3/11/2026 · WIPO UDRP privacy

WIPO's New $20 Loophole Lets Anyone Unmask Domain Owners Behind Privacy Services

If you use Whois privacy protection on your domains — and you should — there's a new threat you need to know about. The World Intellectual Property Organization (WIPO) just made it dramatically cheaper for anyone to find out who's behind your domain name.

On March 9, 2026, WIPO announced new pricing for its UDRP (Uniform Domain-Name Dispute-Resolution Policy) service. Buried in the changes is a reduction that domain privacy advocates are calling alarming: the fee for withdrawing a UDRP complaint before it's formally notified dropped from $500 to just $100 — for up to five domain names.

That works out to $20 per domain to unmask the person behind a privacy-protected registration.

How the Loophole Works

Here's the mechanism, step by step:

  1. Someone files a UDRP complaint against your domain at WIPO. The filing fee for up to five domains is $1,500.
  2. WIPO contacts your registrar and obtains your actual registration data — your real name, address, email, and phone number — which is normally hidden behind your privacy service.
  3. WIPO provides this data to the complainant so they can amend their complaint with the correct respondent information.
  4. The complainant withdraws the case before it's formally notified to you.
  5. WIPO refunds all but $100 of the filing fee.

The result: for $100, someone just obtained the private registration data for up to five of your domains. You may never even know it happened.

"The Complaint Doesn't Need to Make Sense"

UDRP attorney John Berryhill, one of the most experienced domain name lawyers in the industry, explained the severity of this loophole to Domain Name Wire:

> "Anyone, anywhere can file a pro forma UDRP against up to 5 domain names — it doesn't even need to make any sense — and get the underlying registrant data from the registrar, withdraw, and only pay $100 net."

Berryhill went further, noting that initial UDRP complaints are often filed with skeletal information — placeholder text like "[to be amended when respondent data obtained]" — and there's no verification that the complainant even exists or has legitimate trademark rights.

In other words, the system has no meaningful gatekeeping. There's no smell test. There's no check on whether the complainant is a real trademark holder or someone with entirely different motives.

Who Could Exploit This?

The potential for abuse extends well beyond trademark disputes:

Domain Buyers Bypassing Brokers

Someone who wants to buy a domain registered through GoDaddy can skip its brokerage service (which charges around $100 plus 20% commission) and instead get the owner's contact information through WIPO for $20. They can then approach the owner directly, cutting out the middleman entirely.

Competitors and Bad Actors

A business competitor could unmask the owner of a criticism site, a review blog, or a competitive domain โ€” all for the price of a nice lunch.

Threats to Whistleblowers and Journalists

Perhaps most concerning: someone could use this to identify the person behind a gripe site, a whistleblower publication, or a citizen journalist's domain. In countries with weak press protections, this could have serious real-world consequences.

Stalkers and Harassers

Domain privacy exists partly to protect individuals from unwanted contact. A $20 unmasking service fundamentally undermines that protection.

WIPO's Stated Rationale

To be fair, WIPO presented reasonable justifications for the fee reduction. They cited scenarios where complainants discover the registrant is actually a licensee, or where a "John Doe" complaint reveals the domain holder has a legitimate personal name or business that matches the domain.

These are legitimate reasons to withdraw a complaint early. The problem isn't the ability to withdraw — it's that the economics now make it trivially cheap to abuse the system.

The Broader Context: Domain Privacy Under Siege

This development comes at a time when domain owner privacy is already under pressure from multiple directions:

  • ICANN's ongoing WHOIS debates continue to pit law enforcement and trademark interests against privacy advocates
  • The EU's GDPR forced registrars to redact Whois data, but workarounds keep emerging
  • ICANN's Registration Data Request Service (RDRS) launched to provide a standardized way to request registrant data, though adoption has been limited

WIPO's fee change effectively creates a parallel, low-cost channel for obtaining protected data — one that bypasses the privacy frameworks registrars have spent years building.

What Domain Owners Should Do Right Now

1. Audit Your Domain Portfolio

Check which of your domains have privacy protection enabled. If you're using a registrar that doesn't offer privacy by default, consider switching. Use a WHOIS lookup tool to verify what information is publicly visible for each of your domains.

2. Use Registrars with Strong Privacy Defaults

Some registrars include free Whois privacy on all domains. When comparing domain pricing across registrars, factor in whether privacy protection is included or costs extra.

3. Consider Corporate Registration

For sensitive domains, register under a corporate entity rather than your personal name. Even if someone unmasks the registration, they'll find a business name rather than your home address.

4. Monitor for UDRP Filings

Set up alerts or periodically check WIPO's case database for complaints filed against your domains. While you may not be notified of withdrawn cases, active monitoring adds a layer of awareness.

5. Use Multiple Registrars

Don't keep all your domains at one registrar. Spreading your portfolio across different registrars makes it harder and more expensive for someone to unmask your entire portfolio in a single UDRP filing.
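
For the portfolio audit in step 1, the check can be scripted against RDAP, the JSON successor to WHOIS that registries and registrars publish. The sketch below is an added example, not code from the original article; the redaction markers are heuristic assumptions and the sample responses are constructed.

```python
# Added example: audit RDAP (RFC 9083) responses for publicly visible registrant data.
# MASK_MARKERS is a heuristic assumption; extend it for the services you use.
MASK_MARKERS = ("redacted", "privacy", "proxy", "withheld", "not disclosed")
CONTACT_PROPS = ("fn", "org", "adr", "email", "tel")


def _flatten(value):
    """jCard values can be nested lists (e.g. 'adr'); join the non-empty parts."""
    if isinstance(value, list):
        return ", ".join(p for p in map(_flatten, value) if p)
    return "" if value is None else str(value).strip()


def exposed_fields(rdap):
    """Return {property: value} for registrant contact data anyone can read."""
    exposed = {}
    for entity in rdap.get("entities", []):
        if "registrant" not in entity.get("roles", []):
            continue  # registrar, abuse and technical contacts are not the owner
        for name, _params, _type, *values in entity.get("vcardArray", ["vcard", []])[1]:
            text = _flatten(values)
            masked = any(marker in text.lower() for marker in MASK_MARKERS)
            if name in CONTACT_PROPS and text and not masked:
                exposed[name] = text
    return exposed


def audit(responses):
    """Map each domain name to its exposed registrant fields ({} means masked)."""
    return {r["ldhName"]: exposed_fields(r) for r in responses}


# Constructed sample responses, trimmed to the members the audit reads.
SAMPLE_RESPONSES = [
    {"ldhName": "masked.example", "entities": [
        {"roles": ["registrar"], "vcardArray": ["vcard", [["fn", {}, "text", "Constructed Registrar"]]]},
        {"roles": ["registrant"], "vcardArray": ["vcard", [
            ["fn", {}, "text", "REDACTED FOR PRIVACY"],
            ["email", {}, "text", "a1b2c3@privacy-proxy.example"]]]}]},
    {"ldhName": "open.example", "entities": [
        {"roles": ["registrant"], "vcardArray": ["vcard", [
            ["fn", {}, "text", "Jane Constructed"],
            ["adr", {}, "text", ["", "", "1 Sample Way", "Springfield", "", "00000", "US"]],
            ["email", {}, "text", "jane@open.example"],
            ["tel", {"type": "voice"}, "uri", "tel:+1-555-0100"]]]}]},
]

if __name__ == "__main__":
    for domain, fields in audit(SAMPLE_RESPONSES).items():
        print(domain, "->", fields or "no registrant data visible")
```

An empty result describes only the public view: the registrar still holds the underlying registration data, which is what the UDRP process described above discloses.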

The Numbers in Perspective

At the previous $500 withdrawal fee, unmasking five domains cost $100 per domain. That was expensive enough to deter casual abuse.

At the new $100 withdrawal fee, the same five domains cost just $20 each. That's less than the price of a .com domain registration.

For context, GoDaddy's domain brokerage service costs a minimum of about $100 plus a 20% commission on the sale price. The WIPO route is now cheaper than the legitimate alternative — and it gives you the registrant's actual identity and contact information.

What Should Change

Domain industry advocates are already pushing back. Potential reforms could include:

  • Minimum withdrawal fees high enough to deter abuse (the previous $500 was arguably more appropriate)
  • Verification requirements for complainants filing UDRP cases
  • Notification to registrants even when cases are withdrawn before formal notification
  • Limits on repeat filers who show a pattern of filing and withdrawing

Until such reforms are implemented, domain owners need to take their own precautions.

The Bottom Line

Whois privacy protection is one of the most important tools domain owners have. It protects personal information, prevents spam, and shields domain investors from unwanted solicitation.

WIPO's new pricing — well-intentioned as it may be — has created a significant loophole. For $20 per domain, anyone can now bypass the privacy protections you're paying for.

If you own domains, especially valuable ones or ones tied to sensitive projects, take the steps above to strengthen your privacy posture. And if you're shopping for domains or researching domain values, remember that the privacy features your registrar offers are just as important as the price tag.

The domain industry has spent years building privacy protections. It shouldn't take $20 to tear them down.
