Time to regulate domain name registrars?

The outbreak of COVID-19 changed the modus operandi of businesses. For consumers, there was an increased reliance on the internet to work, order goods and services. For businesses, it meant detracting from the traditional brick-and-mortar establishment and creating a digital presence.

Since time immemorial, a company’s brand provided information on its origin and ownership, and served as an indicator of quality. Where ownership of a brand is concerned, companies are no strangers to attacks and smear campaigns initiated by their competitors to dilute their earned goodwill among consumers. Another method to interfere with consumers’ trust in a brand is to fuel and support the distribution and circulation of counterfeit products. In the offline world, the consequences of consuming counterfeit products are well-known. However, the discourse on digital counterfeit products is yet to gain momentum. This article is authored to set the ball rolling in that direction.

How do domain names work?

To register a website on the internet, a domain name must be registered with a Domain Name Registrar (DNR). A domain name is an address to a website on the internet. The person or entity purchasing a domain name is a registrant. A DNR is a company that manages the reservation of domain names. To put it differently, DNRs are analogous to the sub-registrar, an authority that registers documents related to property transactions in the offline world. To set up an online shop, businesses buy online space by purchasing addresses offered by DNRs.

As a separate service, DNRs offer to protect the ownership details of these websites through privacy and proxy services. With this service, contact details of the domain owner are hidden from public access. Typically, WHOIS, a publicly accessible directory lists the contact information of the owner of a website. Businesses, consumers and law enforcement agencies use the WHOIS directory to track the owner of a website. Domain privacy services hide the name of the domain owner by redacting their details on the WHOIS directory. Domain proxy services hide the details of the owner of a domain by substituting the details of the owner with an alias. Offering such services are not problematic if the details of the original owner are known, assessed and verified by DNRs. For reasons unknown, DNRs do not undertake this task, in effect, allowing the unscrupulous practice of cybersquatting.

How do domain proxy and privacy services impact internet users?

Domain privacy and proxy services are a challenge to at least the following stakeholders: (i) Businesses (ii) Consumers (iii) Courts and law enforcement authorities.

For businesses, domain privacy and proxy services are a challenge from the vantage point of brand protection. Competitors and other motivated third parties use domain privacy and proxy services to create deceptively similar websites and mobile applications by using logos and other proprietary IP assets of a company, in effect, infringing the company’s rights over its IP and diluting its brand. For companies that host OTT and other media platforms, domain privacy and proxy services are used to host pirated content. In-house lawyers that protect the interests of such companies are expected to act quickly due to the extent of risk. It is impossible to act quickly since the details of the website owner are unavailable publicly or on request.

The facts in the case of Bombinate Technologies Private Limited v. www.koo.money and ors is an example of the impact of cybersquatting using domain privacy and proxy services. In this case, the Delhi High Court restrained three websites from offering digital coins and currencies consisting of the trademark owned by microblogging site ‘Koo’. The Court observed that the users of the app were misled to believe that there exists a genuine cryptocurrency or digital currency platform associated with the micro-blogging platform.

If a company does not act on time, these rogue websites exploit the goodwill of the brand and the trust of its consumers. By virtue of their position, consumers are on the receiving end. Under the pretence of associating with a particular company or brand, rogue websites seek out consumers’ personal information, offer fraudulent financial services, seek donations, promote fake products and services etc. With the internet of things, rogue websites and fake mobile applications have the potential to access and control devices too. If consumers are duped into accessing or using such websites and mobile applications, multiple consequences ensue. By extension, they lose money and are victims of phishing and online scams without their knowledge or fault.

Courts and law enforcement authorities are privy to two problems. One, domain privacy and proxy services make it impossible to trace the original owner of the domain. Two, some DNRs refuse to respond or comply with law enforcement requests, court orders, notices and other communications.  Often, DNRs refuse to disclose the names of the owners of the website, and do not possess details of the owner of the website, since the original owner purchases the website via a privacy or proxy service. Major companies that run and operate DNRs are headquartered in a foreign land with a liaison office in India. The labyrinth of departmental structures of large companies have multiple channels of communication. Often, communication from courts and law enforcement are lost between these channels of communication. This results in delayed responses and lack of compliance with court orders.

Not everybody is convinced that this is a problem. However, some countries have recognised the need to keep a check on DNRs. For instance, United Kingdom lays down strict conditions under which domain privacy and proxy services are to operate. Belgium does not allow the use of privacy and proxy services to shield the identity of the real domain owner. Given this general trend, is it time to contemplate regulating the operations of DNRs? Would regulating DNRs complement India’s quest to create an open, transparent and accountable internet?

Paving the way for a better internet

As discussed by Tim Berners Lee, the inventor of the world wide web in Weaving the Web, the fundamental problem with the business of registering domains on the internet is two-fold. One, domain registration is a privatised service done on a first-come-first-serve basis. This means that domain names will wind up with companies or people with the most money. In other words, creating channels for information flow becomes difficult because of privatised control and ownership of channels to information.

Two, there is a mismatch between the technical domain structure and trademark law. One of the criterion critical to asserting ownership of names is the physical location of business and markets companies sell in. This criterion does not work for domain names since the internet transcends geographic bounds and has no tangibly conceivable idea of market area.

To reconcile the inherent systematic inconsistencies as pointed out by Lee, we must aim to create a wholesome and effective regulatory framework. It must assist in theory and implementation. As a reminder, DNRs operate on the internet. Among the various reasons, the internet was born out of the idea to bypass hierarchical flow of information and enable multiple channels of information exchange. To protect this fundamental core of the internet, DNRs must be held responsible in creating a reliable, resilient and secure domain name system. DNRs must be mandated to undertake the KYC process for all domain name owners. Identities of the true owners of the domain name must be known and verified by the DNRs.

Conceptually, trademark law is incongruent with the internet’s architecture. However, the creation of intelligible systems and processes can help tailor the law to suit the demands of today and tomorrow. To achieve this, DNRs must be obligated to assist in trademark protection. To achieve this, DNRs should: (i) have the tools to contact the owner of the domain at the instance of a complaint on domain name abuse or court order; (ii) open a channel of communication with the Indian Trademark Registry, get access to all registered trademarks, and prevent registration of domains of already registered trademarks. A similar line of direction must apply to gatekeepers of the app marketplace to prevent apps that imitate other apps that mislead consumers.

Contemplating regulation in this direction prompts us to take a deep dive into the concepts of ‘privacy’, ‘anonymity’ and ‘proxy’. It offers the opportunity to explore the contours of these concepts and articulate a coherent definition bespoke to the online world.

Often, the temptation to restrict, regulate and control blinds the perspective of maintaining balance in outlook. While circumstances hint at the need for regulation, an indiscriminate ban on proxy and privacy registration of domains is likely to impact democracy’s watchdogs, journalists. To alleviate doxxing fears, the rules must contain access control mechanisms to prevent the powers that be from strong-arming DNRs to hand over details of websites that do not sit well with the regimes in power.

At the end of the day, the buzz around regulating DNRs is bound to receive backlash. Swimming against this reasonably foreseeable current is necessary in the interest of creating an open, transparent and accountable internet accessible to all. In the grand scheme of things, the key to effective regulation lies in balancing the risks with prospective rewards by meticulously calibrating stakeholders’ interests.

Eashwari Nair is an in-house legal counsel at Bombinate Technologies Private Limited, a company that runs and operates the Koo App.

The views expressed in this article are personal and do not represent the views of the company.