Lutz Berneke

On May 25, 2018 the General Data Protection Regulation (GDPR) entered into force, impacting every entity handling the personal data of European residents. The WHOIS system, a public directory filled with personal data seems, at first, incompatible with this new regulation. So how does the GDPR affect the fight against online infringements and abuse?

To try to get a clearer picture, we interviewed Luc Seufer, Chief Legal Officer of the EBRAND Services Group. 

First of all, could you tell us whether EBRAND Services has been impacted by the GDPR?

Because of our clientele type and the range of services we provide, EBRAND Services knows first hand the concerns the GDPR creates for the domain name industry.

As a domain registrar, the protection of our clients’ personal data is paramount, so we have always complied with all applicable laws in this regard. Aside from the redaction of certain data in our WHOIS databases, the Regulation has not imposed drastic changes to the manner in which we operate but rather a more thorough documentation.

As a brand protection services provider, however, the aforementioned redaction does constitute a hindrance we would prefer not exist.

In the last few months, a constant stream of articles from intellectual property protection groups  have been published to warn the public and lawmakers of the dire consequences of what they call the “WHOIS shutdown”. Could you tell us more about it?

To understand the current state of affairs, allow me to give you a brief history of ICANN and data privacy. For many years, data privacy specialists have formally and informally told ICANN that certain policies were infringing on European data protection laws.

The former Article 29 Working Party, now rechristened European Data Protection Board, sent several letters to each successive ICANN CEO.

Unfortunately, none took those warnings seriously and necessary reforms were never initiated.

Goran Marby, the current CEO of the organization, had to pressure the ICANN board of directors to approve a temporary policy allowing registries and registrars to take the actions they deemed necessary to abide by GDPR.

However, this policy’s text is so vague that each registry and registrar has implemented a different set of rules. Certain registries, for example, are redacting every Whois record in their database without regard to the location of the registrant or even the fact that they are a legal person and, thus, outside of the Regulation scope.

Others, like EBRAND Services, have taken a more pragmatic approach, only redacting details of natural persons while displaying an anonymized email contact address for those registrants. Others have opted to make an online contact form available on their websites. And some have even attempted to create an access model with a pseudo accreditation system.

In a few months, it has assuredly become difficult to access the contact details of domain name registrants.

Isn’t it ICANN’s role to define industry standards and enforce them?

During its latest meeting in Panama City, which I attended, ICANN announced that an expedited policy development process was being initiated, so that a lasting gloabl solution could be created. ICANN’s goal is to have this new policy finalised and put into force by the end of April 2019.

Although this may seem very slow to the general public, it is light speed for ICANN. As a reminder, it took ICANN 10 years to launch the new extensions program.

This new policy should introduce a tiered access system to the Whois databases. For example, law enforcement agencies should have a certain type of access, IP owners another one, registrars another, security researchers another…

As previously mentioned, certain registrars have tried to pre-empt ICANN by devising their own tiered access, but their models are not based on a common standard and are operated by the registrars themselves. Although every registrar is presumably a competent technical services provider, they are certainly not qualified to judge the legitimacy of requests for access to customers’ personal data. In my opinion, this initiative is rather dangerous and ill-adapted but the eagerness to find a solution easily explains its conception.

Does this mean that the DNS has really become a lawless place?

Not quite. On top of their local laws, every ICANN accredited registrar is bound by the same accreditation agreement to ICANN. This agreement requires registrars maintain a so-called abuse contact point. They must investigate reports of illegal activity involving domain names under their management.

As evidenced by our enforcement team results, it is still possible to obtain the suspension of domain names used in an illegal fashion. However, it’s very difficult to know the identity of the person behind the abuse.

So there is no way to identify infringing parties anymore?

Here, too, the crux of the issue is the lack of standard process and policy. Each WHOIS database maintainer (registry or registrar) is acting in accordance with its own interpretation of GDPR.

Some are adamant that only a court decision allows them to disclose personal data. Others solely require a substantiated complaint meeting the DMCA requirements. And some are clueless and, regrettably, remain mute.

When the infringement is constituted by the domain name itself, the initiation of a UDRP or URS may be considered as it will compel the registrar to disclose the registrant details. However, this route is quite expensive for a mere disclosure.

But this does not mean that brand owners are left to their own devices. EBRAND Services has developed a set of innovative technological tools over the years which are still fully functional despite the current situation.

