GDPR and Online Trademark Infringement

Enigma Forensics CEO & President Lee Neubecker and Trademark Attorney Paul McGrady. They disect what is the GDPR and internet and domain name enforcement. Tune in to find out more about how complicated trademark infringement and what to do if you find out your product is being sold by another company online.

Online Trademark Infringement

The transcript of the video follows

Lee Neubecker: So I’m here today with attorney Paul McGrady and Paul, can you tell me a little bit about what type of attorney you are?

Paul McGrady: I’m a really good attorney.

Lee Neubecker: Okay.

Paul McGrady: Yeah.

Lee Neubecker: So what type of matters and problems do you help solve for your clients?

Paul McGrady: So I’m a trademark attorney, so a lot of what I do involves trademark litigation and involves trademark prosecution, clearing marks, protecting those marks from infringing uses of third parties. I developed a reputation in this space as someone who is heavily involved in the internet and domain name enforcement. I’m heavily active in ICANN, involved in policy development, but also contractual compliance issues and things of that nature. And so clients come to me often times, at least initially, for help dealing with an online infringement or counterfeiting problem.

Lee Neubecker: So what happens when a company finds that their products are being sold online, but not by them? Knockoffs and other products that might have fake labels on. Do you handle any of those type of projects?

Paul McGrady: Sure those things come up all the time in this practice. So, there’s a couple of different things. Sometimes they’re being sold online through websites that the infringers own themselves. That is one track. Other times, they show up on various sales platforms and that’s handled by a completely different track. Should we talk about both a little bit?

Lee Neubecker: Sure.

Paul McGrady: So when it comes to websites that the infringer may own themselves, that’s very often handled with take down notices to hosts. It’s, back in the day, when whois was as, more accessible than it’s going to be in the future, and we can talk a bit about that too, you would use whois searches, you would run reverse registrant searches, find out the full universe of what the bad guys were up to. More hosting take downs, maybe a UDRP complaint, which is an informal domain name complaint on the papers only. And then sometimes you’d have to go in and file lawsuits, either for trademark infringement or cyber squatting, or both. Just depending on the facts of the case. But, as I mentioned, whois is changing, we can talk a bit about that.

Lee Neubecker: Paul, can you tell me a little bit more about the platform issues?

Paul McGrady: Sure so the platform issues are different than in the cases where the bad guy owns a domain name them self. The bad guy may be taking advantage of legitimate platforms to sell infringing counterfeit goods. In those cases, many of those platforms will have a notice and take down mechanism. Those are not meant to be used just to keep your trade channels clear, but rather to be used to report actually infringing, counterfeit materials and sales, to have those taken down. If you have repeat offenders, it can get a little messier because you do ultimately need to find out who they are and unlike domain names, who have up until very recently had a predictable whois framework, the platforms don’t have anything like that.

Lee Neubecker: Let’s say you identify a website that is selling your clients’ products. How have you gone about unmasking those entities in the past when they’re hidden behind proxies?

Paul McGrady: Sure, so historically I’ve had really great relationships with many of the proxy privacy providers. A lot of them are legitimate outfits that have a mechanism by which you can alert them to a concern and either they write to their customer directly and tell them to contact you or they may even reveal the underlying customer information, depending on how egregious the situation is. However those proxy providers are moving into a new era where the European privacy law is going to dramatically change what information ICANN will allow the privacy proxy provider to disclose and to whom.

Lee Neubecker: Great. So Hide My Stuff might not actually work, or whatever it’s called.

Paul McGrady: Yeah, so in the coming months we are going to be seeing registrars, many of whom have privacy proxy services, implementing ICANN’s new proposed GDPR compliance model. And that model basically boils down to this, there’ll be essentially almost every domain name will be hidden behind some sort of privacy proxy service and brand owners who are concerned about abuse of their trademarks, either in the domain name or in the content of the website, will have to try to get access to that whois information through an accreditation process. The problem is, is that GDPR compliance begins in May with stiff penalties, but there’s so far no accreditation process that ICANN has even sketched out. And so, we are maybe going into a period of time where there truly is a blackout of whois between when whois is shut off and when accreditation begins. And that will be an interesting time because brand owners will have no choice, but to go to court, issue subpoenas, try to get records from the registrars, and the privacy proxy services. And then engage in forensics experts to come in and try to help them determine the entire universe of the infringing actors, domain name, portfolio, and things like that. Track them back through credit card issues, IP addresses, you name it. So the good old days of whois are winding down.

Lee Neubecker: And Paul, just so you remember, as part of our practice we often can unmask people online by looking at other data. Operators often point to their websites from various places. They get lazy. They’ll use the same DNS servers, they’ll use the same mail routing services, and often times we’ve been able to unmask people even when the legal means can’t identify them. But, you know when it really comes down to it, once you get your hands on the entity, what have you had to do to get the court to allow you to do forensics to inspect the computers?

Paul McGrady: Well, I mean that’s fairly straightforward right? Because we’re usually talking about demonstrably bad guys and you know going in and essentially seeking discovery orders to have the computers turned over, to be looked at. It’s, you know fairly straightforward these days. Several years ago it was not quite as common as it is now, but we’re going to see an uptick in that kind of thing because without easy access to whois, therefore leading to easy, you know UDRP compliance to deal with the problems, you know essentially in a Whack-a-Mole fashion. Once a brand owner is forced to go to court, they’ve already gone through the effort of being there, they’re going to try to get the full resources of the court behind them in trying to get the infringing material stop.

Lee Neubecker: You mentioned before, GDPR and its impacts on your process. Can you tell us a little bit more about how that’s going to impact your clients in the coming year as it relates to internet domain disputes?

Paul McGrady: Sure, so back in the day and I mean last month, it was easy to conduct a whois search on a domain name, figure out the email address, then do a reverse registrant search on that email address, and essentially take a look at the entire portfolio and understand the universe of problem that you’re having with a particular bad guy. And that would also draw out uses by that particular bad guy of third party marks, which was a bad faith factor for the UDRP complaint that helps you win your UDRP arbitrations. But as I mentioned, a lot of that easy access is essentially going away and so from now in order to prove, you know, the kinds of bad faith multiple infringements that were easy to prove just a few weeks ago, unless ICANN confirms that the tiered access accreditation process will result in searchable whois data. You know, that easy method is going to go away and we’re going to have to figure out how to do that by piecing together information, like you mentioned Lee, that you know, you are able to go in and see where the bad guys are pointing, what DNS records they have, but of course that’s a bit more work than just a simple reverse registrant search. So, you know what is new maybe became a little common place, but now it’s back, mostly because of how ICANN is handling the GDPR law.

Lee Neubecker: Well thank you Paul for being on the show today and if you need to reach Paul, his contact information is available on our blog post at Thank you.

Paul McGrady: Thanks Lee.

Leave a Reply

Your email address will not be published. Required fields are marked *