Domain Privacy Service Can Be Liable Under the ACPA

The wrong approach for a domain privacy service.

The wrong approach for a domain privacy service.

The Central District of California just issued this thoughtful, reflective, and lengthy opinion in a case two of my Los Angeles partners and I are working on.

Web hosting company, Solid Host, took the position that a domain privacy service should be held responsible for the actions of one of its customers, when that customer was a hacker who stole a Solid Host’s domain name, and the privacy service took a “not our problem” approach to the theft.

From a trademark practitioner perspective, the really interesting part is that the court sustained the viability of a claim that a privacy service may be contributorily liable under the ACPA for its customer’s actions.

While this is not a final ruling in the case, the theory that a privacy service can be held liable for the actions of its customers has passed its first test, and got past the privacy service’s motion to dismiss.

See Solid Host v. NameCheap,

7 Responses to Domain Privacy Service Can Be Liable Under the ACPA

  1. Venkat says:

    congrats – that’s a nice result.

  2. […] may be contributorily liable under the  ACPA for its customer’s actions.  See his full post here. We will continue to monitor this case for you and provide relevant updates as they […]

  3. […] – Marc Randazza took time out from INTA to post about an interesting decision, holding that a domain privacy service can be contributorily liable for the actions of its […]

  4. This is becoming quite a hot topic on the internet, and sadly there is a dearth of relevant black letter law and regulation for clear guideance.

    There are two opposing sides in this issue, and frankly both have some merit. The “practical” side is that domain registrars offering privacy services are simply acting as “ministerial middlemen” between the domain owner and applicable registration authority, and just offering access to a service that the latter is really providing. Under this theory, the substantive, though not legal, relationship is between the domain owner and the internet registry. Hence, the domain registrar should be held unaccountable for mischief on the part of the registrant.

    The “legal” side, possibly based on common law, is based on the concept of “agency.” When the domain registrar acts as intermediary on the registrant’s behalf, it becomes the former’s legal agent. Add to this the fact that the domain is actually legally owned by the domain registrar, and you are left with a strong legal, if not entirely practical, end result that the domain registrar has taken on a due diligence responsibility under the law.

    Speaking purely from a “common man’s” standpoint, as opposed to that of a lawyer, I tend to support the first (“practical”) argument more. The need to protect legitimate trademark holders needs to be weighed against the business friction and resultant potential loss of availability of valuable services if the strictly legal approach is taken. To settle the issue for good, an exception needs to made in federal statute to ensure that the concept of agency does not apply to this special situation. It’s simply a matter of recognizing that the unique aspects of internet related activity do not always fit neatly into the constructs of “offline” law.

    I guess if worse comes to worse, the domain registrars can pay up for more comprehensive liability insurance, but this really is skirting the issue. It would be far better for the federal authories to issue a logical, definitive opinion than for the potential defendants to be left drifting in the wind deciding about whether or not to self insure. The primary thing is to get the law right, and not leave certain parties guessing about whether or not to keep or pass on financial risk.

  5. The problem with using your “common man” approach is that it effectively shields the squatters. The ministerial middleman, as you call him, is the only one who can be found and who is amenable to process.

    When an agent acts for an undisclosed principal, we get to go after the agent. That’s not only the common law, but it is good sense. Would you have us chase ghosts in hope that we can sue them?

  6. Hi Tanner,

    What you are saying, in a vacuum, is correct. The problem is that the real world is not a vacuum.

    Here are some issues to consider:

    First, who is the registrar really acting as agent for, the domain buyer, the internet registry, or both? It’s not completely clear, as the registrar receives a fee from the domain buyer, but in at least semi-substance is also acting as a registered marketing middleman for the applicable internet registry (the latter point is somewhat weakened by the fact that the internet registry may be receiving application/system fees from the registrar, so the relationship here is probably at least in part arms-length). It would seem that the greater the level of approval required from the registrar for the internet registry to grant domain owner requests (like changing name servers, switching registrars, etc.), the less arms-length the relationship between the internet registry and domain registrar becomes. This so called “trusted party” approval level varies from low to high, depending on country. For example, Switzerland is quite strict in terms of trusted party approval, but the Philippines is less so.

    Another point is that while it’s true, in a strictly legal sense, that the domain registrar is acting as an agent for the domain owner, it is not the kind of face-to-face relationship where the vendor is able to become initimately aware of the client’s situation (such as in lawyer/client relationships). Forgetting the current “black letter” legalities for a minute, the domain registrar is really just providing administrative processing services, not offering professional or consulting advice. In this sense, the relationship between the domain registrar and buyer is really more arms-length (i.e., “non-fiduciary” in the common law sense since the registrar is just receiving a fixed fee for a stated service, and not a salary or fee per hour to “maximize value” for the buyer).

    The upshot of the above is that the domain registrar should not be placed in the untenable position of being subject to legal liability for acting on domain buyer requests. If issues arise that raise questions about the legality of what the domain buyer requested and received as services, then the authorities, armed with a proper court order, should be able to subpoena records from the registrar, without potentially imputing legal liability to anyone except the domain buyer.

  7. John Nagle says:

    It’s been almost a year. How did this case come out?

%d bloggers like this: