May 25, 2011
Ohio Appeals Court: GoDaddy can be Held Liable for Wrongly Transferring Control Over Domain Name and Email Accounts -- Eysoldt v. ProScan
[Post by Venkat Balasubramani]
Eysoldt v. GoDaddy, et al., C-100528 (Ohio Ct. App.; May 18, 2011)
Actions against registrars for allowing domain names to be wrongly transferred have been relatively rare. Members of the Eysoldt family brought claims against GoDaddy alleging these types of claims. A jury ruled in their favor and the Ohio Court of Appeals declined to set aside the verdict.
Jeff Eysoldt registered Eysoldt.com through GoDaddy. He used this account for personal purposes--he stored photos and used it for email, and he allowed other family members to do so. He also registered and managed a domain name for his sister's business through this account. Separately, he entered into a business arrangement with ProScan, and the parties sought to build out a website which would promote cosmetic surgery centers. As part of this project with ProScan, he registered Myrejuvenate.com and placed this domain name in the same GoDaddy account as his personal domain name and his sister's domain name.
The relationship between Eysoldt and ProScan soured, and ProScan sought control of the domain name and the website. One of the ProScan executives called GoDaddy directly. GoDaddy's customer service representative saw that the domain name was registered under Eysoldt's name but "verified" the account information with the ProScan executive by confirming the method of payment and account number used to pay.
GoDaddy gave ProScan control over the Myrejuvenate.com domain name. Unfortunately, it also gave ProScan control over the other domain names and associated email accounts in Eysoldt's GoDaddy account. Eysoldt contacted GoDaddy to fix the problem, but he was told he had to fill out a verification form and fax this along with his drivers license. He did this, but GoDaddy responded to him that his face was not legible in the copy of the drivers license. The ProScan executive also contacted GoDaddy and asked that the domain names other than Myrejuvenate.com be transferred back to Eysoldt, but this too was unsuccessful.
Ultimately, Eysoldt sued GoDaddy. He sued ProScan as well but settled with them. The jury ruled in favor of the Eysoldt and awarded him $50,000 ($20,000 for invasion of privacy and $30,000 for conversion). Two other Eysoldt family members were awarded $10,000 each ($7,000 for invasion of privacy and $3,000 for conversion). (Here is a link to the verdict form.)
GoDaddy made several technical arguments on appeal and the court rejects them all.
Economic Loss doctrine: GoDaddy argued that Eysoldt's claims were barred by the economic loss rule, but the court says that this rule only applies to negligence claims and not to intentional torts.
Conversion: GoDaddy argued that a domain name cannot form the basis for a conversion action because it is intangible property. The court says (citing to CRS Recovery, Inc. v. Claxton) that times have changed. A domain name is readily identifiable and can be converted. GoDaddy also argued that the family members could not assert conversion claims because they testified that they lacked any ownership interest in the accounts. On this point, the court ruled that there was sufficient evidence from which a jury could conclude that GoDaddy converted the "conditional email and private communications [of the family members] that were contained in the GoDaddy account."
Invasion of Privacy: Finally, GoDaddy argued that there was insufficient evidence to support an invasion of privacy claim because there was no evidence that GoDaddy accessed the email accounts. The court rejects this argument also, noting that Eysoldt testified that someone had accessed the emails. According to the court, the harm flowed from the disclosure and not the misuse of the emails. In any event, the court cites to the fact that GoDaddy took control of personal emails, websites, and communications and just handed them over to a third party.
GoDaddy had a pretty tough argument here given the facts. To treat a domain name as anything other than valuable third party property would be a mistake by registrars. There was some confusion early on as to whether domain names are contract rights (which do not support conversion claims) instead of property, but courts have long moved on from this question. (See Kremen v. Cohen, CRS v. Claxton, Office Depot v. Zuccarini, Bosh v. Zavala, etc.) I'm surprised GoDaddy didn't raise an argument based on waivers or limitations of liability contained in its end user agreement, but the opinion does not discuss them.
The court's conclusion regarding the invasion of privacy claim is worth noting because the court did not take the approach numerous courts have taken in data breach cases and require any showing of out-of-pocket loss. The likely explanation for this is that the plaintiff here asserted claims under the "intrusion" theory, where the harm flows from the mere disclosure, rather than the misuse, of data, but this should require a showing that the accounts contained information that was of an intimate nature. The court alludes to this in describing what type of information was contained in these email accounts, but does not come out and explicitly state this or cite to any specific information which would support a claim of intrusion.
The court's conclusion that the other family members could recover for conversion also glosses over a few nuances. The sister had a domain name registered through GoDaddy, but the court does not connect the dots on how giving Proscan control over the GoDaddy account translates into a conversion claim for the other family members. The court instead focuses on the email accounts and notes:
[w]hile Jill and Mark [the other family members] acknowledged that the account was registered to Jeff, the evidence showed that each of them had email accounts set up within Jeff's account. Additionally, Jeff and Jill had created content for Jill's website for her business, Good Karma Cookies. When Go Daddy gave control of the account to Wallace and ProScan, Jill could not access her website. Likewise, Jill and Mark could not access their email accounts. Thus, as the trial court stated, 'there was sufficient evidence produced at trial that would support the jury finding that GoDaddy converted the conditional and private email communications of Mark and Jill Eysoldt that were contained in the GoDaddy account.'
The court's focus on control over email accounts and content does not square well with the cases which say that domain names can be converted because they are freely transferable and can be bought and sold. Under the court's approach, a registrar could be found liable for terminating access to an email or hosting account, and this sounds problematic.
[Eric's comment: indeed, I read this opinion as hinting that any cloud service provider could "convert" a user account's to the extent that service provider "wrongfully" "cuts off" the user's access to his/her own intangible files. I don't think the court means to go there, but holding that GoDaddy converted the emails (as opposed to the domain names) naturally leads to a very dark place.]
It's clear that courts are not reluctant to impose some sort of obligation on the part of registrars to guard against identity theft. Registrars may need to adopt authentication procedures as rigorous as the procedures that banks use to authenticate bank accounts. Of course, even this approach is not infallible, and not easy to implement, given that much of the customer service interaction between a registrar takes place over the phone. Another suggestion is for registrars to respond promptly to any claims by customers of domain name theft. Sending a canned response from customer service when a customer frantically emails saying that his or her domain name has been stolen is not going to look good in the eyes of the fact-finder.
I'm struck at how often people register business and personal domain names in the same account, and how often the web-person ends up registering the domain name for a project in his or her account, rather than in the name of the entity, or a separate account which both joint ventures have control over. The domain name as a bank account analogy is useful here, and if you are part of a joint venture, think about whether you would want to give your co-venturers sole control over the bank account.