PwC wants to be your Whois gatekeeper

PricewaterhouseCoopers has built a Whois access system that may help domain name companies and intellectual property interests call a truce in their ongoing battle over access to private Whois data.
Its new TieredAccess Platform will enable registries and registrars to “outsource the entire process of providing access to non-public domain registration data”.
That’s according to IP lawyer Bart Lieben, partner at the Belgian law firm ARTES, who devised the system and is working with PwC to develop it.
The offering is designed to give trademark lawyers access to the data they lust after, while also reducing costs and mitigating domain name industry liability under the General Data Protection Regulation.
TieredAccess would make PwC essentially the gatekeeper for all requests for private Whois data (at least, in the registries plugged into the platform) coming from the likes of trademark owners, security researchers, lawyers and law enforcement agencies.
At one end, these requestors would be pre-vetted by PwC, after which they’d be able to ask for unredacted Whois records using PwC as an intermediary.
They’d have to pick from one of 43 pre-written request scenarios (such as cybersquatting investigation, criminal probe or spam prevention) and assert that they will only use the data they obtain for the stated purposes.
At the other end, registries and registrars will have adopted a set of rules that specify how such requests should be responded to.
A ruleset could say that cops get more access to data than security researchers, for example, or that a criminal investigation is more important than a UDRP complaint.
PwC has created a bunch of templates, but registrars and registries would be able to adapt these policies to their own tastes.
Once the rules are put in place, and the up-front implementation work has been done to plug PwC into their Whois servers, they wouldn’t have to worry about dealing with Whois requests manually as most are today. The whole lot would be automated.
Not even PwC would have human eyes on the requests. The private data would only be stored temporarily.
One could argue that there’s the potential for abusive or non-compliant requests making it through, which may give liability-nervous companies pause.
But the requests and response metadata would be logged for audit and compliance, so abusive users could be fingered after the act.
Lieben says the whole system has been checked for GDPR compliance, assuming its prefabricated baseline scenarios and templates are adopted unadulterated.
He said that the PwC brand should give clients on both sides “peace of mind” that they’re not breaking privacy law.
If a registrar requires an affidavit before releasing data, the assertions requestors make to PwC should tick that box, he said.
Given that this is probably a harder sell to the domain name industry side of the equation, it’s perhaps not surprising that it’s the requestors that are likely to shoulder most of the cost burden of using the service.
Lieben said a pricing model has not yet been set, but that it could see fees paid by registrars subsidized by the fees paid by requestors.
There’s a chance registries could wind up paying nothing, he said.
The project has been in the works since September and is currently in the testing phase, with PwC trying to entice registries and registrars onto the platform.
Lieben said some companies have already agreed to test the service, but he could not name them yet.
The service was developed against the backdrop of ongoing community discussions within ICANN in the Expedited Policy Development Working group, which is trying to create a GDPR-compliant policy for access to private Whois records.
ICANN Org has also made it known that it is considering making itself the clearinghouse for Whois queries, to allow its contracted parties to offload some liability.
It’s quite possible that once the policies are in place, ICANN may well decide to outsource the gatekeeper function to the likes of PwC.
That appears to be what Lieben has in mind. After all, it’s what he did with the Trademark Clearinghouse almost a decade ago — building it independently with Deloitte while the new gTLD rules were still being written and then selling the service to ICANN when the time came.
The TieredAccess service is described in some detail here.

EURid inks trademark protection deal for non-trademark owners

.eu registry EURid is partnering on an alerts service for would-be trademark owners.
The company this week announced a deal with the EU Intellectual Property Office that will see applicants for European trademarks being able to receive alerts if and when somebody else registers the .eu domain matching their desired mark.
EURid said in a statement:

Some people have taken advantage of early publication of EUTM applications and registered the EUTM as a .eu domain name in bad faith. Effectively reducing the risk of such cyber-squatting infringements requires adopting preventive actions such as raising awareness and pro-actively informing the EUTM holders.
As of 18 May, holders and applicants of a EUTM can opt-in to receive alerts as soon as a .eu domain name is registered that is identical to their EUTM (application). By receiving such alert, EUTM holders are informed much faster and may take appropriate action much sooner.

It sounds a little like the Trademark Claims service new gTLD registries are obliged to offer during their launch, but for companies that not not yet actually own the trademarks concerned.
Offered by EUIPO itself, the service is also available to holders of EU trademarks.

