Facebook accused of trying to bypass GDPR, slurp domain owners' personal Whois info via an obscure process

Antisocial network floods registrars with unjustified data requests

Facebook is accused of attempting to bypass Europe's hard-line privacy legislation and access personal data on domain name holders through an obscure policy process with the Whois registry.

Earlier this month, the CEO of domain registrar Namecheap, Richard Kirkendall, warned “Facebook is fighting for the blanket right to access your information,” and detailed efforts behind the scenes at DNS overseer ICANN to force through Facebook’s interpretation of privacy laws to slurp data on domain holders. Facebook ostensibly wants the info so it can track down and sue anyone who creates a domain or site that even vaguely sounds or looks like Facebook, including those masquerading as legit Facebook web properties to harvest people's login details.

ICANN is engaged in an effort to replace its outdated Whois database, which links domain names to their owners' contact info, with one compatible with Europe’s privacy-protection GDPR, a process that has been going on for nearly three years.

Progress has been slow going, in large part because commercial entities desperately want access to the full registration data of domains – which includes people’s home addresses, telephone numbers and email addresses – and have been trying to find ways around the privacy protections.

The first phase of the project was supposed to be in place by the end of February, and is still not done. The second phase had a deadline of this month and has already been extended in July. Over a year ago, the US government said its patience was running out.

Kirkendall revealed in a blog post that, in its latest effort to gain access to the mountain of Whois domain data, Facebook insisted it has a “legitimate interest” in the information. That term comes straight from GDPR legislation, though the social media giant has tried to reinterpret the expression outside of the context of GDPR to grant it constant access to private data.

Won't take no for an answer

While ICANN’s so-called expedited policy development process (EPDP) team tries to figure out how to grant access to such data, Facebook’s representative – who is a former member of ICANN’s policy team – has been pushing the wonks to grant Facebook a look-see, despite repeated refusals by the registries and registrars who argue that the Silicon Valley corporation has no right to the data and should use established legal avenues to obtain the information.


Access to full domain data through ICANN’s upcoming System for Standardized Access/Disclosure (SSAD) approach will only be allowed for law enforcement and companies that provide domain resolution services on behalf of ICANN – so-called Uniform Domain-Name Dispute-Resolution Policy (UDRP) providers. However, commercial companies claim that their rights must also be considered, particularly around trademarks, and they should also be granted access.

Facebook has been particularly aggressive, filing tens of thousands of requests for data on domains that are often only tangentially related to its trademarks and insisting its rights are being infringed. When those requests have been rebuffed, Facebook has then sued the companies that people used to register the names, claiming trademark infringement and demanding $100,000 in compensation.

Namecheap’s Kirkendall is aware of this approach because his company is one of those being sued for infringement. Back in March, Facebook lodged a lawsuit and wrote a blog post attacking the registrar for allowing people to register “deceptive” and “abusive” domain names.

But he insists that his company will not cave to strong-arm tactics: “Facebook recently started a campaign where it seeks to market itself as a company striving to protect internet users against cybercriminals,” he wrote.

“In fact, it used this claim when it sued Namecheap because Namecheap refused to hand over its customers’ personal information to Facebook just because Facebook demanded it. In doing so, it is attacking the fundamental right of privacy by attempting to set a dangerous precedent that could expose anyone’s information.”

Namecheap is just one of three registrars, so far, that have been sued by the mega-corporation.


Earlier this month Namecheap filed to have the case dismissed entirely and mocked Facebook’s “attempt to overcome the legal and factual deficiencies in their claims for cybersquatting, trademark infringement, and trademark dilution by relying upon non-existent allegations in the Complaint and misleading arguments.”

It’s not just Namecheap that is fed up with Facebook’s bullying tactics, either. Another recent post by one of the world’s largest registrars, Tucows, gave “examples that are obvious to a layperson as non-infringing” in the context of efforts to streamline the system of asking for domain name data. Almost all of them came from Facebook.

“Instantmonogram.com; letsfacethebook.com – in each of these cases, the domain name contains the whole trademark separated by additional characters ('Insta[…]gram' or 'Face[…]book') but bears no relation to any infringement of it,” the Tucows post noted.

It gave a second category of obvious wrong requests from Facebook: “These do not contain the full trademark but only portions of it or portions of misspellings…” One of the examples? zharfambook.com

And then it has a whole section for “domains that use the full trademark [but] nevertheless evince an indication that the domain is or will be used to discuss grievances with the company in question.” Every one of them comes from Facebook: addictedtofacebook.org, banned-by-facebook.com, divestfacebook.com, facebooksucks.org, protestfacebook.org, saynotoinstagram.com.

The message to Facebook from both Namecheap and Tucows – and many others in the domain industry – is clear: back off, we’re not going to cave under pressure to hand over the personal details of millions of people.


But so far at least, the antisocial network – whose entire business is built on grabbing, storing and monetizing this kind of data – is determined to keep pushing its claims, even if it delays the creation of a new system for everyone else.

Its representative continues to claim that being a registered trademark holder is sufficient to be granted full access to the Whois database, and that all other routes are unduly burdensome.

“You don’t know who to sue until you’ve got the Whois information,” claimed Facebook rep Margie Millam at one such recent meeting. “So it’s backwards to say you have to have a lawsuit and you have to use your subpoena power under the lawsuit to get access to Whois.”

She went on: “If that’s what the contracted parties are saying, that’s a huge problem for us. This SSAD will never solve the problem… the reality is that there are contracted parties that routinely do not look at requests. All they say is, ‘Go get a subpoena,’ or, ‘File a UDRP.’ That’s not the answer that’s going to work for us.”

Kirkendall closed out his blog post by making it plain what he believes is behind Facebook’s constant efforts: “Does Facebook really care about protecting you from cybercrime or are their recent efforts their newest Trojan Horse to get personal data that Facebook doesn’t have a right to have? We think it is the latter. What do you think?”

A Facebook spokesperson was unable to comment by time of publication. ®
