Case number | CAC-ADREU-006423 |
---|---|
Time of filing | 2013-07-22 12:36:40 |
Domain names | richard-bertossa.eu |
Case administrator
Lada Válková (Case admin) |
---|
Complainant
Organization | Richard Bertossa ( ) |
---|
Respondent
Organization | Private Registration (richard-bertossa.eu) |
---|
Insert information about other legal proceedings the Panel is aware of which are pending or decided and which relate to the disputed domain name
None
Factual Background
Richard Bertossa is a resident of the United States and is thus ineligible under the Regulations to register a .eu domain name or have a domain name transferred to him by an ADR Panel.
A person whose identity remains unknown obtained registration of the domain name “richard-bertossa.eu” through the Bahamas-based .eu-accredited registrar internet.bs Corp in November 2011. The applicant's details submitted for registration included:
- As registrant name, “Private Registration”
- As registrant organization, repetition of the domain name “richard-bertossa.eu” itself
- An address in Kowloon, Hong Kong, followed by the “AX” international postal code prefix corresponding to the Åland Islands of Finland
- A telephone number in Hong Kong and an email contact address associated with the Complainant’s name.
The internet.bs registrant agreement specified Luxembourg law as the applicable law. It excluded private WHOIS services for all .eu domain names and included an explicit requirement for completeness and accuracy. It made compliance with the .eu Rules binding by reference and stipulated clearly that eligibility requires residence in the EU.
For its part, EURid’s standard Registrar’s Agreement requires each accredited .eu registrar to “[e]nsure and document that each Registrant for whom the Registrar registers a Domain Name complies with the requirements of Article 3 of Regulation 874/2004”. These include provision of the name and address of the requesting party as well as confirmation that all other registration conditions including as to eligibility are fulfilled.
The .eu Domain Name Registration Policy, which forms part of the .eu Rules and thus also of the registrant agreement, stipulates that “[t]he information must be that of the Registrant and must not be that of the Registrar, proxy or representative of a person or entity that does not meet the General Eligibility Criteria” (Section 5). Non-compliance with the registration conditions by a registrant correspondingly entitles EURid to “immediately suspend or cancel the Domain Name”.
Following activation, the domain name was then used to place business email and other contact information, images and text relating to Mr Bertossa on a website that masqueraded as his. The content depicting Mr Bertossa was later removed from the website, after this ADR proceeding began, and replaced with localized advertising content on a domain name parking page. There is no question of consent being given by Mr Bertossa regarding any of these actions or evidence of any contact with him by the person(s) behind richard-bertossa.eu’s registration or the production of the website (if different).
After discovering the existence of the website, Mr Bertossa filed an ADR Complaint on grounds of “identity theft”. He first named the Registry (EURid) as Respondent, but then, following EURid’s verification of its WHOIS data (essentially the details mentioned above), the Complainant amended his Complaint. In it, he repeated identity theft and noted that the domain name holder was hiding its identity but still complied with CAC's request to enter the holder’s (manifestly false) details.
After admitting the amended Complaint, CAC then sent registered letters to the new Respondent, both to the Åland Islands and to Hong Kong. These were returned as undeliverable. The Respondent made no response of any kind during this proceeding but was advised that the case would proceed and that it would continue to receive case-related communications. The Respondent’s email address appears to have been functional throughout.
Upon being seized of this case, the Panel undertook a series of administrative and technical investigations, including as to what procedures could be applied in favour of a victim of identity theft to prevent recurrence if the victim falls outside the .eu eligibility criteria. Investigation quickly revealed that the domain name holder’s Hong Kong details are not only bogus but that they have been used to obtain many other domain name registrations. The domain name used for the richard-bertossa.eu registrant email contract address is moreover traceable to a registrar which anonymizes the identity of the email account holder.
For its part, EURid’s website www.eurid.eu states: “Should you need the identification of the registrant to file an ADR complaint, you should ask EURid for disclosure of personal data via the special form available at http://www.eurid.eu/en/eu-domain-names/disputes/contact-domain-name-holder”. However, clicking on that link produces only a “404” link error message. The EURid website in addition mentions that “We also combat malicious registrations by actively screening newly registered .eu domain names and work closely with law enforcement authorities to fight cybercrime”.
Inquiries further revealed that internet.bs has subscribed to the .eu Code of Conduct which was established by EURid for .eu accredited registrars “offering a best in class service within the domain name industry” including as to “data accuracy”. This registrar has nevertheless had to suspend several registrations on grounds of reported abuse.
