In favour of increased liability for registrars

whoisRegistrars’ liability

Registrars and registries play an important role in operating domain names. Even though they do not register domain names maliciously and with intent to cause prejudice to a trademark, they nevertheless are not required to review registration applications before reserving the names. This explains the common cybersquatting practices. Although they have a prima facie neutral status as technical service providers, they are in fact at the very heart of cybercrime cases.

Registrars made aware of consumer protection

“The courts held that a registrar has to carry out its mandate in accordance with its accreditation agreement with the ICANN and its liability is thus limited to the framework of the agreement” (Marques et Internet, Nathalie Dreyfus). Following this logic, in a cybersquatting case for instance, the registrar approves the domain name registration and derives financial benefits from the registration even though the trademark owner’s prior rights are being prejudiced.

Its status as technical service provider implies that there is no general statutory requirement to monitor content or search for circumstances revealing unlawful acts and doings (Article 6, I, § 7 of the Law no. 2004-575 dated June 21, 2004 for a Digital Republic). By contrast, “a presumption of knowledge of the disputed facts weighs on the technical service provider as soon as information containing factual and legal grounds has been notified to them” (Marques et Internet, Nathalie Dreyfus). Indeed, when the technical service provider is informed of infringement (by letter of formal notice in compliance with the strictformality required by Article 6, I, 5 of the Law for a Digital Republic), they are legally bound to act promptly in order to deactivate the contentious domain name, failing which they may be held liable because they are presumed to have been aware of the facts in dispute.

In spite of the absence of statutory requirements and even though no notification had been made, the Tribunal de Grande Instance de Paris, in a 2006 judgement, jointly sentenced the registrant and the registrar in a cybersquatting case. Without contemplating the latter’s liability with respect to its’ client, the court found the registrar guilty of aiding and abetting with respect to unlawful activities being carried out by the registrant. Not only was the registrar ordered to suspend the disputed domain names but it was also instructed to pay for irrecoverable expenses and damages granted to the company for which the registrant was responsible, in solidum (Tribunal de Grande Instance, Paris, April 10, 2006, Sté Rue du Commerce v. Sté Brainfire Group et Sté Moniker Online Service In.). In this case, the registrant was owner of the domain names “rueducommerc.com” and “rueducommrece.com” in order to redirect web surfers who made a typo when performing a search for similar worded websites (typosquatting). However, this example is just a mere exception to the registrars’ discretionarily acknowledged liability.

Generally, registrars cannot be held liable even though some legal practitioners advocate for minimum of liability.

At all events, things are evolving and some diligent registrars have joined forces as a top level domains conformity and verification consortium : The Verified Top Level Domains Consortium. This Consortium’s mandate focuses on protecting the online consumer. Indeed, in order to build web surfers’ trust by using websites that are likely to collect personal data, including sensitive data, this Consortium ensures that the domain names are being used for honest and non-fraudulent purposes.

This Consortium was created in May 2016 by eight registrars which managed the registration of 15 vTLDs (verified TLDs) of various sectors such as pharmacy <.PHARMACY> on behalf of the national pharmacists association, or finance <.BANK>. The registrars providing domain name verification services may join the Consortium provided that they obtain consent of the founding members.

This Consortium of registrars has the responsibility to ensure that the registrant complies with various conditions alreadylaid down by them before registering a domain name. In the case of <.PHARMACY>, the activity bearing this top level domain shall imperatively demonstrate a legitimate interest. This implies that the consumer will not be misled by the domain name extension. Furthermore, verifications will be carried out in the long term so that registrants may keep their domain names only if they comply with these requirements.

On account of the regulation performed by this entity and its’ will to work towards more regulation and security, it is possible to hope for changes in the registrars’ legal framework as the neutrality privilege  cannot be combined with a regulatory duty.

The WHOIS operated by registries showed flaws despite the willingness of registrars to ensure increased security

The increase in the number of domain names is a direct consequence of Internet democratisation. In that sense, the Internet offers more visibility for companies and even allows some individuals in bad faith to register domain names for resale at a high price to other individuals or entities who, in turn, have a legitimate interest.

When ICANN was created in 1998, the Clinton administration ordered the implementation of a highly accurate WHOIS database. The purpose was to index all registrants and to be able to contact them. Today, registries are responsible for operating the WHOIS database and its extensions.

Despite the publication, in December 2016, of a report (report of the WHOIS Accuracy Reporting System) pointing to this database performance, resolutions are yet to be passed to fill the gaps. This report has addressed the operational capacity of the WHOIS over 12 000 registered domain names with 664 different registrars. This sample comprised the old and new gTLDs only and excluded the ccTLDs (national domain names).

The study consists of two stages. Firstly, the formats of the e-mail address and phone number are verified. Then a test e-mail is sent to check if it is effectively delivered to the address specified in the WHOIS. In 97% of the cases, at least one of the details were valid with respect to its format and the test message is successfully delivered. North America has the most accurate information, whereas Africa conveys the most insufficient WHOIS information. The report, however, does include a weakness as no follow-ups are performed, and effective receipt of the message by the registrant is not mentioned. The test message only reports the existence of a valid address; as a consequence, receipt of the test message on a junk e-mail address, despite the validity of the address format, does not appear in the remaining 3% having specified inaccurate informations according to the report. Even if the specified WHOIS e-mail address is a junk e-mail address, as long as the address format is valid, the registrant’s address will be included in the 97% of domain name registrants who specified accurate details. In that context, in spite of erroneous information, this situation contributes to reinforcing WHOIS operativeness and accuracy.

Consequently, the real major challenge is to be able to effectively contact the registrant. However, even though the WHOIS does contain information, oftentimes the addresses lead nowhere because sauid information is inaccurate. Accordingly, the WHOIS is not as effective as seemingly stated by the report.

While domain names are growing in importance, information security and transparency are not always a priority for the main actors. Developments in the legal framework would thus be welcome.

To be continued…