-Akshay Ajaykumar*
Abstract
The article discusses the lack of availability of Whois details for .in ccTLDs. It explains how the GDPR and ICANN policies have affected public access to registrant information and the drawbacks of such data redaction. It also examines the terms and conditions imposed by the .in Registry, and the lack of enforcement measures to ensure accurate and reliable Whois data. It suggests that the .in Registry should update its policies and adopt a non-anonymous mechanism to balance data privacy and domain name abuse prevention.
Introduction
The Domain Name System (DNS) is responsible for associating numerical Internet addresses with alphabetical names that are easy for end users to recognize, remember and input into their connected devices. Domain names are typically made up of words separated by dots, such as <spicyip.com>. These words are technically called labels, and the labels to the far right are the highest in the hierarchy. For example, in www.ijlt.in, “.in” is the top-level domain and “ijlt” is a subdomain that belongs to or is part of the .in country code top-level domain. Top-level domains are the highest level in the hierarchy of the DNS. They are generally divided into two categories: (i) generic top-level domains (gTLDs), and (ii) country code top-level domains (ccTLDs). Currently, there are over 1200 gTLDs and over 316 ccTLDs using 2-letter Latin codes (see here). Examples of popular gTLDs include .com, .net, .org and .info. ccTLDs consist of two letters and follow the ISO 3166-1 alpha-2 standard published by the International Organization for Standardization. For example, .in is the ccTLD for India and .us is the ccTLD for the USA.
This post outlines the domain name registration system and examines the reasons and drawbacks of redacting Registrants' details in .in ccTLD.
Who governs gTLDs and ccTLDs?
The Internet Corporation for Assigned Names and Numbers (ICANN) is a non-profit organization that has technical management responsibility over the DNS, including root server management functions that support both gTLDs and ccTLDs. ICANN also coordinates the development and implementation of policies concerning gTLDs and accredits both registry operators and registrars with respect to gTLDs.
In contrast, the policies for ccTLDs are subject to the authority of the relevant country’s government represented by the particular ccTLD. This includes policies such as who may register a domain name in a particular ccTLD and what activities are prohibited by a website using a domain name belonging to a ccTLD. For instance, the .in ccTLD is governed by the National Internet Exchange of India (NIXI).
What is Whois and why is the data redacted?
Whois is a system that provides online records containing identifying and contact information about registered domain names. ICANN policy and contracts require that domain name contact information be made available via the WHOIS system (see Registration Data Access Protocol (RDAP) - ICANN).
Before the General Data Protection Regulation (GDPR), ICANN policy and contracts required that domain name contact information be made available via the Whois system, allowing anyone to look up the name and contact data of domain registrants and their administrative and technical contacts. The GDPR adopted by the European Union (EU) took full effect on 25 May 2018. This data protection and privacy law restricted the publishing of personally identifiable data belonging to natural persons in the EU. It is not a mandate to redact information of legal persons and personal data of data subjects who are not in the EU (see Article 3 of GDPR).
In response to GDPR, ICANN established the Temporary Specification for gTLD Registration Data effective on 25 May 2018. This “Temp Spec” was affirmed, without notable alterations, in May 2019 under the Interim Registration Data Policy for gTLDs (see Temporary Specification for gTLD Registration Data - ICANN ). This policy allows registrars and registry operators to withhold the data of any domain contacts they wish (including legal persons), including contact data that is not protected by GDPR or a similar data protection law making the Whois system inoperable.
The new EU Network and Information Systems Directive (“NIS2” Directive 2022/2555), came into force on 16 January 2023, under Article 28 of NIS2 and its related recitals resolved the need for an accurate Whois system that permits legitimate access by third parties to data, including personal data, and the legal basis under the GDPR that supports such a system. Member States have until 17 October 2024 to adopt new legislation to comply with NIS2. This guarantees that Whois details will be collected but it remains to be seen how legitimate access will be provided.
What are the conditions imposed by NIXI for registration of a ccTLD?