Luc Seufer, Chief Legal Officer EBRAND Services Group

Don’t let cybersquatters jeopardise your trademark rights

Your online brand’s trademark is one of your most valuable assets. It helps you distinguish your business from others and safeguards your reputation. But in our digital age, they are also increasingly vulnerable to predators like cybersquatters. Trademark cybersquatting occurs when a third-party registers domain names, especially with well-known company and brand names, with the intention of selling them. In essence, this allows them to profit from a registered trademark.

Recent reports show that trademark holders must become increasingly vigilant to prevent this from happening. In 2017, cybersquatting disputes related to generic top-level domains (gTLDs) increased to 12 percent of the World Intellectual Property Organisation’s case load. Country code top-level domains (ccTLDs) made up 17 percent. After the US, France filed the most cases.

TREx, an extra layer of security for trademark holders

Trademark owners now have a new way to protect their online brands. The Trademark Registry Exchange (TREx), a new service available through the Trademark Clearing House (TMCH), provides additional protection for your trademarks. The TREx service is available for TMCH-registered trademarks. Accredited agents – like EBRAND Services – will use this centralized service to match your trademark across various top-level domains (TLDs), currently 33 – soon to reach 40 and more expected to join them. (Including legacy TLDs and ccTLDs.)

During a TLDs general availability phase, registries will remove the availability of domain names that match your trademark so that third parties are unable to register them. In essence, this will help trademark owners block their trademark in any number of TLDs, eliminating the need for defensive registration against cybersquatters.

TREx is a simple, cost-effective approach to trademark protection as it eliminates costs incurred from both defensive registration and the renewal of those domains. You will incur no cost from TMCH to have a blocked domain overridden if at some point you decide you would like to register the domain yourself. Moreover, you will avoid the hassle of having to file a Uniform Domain Name Dispute Resolution (UDRP) as you’ll be less likely to become a victim of trademark infringement in the first place.

But there are a few important caveats to consider:

1. Domain names already registered by a third party prior to your signing up for the TREx service are, unfortunately, off limits. You will not be able to have these domains blocked. If domain names have already been registered under numerous TLDs, TREx may not be the best option for you.
2. Once your TREx service is activated, it will be valid for one year and will be renewable each subsequent year. Your TMCH trademark record will need to remain valid for the duration of this period. If your trademark record expires before the end of the year, your TREx service will be cancelled.
3. Variations related to your trademark are not protected under the TREx service.

How to subscribe to the TREx service

TREx is currently available to agents officially accredited by the TMCH or customers who are pre-paid trademark holders. Please contact an EBRAND Services Support Agent. We’ll get you started.

And keep in mind that EBRAND Services offers a variety of trademark protection and domain monitoring services. If TREx isn’t right for you, we’ll be happy to provide information about alternatives that are. Just remember: cybersquatters are lurking and if you don’t take action to protect your online brand’s trademark there’s a good chance it will be abused!

Internationalised domain names (IDNs) allow users to register domain names in almost any written language, enabling today’s global internet to become more multilingual. However, non-Latin script Unicode characters are making it easier for cybercriminals to register domain names for phishing websites. This website phishing technique, known as a homograph attack or IDN spoofing, is nothing new but reports indicate it’s a growing problem. If your domain isn’t being monitored, your brand is unprotected and may be at risk.

Unicode confusables key to homograph attacks

Farsight Security, the world’s largest provider of DNS data, has reported that between May 2017 and April 2018, nearly 36,000 domains were used to imitate 466 top brands with lookalike domains which used confusable characters. These brands came from diverse industries, ranging from banking to retail to technology. 91 percent of these IDNs were considered “confusable”.

IDNs represent characters in scripts other than Latin. Like other domains, IDNs rely on Unicode, which is the standard for digital representation of all the world’s languages. However, the key to a homograph attack is a specific Unicode formula known as Punycode. Punycode converts non-Latin script characters into code that is readable by DNS. For example, españa.com converted by Punycode creates the domain xn-espaa-rta.com. DNS will have no trouble recognizing xn-espaa-rta.com as it does not contain any non-Latin characters.

The problem, though, is that letters from different alphabets can look the same in different languages. These are called “confusables”.

Confusables are nearly undetectable to users, email clients, or web browsers. Take a look at this example (reported in The Sun).

To an untrained eye, there is no problem. But look closely at the “o” above “tower” and you’ll see a small diacritic mark – “ȯ” – which is used in some languages so, therefore, supported by Unicode.

