Facebook accused of trying to bypass GDPR, slurp domain owners' personal Whois info via an obscure process

Antisocial network floods registrars with unjustified data requests

Facebook is accused of attempting to bypass Europe's hard-line privacy legislation and access personal data on domain name holders through an obscure policy process with the Whois registry.

Earlier this month, the CEO of domain registrar Namecheap, Richard Kirkendall, warned “Facebook is fighting for the blanket right to access your information,” and detailed efforts behind the scenes at DNS overseer ICANN to force through Facebook’s interpretation of privacy laws to slurp data on domain holders. Facebook ostensibly wants the info so it can track down and sue anyone who creates a domain or site that even vaguely sounds or looks like Facebook, including those masquerading as legit Facebook web properties to harvest people's login details.

ICANN is engaged in an effort to replace its outdated Whois database, which links domain names to their owners' contact info, with one compatible with Europe’s privacy-protection GDPR, a process that has been going on for nearly three years.

Progress has been slow going, in large part because commercial entities desperately want access to the full registration data of domains – which includes people’s home addresses, telephone numbers and email addresses – and have been trying to find ways around the privacy protections.

The first phase of the project was supposed to be in place by the end of February, and is still not done. The second phase had a deadline of this month and has already been extended in July. Over a year ago, the US government said its patience was running out.

Kirkendall revealed in a blog post that, in its latest effort to gain access to the mountain of Whois domain data, Facebook insisted it has a “legitimate interest” in the information. That term comes straight from GDPR legislation, though the social media giant has tried to reinterpret the expression outside of the context of GDPR to grant it constant access to private data.

Won't take no for an answer

While ICANN’s so-called expedited policy development process (EPDP) team tries to figure out how to grant access to such data, Facebook’s representative – who is a former member of ICANN’s policy team – has been pushing the wonks to grant Facebook a look-see, despite repeat refusals by the registries and registrars who argue that the Silicon Valley corporation has no right to the data and should use established legal avenues to obtain the information.

Access to full domain data through ICANN’s upcoming System for Standardized Access/Disclosure (SSAD) approach will only be allowed for law enforcement and companies that provide domain resolution services on behalf of ICANN – so-called Uniform Domain-Name Dispute-Resolution (UDRP) providers. However, commercial companies claim that their rights must also be considered, particularly around trademarks, and they should also be granted access.

Facebook has been particularly aggressive, filing tens of thousands of requests for data on domains that are often only tangentially related to its trademarks and insisting its rights are being infringed. When those requests have been rebuffed, Facebook has then sued the companies that people used to register the names, claiming trademark infringement and demanding $100,000 in compensation.

Namecheap’s Kirkendall is aware of this approach because his company is one of those being sued [PDF] for infringement. Back in March, Facebook lodged a lawsuit and wrote a blog post attacking the registrar for allowing people to register “deceptive” and “abusive” domain names.

But he insists that his company will not cave to strong-arm tactics: “Facebook recently started a campaign where it seeks to market itself as a company striving to protect internet users against cybercriminals,” he wrote.

“In fact, it used this claim when it sued Namecheap because Namecheap refused to hand over its customers’ personal information to Facebook just because Facebook demanded it. In doing so, it is attacking the fundamental right of privacy by attempting to set a dangerous precedent that could expose anyone’s information.”

Namecheap is just one of three registrars, so far, that have been sued by the mega corporation.


Earlier this month Namecheap filed to have the case dismissed entirely and mocked [PDF] Facebook’s “attempt to overcome the legal and factual deficiencies in their claims for cybersquatting, trademark infringement, and trademark dilution by relying upon non-existent allegations in the Complaint and misleading arguments.”

It’s not just Namecheap that is fed up with Facebook’s bullying tactics, either. Another recent post by one of the world’s largest registrars, Tucows, gave “examples that are obvious to a layperson as non-infringing” in the context of efforts to streamline the system of asking for domain name data. Almost all of them came from Facebook.

“; – in each of these cases, the domain name contains the whole trademark separated by additional characters ('Insta[…]gram' or 'Face[…]book') but bears no relation to any infringement of it,” the Tucows post noted.

It gave a second category of obvious wrong requests from Facebook: “These do not contain the full trademark but only portions of it or portions of misspellings…” One of the examples?

And then it has a whole section for “domains that use the full trademark [but] nevertheless evince an indication that the domain is or will be used to discuss grievances with the company in question.” Every one of them comes from Facebook:,,,,,

The message to Facebook from both Namecheap and Tucows – and many others in the domain industry – is clear: back off, we’re not going to cave under pressure to hand over the personal details of millions of people.


But so far at least, the antisocial network – whose entire business is built on grabbing, storing and monetizing this kind of data – is determined to keep pushing its claims, even if it delays the creation of a new system for everyone else.

Its representative continues to claim that being a registered trademark holder is sufficient to be granted full access to the Whois database, and that all other routes are unduly burdensome.

“You don’t know who to sue until you’ve got the Whois information,” claimed Facebook rep Margie Millam at one such recent meeting. “So it’s backwards to say you have to have a lawsuit and you have to use your subpoena power under the lawsuit to get access to Whois.”

She went on: “If that’s what the contracted parties are saying, that’s a huge problem for us. This SSAD will never solve the problem… the reality is that there are contracted parties that routinely do not look at requests. All they say is, ‘Go get a subpoena,’ or, ‘File a UDRP.’ That’s not the answer that’s going to work for us.”

Kirkendall closed out his blog post by making it plain what he believes is behind Facebook's constant efforts: “Does Facebook really care about protecting you from cybercrime or are their recent efforts their newest Trojan Horse to get personal data that Facebook doesn’t have a right to have? We think it is the latter. What do you think?”

A Facebook spokesperson was unable to comment by time of publication. ®
