What happened to the proposed domain name privacy reforms?

Ed Seaford

Last year, the intellectual property community lost an important battle in the war against IP abuse and infringements on the Internet.

The battle was the issue of domain privacy – an outdated and, until recently, largely unregulated service that had limited rules or guidelines to govern it.

Domain privacy services are provided by accredited domain name registrars that list alternative Whois details, providing anonymity to the registrant of a domain name. A similar product is called a proxy service, where the organization that provides the service (such as the domain name registrar) is the actual registrant and licenses the domain name to the user.

The Internet’s Whois system is almost as old as the Internet itself, and wasn’t designed for the hundreds of millions of domain names now being used, or the complexities associated with the rights to privacy and protection of intellectual property. Debate has been fierce, but has thus far rendered no significant structural change to the Whois system. 

The Internet Corporation for Assigned Names and Numbers (ICANN), the main Internet governance institution whose primary responsibility is to manage the Internet's core infrastructure, acknowledges that the proxy and privacy services are among “the least developed of the Whois policy area”[1] and that there are limited rules or guidelines to govern these services, which at times results “in unpredictable outcomes for stakeholders affected by these services.” In other words, it is a mess and they cannot agree on a way forward.

Domain privacy has been a thorn in the side of IP owners and law enforcement officials for many years. It is abused by miscreants ranging from cyber-squatters, counterfeiters, and copyright infringers to trademark violators, spammers and scammers, providing them with a safe harbor to conduct their online operations with relative anonymity and impunity.    

Examination of the issue puts two distinct groups at odds: those who advocate for the right to protect users’ privacy (pro-privacy); and IP owners and industry bodies who advocate for the greater protection of intellectual property rights (IPR groups) on the Internet.

There is clear discord, and with each push from IPR groups to reform domain privacy, there seems to be a visceral response from the pro-privacy camp that effectively halts any attempt to change the status quo.

Although many B2C domain name registrars fall into the pro-privacy camp, and have to date largely resisted changes to domain privacy, B2B domain name registrars (such as NetNames) generally support improved domain policy that protects the rights of IP owners.

Over the past five years, we have seen a much greater resolve by ICANN and government officials to address this issue. We have seen ICANN incorporate regulation into its Registration Accreditation Agreement (RAA) for the first time, a working group established to look at reform, studies that have provided unequivocal evidence as to the activity occurring behind domain name privacy services, and despite not achieving the reform IP owners desired, it has put the service in the spotlight and created more accountability – and there will undoubtedly be other processes in the future.

B2C domain registrars and domain privacy

Most B2C domain name registrars agree that changes to the outdated Whois model are needed, but argue that Whois privacy is actually a better model than the public database because it reduces the provision of fake Whois details. They argue that criminals who give false details today will continue to give false details tomorrow, regardless of what the Whois model looks like.

So while IP owners want less stringent disclosure mechanisms for copyright and trademark complainants/infringements, many registrars have implemented very strict processes in order for registrant information to be accessed – specifically:

  • a court order (in the same jurisdiction as the proxy provider)
  • a subpoena (in the same jurisdiction as the proxy provider)
  • proof of a pending civil action
  • a decision from a WIPO (World Intellectual Property Organization) court in respect of a UDRP (Uniform Dispute Resolution Policy) case

Even in clear cases of intellectual property infringements, IP owners are often forced to wait for weeks – sometimes months – for proceedings to conclude and domain name information to be released.

Of course, a proportion of B2C domain registrars have a vested interest in not changing the current domain privacy system.

The reality is that many B2C registrars sell domain names at very close to cost, so margins are generally very thin. The B2C domain name industry is an extremely competitive sector, and often add-ons such as domain privacy represent the difference between making a profit or a loss. In other situations, domain privacy is given away as a loss leader to improve the registrar’s overall domain name value proposition. It is an important product offering for many B2C registrars, and creates stickiness with their clients, so naturally they want to keep it.

Also, changes to the domain privacy system would likely put greater strain on the governance of the service, increase the resources required to manage domain name privacy and therefore erode the profitability of domain transactions. The decreased profits and increased work that reform represents make B2C domain registrars a very vocal opponent on this matter.

2013 RAA addresses privacy and proxy services for the first time

In 2011, privacy and proxy services became hot topics for policy makers when ICANN and the Registrars Stakeholder Group began negotiations over the 2013 Registrar Accreditation Agreement (RAA).

