The WHOIS system pre-dates the first domain name registrations. It can trace its roots to 1982, when the Internet Engineering Task Force published a set of protocols for ARPANET, the first public packet-switched computer network that had been established in the late Sixties. The first WHOIS was simply a list of contacts of anyone transmitting data across the ARPANET. When the ICANN organisation was created in 1998, they took over the system which was a fundamental building block for the move to allow third parties to provide domain name registration services.
Historically, anyone searching for a domain name could use the free-to access WHOIS to reveal the person or company behind a registration, including their name and address. The WHOIS was vital for the intellectual property community to help discover the identity and contact details of infringers, including cybersquatters.
WHOIS has been a major bone of contention for two decades, with advocates for tighter control on internet abuse and data privacy on opposing sides. Any database is only as good as the information in it and here was one of the major problems with the WHOIS – the accuracy of the domain registrant data. Whilst each TLD registrar had an obligation to ensure that all domain registration data was accurate, there were few mechanisms that could be rigorously enforced – the evolution of the internet had presented its fair share of challenges as well as opportunities, including compliance, data privacy, abuse and access, which had led to questions being posed about the design of the WHOIS being fit for purpose to meet the requirements of the digital future.
ICANN’s hand was forced in some respects to address the future of WHOIS with the introduction of the General Data Protection Regulation (GDPR) in May 2018, considered as the world’s strongest set of data protection rules, which although only applicable to personal data held in Europe, and of European individuals, effectively limited the access and usefulness of the WHOIS.
Whilst the implementation of these new data privacy regulations had been on the cards for some time, the ICANN community had not come up with a workable GDPR-compliant solution, meaning that in May 2018 ICANN was forced to issue temporary amendments to its policies. This resulted in large swathes of data within the WHOIS database being redacted, with only some less than useful data being publicly available, such as date of registration and registrar details, irrespective of whether the data was covered by GDPR or not.
For the intellectual property community, who were the front line in the ongoing battle against infringers and abuse, the restriction on the availability of domain registration data was a major blow, and their voices have been some of the loudest and most passionate in the ongoing discussions about what a GDPR-compliant solution could look like.
However, requesting non-public WHOIS data should be about to get easier with the upcoming rollout of ICANN’s Registration Data Request Service, or RDRS for short. The system will provide a one-stop-shop for brand holders, attorneys, law enforcement and other interested parties to file registration data disclosure requests and have them transmitted on to the relevant registrar for the name.
RDRS is effectively a case management system for handling WHOIS data disclosure requests, rather than a database which can be interrogated, as WHOIS has been. Anyone can make a request, via the system, for certain non-public domain registration data. RDRS identifies the sponsoring registrar for the domain name and routes the request to them, subject to the registrar having signed up to be part of the system. Then, subject to applicable law, the registrar will make a determination on what, if any, requested data will be disclosed.
Whilst RDRS will allow requests to be handled by participating registrars, it is not perfect. It is not mandatory for registrars to sign up to the system. It will still be possible to make requests to non-participating registrars but that will be through standard communication methods, such as email. The system only covers gTLDs (both legacy gTLDs including .com, .net, .org etc, as well as the new gTLDs such as .xyz, .online and .horse), though it is often in the hard-to-reach local language ccTLDs where infringements happen.
There are still some open issues to be resolved before the system can begin operation, most notably, finalising the system terms and conditions governing requestors’ access. ICANN has just announced that the system will be live for requestors to begin submitting requests from 28 November 2023, so the terms will need to be published very soon if that date is to be met.
Despite these drawbacks, many of the big domain registrars, including Com Laude, are supporting the initiative because the RDRS will provide ICANN with valuable information about the demand and utility of such a request system: in addition to measuring numbers of requests, each time a request is marked as closed in the system by the registrar, the requestor will receive a short satisfaction survey. If there is sufficient demand, ICANN’s Board will hopefully be empowered to build a more sophisticated system and require all registrars to use it, simplifying the process to request non-public domain registration data. Conversely, if the system is not used, there is the risk this is interpreted as demonstrating no demand for, and no challenges in obtaining, registration data, and therefore no need for such a system. We encourage brand owners to use it or lose it.