For those who are Star Wars fans, the following scene from the prequel, Attack of the Clones, will be easy to recall: a young and misinformed Jedi, known as Obi-waan Kenobi, opines about how an army of clones had been able to snatch a victory from imminent defeat. Yoda, a Jedi Master and virtual fountain of wisdom, immediately gushes forth an important correction: "Victory? Victory you say? Master Obi-waan, not victory." Yoda explains that winning a battle is not a victory, if the win merely signals that the war has just begun. Yoda's apparent perception seems particularly apt for the precedent setting federal court opinion involving the sex.com domain name. Notwithstanding that individual domain name registrants may seek comfort in the victory obtained from the Ninth Circuit's opinion in Kremen v. Cohen, that decision merely signals a beginning — not an end — to the controversy over the proper legal framework for resolving domain name theft.
In Kremen v. Cohen, a federal appellate court accepted the view that a domain name is "property" and that domain name registrars should be held liable for the conduct of third-parties when a third-party interferes with the property interests of a domain name registrant by stealing their domain name. What is remarkable about the decision is its far-reaching implications and its potentially severe impact upon domain name registrars. Undoubtedly, there have been numerous claims that registrars were pilfering from individual domain name holders with impunity, and that domain name holders were clamoring for a legal remedy. In those instances, holding registrars directly liable for their illicit conduct is clearly sensible. The question remains, however, whether the court's ruling regarding registrar liability for the conduct of a third-party is a prudent and sensible response to domain name theft? I am doubtful.
Stephen Cohen stole Gary Kremen's domain name, sex.com, simply by submitting a fake transfer letter to domain registrar Network Solutions (now owned by Verisign) with a forged signature. Since it was once fairly common for ICANN-approved registrars to respond to domain name transfers in an automaton-like fashion, Stephen Cohen, a convicted felon, was able to exploit the domain transfer process, con Network Solutions, and ostensibly steal the domain name. Cohen pretended to be authorized by Kremen to order Network Solutions to transfer the name of the registrant of the sex.com domain name over to his company. Cohen used a phony letter from a non-existent executive at Kremen's company, Online Classifieds, authorizing transfer of Sex.com to Cohen. The letter was written and signed by a "Sharon Dimmick," identified as the president of Online Classifieds. The letter is addressed to Stephen Cohen, and states that Online Classifieds is relinquishing the rights of sex.com to Cohen. The letter contained an instruction from the non-existent Dimmick to Cohen: "Because we do not have a direct connection to the Internet, we request that you notify the internet registration on our behalf, to delete our domain name sex.com. Further, we have no objections to your use of the domain name sex.com and this letter shall serve as our authorization to the internet registration to transfer sex.com to your corporation." The Ninth Circuit considered the badly faked letter as well as the simple ease with which the transfer was effected as indicative of the fact that Kremen could not have been well-served by Network Solutions. This finding of the court seems unassailable.
Even so, that domain name registrars should be held liable for the wrongful conduct committed by third parties begs the question of to whom liability is, in actual fact, being extended. In practice, the chain of domain name registration extends from ICANN-accredited registrars to domain name resellers, web hosting service providers, web programmers, Internet Service Providers (ISPs), and a number of other service providers and professionals; each ostensibly may provide domain name registration services for any given individual domain name registrant or client. The Ninth circuit opinion is broad enough to sweep within its reach anyone in the chain of management of the so-called domain name property. The "registrar" need not be at fault or lacking in a clearly stated duty of care; to be found liable, the service provider need only supply the means or be the engine of a domain name transfer that happens to turn out to be improper. Even mistake may not be a defense to liability.
As the Court noted, "[w]e must, of course, take the broader view, but there is nothing unfair about holding a company responsible for giving away someone else's property even if it was not at fault. Cohen is obviously the guilty party here, and the one who should in all fairness pay for his theft. But he's skipped the country, and his money is stashed in some offshore bank account. Unless Kremen's luck with his bounty hunters improves, Cohen is out of the picture. The question becomes whether Network Solutions should be open to liability for its decision to hand over Kremen's domain name. Negligent or not, it was Network Solutions that gave away Kremen's property." Oddly, the court seems to adopt a legal theory that cuts both ways: that Cohen stole the domain name and that the registrar "gave away" the property are both regarded as factors supporting the court's ultimate decision despite the obvious consideration that both propositions cannot be true. In this manner, the court seems to extend strict liability to the "registrar" (or, likely, any service provider who transfers the domain name registration) without reflection upon what safeguards a registrar may rely upon to avoid the risk of liability.
