Home / Blogs

Contributory Cybersquatting and the Impending Demise of Domain Name Proxy Services?

Solid Host, NL v. NameCheap, Inc., 2:08-cv-05414-MMM-E (C.D. Cal. May 19, 2009)

Facts

This case involves an alleged domain name theft. Solid Host is a web host and initial owner of the domain name solidhost.com, which it registered through eNom in 2004. Solid Host claims that in 2008, a security breach at eNom allowed an unknown interloper (Doe) to steal the domain name and move the registration to NameCheap. Doe also acquired NameCheap’s “WhoisGuard” service, a domain name proxy service that masked Doe’s contact information in the Whois database. Solid Host contacted Doe and sought the domain name; Doe asked for $12,000, and Solid Host took a pass. Instead, Solid Host demanded that NameCheap hand back the domain name and identify Doe, but Doe claimed that he had bought the domain name legitimately. NameCheap, apparently feeling like the cheese in a sandwich, demurred to Solid Host’s requests. Solid Host then got a TRO ordering NameCheap to transfer the name and reveal Doe’s identity, both of which occurred. For unclear reasons, Solid Host hasn’t amended the complaint to name the Doe, but it is proceeding against NameCheap on various claims, including an Anti-Cybersquatting Consumer Protection Act (ACPA) claim.

The Opinion

Who is the Registrant?

My understanding of domain name proxy services is that the service acts as the legal registrant, thus supplying its contact information, but it registers the domain name for the benefit of its customer, making the customer the beneficial registrant. An analogy: a bank may take legal title of a property as part of securing a loan on the property, but the borrower retains beneficial title to the property.

So, for purposes of the ACPA, is the proxy service the “registrant” of the domain name? ICANN’s agreement with registrars seemingly contemplates this characterization in Section 3.7.7.3 of its Registrar Agreement, which says “A Registered Name Holder licensing use of a Registered Name according to this provision shall accept liability for harm caused by wrongful use of the Registered Name, unless it promptly discloses the identity of the licensee to a party providing the Registered Name Holder reasonable evidence of actionable harm.” However, it’s not clear to me that a proxy service “licenses” the domain name, especially if you accept my lender-borrower analogy above. Alternatively, if the proxy service is the “agent” of the customer, the licensing analogy also breaks down.

Whether the proxy service is the registrant matters a great deal to the legal outcome, and unfortunately, the court’s analysis of this important question was cursory, muddled, and possibly internally inconsistent.

In this case, the court’s inquiry is made more difficult by the fact that NameCheap acted as both the registrar and the proxy service provider. As a registrar, an ACPA claim against NameCheap should be squarely preempted by the domain name registry/registrar safe harbor enacted as part of the ACPA (15 U.S.C. §1114(2)(D)). For example, 1114(2)(D)(iii) says:

A domain name registrar, a domain name registry, or other domain name registration authority shall not be liable for damages under this section for the registration or maintenance of a domain name for another absent a showing of bad faith intent to profit from such registration or maintenance of the domain name

(This provision only moots damages, not an injunction, but since Solid Host has the domain name back in its possession, damages seem like the only remaining issue).

The court concludes that NameCheap is not eligible for the domain name registrar safe harbor because NameCheap is the domain name registrant. It says, “NameCheap is, by virtue of the anonymity service it provides, the registrant of a domain name that allegedly infringes Sold [sic] Host’s trademark.” Thus, NameCheap is ineligible for the registrar safe harbor, which applies only when the registrar acts as a registrar.

But, having rejected the domain name registrar safe harbor because NameCheap was the domain name registrant, the court then inconsistently says that NameCheap is not the registrant for purposes of the prima facie ACPA claim. Instead, for ACPA purposes the court treats Doe as the registrant, leaving NameCheap exposed to a possible secondary ACPA liability claim. (The court acknowledges that NameCheap would defeat a direct ACPA claim because NameCheap did not have any bad faith intent to profit from the domain name. Offering the proxy service wasn’t enough to qualify as a bad faith intent to profit).

Wait a minute—how can NameCheap simultaneously be both the registrant (no safe harbor) but not the registrant (thus, subjected to a secondary claim)? The court does not acknowledge or explain this apparent inconsistency.

Contributory Cybersquatting

Courts have rarely discussed a contributory ACPA claim. The only one cited by the court was a 2001 case (the Ford Motors vs. Greatdomains.com case) and I can’t think of any others. Perhaps this isn’t surprising because (1) as the Greatdomains.com case indicated, a contributory ACPA claim is available “in only exceptional circumstances,” and (2) registrars are the most likely targets of a contributory ACPA claim, and the domain name registrar safe harbor effectively eliminates their contributory ACPA liability.

Adopting the analysis in the Greatdomains.com case, this court equates contributory ACPA liabilty with the Ninth Circuit’s 1999 Lockheed standard for online contributory trademark infringement (as opposed to ACPA liability), which requires that “a plaintiff must prove that the defendant had knowledge and ‘[d]irect control and monitoring of the instrumentality used by the third party to infringe the plaintiff’s mark.’”

So how did NameCheap have the requisite control over Doe’s instrumentalities? Good question. The court tosses out this gem: NameCheap was “the “cyber-landlord” of the internet real estate stolen by Doe.” WHAT??? The court continues:

NameCheap’s anonymity service was central to Doe’s cybersquatting scheme. If NameCheap had returned the domain name to Solid Host, Doe’s illegal activity would have ceased.

