What happens when someone uses your information to register a domain name?
The named domain registrant of zscalers .com made an unusual defense in a cybersquatting dispute: he didn’t actually register the domain name.
In response to the UDRP filing, the person said that he was a victim of identity theft and hadn’t registered the domain name (or any domains for that matter).
It’s easy for anyone to put anything in the contact fields for domain names. The only verification most registrars do is that the email address is working.
In the case of zscalers .com, panelist Debrett Lyons decided not to redact the name of the Respondent who said he didn’t register the domain. Lyons wrote:
As stated earlier, Respondent contends that it has been the victim of identity theft. Specifically, on February 24, 2022, the Forum received an email from Respondent stating that he did not own any domains. In certain circumstances the Panel has the discretion to redact information, including the name of a party, from the published decision…
The Panel takes account of the following matters in its decision not to redact the name of the domain name holder as Respondent in its decision. Respondent’s February 24, 2022, message does not request redaction of its name from any final decision. Respondent had until March 9, 2022, to provide the Forum with a formal Response; it did not. Respondent has not provided any other elaboration or evidence of its claim of stolen identity. Respondent’s name was shielded by a privacy service.
Most of this is a flimsy rationale. Let’s break it down:
Respondent’s February 24, 2022, message does not request redaction of its name from any final decision.
If you don’t own any domains or have never faced a UDRP, you probably don’t know that your name will be published.
Respondent had until March 9, 2022, to provide the Forum with a formal Response; it did not.
If you don’t own the domain you’re not going to mount a formal defense of the domain.
Respondent has not provided any other elaboration or evidence of its claim of stolen identity.
This is the only part of Lyon’s rationale that makes some sense. Lyons might not have been convinced of the registrant’s story.
Respondent’s name was shielded by a privacy service.
It’s possible that the registrant of this domain — the person who impersonated the registrant in Whois or the person himself — opted to use Whois privacy. This domain was registered late last year when GoDaddy was redacting some information but might not have applied Domains by Proxy as a default. But GoDaddy now adds Whois privacy to all domains. So, in the future, panelists need to be careful about drawing conclusions about domains using Domains by Proxy (or any privacy service for that matter).
In this case, the Complainant argues that the person who owned the domain impersonated someone in its collections department to scam people. This means it’s quite likely that they used fake information when registering the domain to cover their tracks.
I’ve decided not to link to the National Arbitration Forum case decision or name the Respondent given the circumstances.
David Michaels says
Why does this UDRP decision dwell on the identity of the respondent who stated that he did not own any domains? Why did the Panelist publish the respondent’s name?
If the respondent didn’t own any domain names, then his right to privacy was violated.
zscalers .com has a long history of being hosted on Amazon. Previously, it used Google mail servers before the domain expired.
Currently, it uses Microsoft Outlook cloud mail services, but it has no independent website.
As a cybersecurity company, Zscaler should have investigated further.
Maybe they should even have registered the domain name proactively after it dropped, for security purposes. Maybe they were the previous owners of the domain name, but this isn’t disclosed.
If it were my company, I would have filed suit and served a subpoena on Microsoft to get access to the emails and the access logs to find out whether there was some phishing going on that harmed any of my clients and try to determine the identity of the registrant.
Securing the domain name after 4+ months of possible phishing seems negligent.
Todd Ryan says
David, Jeff Neuman and I will be discussing this case on Domain Name Law this coming Tuesday at 6pm EST on Clubhouse. Andrew, If you’re able to stop in for 15 mins and join us on stage for the discussion, that would be fantastic.