October 25, 2009
Tucows Not Liable for Spam Judgment Against 3rd Party Based on Private Registration Services -- Balsam v. Tucows
[Post by Venkat]
Judge Breyer (N.D. Cal.) rejected an attempt by a spam plaintiff to hold a registrar liable for a judgment against a third party based on private registration services provided by the registrar. (Balsam v. Tucows Inc., et al., CV 09-03585 CRB (N.D. Cal. Oct. 23, 2009). Access a copy of the order at Scribd here.) Incidentally, the plaintiff - Dan Balsam - is a recent law school grad who catalogues his extensive anti-spam efforts at his website: "danhatesspam.com."
Facts: As recounted by the court, Balsam received 1,125 pieces of spam advertising an adult-oriented website over a seven month period. Balsam performed a WHOIS lookup and found that the website was registered to Angeles Technology Inc. Some time later, Angeles started utilizing private registration services provided by Tucows. Balsam sued Angeles, and obtained a default judgment for $1,125,000. After Balsam brought suit but before he obtained judgment, Balsam requested the registrant’s identity from Tucows. Tucows refused to provide the name without a court order.
Balsam tried unsuccessfully to collect against Angeles and have garnished revenues from the website's payment processor. He even tried to have the underlying domain name seized. Understandably miffed, he brought suit against Tucows, arguing that Tucows was liable for the judgment due to its failure to disclose the identity of the person who held the beneficial interest in the domain name.
The Court's Ruling: Balsam sought to hold Tucows liable based on a variety of claims, but they were all premised on Balsam being a third party beneficiary to the "Registrar Accreditation Agreement" which registrars are required to sign with ICANN. Specifically, the RAA contains a clause which requires all registrars to enter into agreements which obligates registrants to provide accurate information and also for each registrar (referred to as a "Registered Name Holder") who provides private (or nominee) registration services to "accept liability for harm caused by wrongful use of the [domain name], unless [the registrar] promptly discloses the identity of the licensee to a party providing [the nominee registrar] reasonable evidence of actionable harm." I've reproduced the actual clause below at the end of this post. (Arguably, the reference in section 126.96.36.199 to the "registered name holder" should not necessarily be seen as a reference to the registrar. Registrars often wear multiple hats, and this results in some confusion. But to me it doesn't seem like the fact that registrars often provide private registration services through subsidiaries or related entities should be a determining factor. At the end of the day, the clause speaks to the person or entity in whose name the domain name is registered, which in the case of private registration services is the registrar or its subsidiary.)
Judge Breyer held that Balsam was not a third party beneficiary under the RAA and thus all of Balsam's claims failed.
Thoughts: To begin with, Balsam was fighting against the weight of precedent in arguing third party beneficiary claims under the RAA. Courts have refused to find that the RAA creates obligations enforceable by third parties. (See, e.g., Register.com v. Verio, 356 F.3d 393 (2d Cir. 2004).) Also, this isn't the first time a court has looked specifically at whether section 188.8.131.52 of the RAA creates a class of third party beneficiaries. As Professor Goldman previously noted, in Solid Host NL v. NameCheap, Inc. (No. 08-5414) (C.D. Cal. May 19, 2009), a judge in the Central District of California denied a registrar's motion to dismiss where a plaintiff sought to hold a registrar liable for cybersquatting under theories of direct and contributory liability (among other theories). That case also involved a registrar's failure to disclose the identity of the person or entity using the private registration services. Oddly, the court in Balsam cites NameCheap for the proposition that section 184.108.40.206 does not create an intended class of third party beneficiaries. I actually read NameCheap to say that third party beneficiary status was possible, depended on the facts as to intent and construction of the agreement, and thus could not be resolved on a motion to dismiss. (See pp. 39-49 of the NameCheap order.)
Balsam's case is somewhat tougher to make than Solid Host's, in that Balsam obtained a default judgment of over a million dollars. No judge is going to put the registrar on the hook for this type of a damage award absent some serious facts showing misconduct (i.e., the type of evidence the jury found persuasive in the Louis Vuitton case mentioned below). And that's where Balsam falls short in my opinion. It's tough to see where the real harm is to Balsam from the use by Angeles of private registration services. Balsam already knew the identity of the registrant, since the registrant he proceeded against started using the privacy protection services after Balsam after discovered its identity. (Stepping back, it's tough to see how a thousand emails should result in a million dollar damage award, but that's a separate issue.) Balsam only alleges that the failure by Tucows to reveal the identity of the beneficial registrant 'complicated' Balsam's ability to collect against Angeles Technology Inc. Regardless of how the third party beneficiary status discussion plays out, to me this casts a shadow over Balsam's claim.
