Domain Registrars Can’t Be Completely Asleep at the Switch

There’s an interesting decision out of the Southern District of New York on the responsibilities domain-name registrars have towards their customers. It’s common for their contracts to disclaim all liability for mishandling domains, but the court held that such disclaimers don’t work where the registrar was so careless that its actions amount to gross negligence. In this case, the registrar mistakenly transferred the domain to the “Iranian Cyber Army.” How careless was the registrar? Here’s how the court summarized Baidu’s allegations:

Although the Intruder gave the Rep an incorrect response to the security question, the Rep nonetheless proceeded with processing the Intruder’s request to change Baidu’s email address;

When the Intruder sent the Rep a bogus security code, the Rep did not notice that it was the wrong code, apparently because the Rep did not even bother to check it against the original security code;

When the Intruder gave “” as the proposed new email address, the Rep failed to question the legitimacy of the email address, which contained an unusual and unlikely user name and the domain name of a Baidu competitor instead of the Baidu domain name; and

Register then provided the Intruder with Baidu’s user name, enabling the Intruder to change the password and hack into Baidu’s account to re-route traffic to the wrong web site.

Yep. If proven, that sounds like gross negligence to me.

Also of note: this opinion was issued by Denny Chin, United States Circuit Judge, sitting by designation.