The second sentence is true with respect to NameCheap, but it is also true of every registrar for every domain name they register—and we know from the 1999 Lockheed case that registrars lack control over the instrumentalities of their registrants. So the proxy service seems to make a legal difference, but how does the proxy service evidence NameCheap’s greater control over the registrant’s instrumentalities? I think something is amiss here.

To complete the prima facie contributory ACPA claim, in addition to control, Solid Host must show that NameCheap has the requisite knowledge of Doe’s ACPA violation. The court sets a high scienter bar—mere notice from an aggrieved party isn’t enough—but the court conclusorily says that the complaint alleged enough knowledge to survive the motion to dismiss.

Why This is a Troubling Ruling

As I trust is clear, I think the court’s analysis is questionable at best. I’m also troubled about the normative implications. Most obviously, this case could portend the deminse of domain name proxy services. Read literally, every proxy service is exposed to potential contributory ACPA liability for every domain name it services. I can’t imagine proxy service providers will be excited about that liability exposure, and some may choose to exit the business.

If proxy services evaporate, domain name registrants will have a tougher time maintaining their privacy. This could affect at least two groups. First, businesses seeking to register domain names for unlaunched new brands often want to procure the new brand’s domain names without publicly announcing their intentions through the Whois database. (Of course, some businesses register such domain name through agents or shell companies, but at a much greater expense than a proxy service). Second, gripers, whistleblowers, critics and others may want to use proxy services to make it harder for their targets to unmask their identities. This ruling jeopardizes the potential privacy options available to both groups.

I’m also troubled by this ruling’s narrow reading of the domain name registrar safe harbors. There haven’t been many cases interpreting those safe harbors, and this case might influence other courts to read them narrowly.

A Mini-Trend of Lawsuits Against Registrars

I’ve noticed a small but troubling increase in lawsuits against domain name registrars in the past few months. In addition to this case, see the Vulcan Golf v. Google lawsuit (which named some registrars as defendants), OnlineNIC cases, Philbrick v. eNom and uBid v. GoDaddy. Personally, I believe this litigation trend mirrors the expansion of new and legally untested non-registration services offered by registrars. I explored this issue with Elliot Noss of Tucows in the most recent installment of TWiL (worth listening to, IMO). Discussing the uBid lawsuit, Elliott explained how registrars monetize dropped domain names before being returned to the available pool of unregistered domain names. The delay is putatively for the benefit of customers who mistakenly let a registration lapse; but this also has the happy (?) by-product of letting registrars create new ad inventory that they are monetizing.

In the past, a lot of the legal attention regarding domain names has focused on trademark owners vs. registrants. From my perspective, those lawsuits are becoming passé. The real litigation growth industry appears to be trademark owner vs. registrar lawsuits over new registrar service offerings that trademark owners don’t like. Rulings like this one, with a broad reading of contributory ACPA liability and a narrow reading of the domain name registrar safe harbor, raise the specter that registrars may find more legal trouble than they anticipated.

More commentary on the case from Domain Name News

By Eric Goldman, Professor, Santa Clara University School of Law

Filed Under

Comments

Correction needed:In this case, the court's inquiry Marc J. Randazza  –  Jun 2, 2009 1:14 AM

Correction needed:
In this case, the court’s inquiry is made more difficult by the fact that NameCheap acted as both the registrar and the proxy service provider.

Actually, eNom is the relevant registrar.  NameCheap sought the shelter of the ACPA’s registrar safe harbor merely because it is a registrar—not because it served as the registrar. 

Comment:

this case could portend the deminse of domain name proxy services. Read literally, every proxy service is exposed to potential contributory ACPA liability for every domain name it services. I can’t imagine proxy service providers will be excited about that liability exposure, and some may choose to exit the business.

This seems a bit alarmist.  No privacy service will be liable if it, upon presentation of reliable evidence, discloses the name of the underlying customer.  If it decides that it would rather stand fast, then as provided for in the ICANN agreement, it stands in the shoes of the customer. 

This doesn’t mean that privacy services will disappear.  What it means is that some will become more expensive.  Others will continue to act as they do now, which is to release the name in proper circumstances.  Still others might simply charge the client for the defense of any request for their information.  The market will change, certainly, but the market will not leave a vacuum.

Oh, disclaimer: I am one of Marc J. Randazza  –  Jun 2, 2009 1:15 AM

Oh, disclaimer:  I am one of the attorneys for the plaintiff in this case.

I agree with Marc that the decision John Berryhill  –  Jun 10, 2009 2:26 PM

I agree with Marc that the decision is not a death knell for privacy services.

For the life of me, I can’t figure out why privacy services identify as the registrant “XYZ Privacy Service Inc.”

There is no reason why the registrant cannot be identified as “XYZ Privacy Customer No. (ID string)”  where ID string is a unique identifier assigned to the domain and uniquely associated with the customer who registered the domain name.

The defendant in that situation is “XYZ Privacy Customer No. (ID string)” which does indeed correspond to an individual, not the privacy service, and is certainly more specific than that “John Doe” guy who, in any other area of law, lawyers have no problem filing suit against on a daily basis, subject to discovery of who “John Doe” is. 

Is that the “name” of the registrant?  Sure it is.  It is just as much a registrant name as a sole proprietor who runs “Podunk Discount Store” and registers his domain name as “Podunk Discount Store” as a d/b/a name.

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

New TLDs

Sponsored byRadix

Brand Protection

Sponsored byCSC

Threat Intelligence

Sponsored byWhoisXML API

Domain Names

Sponsored byVerisign

Cybersecurity

Sponsored byVerisign

DNS

Sponsored byDNIB.com

IPv4 Markets

Sponsored byIPv4.Global