Brand-blocking service plotted for porn gTLDs

MMX wants to offer a new service for trademark owners worried about cybersquatting in its four porn-themed gTLDs.
The proposed Adult Block Services would be similar to Donuts’ groundbreaking Domain Protected Marks List and the recent Trademark Sentry offering from .CLUB Domains.
The service would enable big brands to block their marks from registration across all four TLDs for less than the price of individual defensive registrations.
Prices have not been disclosed, but a more-expensive “Plus” version would also allow the blocking of variants such as typos. The registry told ICANN:

The Adult Block Services will be offered as a chance for trademark owners to quickly and easily make labels unavailable for registration in our TLDs. For those trademark owners registering domain names as a defensive measure only, the Adult Block Services offer an easy, definitive, and cost-effective method for achieving their goals by offering at-a-stroke protection for TLDs included in the program. The Adult Block Services are similar to the Donuts’ DPML, Uniregistry’s EP and EP Plus and the .Club UNBS and should be immediately understood and accepted by the trademark community.
The Adult Block will allow trademark owners to block unregistered labels in our TLDs that directly match their trademarks. The Adult Block Plus will allow trademark owners to block unregistered, confusingly similar variations of their trademarks in our TLDs.

It seems more akin to DPML, and Uniregistry’s recently launched clone, than to .CLUB’s forthcoming single-TLD offering.
The Registry Service Evaluation Process request was filed by ICM Registry, which was acquired by MMX last year.
It only covers the four porn gTLDs that ICM originally ran, and not any of the other 22 gTLDs managed by MMX (aka Minds + Machines).
This will certainly make the service appear less attractive to the IP community than something like DPML, which covers Donuts stable of 242 TLDs.
While there’s no public data about how successful blocking services have been, anecdotally I’m told they’re quite popular.
What we do have data on is how popular the ICM gTLDs have been in sunrise periods, where trademark owners showed up in higher-than-usual numbers to defensively register their marks.
.porn, .adult and .sex garnered about 2,000 sunrise regs each, more than 20 times the average for a new gTLD, making them three of the top four most-subscribed sunrise periods.
Almost one in five of the currently registered domains in each of these TLDs is likely to be a sunrise defensive.
Now that sunrise is long gone, there may be an appetite in the trademark community for less-expensive blocks.
But there have been calls for the industry to unify and offer blocking services to cover all gTLDs.
The brand-protection registrar Com Laude recently wrote:

What brands really need is for registry operators to come together and offer a universal, truly global block that applies across all the open registries and at a reasonable price that a trademark owner with multiple brands can afford.

Quite how that would happen across over 1,200 gTLDs is a bit of a mystery, unless ICANN forced such a service upon them.

Pricey .inc does quite well in sunrise

The new gTLD .inc, which goes into general availability today, had a better-than-average number of sales in its sunrise period.
Intercap Registry, which runs .inc, said today that it had “over 270” sunrise registrations.
It’s not a massive amount, but it’s probably enough to put the TLD into the top 50 sunrises to date.
There had been 491 sunrise periods as of December 2018, according to ICANN data. The average number of sunrise regs was 137. The median was 77.
The largest sunrise to date was Google’s .app, which sold 2,908 domains during its sunrise last year.
Only five new gTLDs have racked up more than 1,000 sunrise sales, and three of those were porn-related. The fifth was .shop.
Based on 270 domains .inc would rank alongside similarly themed .llc, but also the likes of .solutions, .world and .team, where the case for a defensive reg is less clear.
While one can see a clear risk for companies whose names end in “Inc”, the expected retail price of .inc will be around $2,000, which Intercap says will deter cybersquatters.
Sunrise registrants will have paid a substantial markup on this regular price.
For those without zone file access, Intercap is actually posting the names and logos of the companies that have registered on its web site.