EURid reiterated its revocation procedure to the Panel and confirmed that, in case of an ineligible Complainant, the domain name would become available for re-registration after revocation.
A person whose identity remains unknown obtained registration of the domain name “richard-bertossa.eu” through the Bahamas-based .eu-accredited registrar internet.bs Corp in November 2011. The applicant's details submitted for registration included:
- As registrant name, “Private Registration”
- As registrant organization, repetition of the domain name “richard-bertossa.eu” itself
- An address in Kowloon, Hong Kong, followed by the “AX” international postal code prefix corresponding to the Åland Islands of Finland
- A telephone number in Hong Kong and an email contact address associated with the Complainant’s name.
The internet.bs registrant agreement specified Luxembourg law as the applicable law. It excluded private WHOIS services for all .eu domain names and included an explicit requirement for completeness and accuracy. It made compliance with the .eu Rules binding by reference and stipulated clearly that eligibility requires residence in the EU.
For its part, EURid’s standard Registrar’s Agreement requires each accredited .eu registrar to “[e]nsure and document that each Registrant for whom the Registrar registers a Domain Name complies with the requirements of Article 3 of Regulation 874/2004”. These include provision of the name and address of the requesting party as well as confirmation that all other registration conditions including as to eligibility are fulfilled.
The .eu Domain Name Registration Policy, which forms part of the .eu Rules and thus also of the registrant agreement, stipulates that “[t]he information must be that of the Registrant and must not be that of the Registrar, proxy or representative of a person or entity that does not meet the General Eligibility Criteria” (Section 5). Non-compliance with the registration conditions by a registrant correspondingly entitles EURid to “immediately suspend or cancel the Domain Name”.
Following activation, the domain name was then used to place business email and other contact information, images and text relating to Mr Bertossa on a website that masqueraded as his. The content depicting Mr Bertossa was later removed from the website, after this ADR proceeding began, and replaced with localized advertising content on a domain name parking page. There is no question of consent being given by Mr Bertossa regarding any of these actions or evidence of any contact with him by the person(s) behind richard-bertossa.eu’s registration or the production of the website (if different).
After discovering the existence of the website, Mr Bertossa filed an ADR Complaint on grounds of “identity theft”. He first named the Registry (EURid) as Respondent, but then, following EURid’s verification of its WHOIS data (essentially the details mentioned above), the Complainant amended his Complaint. In it, he repeated identity theft and noted that the domain name holder was hiding its identity but still complied with CAC's request to enter the holder’s (manifestly false) details.
After admitting the amended Complaint, CAC then sent registered letters to the new Respondent, both to the Åland Islands and to Hong Kong. These were returned as undeliverable. The Respondent made no response of any kind during this proceeding but was advised that the case would proceed and that it would continue to receive case-related communications. The Respondent’s email address appears to have been functional throughout.
Upon being seized of this case, the Panel undertook a series of administrative and technical investigations, including as to what procedures could be applied in favour of a victim of identity theft to prevent recurrence if the victim falls outside the .eu eligibility criteria. Investigation quickly revealed that the domain name holder’s Hong Kong details are not only bogus but that they have been used to obtain many other domain name registrations. The domain name used for the richard-bertossa.eu registrant email contract address is moreover traceable to a registrar which anonymizes the identity of the email account holder.
For its part, EURid’s website www.eurid.eu states: “Should you need the identification of the registrant to file an ADR complaint, you should ask EURid for disclosure of personal data via the special form available at http://www.eurid.eu/en/eu-domain-names/disputes/contact-domain-name-holder”. However, clicking on that link produces only a “404” link error message. The EURid website in addition mentions that “We also combat malicious registrations by actively screening newly registered .eu domain names and work closely with law enforcement authorities to fight cybercrime”.
Inquiries further revealed that internet.bs has subscribed to the .eu Code of Conduct which was established by EURid for .eu accredited registrars “offering a best in class service within the domain name industry” including as to “data accuracy”. This registrar has nevertheless had to suspend several registrations on grounds of reported abuse.
EURid reiterated its revocation procedure to the Panel and confirmed that, in case of an ineligible Complainant, the domain name would become available for re-registration after revocation.
A. Complainant
Like the original Complaint, the amended Complaint alleges identity theft and contends that the unknown domain name holder has no legitimate interest in the name and is using it in bad faith, by publishing content in the Complainant's name including images of him and personal contact information.
The Complainant claims as remedy deletion or transfer of the name to himself.
The Complainant claims as remedy deletion or transfer of the name to himself.
B. Respondent
As noted, the Respondent has not entered any Response.
Discussion and Findings
A. Preliminary finding regarding registration of the domain name richard-bertossa.eu
The required details provided by the applicant in order to register richard-bertossa.eu were manifestly false and appear clearly designed to exploit potential weaknesses in the .eu registration system.
The existence of such weaknesses is firstly demonstrated by the fact that, despite the express terms of its registrar’s agreement, internet.bs Corp failed to “ensure and document” that the applicant complied with the registration conditions. It simply registered the non-compliant details. Next, EURid, despite its declaration that it “actively screen[s] newly registered .eu domain names and work[s] closely with law enforcement authorities”, did not ascertain from the registrant data that this was a clearly non-compliant and thus suspicious registration. The task of administering over 3.5 million domain names doubtless explains this. However, EURid did not provide the advertized opportunity for a person considering ADR to obtain the necessary registrant identification data or, still more important, sufficient opportunity to signal an invalid registration to EURid so that it could revoke it under its powers pursuant to Article 20 of Commission Regulation (EC) 874/2004.
The Panel thus makes the preliminary finding that the .eu registration system was not yet adapted to help prevent the type of identity theft that the fraudulently obtained richard-bertossa.eu registration then facilitated. Moreover, had an appropriate revocation procedure been provided for and been given sufficient prominence by EURid, the victim of abuse might have been spared the cost and effort of bringing an ADR proceeding. Having such a revocation procedure in place is in the general interest particularly where a non-EU private person is concerned, because transfer of the name to that person is excluded as a remedy under the ADR procedure (see further below). But it is also important in the interest of working with law enforcement authorities when identity theft is involved because the requirement to treat the parties equally under the ADR Rules can require disclosure to the perpetrator of inappropriate information in this connection.
B. Preliminary finding regarding the invalidity of the registrant agreement in this case
The internet.bs registrant agreement prohibited, under both its own terms and the .eu Rules it incorporated, the provision of inaccurate or incomplete contact information. Given the exclusion of private WHOIS registration and the largely automated character of the registration process, details were hence accepted in this case that violated the registrant agreement fundamentally. In addition those details were not merely defective but were fraudulently misleading. They purported to identify the applicant, but in fact served to conceal the identity. This is conclusively proved by CAC’s failed attempts to contact the Respondent and the fact that the contact email address is in effect anonymous.
Under Article 1110 of the Luxembourg Civil Code, which applies by virtue of the registration agreement, such a grievous mistake as to identity – when details that should describe the registrant actually say nothing – is ground for nullity if "consideration of the person was the principal cause of the agreement", as it by definition must be when assigning registration to a particular person.
It therefore follows, and the Panel finds, that the registration in this case was not merely voidable but void ab initio. Neither the registrar nor EURid were accordingly bound in any way by the void registration, even once ADR proceedings had been initiated, although the perpetrator would be estopped from recovering monies it paid owing to its fraud. Any such registrant thus holds a .eu domain name precariously, as it can be deleted at any time (as opposed to revocation on grounds of impropriety or breach of registration conditions, for which the Rules provide due protection against arbitrary revocation).
For future reference it is hence all the more important for EURid to be alerted of similarly manifestly false registrations so that it can take corrective action without delay, so avoiding the need for ADR proceedings altogether.
C. Preliminary finding regarding the Complainant’s ineligibility for transfer and registration
The Panel finds that the Complainant’s ineligibility to obtain transfer of the domain name richard-bertossa.eu or register it after revocation prejudices his possibility to protect himself from repeated identity theft, including even by the same perpetrator.
This denial of the remedy of transfer relative to the ICANN system has one and only one justification – the preservation of the European identity for which the .eu TLD stands. Allowing continued harm and distress to non-EU residents can, by contrast, only bring .eu into disrepute and runs contrary to the “general interest” the EU's domain name is to serve. Revocation, whether at EURid’s initiative or through ADR, should therefore be accompanied by minimum measures that protect the victim of identity theft against its recurrence by use of the same or an equivalent character string (i.e. with or without the hyphen here). Such measures are for EURid to determine more generally but in this case the name should after revocation be open for registration with its activation held in suspension pending documentary verification of a registrant’s authenticity. This precautionary practical step will hence not prevent an EU resident with the same name from registering it.
