May 28, 2009
Contributory Cybersquatting and the Impending Demise of Domain Name Proxy Services?--Solid Host v. NameCheap
By Eric Goldman
Solid Host, NL v. NameCheap, Inc., 2:08-cv-05414-MMM-E (C.D. Cal. May 19, 2009)
This case involves an alleged domain name theft. Solid Host is a web host and initial owner of the domain name solidhost.com, which it registered through eNom in 2004. Solid Host claims that in 2008, a security breach at eNom allowed an unknown interloper (Doe) to steal the domain name and move the registration to NameCheap. Doe also acquired NameCheap's "WhoisGuard" service, a domain name proxy service that masked Doe's contact information in the Whois database. Solid Host contacted Doe and sought the domain name; Doe asked for $12,000, and Solid Host took a pass. Instead, Solid Host demanded that NameCheap hand back the domain name and identify Doe, but Doe claimed that he had bought the domain name legitimately. NameCheap, apparently feeling like the cheese in a sandwich, demurred to Solid Host's requests. Solid Host then got a TRO ordering NameCheap to transfer the name and reveal Doe's identity, both of which occurred. For unclear reasons, Solid Host hasn't amended the complaint to name the Doe, but it is proceeding against NameCheap on various claims, including an Anti-Cybersquatting Consumer Protection Act (ACPA) claim.
Who is the Registrant?
My understanding of domain name proxy services is that the service acts as the legal registrant, thus supplying its contact information, but it registers the domain name for the benefit of its customer, making the customer the beneficial registrant. An analogy: a bank may take legal title of a property as part of securing a loan on the property, but the borrower retains beneficial title to the property.
So, for purposes of the ACPA, is the proxy service the “registrant” of the domain name? ICANN’s agreement with registrars seemingly contemplates this characterization in Section 22.214.171.124 of its Registrar Agreement, which says “A Registered Name Holder licensing use of a Registered Name according to this provision shall accept liability for harm caused by wrongful use of the Registered Name, unless it promptly discloses the identity of the licensee to a party providing the Registered Name Holder reasonable evidence of actionable harm.” However, it’s not clear to me that a proxy service “licenses” the domain name, especially if you accept my lender-borrower analogy above. Alternatively, if the proxy service is the “agent” of the customer, the licensing analogy also breaks down.
Whether the proxy service is the registrant matters a great deal to the legal outcome, and unfortunately, the court’s analysis of this important question was cursory, muddled, and possibly internally inconsistent.
In this case, the court’s inquiry is made more difficult by the fact that NameCheap acted as both the registrar and the proxy service provider. As a registrar, an ACPA claim against NameCheap should be squarely preempted by the domain name registry/registrar safe harbor enacted as part of the ACPA (15 U.S.C. §1114(2)(D)). For example, 1114(2)(D)(iii) says:
A domain name registrar, a domain name registry, or other domain name registration authority shall not be liable for damages under this section for the registration or maintenance of a domain name for another absent a showing of bad faith intent to profit from such registration or maintenance of the domain name
(This provision only moots damages, not an injunction, but since Solid Host has the domain name back in its possession, damages seem like the only remaining issue).
The court concludes that NameCheap is not eligible for the domain name registrar safe harbor because NameCheap is the domain name registrant. It says, "NameCheap is, by virtue of the anonymity service it provides, the registrant of a domain name that allegedly infringes Sold [sic] Host’s trademark." Thus, NameCheap is ineligible for the registrar safe harbor, which applies only when the registrar acts as a registrar.
But, having rejected the domain name registrar safe harbor because NameCheap was the domain name registrant, the court then inconsistently says that NameCheap is not the registrant for purposes of the prima facie ACPA claim. Instead, for ACPA purposes the court treats Doe as the registrant, leaving NameCheap exposed to a possible secondary ACPA liability claim. (The court acknowledges that NameCheap would defeat a direct ACPA claim because NameCheap did not have any bad faith intent to profit from the domain name. Offering the proxy service wasn't enough to qualify as a bad faith intent to profit).
Wait a minute—how can NameCheap simultaneously be both the registrant (no safe harbor) but not the registrant (thus, subjected to a secondary claim)? The court does not acknowledge or explain this apparent inconsistency.