What is more, broad registrar liability for the wrongful conduct of others may create perverse incentives in the marketplace of domain name registration: the cost of doing business as a domain name registrar has increased as a result of the potential liability (and insurance) due to this new liability, and as the costs of providing registration services increase, the cost of registering domain names will increase once those costs are passed on to registrants. Quite possibly, if domain name litigation increases due to this new property right, some registrars may drop out of the registrar space and competition could suffer just as prices increase. Notwithstanding that the scope of liability is virtually unbounded and indefinite as identified by the court, the best way to approach the question of registrar liability may be to consider the Ninth Circuit's determination that a domain name is "property;" certainly, for the Ninth Circuit, the holding in the decision hinged significantly on the contour of the property interest the court found existing in a domain name.
The sense in which a domain name is property, according to the appeals court, depends upon the application of a three-part test: "[f]irst, there must be an interest capable of precise definition; second, it must be capable of exclusive possession or control; and third, the putative owner must have established a legitimate claim to exclusivity."
In applying this test, the Court concluded that domain names satisfy each criterion. Reasoning that like a share of corporate stock or a plot of land, a domain name is a well-defined interest; the court urged that someone who registers a domain name decides where on the Internet those who invoke that particular name — whether by typing it into their web browsers, by following a hyperlink, or by other means — are sent. Ownership is exclusive in the sense that the registrant alone makes the decision to register the name. And, the court was persuaded that registrants have a legitimate claim to exclusivity. Thus, concluding that Kremen had an intangible property right in his domain name on the basis of the three-part test, the Ninth Circuit accepted the argument that a registrar improperly transferring a domain name — even if mistakenly so — would be liable for wrongfully disposing of the property right to the detriment of the proper domain name registrant.
Without explanation, the court's analysis conflates registration services with the alphanumeric designation of a domain name; in doing so, the court undermines any attempt it may take in considering the appropriateness of competing legal theories that may prove helpful in setting forth the legal contour of a domain name. To wit, certain jurisdictions have drawn a distinction between the right to use a unique telephone number and the right to receive telephone service. The Ninth Circuit did not create a new federal common law of property for domain names. This is especially noteworthy since doing so would contravene the long-established role that the States have played in creating property interests and in determining the definition and scope of property. Even so, the court was reluctant to consider alternative legal theory for defining the contours of a domain name. A domain name, for instance, may be a contract the owner has with the domain name registrar — the company that provided the name. There are federal cases that expressly have found that a domain name is not tangible real property, and at least one state Supreme Court held that domain names should be considered services rather than property. The Supreme Court of Virginia concluded that domain names are, therefore, not proper subjects for garnishment. Admittedly, domain names seem to have features of both tangible and intangible property. What is more, the scope of a property interest in a domain name may vary widely in the United States since States create and define property interests, not federal courts. More to the point, State court litigation would hardly serve the interests of uniformity.
Three years ago I wrote a column asking what standard of care registrars (and, in some cases, registries) owe domain name registrants in thwarting attempts of domain name theft. Or, what happens when a requester who requests a domain name transfer and the registrar refuses to do so because of suspected fraud? The domain name space seemed poised to impose a duty of care upon registrars in handling domain name transfers, but most discussions on the topic focused upon registrants and the data they provided to registrars rather than directly upon duties and obligations of registrars. There was little or no guidance on what safe harbors there should be for registrars who complied with ICANN (the Internet's domain name regulator) mandated fraud detection directives. In part, I viewed this as a question of Internet governance; ICANN was given short shrift by the Ninth Circuit. Would a private sector scheme of arbitration prove relevant and more responsive than the Ninth Circuit's choice?
ICANN was not around in 1995, but, today, ICANN has sufficient experience in managing the domain name space to insist that registrars install systems and procedures in place to avoid domain name theft. ICANN could also withdraw registrar-accreditation from registrars that have an identifiably significant number of illicit domain name transfers. ICANN has set-up contractual relations with domain name registries and registrars that could be the means to ensure that these entities have adequate safeguards against domain name theft. In doing so, ICANN could attempt to establish DNS policies aimed at benefiting all domain name holders while the courts could be a last resort under a careful and narrowly drawn standard of liability.
By Rod Dixon, Attorney
|Data Center||Policy & Regulation|
|DNS Security||Regional Registries|
|Domain Names||Registry Services|
|Intellectual Property||Top-Level Domains|
|Internet of Things||Web|
|Internet Protocol||White Space|
Minds + Machines
Afilias - Mobile & Web Services