What happens when someone uses your information to register a domain name?
The named domain registrant of zscalers .com made an unusual defense in a cybersquatting dispute: he didn’t actually register the domain name.
In response to the UDRP filing, the person said that he was a victim of identity theft and hadn’t registered the domain name (or any domains for that matter).
It’s easy for anyone to put anything in the contact fields for domain names. The only verification most registrars do is that the email address is working.
In the case of zscalers .com, panelist Debrett Lyons decided not to redact the name of the Respondent who said he didn’t register the domain. Lyons wrote:
As stated earlier, Respondent contends that it has been the victim of identity theft. Specifically, on February 24, 2022, the Forum received an email from Respondent stating that he did not own any domains. In certain circumstances the Panel has the discretion to redact information, including the name of a party, from the published decision…
The Panel takes account of the following matters in its decision not to redact the name of the domain name holder as Respondent in its decision. Respondent’s February 24, 2022, message does not request redaction of its name from any final decision. Respondent had until March 9, 2022, to provide the Forum with a formal Response; it did not. Respondent has not provided any other elaboration or evidence of its claim of stolen identity. Respondent’s name was shielded by a privacy service.
Most of this is a flimsy rationale. Let’s break it down:
Respondent’s February 24, 2022, message does not request redaction of its name from any final decision.
If you don’t own any domains or have never faced a UDRP, you probably don’t know that your name will be published.
Respondent had until March 9, 2022, to provide the Forum with a formal Response; it did not.
If you don’t own the domain you’re not going to mount a formal defense of the domain.
Respondent has not provided any other elaboration or evidence of its claim of stolen identity.
This is the only part of Lyon’s rationale that makes some sense. Lyons might not have been convinced of the registrant’s story.
Respondent’s name was shielded by a privacy service.
It’s possible that the registrant of this domain — the person who impersonated the registrant in Whois or the person himself — opted to use Whois privacy. This domain was registered late last year when GoDaddy was redacting some information but might not have applied Domains by Proxy as a default. But GoDaddy now adds Whois privacy to all domains. So, in the future, panelists need to be careful about drawing conclusions about domains using Domains by Proxy (or any privacy service for that matter).
In this case, the Complainant argues that the person who owned the domain impersonated someone in its collections department to scam people. This means it’s quite likely that they used fake information when registering the domain to cover their tracks.
I’ve decided not to link to the National Arbitration Forum case decision or name the Respondent given the circumstances.