Courts have rarely discussed a contributory ACPA claim. The only one cited by the court was a 2001 case (the Ford Motors vs. Greatdomains.com case) and I can’t think of any others. Perhaps this isn’t surprising because (1) as the Greatdomains.com case indicated, a contributory ACPA claim is available "in only exceptional circumstances," and (2) registrars are the most likely targets of a contributory ACPA claim, and the domain name registrar safe harbor effectively eliminates their contributory ACPA liability.
Adopting the analysis in the Greatdomains.com case, this court equates contributory ACPA liability with the Ninth Circuit’s 1999 Lockheed standard for online contributory trademark infringement (as opposed to ACPA liability), which requires that "a plaintiff must prove that the defendant had knowledge and ‘[d]irect control and monitoring of the instrumentality used by the third party to infringe the plaintiff’s mark.'"
So how did NameCheap have the requisite control over Doe's instrumentalities? Good question. The court tosses out this gem: NameCheap was "the “cyber-landlord” of the internet real estate stolen by Doe." WHAT??? The court continues:
NameCheap’s anonymity service was central to Doe’s cybersquatting scheme. If NameCheap had returned the domain name to Solid Host, Doe’s illegal activity would have ceased.
The second sentence is true with respect to NameCheap, but it is also true of every registrar for every domain name they register--and we know from the 1999 Lockheed case that registrars lack control over the instrumentalities of their registrants. So the proxy service seems to make a legal difference, but how does the proxy service evidence NameCheap's greater control over the registrant's instrumentalities? I think something is amiss here.
To complete the prima facie contributory ACPA claim, in addition to control, Solid Host must show that NameCheap has the requisite knowledge of Doe's ACPA violation. The court sets a high scienter bar--mere notice from an aggrieved party isn't enough--but the court conclusorily says that the complaint alleged enough knowledge to survive the motion to dismiss.
Why This is a Troubling Ruling
As I trust is clear, I think the court's analysis is questionable at best. I’m also troubled about the normative implications. Most obviously, this case could portend the demise of domain name proxy services. Read literally, every proxy service is exposed to potential contributory ACPA liability for every domain name it services. I can’t imagine proxy service providers will be excited about that liability exposure, and some may choose to exit the business.
If proxy services evaporate, domain name registrants will have a tougher time maintaining their privacy. This could affect at least two groups. First, businesses seeking to register domain names for unlaunched new brands often want to procure the new brand's domain names without publicly announcing their intentions through the Whois database. (Of course, some businesses register such domain name through agents or shell companies, but at a much greater expense than a proxy service). Second, gripers, whistleblowers, critics and others may want to use proxy services to make it harder for their targets to unmask their identities. This ruling jeopardizes the potential privacy options available to both groups.
I’m also troubled by this ruling’s narrow reading of the domain name registrar safe harbors. There haven’t been many cases interpreting those safe harbors, and this case might influence other courts to read them narrowly.
A Mini-Trend of Lawsuits Against Registrars
I’ve noticed a small but troubling increase in lawsuits against domain name registrars in the past few months. In addition to this case, see the Vulcan Golf v. Google lawsuit (which named some registrars as defendants), OnlineNIC cases, Philbrick v. eNom and uBid v. GoDaddy. Personally, I believe this litigation trend mirrors the expansion of new and legally untested non-registration services offered by registrars. I explored this issue with Elliot Noss of Tucows in the most recent installment of TWiL (worth listening to, IMO). Discussing the uBid lawsuit, Elliott explained how registrars monetize dropped domain names before being returned to the available pool of unregistered domain names. The delay is putatively for the benefit of customers who mistakenly let a registration lapse; but this also has the happy (?) by-product of letting registrars create new ad inventory that they are monetizing.
In the past, a lot of the legal attention regarding domain names has focused on trademark owners vs. registrants. From my perspective, those lawsuits are becoming passé. The real litigation growth industry appears to be trademark owner vs. registrar lawsuits over new registrar service offerings that trademark owners don't like. Rulings like this one, with a broad reading of contributory ACPA liability and a narrow reading of the domain name registrar safe harbor, raise the specter that registrars may find more legal trouble than they anticipated.
UPDATE: Commentary from Domain Name News
UPDATE 2: A call for registrars to exit the domain name proxy business.
TrackBack URL for this entry: