Domain registrars might be too tight with their privacy services, which could create legal headaches.
For years, domain name registrars have set up separate legal entities for their Whois privacy services. They did this to comply with ICANN rules and to shield liability. Whois privacy services carry some liability, especially ones set up as proxies for the domain name owner. Historically, the services operated as the “owner” of the domain. (This has changed a bit post-GDPR, and, practically speaking, it can depend on what the privacy service does when it receives a legal request.)
But are registrars legally shielded from a privacy service they set up? It probably depends on how arms-length the privacy service is.
That’s one of the questions in an ongoing dispute between Meta Platforms and OnlineNic.
Meta Platforms, the owner of Facebook, sued OnlineNic over domain names registered at OnlineNic using its privacy service, ID Shield, that it says infringed Meta Platform’s brands. The domains might have been registered to customers, or they might have been registered by OnlineNic itself. Regardless, OnlineNic said it was throwing in the towel and closing down its register at the end of last July. That hasn’t happened.
It’s also when things got more interesting. There’s a question of how much separation there is between OnlineNic, ID Shield, and 35.cn, a Chinese registrar that probably holds the valuable assets that OnlineNic doesn’t.
In the Meta Platforms case, its lawyers filed an amended complaint to pull 35.cn into the lawsuit after OnlineNic said it wouldn’t defend the suit anymore. The company alleged that 35.cn is an alter ego of OnlineNic because:
(1) Carrie Yu is the sole director of OnlineNIC and an employee of 35.CN, (2) 35.CN’s employees carry out all of ID Shield and OnlineNIC’s day to day operations including all technical and customer support, (3) 35.CN shares the same domain name registration database, used to operate the registrar business for both 35.CN and OnlineNIC, and (4) the incorporator and founding president of OnlineNIC is the controlling shareholder of 35.CN.
35.cn filed a motion to dismiss. The judge ruled (pdf):
While these facts are not determinative of plaintiffs’ alter ego theory, they raise serious questions about how the defendants are related for purposes of surviving a motion to dismiss and the Court finds plaintiffs have made a prima facie showing of alter ego and general jurisdiction.
To be clear, the alter ego ruling is related to the connection between 35.cn and OnlineNic, not the privacy service. And the standards to survive a motion to dismiss are less stringent than proving an actual alter ego relationship. But the connection between privacy services and registrars is often even tighter than this, which suggests that they could create problems for the registrar. Indeed, the judge also ruled:
As discussed above, plaintiffs have plead a prima facie case of alter ego. Further, OnlineNIC and ID Shield admit that ID Shield is listed as the registrant for the allegedly infringing domain names listed in the complaint. Dkt. Nos. 109 ¶ 27 (SAC) and 88 ¶ 27 (Answer) (“it is admitted that ID Shield ‘is listed as the registrant in the WHOIS directory.’”). The SAC explicitly alleges ID Shield licensed the allegedly infringing domain names to third parties. Dkt. No. 109 ¶ 59. Plaintiffs have adequately plead the fourth element.
Meta Platforms filed a similar lawsuit against Namecheap. Namecheap subsequently changed its Whois privacy provider. I don’t have any insight into why, but a plausible reason was establishing more distance between the registrar and privacy service.
This creates a business opportunity for a genuinely separate Whois privacy provider that provides services to registrars and takes on the liability. Already, Google outsources its privacy service needs to Tucows.
But here’s another important question: are privacy services even necessary anymore?
The point of Whois privacy was to shield your private information from public Whois databases. Whether you didn’t want people to know you owned a site, or you just didn’t want to get spammed and robocalled to death, you could opt into a privacy service and shield your information. The registrar technically met ICANN’s Whois requirements, and the customer’s information remained private.
With the implementation of the General Data Protection Regulation (GDPR), most registrars block Whois information automatically, and they don’t need to do it behind a privacy service. Some registrars just note in Whois that the data is blocked due to regulations. There’s some question about what information should be blocked and what should remain public (such as an organization name). But for now, ICANN isn’t pressing the issue with registrars.
So I wonder if the need for privacy services has perhaps passed. Registrars might be better off just blocking Whois information on privacy grounds.
But if they continue to operate a privacy service, they should make sure it’s genuinely arms-length, or at least manage it in a way that reduces liability if a customer domain is used for nefarious purposes.