Welcome to CSC Coffee Chats—a series of interviews with CSC’s Digital Brand services business experts, where we talk about industry issues across cybersecurity, domains, brand protection, and fraud protection.
I grab a cuppa with our subject-matter experts and discuss what’s on their mind. This month, I spoke with Patrick Hauss, head of Corporate Development and Strategic Alliances EMEA, about the Internet Corporation for Assigned Names and Numbers (ICANN) Registration Data Request Service (RDRS). Patrick had a skinny cappuccino with a pump of sugar syrup. That’s fancy to a non-coffee drinker like me. Like a true Brit, I had a cup of tea!
So why not grab yourself a cuppa, and take five minutes to read our chat?
It’s a Monday morning, and mug in hand, I’m speaking to Patrick Hauss. These chats are all about discussing industry issues, and today, Patrick wants to share some thoughts on RDRS. But first up, what is RDRS? I ask Patrick to give me a quick overview.
“RDRS stands for Registration Data Request Service. It’s a tool from ICANN aimed at helping to solve the data access restrictions that came about because of the redaction of personal data on WHOIS records, which happened when GDPR came into force. WHOIS lookups are used by cybersecurity investigators, trademark experts, and brand protection service providers like CSC—as well as brands and their security, IP, and legal teams—as part of the enforcement process against third parties registering fraudulent domains,” he explains.
Before GDPR, accessing full WHOIS data formed an essential part of investigations to inform enforcement actions against intellectual property (IP) infringements and domain name system (DNS) abuse. Since many online brand abuse cases starts with a deceptive domain name registration, registrant information can be used to track down bad actors and take infringing content offline. But it’s also exactly the personal data that GDPR aims to protect.
Enforcement became more challenging once redactions happened, and ICANN responded to the need for access to such data from those with legitimate access requests by introducing RDRS for an initial period of two years, starting on November 28, 2023. But gaining access to WHOIS data even with RDRS is still a bumpy road, so where do the issues lie for brand owners?
“Part of the challenge is that RDRS is optional and requires domain registrars to sign up to the service. It means that the number of domains eligible to a RDRS request are somewhat limited.” So, the full top-level domain (TLD) landscape isn’t covered, and bad actors spread their registrations far and wide across multiple TLDs, including country-code TLDs (ccTLDs), which are out of the RDRS scope.
There may be good reason for this low uptake from registrars. The threat of GDPR fines looms large. Many registrars may be reticent to share redacted WHOIS information unless they consider the request for access to be 100% watertight, legally. And with good reason—the risk of a GDPR fine would strike fear into the hearts of most. Unfortunately, less than 15% of information requests through RDRS are granted; in December 2023, it was as low as 7%. The result is that it takes longer for brand abuse investigations to conclude, and for enforcement action to be taken.
So, what does Patrick see as the way forward to improve things for registrars and brand owners?
“On a very practical level, encouraging as many registrars as possible to sign up would expand the TLD coverage,” he says. But perhaps the real issue, he ponders, requires a more rounded look at policies concerning online abuse. Policy-wise, there’s a big distinction between what constitutes DNS abuse and IP abuse and infringements. “There’s work being done currently by the European Commission to recommend that the definition of DNS abuse be expanded to include IP abuse. Online brand abuse would benefit from a better definition in and of itself. If that were to happen, there would be clearer legal perimeters of what constitutes abuse, making it easier for registrars to identify legitimate requests for WHOIS information, that is, those with a clear legal basis for requesting—giving them the reassurance that they won’t be breaching GDPR.”
—
Thanks for reading our CSC Coffee Chats on RDRS. Look out for the next blog in the series, where I’ll cover other pertinent industry topics with CSC experts.