NIXI imposes numerous conditions for registration of a .in ccTLD (see “T&C”, Terms and conditions for registrants). The following are relevant to the current discussion:
Clause | Terms and Conditions |
1 | Contact Details: The Registrant shall provide to Registrar accurate and reliable contact details and promptly correct and update them during the term of the Registered Name, including the full name, postal address, email address, voice telephone number, and fax number if available of the Registrant; name of authorized person for contact purposes, in case of a Registrant that is an organization, association, or corporation. The email address submitted in the contact information will be that of the Registrant only. This correct information should be available in WHOIS of .INRegistry, and it is the duty of the Registrant to check this information from time to time and make sure that it is up-to-date. |
2 | Inaccurate Information: A Registrant's willful or grossly negligent provision of inaccurate, false or unreliable information, and in the event the registrant willfully or grossly neglects to promptly update information provided to Registrar shall constitute a material breach of the Registrant's Registration Agreement with the Registrar and be a basis for cancellation of the Registered Name, and any other action under the relevant laws of India. |
3 | Proxy/Privacy Services: Any kind of proxy services are not allowed, and if the data is wrong or masked out by any proxy/ privilege protection services, the Registrant shall not be recognized as the owner of the domain name. |
As per Clause 12 of the T&C, the .in Registry reserves the right to deny, cancel, transfer or otherwise make unavailable any registration that it deems necessary for, inter alia, violation of any of the above terms and conditions. It may also place any domain name(s) on registry lock and/or put a domain name on hold at its discretion.
Furthermore, Clause 4.4.3 of the Registrar Accreditation Agreement (‘RAA’)precludes anonymous or proxy registrations. They are specifically instructed not to include information in the “Registrant” or “Administrative Contact” fields that do not reflect the true registered domain name holder or administrative contact. Also, privacy services that let a registrant publish valid alternate contact information, or proxy services that hide a domain name's identity and contact details in public Whois data by becoming the registered name holder of the record are not allowed (definitions are available here). Violation of this provision will constitute a material breach of the agreement and the registrar/registrant can invite termination of RAA by the NIXI along with appropriate penalty as per Clause 4.3.3.1.
So, are the Whois details of the registrants of .in ccTLDs available?
In practice, Whois details are not normally completely available for .in ccTLDs irrespective of the fact that they are EU residents/legal persons and are normally redacted by the registrar or some privacy/proxy service providers.
For instance, INDRP Case No. 1392 (lockmytrip.in) and INDRP Case No. 1525 (postpe.co.in) were filed without the details of the registrant. NIXI followed the procedure of WIPO Arbitration and Center (see Impact of Changes to Availability of WhoIs Data on the UDRP: WIPO Center Informal Q&A) and requested the Whois details from the registrar. Once the Whois details were obtained, it was provided to the complainants and the complaints were accordingly amended. However, the author had an instance where the registrar (in this instance Namecheap Inc.) refused to divulge details of the registrar even when requested by NIXI without a U.S. state or federal court order or subpoena (despite the Registrar Accreditation Agreement mandating such disclosure under paragraph 5.2). Furthermore, foreign Registrars are well known for even refusing to comply with directions of Indian Courts and such that in New Balance Athletics Inc Vs. Nbstoresinindia.In & Ors. the Delhi Court instructed action to be taken against Registrar for not complying with orders. There have also been instances in the author’s experience where the complainant has been instructed by the Arbitrator to use an address available on Google rather than requesting the one provided as Whois. A cursory search (search here) for the Whois detail for <google.in> reveals that the Whois details are redacted.
A similar search for <yahoo.in> and <microsoft.in> revealed that the Whois details were redacted. However, Whois searches for <tata.in>, <Infosys.in> and <icici.in> revealed that the Registrant name, province and country were provided. However, the information is insufficient to reliably contact them as mandated by the Registrants' T & C. Such redaction is violative of the “Registrar Accreditation Agreement” and the “Terms and Conditions for Registrants". NIXI Registry can even terminate the Registrar Accreditation Agreement for this violation and also, the Registry has the right to deny, cancel, transfer or otherwise make unavailable such a registration.
In the past (in 2013 and 2005, see Registry Advisory LA 02: Accurate WHOIS Information in Domain), the .IN Registry has issued advisories instructing registrars to correct any inaccuracies and prevent the use of proxy/privacy services. It was also cautioned that if the Registry detects inaccurate registrant information, proxy registrations/privacy protection, or any other violation relating to the accuracy of WHOIS information, it will initiate specific action like suspension or deletion of such domains.