D. Finding as to speculative and abusive registration
Even though the registration of richard-bertossa.eu was based on a legally invalid registration, it nevertheless provided the applicant with the opportunity to commit a grave invasion of the Complainant’s privacy through establishment of the bogus website that purported to bear the Complainant's name. On the basis of the amended Complaint and in accordance with Art. 21(1)(b) of Commission Regulation (EC) 874/2004, the Panel finds for the Complainant on the ground of bad faith use and that the domain name richard-bertossa.eu must be revoked under the conditions specified in the preceding paragraph.
E. Remarks on procedural aspects
With respect to the CAC procedural documentation, steps should be taken to accommodate adequately the possibility, originally sought by the Complainant, to bring a Complaint against EURid. This should be available in relation to EURid’s decisions in establishing registration or revocation procedures if it is contended that their substance conflicts materially with the Regulations.
F. Remarks on human rights aspects
The Panel observes that the “general interest” standard according to which the .eu TLD is to operate clearly embraces assuring respect for the right of privacy as enshrined in Art. 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms, which forms part of the general principles of EU law recognized in the Lisbon Treaty. This right is moreover placed on the same level as EU primary (treaty) law thanks to being part of the EU Charter of Fundamental Rights. Regulation (EC) No 733/2002 reflects this legal context in stating that it should be “implemented in compliance with the principles relating to privacy and the protection of personal data”. The Complainant must hence be afforded sufficient protection under this principle, including through proportionate technical and organizational measures within the registration system EURid manages.
The Panel considers that the measures it has mentioned in its preliminary findings will suffice as a minimum level of privacy protection quality in administering the .eu TLD system for purposes of helping prevent cases of identity theft suffered by natural persons. But it considers that addressing this harmful and growing phenomenon would also be assisted by provision for dissuasive sanctions and for appropriate administrative cooperation by amendment of Regulation (EC) 874/2004.
The required details provided by the applicant in order to register richard-bertossa.eu were manifestly false and appear clearly designed to exploit potential weaknesses in the .eu registration system.
The existence of such weaknesses is firstly demonstrated by the fact that, despite the express terms of its registrar’s agreement, internet.bs Corp failed to “ensure and document” that the applicant complied with the registration conditions. It simply registered the non-compliant details. Next, EURid, despite its declaration that it “actively screen[s] newly registered .eu domain names and work[s] closely with law enforcement authorities”, did not ascertain from the registrant data that this was a clearly non-compliant and thus suspicious registration. The task of administering over 3.5 million domain names doubtless explains this. However, EURid did not provide the advertized opportunity for a person considering ADR to obtain the necessary registrant identification data or, still more important, sufficient opportunity to signal an invalid registration to EURid so that it could revoke it under its powers pursuant to Article 20 of Commission Regulation (EC) 874/2004.
The Panel thus makes the preliminary finding that the .eu registration system was not yet adapted to help prevent the type of identity theft that the fraudulently obtained richard-bertossa.eu registration then facilitated. Moreover, had an appropriate revocation procedure been provided for and been given sufficient prominence by EURid, the victim of abuse might have been spared the cost and effort of bringing an ADR proceeding. Having such a revocation procedure in place is in the general interest particularly where a non-EU private person is concerned, because transfer of the name to that person is excluded as a remedy under the ADR procedure (see further below). But it is also important in the interest of working with law enforcement authorities when identity theft is involved because the requirement to treat the parties equally under the ADR Rules can require disclosure to the perpetrator of inappropriate information in this connection.
B. Preliminary finding regarding the invalidity of the registrant agreement in this case
The internet.bs registrant agreement prohibited, under both its own terms and the .eu Rules it incorporated, the provision of inaccurate or incomplete contact information. Given the exclusion of private WHOIS registration and the largely automated character of the registration process, details were hence accepted in this case that violated the registrant agreement fundamentally. In addition those details were not merely defective but were fraudulently misleading. They purported to identify the applicant, but in fact served to conceal the identity. This is conclusively proved by CAC’s failed attempts to contact the Respondent and the fact that the contact email address is in effect anonymous.
Under Article 1110 of the Luxembourg Civil Code, which applies by virtue of the registration agreement, such a grievous mistake as to identity – when details that should describe the registrant actually say nothing – is ground for nullity if "consideration of the person was the principal cause of the agreement", as it by definition must be when assigning registration to a particular person.