As a side note, I agree with Professor Goldman that the court's reasoning in NameCheap isn't crystal clear, but I think it's a closer question as to whether - based on section 220.127.116.11 - a registrar should be held liable for harm flowing from a delay in disclosure. Regardless of whether the parties intended to create a class of third party beneficiaries, the thrust of section 18.104.22.168 is that if a registrant offers privacy protection services (i.e., register the domain name in your own legal name and allow someone else to be the beneficial owner), it seems to have a contractual obligation to disclose the identity of the beneficial owner upon request by an injured party. The fact that the RAA is an agreement registrars enter into with ICANN (which is a quasi-public entity) as a condition of being accredited and being allowed to offer domain name registration services also weighs in favor of the third party beneficiary argument. On the other hand, accepting that the RAA creates third party beneficiaries would result in a variety of problems and create unintended classes of plaintiffs and causes of action. Ultimately I don't think it's a very good idea, and courts have not been very receptive in general to third party beneficiary claims under the RAA.
To the extent the third party beneficiary argument flies, Solid Host had a stronger argument for why it should be treated as a third party beneficiary. Solid Host involved wrangling over a domain name that was originally registered in the name of Solid Host. Solid Host arguably relied on the provisions in the RAA in registering its domain name in the first place. (Note: to the extent a court accepts the third party beneficiary argument this leaves registrars in an arguably tricky spot. Section 22.214.171.124 does not limit itself to harm caused by the failure to disclose. It seems to cover harm "caused by wrongful use of [the domain name] . . .")
In any event, trying to hold a registrar (or someone else in the chain) liable for ACPA or trademark claims raises a host of thorny issues that courts struggle with. To the extent they can be unpacked, I'll admit I'm incapable of unpacking these issues in a blog post, or even a series of blog posts. I'll leave that to Professor Goldman. (See posts from Professor Goldman on the Solid Host case here and on the recent jury verdict for contributory liability for trademark infringement ($32MM!) obtained by Louis Vuitton here.) Suffice it to say that facts often dictate the result, and here, it just didn't pass the gut test to hold Tucows liable for a significant default judgment based on failure to disclose by Tucows. Particularly when in the court's view Balsam's evidence connecting the failure to disclose by Tucows with the underlying harm wasn't particularly strong.
As I read Balsam v. Tucows, I wondered whether Tucows had a Section 230 argument lurking in the background. My tentative thought is that it could have a viable 230 argument, since Balsam is seeking to hold Tucows liable based on third party content. Although Balsam could argue that under Barnes v. Yahoo Tucows could be viewed as having a contractual obligation which it didn't fulfill, this could be a tough argument to make, given that Tucows did not make any promises to Balsam directly. (See the two rulings in Goddard v. Google, Inc. (rejecting attempts to bring claims against Google based on third party beneficiary status under Google's advertising terms); see also Morrison v. America Online, Inc., 153 F. Supp. 2d 930, 934 (N.D. Ind. 2001) (rejecting attempt to evade § 230 immunity by claiming to be third-party beneficiary of AOL’s member agreement with chat-room users).) Given his interest in Section 230, I'll leave this issue to Professor Goldman as well.
3.7.7 Registrar shall require all Registered Name Holders to enter into an electronic or paper registration agreement with Registrar including at least the following provisions:126.96.36.199 Any Registered Name Holder that intends to license use of a domain name to a third party is nonetheless the Registered Name Holder of record and is responsible for providing its own full contact information and for providing and updating accurate technical and administrative contact information adequate to facilitate timely resolution of any problems that arise in connection with the Registered Name. A Registered Name Holder licensing use of a Registered Name according to this provision shall accept liability for harm caused by wrongful use of the Registered Name, unless it promptly discloses the identity of the licensee to a party providing the Registered Name Holder reasonable evidence of actionable harm.