To date, the author is not aware of any such suspension or deletion. Moreover, in the authors opinion a vast majority of the registrant details of .IN ccTLDs are redacted (no studies exist to the authors knowledge).
Why do we need access to Whois details?
Even before GDPR, a registrant could use a privacy/proxy service to mask their identity. However, as of 2021, over 85% of large Whois providers redact their data (see the study).
The primary use of a privacy/proxy service was to prevent the scraping of registrant information for abusive use besides questionable uses. This concern is currently being considered by the United States Department of Commerce's National Telecommunications and Information Administration (NTIA) which administers the contract for the country code top-level domain “.us”, which mandates a publicly accessible Whois database of usTLD domain name registrations. To prevent abuse of usTLD registrant data, NTIA is considering a proposal to create a system that requires users to provide their name, email, and a legitimate, non-marketing purpose for accessing the data. Users would also have to agree to a Terms of Service that prohibits misuse of the data. The system would send unredacted WHOIS data to the user by email automatically or manually, depending on the purpose. This system would also allow emergency requests and have a portal for law enforcement users. Such a non-anonymised mechanism to review Whois details might curtail otherwise abusive uses and make sure that such details are only used for legitimate purposes (at least on theory!).
Stopping scammers and squatters are increasingly difficult without Whois details. Counterfeiting, piracy, phishing, fraud, and distribution of malware, among other abuses, can last longer because of a lack of Whois information. For instance, in Make My Trip (India) Private Limited v. Owners of https://www.makemytripmood.com & Ors., wherein a website providing escort service was hosted, it was proceeded ex parte without ever identifying the registrant.
The lack of Whois details also makes brand owners more likely to file domain name disputes like INDRP or litigation. A brand owner cannot identify a proper point of contact to notify the registrant of the brand owner’s concerns and potentially resolve the issue amicably. The lack of information also limits the development of a comprehensive case against a registrant. Usually, the time given (in the author’s experience it has varied from a few hours to days) for amendments in INDRP Complaints after receiving the Whois information from the registrar is small, limiting a Complainant from further substantiating a case.
The alternatives are either contacting the registrar for disclosure of non-public information (very unlikely without a court order) or submitting a cease-and-desist letter through an online form or anonymized e-mail address which may have word limits or/and inability to attach annexures and may not reach the registrant.
Why is the .in Registry not showing Whois details?
Despite having explicit clauses in the Registrar Accreditation Agreement and Terms and conditions for registrants, it is surprising that registrars can redact Whois details. This is primarily due lack of enforcement measures taken by the .in Registry. This is more evident by the fact that the .US Registry, which has similar requirements and yet Whois details are reflected (a study found 90% of the .US Whois records are not redacted) despite offering services to EU residents. For instance, a Whois look up for <google.us> is as follows (see .us Registry Whois):
Therefore, it is very well within the .in Registry’s means to implement the requirements of unredacted Whois details to accredited registrars for legal persons and non-residents of the EU. With the current legal landscape moving towards an accurate Whois system, it is time that the .in Registry take enforcement measures to implement the requirements of the Whois system. Going further, a mechanism like the NTIA's proposed non-anonymous review of Whois details could balance preventing abuse of public Whois details and availability of Whois details to prevent abuse of the domain name system. The Registry should update its Registrar Accreditation Agreement to reflect the global data privacy regulations and the widespread use of proxy and privacy services. For example, Nominet UK, which manages the .uk ccTLD, , under Schedule 4 – Proxy Services of .uk Registry-Registrar Agreement, requires Registrars to keep and disclose the real details of Registrants who use a Proxy Service within two days if their domain name is undergoing a dispute resolution process.
*Akshay Ajayakumar is a graduate of National Law University, Jodhpur and has an LL.M in IP and Competition Law from Munich Intellectual Property Law Center (MIPLC). He is currently a consultant for domain name disputes at Sim and San, Attorneys At Law. He may be contacted at yahska.a@gmail.com.