The 2013 RAA included temporary measures for privacy and proxy services while more permanent policy could be developed. One of the measures (which was an important step forward) required providers of the privacy and proxy services to publish and abide by terms of service and description of procedures on their own website to handle complaints of abuse or trademark infringement. This was the first time privacy and proxy services were made to conform to any meaningful regulation, and although terms of service varied from provider to provider, it was a promising sign that policy makers were starting to address the issue.

The University of Cambridge and NPL study into domain privacy abuse

In 2013, ICANN commissioned a study that highlighted the current ad-hoc privacy controls in place with the Whois system. The study was conducted by the University of Cambridge and the National Physical Laboratory (NPL), and concluded – to no one’s surprise – that privacy/proxy services were being abused by criminals. 

It showed that the percentage of domain names used to conduct illegal or harmful Internet activities that were registered via privacy or proxy services is significantly greater than those used for lawful online activities. 

NPL attempted to contact a sample of registrants using a privacy service that did not seem to be engaging in criminal activity, and found that up to 55% of the time they were unable to be contacted. For domain names that were being used in illegal activity, that number rose to up to 93%. This highlights the problems IP owners have in attempting to resolve issues of IP infringements directly with domain name registrants, who generally have to resort to subpoenas, litigation or dispute resolution to get access to this information.

The study also found that

  • 55% of sampled unlicensed pharmacies used privacy/proxy-registered domain names
  • 46% of sampled advanced fee fraud cases used privacy/proxy-registered domain names
  • 28% of sampled websites hosting illegal child abuse sexual images used privacy/proxy-registered domain names
  • by comparison, just 9% of licensed pharmacies and 13% of law firms studied by NPL used privacy/proxy services; on the other hand, 44% of lawful websites hosting adult content and 28% of legitimate banks studied by NPL used privacy/proxy-registered domain names

Some IP owners publicly supported the conclusions of the reports, such as the InterContinental Hotels Group, which responded to the report that the “study provides objective evidence to support urgent need for ICANN to initiate processes to oversee and regulate privacy and proxy services providers.”   

General Electric Company (GE) also responded that the findings were generally unsurprising, but also commented that the study did not fully elaborate on issues of media and software privacy, or trademark infringement (i.e. counterfeiting), and called on ICANN to undertake a full study that looked at the full gambit of IP abuse on the Internet via domain privacy and proxy settings.

Despite the report’s limited scope, it provided clear evidence that the domain name privacy service was being abused by criminals and IP infringers, and encouraged ICANN to take steps to start to address the issue.

Lost battle: the Working Group recommendations

In October 2013, the Privacy & Proxy Services Accreditation Issues Working Group was established to review the current domain privacy service. Fast forward 18 months and 60-odd meetings later, it published an initial report on the proxy services issues and policy development process, and invited feedback from the Internet and IPR communities.

The report’s biggest coup for the IPR groups was the recommendation to clamp down on the availability of privacy and proxy services by domain registrars – particularly for commercial purposes.

This section in the proposal caused fierce opposition among the Internet community, small business, privacy advocates and organizations such as Google, which added its weight to the pro-privacy arguments (see its response here).

Two separate pro-privacy campaign websites were set up: www.RespectOurPrivacy.com and www.SaveDomainPrivacy.org. These campaigns were effective in raising public awareness of their concerns with these reforms, and garnered thousands of responses from a cross-section of the community (but mainly private persons) opposing the plans, which included several petitions. Over 11,600 responses were received, the large majority of which opposed the Working Group’s key reforms.

There were some organizations in the community that generally supported the changes, including the International AntiCounterfeiting Coalition (IACC), Facebook, Motion Picture Association of America (MPAA), Unifab and other IPR owners, industry bodies and advocates, but they were definitely the minority voice in the formal feedback process.

Due to the fierce opposition, the Working Group was not able to reach a level of consensus as to whether domains used for commercial or financial transactions should be allowed to use privacy and proxy domain services. This was the key article in the reforms.

In the Working Group’s final report, released in December 2015, it was concluded that the status of a domain name registrant as a commercial organization, non-commercial organization, or individual should not be the driving factor in whether privacy and proxy services are available to the registrant. Fundamentally, privacy and proxy services should remain available to registrants irrespective of their status as commercial or non-commercial organizations or as individuals.

