that sold its original accreditation to Facebook — obtained a new registrar accreditation, IANA ID 3235.
        In the article about Facebook buying up the first accreditation, I wrote, clearly speculating, that: “My guess is that Facebook is interested in RegistrarSEC’s parent’s intellectual property, rather than its registrar.”
        In the terms of that story, I was dead, dead wrong. As far as I know, Facebook did not acquire any intellectual property as part of that deal. I was speculating and I was, to the best of my current knowledge and with hindsight, wrong.
        What Facebook did get with the acquisition of AppDetex’s first accreditation was a quick way to avoid Chinese law, which I wrote about here http://domainincite.com/20290-facebook-under-chinese-court-threat-transfers-instagram-com-to-its-new-registrar
        I have no information whatseover to suggest that Facebook has acquired any IP from AppDetex.
        But Facebook’s head of domain strategy is married to AppDetex’s general counsel, so I’m going go out on a limb and and suggest they’re kinda on the same page in many respects when it comes to AppDetex’s IP.

Add Your Comment