Domain names are used as addresses on the Internet via “name servers” under the domain name system (DNS). A domain name is “example” in the URL “www.example.com.” For generic top-level domains (gTLDs) such as .com, .net, .org, and the like, domain registrations occur through various individual registrars on essentially a first-com, first-served basis—country-code top-level domains (ccTLDs) are treated slightly differently. Registration is not true “ownership” in the domain name but more like a lease. It is merely a contractual right to control use of the domain, in particular which server it resolves to—somewhat like assigning a phone number to a particular phone. It is more accurate to talk of holding domain rights than owning domains outright.
The way domains are registered can raise question over who actually holds the registration rights. So, how is the identity of the rights holder established for gTLDs?
Registrant Name and Registrant Organization Indications
When a gTLD domain is registered through a registrar, the indication of the registrant’s name and organization, if applicable, determines who holds the registration rights. Registration is really a contractual agreement between the registrant and the registrar. Questions of who holds the registration rights are thus a matter of contract law, in the context of registrar policies including those that registrars are required to follow by ICANN—the entity that oversees the international domain name system as a whole. Therefore, this question turns into one about how registrars (and ICANN) take in information that identifies the registrant when establish a domain registration contract.
Registration requires a name to be identified in a “Registrant Name” field. Inclusion of an individual’s name in that field, or a generic pseudo name like Domain Administrator or DNS Admin, will not give a corporate entity formal rights. A corporate entity holds domain registration rights only if that corporation’s legal name is currently indicated in the “Registrant Name” and/or “Registrant Organization” field(s) of the registrar’s records. But an employee or contractor/vendor registering a domain for an employer or client might list a personal name in the “Registrant Name” field and omit information in the “Registrant Organization” field necessary to make a corporate entity employer/client the formal registrant, for instance. Even inadvertent errors and omissions can change who is considered the rights holder. Such errors and omissions frequently occur because people registering domains often do not understand the legal significance of particular name/organization/contact data fields. Other times such omissions occur on purpose so that another entity can claim rights in the registration.
As an ICANN representative has stated:
“if the Registrant Organization field lists the name of an existing legal entity, that legal entity will be considered the registrant of the domain name. However, when the Registrant Organization field is empty, or when the name listed in it does not correspond to an actual legal entity (like ‘Domain Admin’, for example), the actual registrant will be whomever is listed in the Registrant Name field.
This situation happens sometimes when employees register names for their employers and don’t include the appropriate information in the corresponding fields. They may leave Registrant Organization blank, or include the name of their department and their own name in the field reserved for Registrant Name, turning themselves into the actual registrants of their company’s domains. In these cases, organizations face the risk of having the registrations disputed by their employees, who can claim the rights to the domains and attempt to transfer them away, on the basis that the particular organization is not a party to the agreement between the registrar and the registrant.”Carlos Alvarez, “Good Practices for the Registration and Administration of Domain Name Portfolios (Part II)” ICANN Blog (June 23, 2017)
When domain registration is left to a lower lever employee, that employee may intentionally or unintentionally make him- or herself (individually) the registrant. This can happen out of sheer ignorance about the significance of filling out the “Registrant Name” and “Registrant Organization” fields. Similarly, when a vendor or outside contractor handles registrations, such as a web site designer or IT service provider, the vendor may list itself (or its employee) as the registrant, and thus the holder of the domain rights. This might be benign and might be easily remedied by raising the issue with the employee or vendor. Or it might be what was agreed to in a prior vendor service contract. Though in some situations this can lead to an employee, ex-employee, or vendor holding a domain registration hostage. Although a vendor’s refusal to transfer domain rights in light of a related payment for services dispute is sometimes permitted.
Registrars will generally permit use of generic pseudo names in domain registration fields. For example, “IT Manager”, “DNS Admin”, and “Domain Administrator” are examples of pseudo names that can be utilized instead of individual legal names for various fields, including technical, administrative, and billing contact fields (such contact names do not establish who holds rights to the registration, but can establish who has authority to control aspects of it). Use of a psudeo name is generally permissible as long as a legal corporate name, such as “Acme, Inc.”, is also used in appropriate fields, such as for the “Registrant Name” and/or “Registrant Organization”.
Also, registration information can be changed after initial registration. So it is also possible for someone to later change rights holder information resulting in loss of rights to the domain registration, or at least loss of control of it and the associated potential for disruption. This can include removal of “Registrant Organization” information or changing such information to that of another entity. Such changes may stem from nefarious motives or simply incompetence.
When push comes to shove, domain registration is mainly about control of access to the registration’s information and technical settings. Such control hinges on control of the login credentials with the registrar responsible for the registration. Anyone with those login credentials can potentially change registrant name or contact information, change the login credentials, transfer the registration to another person or entity, or redirect the domain to resolve to a different server IP address hosting a different web site. This can constitute domain “hijacking”. Conversely, anyone (including an employer) lacking those login credentials cannot make changes to reflect the “true” or “correct” holder when there is a mistake or omission.
Consider implementing best practice procedures to protect domain registrations, such as following the guidance of the ICANN Security and Stability Advisory Committee set forth in “A Registrant’s Guide to Protecting Domain Name Registration Accounts” (SAC 044) and “Measures to Protect Domain Registration Services Against Exploitation or Misuse” (SAC 040). For instance, as suggested in SAC 044, consider identifying separate administrative, technical, and billing contacts to avoid having all communications routed through a single point of contact that may be more susceptible to hijacking. Also, corporate registrants should consider policies against using individual (legal) names in registration records and instead use only the formal corporate holder name plus pseudo names like “Domain Admin”, to the extent permitted by the registrar.
Strictly speaking, international organizations controlling the entire Internet domain name system “own” all domain names. Individual domain registrants merely hold contractual rights to use them, subject to contractual terms and obligations agreed to during registration (but sometimes forgotten or ignored). The identity of the registrant is specified with a registrar. It is the registrant information that is provided—or omitted—during the registration process that initially determines who formally holds the rights. Accurately providing that registrant information as intended and maintaining control over access credentials to modify such information and other technical settings are the keys to establishing rights and maintaining smooth functioning of the domain.
Austen Zuege is an attorney at law and registered U.S. patent attorney in Minneapolis whose practice encompasses patents, trademarks, copyrights, domain name cybersquatting, IP agreements and licensing, freedom-to-operate studies, client counseling, and IP litigation. If you have patent, trademark, or other IP issues, he can help.