.CLUB to let brands block “trillions” of domains for $2,000

.CLUB Domains has launched a service for trademark owners that will enable them to block an essentially infinite number of potential cybersquats for a $2,000 payment every three years.
But the restrictions in place to avoid false positives mean that some of the world’s most recognizable brands would not be eligible to use it.
The service is called Trademark Sentry. In February, .CLUB asked ICANN for approval to launch it under the name Unlimited Name Blocking Service.
It’s cast by the registry roughly as a kind of clone of Donuts’ five-year-old Domain Protected Marks List, which enables brands to block their marks across Donuts’ entire portfolio of 242 gTLDs for far less than they would pay defensively registering 242 domains individually.
But while Donuts has a massive stable of TLDs, .CLUB is a one-horse town, so what’s going on?
Based on promotional materials .CLUB sent me, it appears that Trademark Sentry is primarily a way to reduce not defensive registration costs but rather UDRP costs.
Instead of blocking a single trademarked string across a broad portfolio of TLDs — for example google.ninja, google.bike, google.guru, google.charity… — the .CLUB service allows brands to block any domain that contains that string in a single TLD.
For example, Google could pay .CLUB $2,000, and for the next three years it would be impossible for anyone to register any .club domain that contained the substring “google”.
Any potential cybersquatter who went to a registrar and tried to register domains such as “mygooglesearch.club” or “googlefootball.club” or “bestgoogle.club” or “xreegtegooglefwrreed.club” would be told by the registrar that the domain was unavailable.
It would be blocked at the registry level, because it contained the blocked string “google”.
Customers will be able to add typos to the blocklist for a 50% discount.
To the best of my knowledge, this is not a service currently offered by any other gTLD registry.
It’s precisely the kind of thing that the IP lobby at ICANN was crying out for — albeit without the obligation to pay for it — prior to the 2012 application round.
.CLUB reckons it’s a money-saver for brand owners who find themselves filing lots of UDRP complaints.
UDRP complaints cost at least $1,500, just for the filing fees with outfits such as WIPO. They can cost many hundreds more in lawyers fees.
Basically, if you expect your brand will be hit by at least one UDRP in .club in the next three years, $2,000 might look like a decent investment.
.club domains have been subject to 279 UDRP complaints over the last five years, according to UDRPSearch.com.
But .CLUB has put in place a number of restrictions that are likely to seriously restrict its potential customer base.
First, the trademark will have to be “fanciful”. The registry says:

To qualify for Unlimited Name Blocking a trademark must be fanciful as defined by the USPTO and meet the .CLUB Registry’s additional requirements and subject to the .CLUB Registry’s discretion. Marks that are not fanciful but when combined with another word become sufficiently unique may be allowed.

“Apple” would not be permitted, but “AppleComputer” might be.
.CLUB told me that any trademark that, if blocked, would prevent non-infringing uses of the string would also not qualify for the service.
If you look at a UDRP-happy brand like Lego, which has already filed several complaints about alleged cybersquats in .club, it would certainly not qualify. Too many words end in “le” and begin with “go” for .CLUB to block every domain containing “lego”.
Similarly, Facebook would likely not qualify because one can imagine non-infringing uses such as facetofacebookmakers.club. Twitter is a dictionary word, as is Coke. Pepsi is a substring of dyspepsia. Amazon is primarily a geographic term. McDonald’s is derived from a common surname, as are Cartier and Heinz.
For at least half of the famous brands that pop into my head, I can think of a reason they will probably not be allowed to use this service.
.CLUB also won’t allow trademarks shorter than five characters.
Still, for those brands that do qualify, and do have an aggressive UDRP-based enforcement policy, the service seems to be priced at a point where an ROI case can be made.
Like Donuts’ DPML domains, anything blocked under Trademark Sentry is not going to show up in zone files, so we’re not going to have any objective data with which to monitor its success.

ICANN to approve new UDRP provider

ICANN is set to approve a new UDRP provider at a board of directors meeting next week.
May 3, the board will approve the Canadian International Internet Dispute Resolution Centre as its sixth approved provider and the second based in North America.
The resolution to approve its now year-old application is on the consent agenda for next week’s meeting, meaning the decision to approve has basically already been made.
CIIDRC is a division of the British Columbia International Commercial Arbitration Centre, a non-profit set up by the BC government in the 1980s.
It’s been exclusively handling cybersquatting disputes over .ca domain names since 2002, under a deal with local registry CIRA.
The organization reckons it will be ready to start accepting complaints within a few months of approval, and could handle up to 200 cases per month.
It had a roster of 26 panelists in rotation at the time it applied to ICANN for UDRP approval, many of whom also provide their expertise to other UDRP providers such as WIPO and NAF.

