As recent headlines have made clear, our online life is often far from private. Hacking, phishing, and even common search engine results can expose us to dangers ranging from identity theft to routine spam.

Legitimate concern for one’s privacy and the desire to protect one’s information from bad actors are major reasons many domain name owners use Whois privacy (or “proxy”) services to hide their identity. When someone looks up the Whois record for a certain domain, these services show the information of the privacy service, rather than the true owner, and often supply a substitute email address such as [domain.tld], which will forward messages to the owner.

However, these Whois privacy services are also popular with cybersquatters.

A Cybersquatter’s Shield

Privacy services can help cybersquatters evade detection – the Whois privacy service hides the identity of the person behind an infringing website and makes it more challenging for brands to enforce their trademarks.

For example, domains using Whois privacy services likely won’t show up when researching whether a given cybersquatter owns other infringing domains or was the target of past UDRP complaints. Also, if a brand owner wants to save money by sending a demand letter prior to filing a complaint, privacy protection doesn’t give any other options for contact beyond the above-mentioned substitute email address. Some registrars will help out by disclosing the domain owner’s identity if you can convince them that infringement is occurring, but this varies quite a bit and some registrars are less than accommodating.

The good news is that the use of a Whois privacy service does not prevent a brand owner from filing a UDRP or URS complaint against the domain and, in fact, may actually help its case.

A Brand Owner’s Sword

Under paragraph 4(c)(ii) of the UDRP, a respondent may show that it has rights or legitimate interest in a domain if it or its business is “commonly known by the domain name.” If the domain name owner uses a privacy service to hide its identity, however, a brand owner can argue that the respondent wants exactly the opposite – to not be known by the domain.

Further, use of a Whois privacy service can be used as evidence of a respondent’s bad faith registration and use. This was upheld earlier this year, when the National Geographic Society brought a case against the domain name The Respondent used a private registration service and failed to respond to three attempts at email contact before the complaint was filed. While the facts of the case supported bad faith in other ways, the Panel felt compelled to note that the use of a privacy service “raises the rebuttable presumption of bad faith in the commercial context. Given the Respondent’s obligation to provide correct WHOIS information and its unexplained failure to do so, this raises the rebuttable presumption of bad faith.”

Since the Respondent submitted no evidence or argument to rebut this presumption, the finding of bad faith was reinforced and the domain was ordered to be transferred. In an earlier decision involving the domain (similar to a mark used by a company in Beijing) the Panel noted “the fact that the disputed domain name was registered anonymously and protected by Premium Registration Service is consistent with bad faith in this Panel’s view.”

So, as a practical matter, the use of Whois privacy services by cybersquatters can frustrate and sometimes delay the resolution of a domain dispute but it can’t prevent the inevitable. In the end, its more common and, in my own opinion, more pernicious effect is the wastefulness of the brand owner having to incur the expense of filing a UDRP or URS complaint. As mentioned above, emails sent through Whois privacy services don’t always get through and many disputes could have been avoided had communication been more open.

Steve Levy
Whois Privacy: Sword or Shield?

3 thoughts on “Whois Privacy: Sword or Shield?

  • November 5, 2015 at 12:21 pm

    Great article Steve! The purpose of WHOIS in the first place was partly to create domain registration transparency. Increasingly domains by proxy is being used by well intentioned registrants because of larger societal concern for increased personal privacy, but the side-effect is much more frustrating and challenging recovery processes. I too think that we would all be better off as a society without it.

  • November 5, 2015 at 9:36 pm

    An interesting point, that on the “commonly known by the domain name” issue “a brand owner can argue that the respondent wants exactly the opposite – to not be known by the domain.”

    Also, just to stimulate discussion rather than to express a decided view on it, why is it assumed to be better for the brand owner to send a cease and desist letter first announcing that it proposes to file a UDRP complaint? The argument could be that if you do, you are telegraphic your punches in advance, which may not be wise.

    • January 5, 2016 at 3:28 pm

      Thank you for your thoughtful comment. By “not wise” may I assume you’re referring to cyberflight? This is an excellent point and one which weighed heavily on my mind when I undertook my first few UDRP complaints. However, after now having filed over 300 of these and only encountered that problem once I’ve reached the conclusion that the the small risk of cyberflight is outweighed by the overall savings to clients which resulted from settlements reached after the use of cease and desist letters.

      I suppose another problem which could arise by telegraphing ones punches might be a change in the disputed domain’s website content from clearly infringing to something like fair use. However, in the few cases this has been attempted, Panels have applied the rule that such changes are not to be considered when made only after the respondent receives notice of the dispute.

      I’m eager to hear of your experience on these points and whether you see other harms which could arise from sending pre-complaint cease and desist letters.


Leave a Reply

Your email address will not be published. Required fields are marked *