It therefore follows, and the Panel finds, that the registration in this case was not merely voidable but void ab initio. Neither the registrar nor EURid were accordingly bound in any way by the void registration, even once ADR proceedings had been initiated, although the perpetrator would be estopped from recovering monies it paid owing to its fraud. Any such registrant thus holds a .eu domain name precariously, as it can be deleted at any time (as opposed to revocation on grounds of impropriety or breach of registration conditions, for which the Rules provide due protection against arbitrary revocation).
For future reference it is hence all the more important for EURid to be alerted of similarly manifestly false registrations so that it can take corrective action without delay, so avoiding the need for ADR proceedings altogether.
C. Preliminary finding regarding the Complainant’s ineligibility for transfer and registration
The Panel finds that the Complainant’s ineligibility to obtain transfer of the domain name richard-bertossa.eu or register it after revocation prejudices his possibility to protect himself from repeated identity theft, including even by the same perpetrator.
This denial of the remedy of transfer relative to the ICANN system has one and only one justification – the preservation of the European identity for which the .eu TLD stands. Allowing continued harm and distress to non-EU residents can, by contrast, only bring .eu into disrepute and runs contrary to the “general interest” the EU's domain name is to serve. Revocation, whether at EURid’s initiative or through ADR, should therefore be accompanied by minimum measures that protect the victim of identity theft against its recurrence by use of the same or an equivalent character string (i.e. with or without the hyphen here). Such measures are for EURid to determine more generally but in this case the name should after revocation be open for registration with its activation held in suspension pending documentary verification of a registrant’s authenticity. This precautionary practical step will hence not prevent an EU resident with the same name from registering it.
D. Finding as to speculative and abusive registration
Even though the registration of richard-bertossa.eu was based on a legally invalid registration, it nevertheless provided the applicant with the opportunity to commit a grave invasion of the Complainant’s privacy through establishment of the bogus website that purported to bear the Complainant's name. On the basis of the amended Complaint and in accordance with Art. 21(1)(b) of Commission Regulation (EC) 874/2004, the Panel finds for the Complainant on the ground of bad faith use and that the domain name richard-bertossa.eu must be revoked under the conditions specified in the preceding paragraph.
E. Remarks on procedural aspects
With respect to the CAC procedural documentation, steps should be taken to accommodate adequately the possibility, originally sought by the Complainant, to bring a Complaint against EURid. This should be available in relation to EURid’s decisions in establishing registration or revocation procedures if it is contended that their substance conflicts materially with the Regulations.
F. Remarks on human rights aspects
The Panel observes that the “general interest” standard according to which the .eu TLD is to operate clearly embraces assuring respect for the right of privacy as enshrined in Art. 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms, which forms part of the general principles of EU law recognized in the Lisbon Treaty. This right is moreover placed on the same level as EU primary (treaty) law thanks to being part of the EU Charter of Fundamental Rights. Regulation (EC) No 733/2002 reflects this legal context in stating that it should be “implemented in compliance with the principles relating to privacy and the protection of personal data”. The Complainant must hence be afforded sufficient protection under this principle, including through proportionate technical and organizational measures within the registration system EURid manages.
The Panel considers that the measures it has mentioned in its preliminary findings will suffice as a minimum level of privacy protection quality in administering the .eu TLD system for purposes of helping prevent cases of identity theft suffered by natural persons. But it considers that addressing this harmful and growing phenomenon would also be assisted by provision for dissuasive sanctions and for appropriate administrative cooperation by amendment of Regulation (EC) 874/2004.
Decision
For all the foregoing reasons, in accordance with Paragraph B12 of the Rules, the Panel orders that the domain name richard.bertossa.eu be revoked and that, in order to protect the right to privacy of the Complainant in view of his ineligibility to have the domain name transferred to him, the character strings corresponding to richardbertossa.eu and richard-bertossa.eu be held suspended prior to activation following any re-registration until sufficient documentary proof is produced to the relevant registrar, with copy to EURid, to demonstrate that the applicant for registration complies fully with the registration requirements.
EURid is requested to make the necessary arrangements to implement this order.
The request by the Complainant for transfer of the name richard-bertossa.eu is denied.
EURid is requested to make the necessary arrangements to implement this order.
The request by the Complainant for transfer of the name richard-bertossa.eu is denied.
PANELISTS
Name | Dr Kevin Madders |
---|
Date of Panel Decision
2013-05-06