CISO Lee Neubecker recently spoke to Winston & Strawn LLP trademark attorney Paul McGrady about the impacts of GDPR on online copyright and trademark litigation. The transcript of this interview is available below.[Transcript]
Lee Neubecker: I’m here today with Winston & Strawn LLP trademark attorney Paul McGrady, and Paul – can you tell me a little about what type of attorney you are?
Paul McGrady: I’m a really good attorney!
Neubecker: So what types of matters and problems do you help solve for your clients?
McGrady: I’m a trademark attorney, so a lot of what I do involves trademark litigation and trademark prosecution, query marks and protecting those marks from infringing uses of third parties. I’ve developed a reputation in this space as someone who is heavily involved in the Internet and domain name enforcement. I’m heavily involved active in policy development and also contractual compliance issues and things of that nature.
Clients oftentimes come to me for help dealing with an online infringement or counterfeiting problem.
Neubecker: What happens when a company finds that their products are being sold online but not by them, such knock-offs and other products that might have fake labels on them – do you handle any of those types of projects?
McGrady: Those things come up all the time in this practice. There’s a couple of things, sometimes they’re being sold online through websites that the infringers own themselves, that is one track. Other times they show up on various sales platforms and that’s handled by a completely different track. Should we talk about both a bit?
McGrady: When it comes to websites that the infringer might own themselves, that’s very often handled with take down notices to the host. Back in the day, when Who Is was more accessible than it is going to be in the future, we could talk a little bit about that too, but you would use Who Is searches, you would run reverse registrant searches, find out the full universe about the bad guys who robbed you, more hosting takedowns, maybe a UDRP complaint which is an informal domain name complaint on the papers only, and then sometimes you’d have to go in and file a lawsuit for trademark infringement or cyber squatting or both, depending on the facts of the case.
But, as I mentioned Who Is is changing, we can talk a little bit about that.
Neubecker: Can you tell me a little bit about the platform issues?
McGrady: The platform issues are different than in the cases when the bad guy owns the domain name himself. The bad guy might be taking advantage of legitimate platforms to sell infringing or counterfeit goods. In those cases, many of those platforms will have a notice of takedown mechanism. Those are not meant to be used just to keep your trade channels clear, but rather to be used to report actually infringing counterfeit materials and sales, to have those taken down.
If you have repeat offenders, it can be a bit messier because you do need to find out who they are, and unlike domain names, which up until very recently had a very predictable “Who Is” framework, the platforms do not have anything like that.
Neubecker: Let’s say you identify a website that is selling your clients’ products. How have you gone about unmasking those entities when they’re hidden behind proxies?
McGrady: So historically, I’ve had really great relationships with many of the proxy privacy providers, a lot of them are legitimate outfits that have a mechanism by which you can alert them to a concern. Either they write to their customer directly and tell them to contact you, or they may even reveal the underlying customer information depending upon how egregious the situation is.
However, those proxy providers are moving into a new era where the European privacy law is going to dramatically change what information ICANN will allow the privacy proxy provider to disclose and to whom.
Neubecker: So “hide-my-stuff” or whatever it is might not actually work.
McGrady: Yes. So, in the coming months you are going to be seeing registrars, many of whom have privacy practices, implementing ICANN’s new proposed GDPR compliance model. That model basically boils down to this: There will be essentially, almost every domain name will be hidden behind some privacy proxy service, and brand owners who are concerned about abuse of their trademarks, either in the domain name or in the contents of the website, will have to try to get access to that Who Is information through an accreditation process.
The problem is that GDPR compliance begins in May, with stiff penalties, but there’s so far no accreditation process that ICANN has even sketched out. We may be going into a period of time where there truly is a blackout of Who Is between when Who Is is shut off, and when the accreditation begins.
That will be an interesting time because brand owners will have no choice but to go to court, issue subpoenas, try to get records from the registrars and the privacy proxy services, and then engage in forensics experts to come in and try to help them determine the entire universe of the infringing actor’s domain name, portfolio and things like that, track them down to credit card issues, IP addresses, you name it. So, the good old days of Who Is are winding down.
Neubecker: So, just so you remember, as part of our practice, we often can unmask people online by looking at other data. Operators often point to their websites from various places, they get lazy, they’ll use the same DNS servers, they’ll use the same mail routing services, and oftentimes we’ve been able to unmask people even when the legal means can’t identify them.
But, when it really comes down to it, once you get your hands on the entity, what have you had to do to get the court to allow you to do forensics to inspect the computers.
McGrady: Well that’s usually really straightforward because you’re talking about demonstratively bad guys, and you’re going in and essentially seeking discovery orders to have the computers turned over, to be looked at, it’s fairly straightforward these days.
Several years ago it was not quite as common as it is now. But we’re going to see an uptick in that kind of thing because without easy access to Who Is, therefore leading to easy UDRP complaints to deal with the problems in an essentially whack-a-mole fashion, once a brand owner is forced to go to court, they’ve already gone through the effort of being there, they’re going to try to get the full resources of the court behind them and try to get the infringing material to stop.
Neubecker: You mentioned before GDPR and its impacts on your process. Can you tell us a little bit more about how that’s going to impact your clients in the coming years as it relates to Internet domain disputes?
McGrady: So, back in the day, and I mean last month, it was easy to conduct a Who Is search on a domain name, figure out the email address, then do reverse registrant search on that email address and essentially take a look at the entire portfolio and understand the full universe of the problem you’re having with a particular bad guy.
That would also draw out uses by that particular bad guy of third party marks, which is a bad faith factor for the UDRP complaint that helps you win your UDRP arbitrations. But, as I mentioned, a lot of that easy access is essentially going away, so for now, in order to prove the kinds of bad faith, multiple infringements that were easy to prove just a few weeks ago, unless ICANN confirms that tiered access accreditation process will result in searchable Who Is data, that easy method is going to go away.
We’re going to have to figure out how to do that by piecing together information, like you mentioned Lee, that you are able to go in and see where the bad guys are pointing, what DNS records they have. But of course that’s a bit more work than just a simple reverse registrant search.
So, what is new maybe became a little commonplace, but now it’s come back because of how ICANN is handling the GDPR law.
Neubecker: Thank you Paul for being on the show today. If you need to reach Paul his contact information is available here: Wintson & Strawn LLP Bio :: LinkedIn Profile.
Paul: Thanks Lee!