DomainTools Loses Appeal Against Their Use of .NZ Registrant Data

A US Court last week upheld a decision that prevents DomainTools from breaching .nz domain names registrant’s privacy and publishing their personal details.

The original decision prevented DomainTools from creating a shadow database of .nz registrant data. And now a second US Court has sided with the Domain Name Commission (DNCL). The first decision in favour of .nz domain name owner’s privacy was made in September 2018, but DomainTools immediately appealed and lost again in the US Court of Appeals on 17 July.

As Domain Pulse reported when the appeal was being heard in June, the case has revolved around whether DomainTools should be able to access .nz registrant data. The DNCL says DomainTools is expressly prohibited from a mass harvest of registrant data, while DomainTools have claimed when they downloaded the registrant data there were no restrictions, and DNCL should not be able to retrospectively stop them.

In 2018, the DNCL mandated that a privacy option be offered for all .nz domain name holders that are not in trade. It means people can withhold their address and phone number from publicly appearing in the online registration data search. More than 63,000 domain names have already taken up the privacy option, and the number is growing.

But DomainTools, a digital intelligence-gathering company in the US, has been scraping registration data from .nz for many years. This mass collection of data breaches the DNCL’s terms of use and exposes details of domain name holders who choose to have their details kept private. This is because DomainTools makes available historic records which show the now withheld information.

The DNCL had problems with how DomainTools were using the Whois data they bulk harvested from .nz registrants.

“We have to be able to control the personal information individuals have trusted us with and be able to enforce our terms of use,” Domain Name Commissioner, Brent Carey told Domain Pulse. “The local internet community through our WHOIS review requested a privacy option and we gave it to them in March 2018.”

“Technological, contractual and online privacy developments continually change the way we collect, store and share information. The actions of companies like DomainTools to bulk harvest personal information and indefinitely store historical personal information in contravention of terms of use and sell that information to anyone with a credit card is of particular concern. Such action happens in a context where a significant proportion of our daily activities are conducted online.

“We have to litigate to enforce our terms of use and for the protection of .nz domain name holders privacy. Onshore and offshore company attitudes toward online privacy must keep pace with our local New Zealand community expectations and laws.”

The decision will likely resonate with other top-level domain registries, both country code and generic, around the world and the ability of companies like DomainTools to harvest registrant’s data.

“Domain name regulators and the domain name industry need to pay attention to this decision. It is an important legal case,” Carey said. “The fact scenario is unlikely to be different for ccTLDs or gTLDs.”

“Thanks to the extra territoriality of the European Union’s General Data Protection Regulation or a country’s local privacy laws or domain name policy, domain name holders have privacy rights. Each of them will have terms of use that control how their WHOIS records are to be used, stored and shared online.”

“ccTLDs and gTLDs need to enforce these terms of use against third party companies who take data of their consumers and use it for unrelated secondary purposes that consumers now would no longer expect.

“This case illustrates that the judiciary is not hesitant to step in and weigh in to the contractual, online privacy and security debate. It demands that domain name holders have a right to privacy online.”

Going forward it’s now possible that other registries will use this precedent to stop third parties using registrant data without their permission, assuming it’s against the terms and conditions as it was for .nz.

To the DNCL’s knowledge, Carey says they’re the only one they know of involved in litigation with Domain Tools. But that others may well be contemplating litigation.

“It is also true that the US Courts have twice now said we have primie facie a strong legal claim for breach of contract against companies like DomainTools. I do expect other TLDs or gTLDS to get in touch with us and ask us about our tough enforcement stance to protect registrants privacy.

“After all, it started with a cease and desist letter, open dialogue and a good faith negotiation. But has now resulted in litigation. We hope other stewards of their country’s domain name system or online communities feel as strongly as we do about protection of registrants privacy rights.”

DomainTools was approached for comment but kindly replied their “firm policy is to not comment on any ongoing litigation. I’m sorry, but we won’t be able to contribute.”