We have seen a lot of domain theft cases lately. Let me say that again. We have seen a LOT of domain theft cases lately. In the typical scenario, a hacker will identify, by performing a reverse WHOIS search, an individual or company with a large and valuable domain name portfolio. The hacker will then identify the email address associated with that portfolio, either brute-force or social-engineer the password for the registrant’s email account through a variety of nefarious means, and then obtain control over the registrant’s email account and use that account to transfer the domain names away to a foreign, and often uncooperative, registrar.
Often, the domain names within the registrant’s portfolio represent millions of dollars. In those cases, where it makes financial sense to file a lawsuit, we will get a call and, often six to twelve months later and after numerous arguments with the registrar and/or the registry, the registrant will re-obtain control over the domain names. But there is a very simple step that registrars could take, but that many find too costly to take, to prevent this scenario, which is not going away.
Two factor authentication requires a registrant to provide two forms of authentication before allowing the registrant (or the thief) to transfer domain names away from the registrant’s account or take any other action that could potentially be detrimental to the registrant’s rights. It requires confirmation of identity through two means, which typically consist of something that the user possesses, such as a USB encryption key dongle or a phone number, something that the user knows, such as a password, or something that is inseparable from the user, such as a fingerprint. Many registrars have been reluctant to implement two factor authentication and cite cost as a factor; additional authentication methods may require the purchase of additional software or the hiring of additional personnel.
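As an added illustration (not code from this article or from any registrar), the sketch below shows the gate described above: a sensitive action goes through only when the registrant proves factors from two different categories. The action names, the account layout, and the use of a phone authenticator code (TOTP, RFC 6238) as the "something the user possesses" factor are assumptions made for the example.

```python
import hashlib
import hmac
import struct

# Assumed action names for a hypothetical registrar control panel.
SENSITIVE = {"transfer_out", "change_contact_email", "remove_registrar_lock"}

def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time code (HMAC-SHA1), as shown by a phone app."""
    mac = hmac.new(secret, struct.pack(">Q", int(at // step)), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def kdf(secret_text: str, salt: bytes) -> bytes:
    """Slow salted hash so stored knowledge factors are not kept in the clear."""
    return hashlib.pbkdf2_hmac("sha256", secret_text.encode(), salt, 200_000)

def check_factor(account: dict, kind: str, value: str, now: float):
    """Return the category a presented factor proves, or None if it fails."""
    if kind in ("password", "security_answer"):      # something the user knows
        ok = hmac.compare_digest(kdf(value, account["salt"]), account[kind])
        return "knowledge" if ok else None
    if kind == "totp":                               # something the user possesses
        window = (now - 30, now, now + 30)           # tolerate one step of clock drift
        ok = any(hmac.compare_digest(totp(account["totp_secret"], t).encode(),
                                     value.encode()) for t in window)
        return "possession" if ok else None
    return None                                      # unknown factor kinds prove nothing

def authorize(account: dict, action: str, factors: list, now: float) -> bool:
    """Sensitive actions need verified factors from two different categories."""
    proven = {check_factor(account, kind, value, now) for kind, value in factors}
    proven.discard(None)
    return len(proven) >= (2 if action in SENSITIVE else 1)

# Constructed sample account; every value here is made up for the example.
SALT = b"constructed-salt"
ACCOUNT = {
    "salt": SALT,
    "password": kdf("correct horse battery", SALT),
    "security_answer": kdf("maple street", SALT),
    "totp_secret": b"12345678901234567890",
}
```

A password plus a security answer is still refused for a transfer, because both are things the user knows and both can be stolen the same way.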
But registrars that do not implement two factor authentication may risk subjecting themselves to a negligence lawsuit under case law that every American law student reads in law school. In The T.J. Hooper, esteemed jurist Learned Hand examined whether a tugboat company should be held liable for negligence for failing to implement a radio as a safety mechanism. During a large storm, the T.J. Hooper, a cargo vessel, sank, destroying cargo owned by the plaintiff. The plaintiff sued, alleging that the owner of the barge should be held liable for negligence for failing to equip the tugboat with a radio, which would have warned the captain of bad weather. Judge Learned Hand found the T.J. Hooper’s owner liable because he failed to act with due care in failing to install a radio, despite the fact that “everybody’s doing it.” In so ruling, Learned Hand noted, “There are precautions so imperative that even their universal disregard will not excuse their omission.” In re Eastern Transportation Co. (The T.J. Hooper), 60 F.2d 737 (2nd Cir. 1932).
And the same may be true for registrars. Even though many registrars have failed to implement two factor authentication, and though many have only done so for their high net worth clients, there are some precautions that are so imperative to the protection of their consumers’ property rights that even universal disregard will not excuse their omission.