UDRP complaints hit new high at WIPO

The World Intellectual Property Organization handled 3,447 UDRP cases in 2018, a new high for the 20-year-old anti-cybersquatting policy.
The filings represent an increase of over 12% compared to the 3,074 UDRP cases filed with WIPO in 2017. There were 3,036 cases in 2016
But the number of unique domains complained about decreased over the same period, from 6,370 in 2017 to 5,655 domains in 2018, WIPO said today.
The numbers cover only cases handled by WIPO, which is one of several UDRP providers. They may represent increases or decreases in cybersquatting, or simply WIPO’s market share fluctuating.
The numbers seem to indicate that the new policy of redacting Whois information due to GDPR, which came into effect mid-year, has had little impact on trademark owners’ ability to file UDRP claims.
UPDATE: This post was updated a few hours after publication to remove references to the respective shares of the UDRP caseload of .com compared to new gTLDs. WIPO appears to have published some wonky math, as OnlineDomain noticed.

At eleventh hour, most .uk registrants still don’t own their .uk names

Less than a quarter of all third-level .uk registrants have taken up the opportunity to buy their matching second-level domain, just a few months before the deadline.
According to February stats from registry Nominet, 9.76 million domains were registered under the likes of .co.uk and .org.uk, but only 2.27 million domains were registered directly under .uk, which works out at about 23%.
Nominet’s controversial Direct.uk policy was introduced in June 2014, with a grandfathering clause that gave all third-level registrants five years to grab their matching .uk domain before it returns to the pool of available names.
So if you own example.co.uk, you have until June 25 this year, 110 days from now, to exercise your exclusive rights to example.uk.
Registrants of .co.uk domains have priority over registrants of matching .org.uk and .me.uk domains. Nominet’s Whois tool can be used to figure out who has first dibs on any given string.
At least two brand protection registrars warned their clients this week that they will be at risk of cybersquatting if they don’t pick up their direct matches in time. But there’s potential for confusion here, after the deadline, whether or not you own a trademark.
I expect we could see a spike in complaints under Nominet’s Dispute Resolution Service (the .uk equivalent of UDRP) in the back half of the year.
Nominet told DI in a statement today:

The take up right now is roughly in line with what we envisaged. We knew from the outset that some of the original 10 million with rights would not renew their domain, some would decide they did not want the equivalent .UK and some would leave it to the last minute to decide or take action. The feedback from both registrants and registrars, and the registration data, bears this out.

The statement added that the registry has started “ramping up” its outreach, and that in May it will launch “an advertising and awareness campaign” that will include newspapers, radio and trade publications.