This was obviously a win for the pro-privacy camp and a disappointing result for IPR groups given the progress made on this issue up until then. 

It seemed that the pro-privacy camp was able to mobilize supporters to object collectively to the proposed changes to domain privacy, while the IPR camp failed to encourage IP owners and brands to voice their support of the proposed model loudly enough. 

Essentially, the disparity in responses received – and the overwhelming opposition to the proposed changes – tied the Working Group’s hands and it had no choice but to dump the commercial restrictions clause. 

Political intervention

Some IPR lobby groups did not trust that the Working Group process would lead to any meaningful change, and ran parallel activities to lobby the US government to change the Whois system to better protect trademark and copyright owners.

In May 2015, the Coalition for Online Accountability (COA), which consists of members from various entertainment industries, made a testimony to the US House of Representatives’ Judiciary Subcommittee on Courts, Intellectual Property and the Internet, strongly arguing for much greater accountability and transparency for domain name private and proxy registrations. It was damning of the current privacy and proxy registration system:

“Tens of millions of gTLD registrations – one-fifth or more of the total – lurk in the shadows of the public Whois, through a completely unregulated proxy registration system that is the antithesis of transparency. These registrations need to be brought into the sunlight. While there is a legitimate role for proxy registrations in limited circumstances, the current system is manipulated to make it impossible to identify or contact those responsible for abusive domain name registrations.”

Whether this lobbying has had an impact on policy makers’ view on Whois accountability is hard to say, but what we do know is that at the same time the Working Group was changing heart on the issue, it was reported by the Electronic Frontier Foundation (EFF) that the US government was advocating through the OECD to restrict domain privacy for websites engaging in commercial activity.

Through an article on the EFF website, it stated that on the same day the Working Group had accepted domain privacy should remain generally available for both private and commercial persons and entities, the US government held closed-door sessions in Paris to push through language for a new revision of the OECD E-commerce Recommendation that would require domain name registration information to be made publicly available for websites that are promoting or engaged in commercial transactions with consumers.

It seemed to many at the time that the US government was taking the position that if the Internet community could not address this issue through the Working Group process, then political intervention would be considered as the only way to address the issue.

Many within the domain name industry at the time remonstrated and publicly voiced ‘deep concerns’ about the US government and the OECD ignoring an open, multi-stakeholder consultative process. Although the OECD’s recommendations are not binding, they are influential in the development of public policy. 

There were also concerns raised by the EFF that the Trans-Pacific Partnership (TPP) policy makers would also be pressured to include language that would restrict commercial use of domain privacy for TPP members’ ccTLDs; however, the latest version of the draft TPP document seems to have left the subject alone and not required domains to prohibit the use of privacy and proxy services (as the .au space does in Australia).

Where are we today?

Fast forward to 2016 and the debate seems to be for the most part over for the time being.  The Working Group is in the process of coordinating the implementation process of the approved recommendations, and not much else has been heard from the US government or the OECD on the matter. The TPP avoided the issue, and the public debate seems to have subsided for now.

Some IP owners have vented their frustrations at ICANN for the lack of progress on this issue, but although partly responsible for the governance of the Internet, it does not dictate its policy to the community. 

One of ICANN’s clear guiding principles is to achieve broad representation of the global Internet community; and to develop policies appropriate to its mission through bottom-up, consensus-based processes. This means that in the case of domain privacy, when the Working Group received 11,600 plus responses to its proposal – and 95% were critical of the key reform clauses – it had to listen and act accordingly. 

If there is another opportunity to address this issue, much greater participation is required from brand owners – not just by industry bodies, but by the individual members themselves.   

One letter from a representative body does not have the same impact on policy reform that a thousand letters from its members would have. 

This issue has very sensitive elements to it, and both the IPR groups and pro-privacy camp are equally passionate about their respective positions. The difference on this occasion was a well-executed campaign by the pro-privacy brigade, and a lack of participation in the debate from individual IP owners.

The Working Group process will tighten some controls over the privacy and proxy service, but it will not have the same impact IP owners had hoped. This is a topic that will likely continue to play out in the public forum, courts and perhaps even in political chambers. 

Watch this space.

[1] https://whois.icann.org/en/privacy-and-proxy-services