This is the kind of small language script change that fraudsters rely on. They trick you into thinking you’re seeing one thing but, in reality, they’re redirecting you to a lookalike phishing site.

Combatting homograph attacks is everyone’s responsibility

ICANN (Internet Corporation for Assigned Names and Numbers) has taken steps to fight homograph attacks. Its Guidelines for the Implementation of Internationalized Domain Names provides registries and registrars with rules designed to help restrict the prevalence of homograph attacks and keep brands protected. Unfortunately, Farsight’s research indicates not everyone is adhering to the rules.

Many browsers have also responded to the growing threat of homograph attacks by providing warnings to users about potential Punycode lookalikes. Here’s what you see when you type https://www.са.com/ into Chrome and Safari:

Notice how in both examples the website address is converted to Punycode, “xn--80a7a.com” so visitors better understand this is a lookalike site. It is not the actual “.ca.com” site they are searching for. It is, instead, one using the Cyrillic “a” to trick users.

But what about outside browsers where such warning don’t exist? Users have a number of options:

• Don’t click on suspicious-looking links in emails, especially from senders you don’t know.
• See if your email client has the option to disable links altogether from incoming emails.
• Changing the junk filter level will significantly remove the number of malicious incoming emails.
• For both email and social media links, use a link checker (there are a number of them out there) to verify it.

Domain monitoring tools will help keep your brand protected

Of course, EBRAND Services is here to help eliminate threats which could undermine your brand name.

We use brand protection tools to monitor new domain name registrations, quickly identifying domains which are identical or confusingly similar to your brand, corporate name, or trademark. We identify who the infringing third party is. When necessary, we take legal action to stop third parties from infringing on your domain.

For more information about how we can help keep your domain name out of the hands of others, get in touch with one of our support agents. We are committed to making sure your brand name is never used by malicious third parties intent on unleashing the next big homograph attack.

The following is written right after the March 2017 ICANN 58 meeting which took place in Copenhagen, and we will do our best to update it as the review process develops.

What to expect from the next round of gTLDs

New gTLDs coming soon ?

A question we often are asked here at EBRAND Services is : when will I be able to apply for my own internet extension (like my competitor did) ? We usually reply that the process and policy used for the last round of applications are currently being reviewed and that it’s difficult to give a firm date. To help clarify matters, we’ve decided to write this article which will delve into the current review, and foreseeable date, of the next rounds of applications. The following is written right after the March 2017 ICANN 58 meeting which took place in Copenhagen, and we will do our best to update it as the review process develops.

Refresher

ICANN (the domain name regulator) officially allowed new extensions to be applied for back in 2008. The means selected to delegate those extensions was to stagger them in time limited application rounds.

The first round took place in the beginning of 2012. 1,930 new internet extensions were applied for in accordance with ICANN categories : generic (.blog, .email,.企业 .ninja), geographical (.paris, .berlin, .nyc) , community based (.gay, .catholic, .porn), and brand (.lidl, .apple, .postbank).

The delegation started in October 2013 and, as of now, 1,216 extensions have been delegated. 86 should be delegated in the near future.

Second round

On February 7, 2012, the ICANN Board approved a resolution to implement a second application window for the new gTLD program.

However, before the second round can take place, the programme needs to be reviewed to ensure that the first one promoted consumer trust and consumer choice. Moreover, ICANN needs to measure the effectiveness of the application and evaluation process as well as the safeguards put in place to mitigate issues

There are currently three review processes, all running in parallel, which need to be finalised for the second round to open.

1/ New gTLD Subsequent Procedures The Subsequent Procedures working group reported that several tracks are running in parallel, each dealing with one specific aspect of the charter questions. Some of the work has been completed while other larger pieces are taking longer. They stated that their initial report should be issued at the end of 2017.

For its part, the Cross Community working group on Country and Territory names has concluded that no 2-letter label must be allowed in future gTLD rounds because 2-letters are specifically reserved for current and future ccTLDs. However, as the group could not reach consensus on 3-letter extensions, they might be allowed during the next round.

2/ All Rights Protection Mechanisms (RPM) As an EBRAND client, you must be aware of the protection mechanisms available to brand owners as part of the new extension programme. (If you are not, please do contact your account manager).

