Much like regular websites operated by governments, companies, organizations, and the general public, most internet-based piracy services can be accessed using a domain name.
From a user’s perspective, domain names are more easily remembered than IP addresses and remain the same despite IP address changes behind the scenes.
Domain names also play an important role in conveying branding and as a result can be worth considerable sums of money. For companies enforcing their intellectual property rights, determining who owns a domain can prove invaluable as part of a wider investigation.
When the General Data Protection Regulation (GDPR) came into effect in May 2018, it aimed to protect the personal data of EU citizens. That included those whose names appeared in public WHOIS databases as registrants or owners of domains.
ICANN, the Internet Corporation for Assigned Names and Numbers, responded with restrictions that on one hand protected registrants’ privacy, but on the other came at the expense of rightsholders’ being able to conduct meaningful WHOIS-based investigations.
ICANN Accused of Hindering Rightsholders
Potential problems had been flagged way ahead but workable solutions remained elusive. Increasingly vocal rightsholders including the RIAA and MPA criticized WHOIS restrictions and piled on with other shortcomings; WHOIS proxy/shielding services that hide registrant information, for example, and the lack of an effective system to ensure the accuracy of collected data.
In an August 2023 joint submission to the United States Patent and Trademark Office (USPTO), Hollywood, the recording industry, TV companies, the gaming industry and publishers left little doubt that patience had run out.
RDRS: Registration Data Request Service
With WHOIS protocols set to be replaced by RDAP (Registration Data Access Protocol), a technology designed to improve Registration Data Directory Services (RDDS), this week ICANN launched RDRS, an all new service to simplify access to non-public domain registration data.
“Due to personal data protection laws, many ICANN-accredited registrars are now required to redact personal data from public records, which was previously available in ‘WHOIS’ databases,” ICANN explained.
“With no one way to request or access such data, it can be difficult for interested parties to get the information they need. The RDRS helps by providing a simple and standardized process to make these types of requests.
“The RDRS can be an important resource for ICANN-accredited registrars and those who have a legitimate interest in nonpublic data like law enforcement, intellectual property professionals, consumer protection advocates, cybersecurity professionals, and government officials,” ICANN added.
Probably Not What Rightsholders Are Pleading For
There appears to be little restriction on who can sign up for RDRS, something that already has some worried about what that could mean for their privacy. ComLaude confirms anyone can file a request but it doesn’t necessarily follow that information will be provided.
RDRS is effectively a case management system for handling WHOIS data disclosure requests, rather than a database which can be interrogated, as WHOIS has been. Anyone can make a request, via the system, for certain non-public domain registration data. RDRS identifies the sponsoring registrar for the domain name and routes the request to them, subject to the registrar having signed up to be part of the system. Then, subject to applicable law, the registrar will make a determination on what, if any, requested data will be disclosed.
Some rightsholders may be disappointed that the system only covers gTLDs such as .com, .net, and .org, plus new gTLDs including .xyz, .online and .horse. Common ccTLDs deployed at pirate sites, including .ag, .am, .cc, .me, .pw, .re, .sx, and .to, are excluded from the system.
Hands-On Test
Kevin Murphy at Domain Incite took RDRS for a spin and posted his first impressions of the service.
“The system is defined largely by what it isn’t. It isn’t an automated way to get access to private data. It isn’t guaranteed to result in private data being released. It isn’t an easy workaround to post-GDPR privacy restrictions,” Murphy explains.
“It is a way to request an unredacted Whois record knowing only the domain and not having to faff around figuring out who the registrar is and what their mechanisms and policies are for requesting the data.”
Murphy also got the impression from interface settings that simply walking in off the street and requesting domain registration data might not be what ICANN has in mind. As a tool for rightsholders demanding so much more, it’s certainly nothing like what they have in mind.
“The RDRS merely connects Whois data requestors — the default settings in the interface suggest that ICANN thinks they’ll mostly be people with court orders — with the registrars in charge of the domains they are interested in,” Murphy concludes.
