Retrospective: Post-GDPR Compliance Rates for Domain Enforcement

Written by Appdetex Team | January 7, 2020 7:00:00 AM Z

A success rate of one out of four might not seem like a reason to celebrate, but when it comes to registrar compliance rates, the current 25% rate that AppDetex clients enjoy is a substantial improvement over the single-digit compliance rates experienced immediately following the implementation of GDPR.

In May of 2018, the European Union implemented the General Data Protection Regulation (GDPR). Meant as a way to help protect private information, GDPR forced a major shift in how organizations, including registrars, can collect, use and transfer the personal data of individuals. While originally designed to protect the citizens of the EU and all EU member states, the repercussions of its implementation have been felt globally.

While the original motivation behind GDPR was well-intended, the overly conservative approach adopted by many registrars has inadvertently made it more difficult to effectively take action to protect consumers and the brands they love. In fact, the fulfillment of requests from law enforcement as well as investigators and intellectual property rights holders with a legitimate need for registrant contact data has been significantly impacted.

The period immediately after the implementation of GDPR was one of marked chaos. In October of 2017, security researchers were able to identify and block 1.8 million newly registered malicious domains using domain name registrant contact data. But, following the implementation of GDPR, those numbers dropped drastically. In February of 2019, just nine months after GDPR went into effect, blocked domains relying on this data had dropped to just 160,000. To some extent, the chaos was understandable, given that registrars were still trying to interpret the complicated GDPR rules and the potential repercussions of this law.

To fully understand the impact of the unavailability of domain name registrant contact data for the purpose of enforcement, AppDetex data engineers conducted a thorough investigation. The team assembled domain name abuse data from a market basket of consumer-focused brands that found, and then attempted to mitigate, abuse of the domain name system related to their own brands. We evaluated thousands of mitigations during the quarter before and the two quarters after GDPR, including the period directly after ICANN’s implementation of the Temporary Specification for gTLD Registration Data (Temporary Specification).

The Temporary Specification allows ICANN, gTLD registry operators and registrars to continue to comply with GDPR while maintaining the existing WHOIS system to the greatest extent possible by restricting personal data to a layered/tiered access system. Unfortunately, participating registrars can make individual decisions about which requests to honor and which to deny. In addition, each registrar is able to set its own specific steps that must be fulfilled when requesting personal information, leading to a diverse set of requirements that can range from filling out a simple online form all the way up to requiring a legal subpoena.

During our investigation, we found a 38% decrease in compliance two quarters after the implementation of the Temporary Specification, indicating that the lifetime of abusive domains had increased, potentially exposing internet users to scams for much longer periods of time than prior to the implementation of the Temporary Specification.

Luckily, there were registrars who were prepared for post-GDPR reveal requests (and many who have since put programs into place) and who had, and still have, a plan that worked within the GDPR guidelines while also supplying our clients with the information needed to enforce their rights. We were able to work directly with some of these registrars, modifying how we asked for redacted data, where we were sending our requests, and the volume of the requests we were sending.

As a result of this cooperation, we developed our Whois Requestor System (AWRS), an efficient workflow process that allows AppDetex to submit verified, legitimate WHOIS requests directly to the associated registrars. This system was designed to be used by customers to obtain non-public WHOIS data while still allowing the registrars receiving the requests to remain within GDPR compliance. We also made an effort to have our IP address whitelisted with registrars to the extent that option was offered, and made personal contact with registrars to ensure that AWRS complied with each registrar's individual request process.

This coordinated effort between AppDetex and cooperative registrars resulted in modifications to our request process, allowing for a much-improved rate of compliance. Immediately following the implementation of GDPR, we saw a compliance rate of 3%. Following the implementation of AWRS, those numbers climbed steadily each quarter, finally leading to the current 25% rate enjoyed by our clients as of December 2019.

As long as GDPR and the Temporary Specification stand as they are right now, enforcement measures against bad actors, and access to the currently redacted private information required to conduct those enforcements, will remain difficult. While AppDetex will continue to strive toward higher and higher compliance rates, it is clear that the GDPR, as it is currently being interpreted, needs to be reevaluated. Establishing regulated access for individuals involved in cybersecurity, law enforcement, and web safety and security would still provide for the protection of private information while simultaneously helping to close the loophole of anonymity that has allowed criminals to operate with impunity online.

To help combat abuses and make digital channels safer for everyone, we’ve developed a set of notices that have helped our clients obtain speedier and more efficient resolution of domain infringement issues. Brandholders and their legal teams can adapt and modify these notices to fit their strategies and goals.