The RPM working group is tasked to review all rights protection mechanisms. As such its members are reviewing the use and effectiveness of the TMCH, the UDRP, the URS, and the lesser used Post Delegation Policy. The working group reported that review of the UDRP and URS would be undergone last as they will take longer than the first two.

The group expect to have its initial report ready for publication in late 2017 for the PDP and TMCH review. The second phase of the review, which will be solely dedicated to UDRP will begin in early 2018.

3/ Registration Directory Services The working group is still working on phase 1, which is focused on fundamental requirements for the new WHOIS system. Next step will be to focus on policy development. However due to the sheer amount of work and the divergence of point of of views between the group members, no specific timeline for an initial report was provided.

Get involved

Leadership from each working group called for more involvement : the more participants, the faster the work will be accomplished and the second round can take place. If you want to help, you can by joining a working group or commenting on working group reports.

ICANN Passes 100 Delegations For New gTLDs This week ICANN announced they have passed the 100 mark for new gTLDs to be delegated. The move to being delegated is one of the final steps before the Registries that control the gTLDs may begin accepting registrations. In total, as of 21 January there were 107 gTLDs delegated.

In the past couple of weeks the first brand was delegated with the Australian university Monash having its gTLD delegated. And one of the pioneers of the new gTLD programme, those behind the application for .berlin became the second city gTLD to be delegated behind .wien (Vienna).

“There are now almost five times more generic Top-Level Domains than there were only a few months ago and that translates to greater consumer choice,” said Akram Atallah, President of ICANN’s Global Domains Division. “We are as eager as everyone else to see what type of innovation these new Domains will usher into the online world.”

Noting the historic achievement, Christine Willett, Vice President of gTLD Operations, said the year ahead was full of new opportunities.

“This is an historic milestone for ICANN’s New gTLD Program and the Internet as a whole. The year ahead will be defined by new opportunities in a vastly expanding online landscape.”

In addition to the new delegations, over 200 Registry Agreements (RA) have been signed by new gTLD applicants. The signing of an agreement allows applicants to move onto the final stages of the programme and prepare for delegation into the DNS.

In a posting on the ICANN blog, Atallah wrote enthusiastically of the possibilities of the already delegated gTLDs. He rattled off the following statistics : • there are new gTLD registries with delegated gTLDs operating in nine countries, including Australia, China and Switzerland • the original 22 gTLDs consist of Latin characters only, and most are abbreviated English words, but the new gTLDs include Arabic, Chinese, German and Russian • registries for gTLDs .WIEN and .BERLIN self-identified as community applicants, signifying their intention to operate the gTLDs on behalf of the citizens of Vienna and Berlin, respectively.

But there are still obstacles to be overcome for some applicants with ICANN’s Governmental Advisory Committee, who is charged with giving advice to ICANN from governments to ICANN on issues of public policy, and especially where there may be an interaction between ICANN’s activities or policies and national laws or international agreements, concerned about some applications.

The GAC has expressed reservations about applications for .wine and .vin. The GAC is concerned that appropriate that safeguards against possible abuse of these new gTLDs may be needed. The issue for the GAC is that many may associate a type of wine with a region, and this name may be a protected name. Examples include Champagne and Burgundy in France and Mosel in Germany. However governments have not been able to agree on appropriate safeguards and the GAC has recommended “that the applications should proceed through the normal evaluation process.”

Other contentious applications raised by the GAC were for .guangzhou (IDN in Chinese) and .shenzhen (IDN in Chinese) which were both rejected with neither being able to get local government support. Another application, for .spa, aimed at the spa and wellness industry has similarly had difficulties due to it also being a geographic name. To deal with these concerns, the applicant (Donuts) has offered the city a number of domains to take account of their concerns.

There were also issues with the protection of intergovernmental organisation acronyms including the Red Cross/Red Crescent Names, a special launch programme for geographic and community gTLDs and the applications for .islam and .halal have also been contentious.

And one of the major issues for new gTLDs has been concerns raised by brand owners. In an effort to explain in simple terms issues such as the Rights Protection Mechanisms that trademark holders and their representatives can use to combat infringement during the Domain Name System expansion, ICANN published an educational infographic.

The New gTLD Program Rights Protection Mechanisms include both proactive and reactive measures for defending trademarks. The infographic seeks to explain these issues such as the Trademark Clearinghouse, Uniform Rapid Suspension System and Trademark Post-Delegation Dispute Resolution Procedure succinctly and clearly.

The infographic is available to download from http://newgtlds.icann.org/en/announ….