DomainTools Continues To Systematically Violate .NZ’s ToU Harvesting WHOIS Data, Despite Preliminary Injunction

In a reply brief filed in the Ninth Circuit Court of Appeals
last week, New Zealand’s Domain Name Commission has accused DomainTools of continuing
to harvest the personal data of .nz domain name registrants from WHOIS Records
and offering this data to anyone with a credit card, thereby systematically
violating the DNC’s terms of use. The reply notes how DomainTools has
continually abused the ToU, despite repeated correspondence from the DNC
advising them so and a preliminary injunction advising them to stop.
DomainTools is now appealing the preliminary injunction.

Privacy in New Zealand, and around the world, has become a significant
and important issue. Within .nz, individual domain name registrants have had
the option of privacy protection where personal information is withheld if they
didn’t conduct “significant trade” via their domain name. In under 6 months
after its launch, 23,000 individual registrants had opted in to have their
personal information withheld.

“DomainTools’ business model consists of obtaining bulk
WHOIS information from registries around the world, storing that information in
an ‘unparalleled repository of … Whois data’ consisting of ‘12 years [of]
historical records,’ and selling it to interested individuals and business
customers,” according to the DNC filing. “DomainTools boasts it has compiled
and stored ‘the world’s largest database of Whois records,’ which allows its
users to ‘uncover the real owner of a domain that is currently cloaked by
privacy.’ In other words, DomainTools’ business model revolves around the
creation of the kind of shadow database that DNCL’s TOU have always forbidden.”

DomainTools have harvested registrant information for 16 years from both country code top level domain (ccTLD) and generic top level domain (gTLD) registries around the world and harvested the .nz data via Port 43, which has always been prohibited. In the case of .nz, in spite of efforts to thwart the likes of DomainTools, they have “accessed the .nz Register using mass WHOIS queries ‘at least every day … using a distributed network of global IP addresses, to evade the technical protective measures that DNCL has established to prevent high volume queries and bulk harvesting of .nz WHOIS data.’” This “shadow register” is then made available to the world, for a price, which happens to start at US$49 for a subscription service that might give access to search more than one domain name. Despite the efforts of the DNC to thwart DomainTools, they have “circumvented those measures by, among other things, ‘using a distributed network of global IP addresses’ to mask its identity.”

The Domain Name Commission, whose role is to develop and
monitor a competitive registrar market, as well as create a fair environment
for the registration and management of .nz domain names, says in their filing
that anyone accessing their “WHOIS service does so subject to a few easily
understood restrictions embodied in the .nz WHOIS Terms of Use.” This ToU prohibits
“both replicating the .nz WHOIS database by creating ‘a secondary register of
information’ and publishing ‘historical or non-current versions of WHOIS
data.’”

“These provisions combine to protect the privacy of tens of
thousands of .nz registrants who have elected not to have their sensitive
identity and location information exposed to the public in response to a .nz
WHOIS query. Without these restrictions, commercial services like DomainTools
would be free to collect and store historical .nz WHOIS information accumulated
before personal information was subject to privacy restrictions and to share
the sensitive personal information in those records with any internet user.”

The DNC notes that “DomainTools advertises that it violates
DNCL’s restrictions. Far from denying that it compiled ‘a secondary register of
information,’ it tells the world that it has ‘the world’s most comprehensive
and accurate database of … historical domain Whois records.’”

The DomainTools’ database includes records for over 665,000
.nz domain names—approximately 94% of all .nz domain names. DomainTools then
uses this “secondary register” to subvert the prohibition against publication
of historical information and undermine user privacy.

15 months ago in November 2017 individual domain name
registrants had the option of a privacy option for their WHOIS information.
Concerns relating to DomainTools’ conduct that would undermine this privacy
option led to the DNC writing to DomainTools asking them to stop their
practices, however it refused stating it didn’t believe it violated the ToU.

“Faced with DomainTools’ contempt for DNCL’s modest
restrictions on access to and use of WHOIS data, DNCL terminated DomainTools’
right to access the .nz WHOIS service, and it brought this action to compel
compliance with the TOU.” The district court then properly entered a
preliminary injunction. But this didn’t stop DomainTools. They continued
unhindered and not bothered by the preliminary injunction.

With the introduction of the privacy option for individual
registrants (IRPO), the DNC “became concerned that DomainTools’ practices would
undermine the program. DNCL had assured .nz domain registrants who opted in to
the IRPO that their domain registration information would remain private. DNCL
could make this promise because, among other things, DNCL’s TOU prohibited Port
43 users from (a) downloading the .nz Register; (b) storing and compiling WHOIS
data to build up a secondary register; and (c) publishing historical versions
of WHOIS data. But DomainTools was doing all of these things. On November 2,
2017, weeks before announcing the IRPO, DNCL sent DomainTools a letter instructing
it to ‘cease and desist accessing .nz WHOIS servers or using and publishing .nz
WHOIS data except as permitted by the TOU.” The letter explained that
DomainTools was “access[ing] and quer[ying] .nz WHOIS servers, download[ing]
.nz WHOIS data, and republish[ing] that data” through its products, all in
violation of the DNCL TOU. ER510. The letter specifically identified the TOU
terms that DomainTools was violating. Id. DomainTools sought repeated
extensions of the deadline for compliance, to which DNCL acquiesced in hopes of
resolving the dispute. Eventually, however, DomainTools told DNCL it would not
comply with the TOU.” Cease and desist letters were sent, but nothing changed.
The DNC gained a preliminary injunction in June 2018, which DomainTools is now appealing.

In their filing in response to the DomainTools appeal, the
DNC say they “will clearly succeed on its claim that DomainTools violated the
TOU.” The DNC notes “DomainTools’ only argument on appeal is that law
enforcement and cybersecurity organizations may be unable to use .nz WHOIS data
to investigate potential threats and criminal activity. But DomainTools offers
no evidence that .nz domain information, which makes up a minuscule portion of
its “unparalleled” WHOIS database, has significance in any law enforcement
investigation. Further, law enforcement and cybersecurity organizations can
readily acquire WHOIS information directly from DNCL. DNCL has not offered
comparable access to DomainTools because, unlike law enforcement and
cybersecurity organizations, it sells historical data to anyone willing to pay.
DomainTools cannot show the public interest will suffer because it will be
deprived of revenue from reselling unlawfully acquired data.”

DomainTools has gone on to develop new arguments, “never presented to the district court—and not supported by any evidence.” This includes their chatacterisation of the “Port 43 service as a ‘computer-to-computer’ channel and argues (without record support) that any terms sent via that service are ‘not designed for human consumption.’”

Disclosure: InternetNZ is a client of the author.

This latest Domain News has been posted from here: Source Link