ICANN 63, Day 0 — registrars bollock DI as Whois debate kicks off

Blameless, cherubic domain industry news blogger Kevin Murphy received a bollocking from registrars over recent coverage of Whois reform yesterday, as he attended the first day of ICANN 63, here in Barcelona.
Meanwhile, the community working group tasked with designing this reform put in a 10-hour shift of face-to-face talks, attempting to craft the language that will, they hope, bring ICANN’s Whois policy into line with European privacy law.
Talks within this Expedited Policy Development Process working group have not progressed a massive amount since I last reported on the state of affairs.
They’re still talking about “purposes”. Basically, trying to write succinct statements that summarize why entities in the domain name ecosystem collect personally identifiable information from registrants.
Knowing why you’re collecting data, and explaining why to your customers, is one of the things you have to do under the General Data Protection Regulation.
Yesterday, the EPDP spent pretty much the entire day arguing over what the “purposes” of ICANN — as opposed to registries, registrars, or anyone else — are.
The group spent the first half of the day trying to agree on language explaining ICANN’s role in coordinating DNS security, and how setting policies concerning third-party access to private Whois data might play a role in that.
The main sticking point was the extent to which these third parties get a mention in the language.
Too little, and the Intellectual Property Constituency complains that their “legitimate interests” are being overlooked; too much, and the Non-Commercial Stakeholders Group cries that ICANN is overstepping its mission by turning itself into a vehicle for trademark enforcement.
The second half of the day was spent dealing with language explaining why collecting personal data helps to establish ownership of domains, which is apparently more complicated than it sounds.
Part of this debate was over whether registrants have “rights” — such as the right to use a domain name they paid for.
GoDaddy policy VP James Bladel spent a while arguing against this legally charged word, again favoring “benefits”, but appeared to eventually back down.
It was also debated whether relatively straightforward stuff such as activating a domain in the DNS by publishing name servers can be classed as the disclosure of personal data.
The group made progress reaching consensus on both sets of purposes, but damn if it wasn’t slow, painful progress.
The EPDP group will present its current state of play at a “High Interest Topic” session on Monday afternoon, but don’t expect to see its Initial Report this week as originally planned. That’s been delayed until next month.
While the EPDP slogs away, there’s a fair bit of back-channel lobbying of ICANN board and management going on.
All the players with a significant vested interest in the outcome are writing letters, conducting surveys, and so on, in order to persuade ICANN that it either does or does not need to create a “unified access model” that would allow some parties to carry on accessing private Whois data more or less the same way as they always have.
One such effort is the one I blogged about on Thursday, shortly before heading off to Barcelona, AppDetex’s claims that registrars have ignored or not sufficiently responded to some 9,000 automated requests for Whois data that its clients (notably Facebook) has spammed them with recently.
Registrars online and in-person gave me a bollocking over the post, which they said was one-sided and not in keeping with DI’s world-renowned record of fairness, impartiality and all-round awesomeness (I’m paraphrasing).
But, yeah, they may have a point.
It turns out the registrars still have serious beef with AppDetex’s bulk Whois requests, even with recent changes that attempt to scale back the volume of data demanded and provide more clarity about the nature of the request.
They suspect that AppDetex is simply trawling through zone files for strings that partially match a handful of Facebook’s trademarks, then spamming out thousands of data requests that fail to specify which trademarks are being infringed and how they are being infringed.
They further claim that AppDetex and its clients do not respond to registrars’ replies, suggesting that perhaps the aim of the game here is to gather data not about the owner of domains but about registrars’ alleged non-compliance with policy, thereby propping up the urgent case for a unified access mechanism.
AppDetex, in its defence, has been telling registrars on their private mailing list that it wants to carry on working with them to refine its notices.
The IP crowd and registrars are not the only ones fighting in the corridors, though.
The NCSG also last week shot off a strongly worded missive to ICANN, alleging that the organization has thrown in with the IP lobby, making a unified Whois access service look like a fait accompli, regardless of the outcome of the EPDP. ICANN has denied this.
Meanwhile, cybersecurity interests have also shot ICANN the results of a survey, saying they believe internet security is suffering in the wake of ICANN’s response to GDPR.
I’m going to get to both of these sets of correspondence in later posts, so please don’t give me a corridor bollocking for giving them short shrift here.
UPDATE: Minutes after posting this article, I obtained a letter Tucows has sent to ICANN, ripping into AppDetex’s “outrageous” campaign.
Tucows complains that it is being asked, in effect, to act as quality control for AppDetex’s work-in-progress software, and says the volume of spurious requests being generated would be enough for it ban AppDetex as a “vexatious reporter”.
AppDetex’s system apparently thinks “grifflnstafford.com” infringes on Facebook’s “Insta” trademark.
UPDATE 2: Fellow registrar Blacknight has also written to ICANN today to denounce AppDetex’s strategy, saying the “automated” requests it has been sending out are “not sincere”.

Registrars still not responding to private Whois requests

Registrars are still largely ignoring requests for private Whois data, according to a brand protection company working for Facebook.
AppDetex wrote to ICANN (pdf) last week to say that only 3% of some 9,000 requests it has made recently have resulted in the delivery of full Whois records.
Almost 60% of these requests were completely ignored, the company claimed, and 0.4% resulted in a request for payment.
You may recall that AppDetex back in July filed 500 Whois requests with registrars on behalf of client Facebook, with which it has a close relationship.
Then, only one registrar complied to AppDetex’s satisfaction.
Company general counsel Ben Milam now tells ICANN that more of its customers (presumably, he means not just Facebook) are using its system for automatically generating Whois requests.
He also says that these requests now contain more information, such as a contact name and number, after criticism from registrars that its demands were far too vague.
AppDetex is also no longer demanding reverse-Whois data — a list of domains owned by the same registrant, something not even possible under the old Whois system — and is limiting each of its requests to a single domain, according to Milam’s letter.
Registrars are still refusing to hand over the information, he wrote, with 11.4% of requests creating responses demanding a legal subpoena or UDRP filing.
The company reckons this behavior is in violation of ICANN’s Whois Temporary Specification.
The Temp Spec says registrars “must provide reasonable access to Personal Data in Registration Data to third parties on the basis of a legitimate interests pursued by the third party”.
The ICANN community has not yet come up with a sustainable solution for third-party access to private Whois. It’s likely to be the hottest topic at ICANN 63 in Barcelona, which kicks off this weekend.
Whois records for gTLD domains are of course, post-GDPR, redacted of all personally identifiable information, which irks big brand owners who feel they need it in order to chase cybersquatters.