The Best Reason for Domain Name Privacy Services

Domain name privacy and proxy services, which allow registrants to shield their identities and/or contact information from public view, have long been the subject of much debate.

While the services are often used by cybersquatters trying to hide from or frustrate legal action (including under the Uniform Domain Name Dispute Resolution Policy, or UDRP), WIPO has succinctly noted that “[t]here are recognized legitimate uses of privacy and proxy registration services.”

Legitimate uses of these services (such as Domains By Proxy, Private Registration, Whois Privacy Corp., Privacy Protect, Contact Privacy Inc., PrivacyGuardian.org, and WhoisGuard Protected) include companies that don’t want to divulge a forthcoming brand or corporate merger, individuals who want to blog about sensitive topics anonymously, and anyone who simply might want to reduce the amount of spam and unsolicited offers they receive.

But, a recent criminal case provides what may be the best justification of privacy and proxy services yet: to protect registrants from armed attempts to hijack their domain names.

I have been discussing the case in presentations since it made national headlines earlier this year, putting it on a PowerPoint slide under the category of “How Not to Resolve a Domain Name Dispute.” Now, the case is over, with a social media entrepreneur sentenced to 14 years for the attempted violent domain name transfer.

Domain Transfer at Gunpoint

According to the U.S. Attorney’s Office in the Northern District of Iowa, the man behind the scheme, Rossi Lorathio Adams II, tried and failed to buy the domain name <doitforstate.com> from a Cedar Rapids, Iowa, resident. Adams apparently wanted to use the domain name in connection with his popular website that “mostly contained images and videos of young adults engaged in crude behavior, drunkenness, and nudity.”

When Adams’s attempts to acquire the domain name lawfully failed, he refused to give up, according to the U.S. Attorney’s Office, eventually enlisting his cousin, Sherman Hopkins, Jr., a convicted felon who lived in a homeless shelter, to break into the domain name registrant’s home and force him at gunpoint to transfer the domain name.

Here’s how the U.S. Attorney’s Office described it:

On June 21, 2017, Adams drove Hopkins to the domain owner’s house and provided Hopkins with a demand note, which contained instructions for transferring the domain to Adams’ GoDaddy account. When Hopkins entered the victim’s home in Cedar Rapids, he was carrying a cellular telephone, a stolen gun, a taser, and he was wearing a hat, pantyhose on his head, and dark sunglasses on his face.

The victim was upstairs and heard Hopkins enter the home. From the top of a staircase, the victim saw Hopkins with the gun on the first floor. Hopkins shouted at the victim, who then ran into an upstairs bedroom and shut the door, leaning up against the door to stop Hopkins from entering.

Hopkins went upstairs, kicked the door open, grabbed the victim by the arm and demanded to know where he kept his computer. When the victim told Hopkins that he kept his computer in his home office, Hopkins forcibly moved the victim to the office. Hopkins ordered the victim to turn on his computer and connect to the Internet. Hopkins pulled out Adams’ demand note, which contained a series of directions on how to change an Internet domain name from the domain owner’s GoDaddy account to one of Adams’ GoDaddy accounts.

Hopkins put the firearm against the victim’s head and ordered him to follow the directions on the demand note. Hopkins then pistol whipped the victim several times in the head. Fearing for his life, the victim quickly turned to move the gun away from his head. The victim then managed to gain control of the gun, but during the struggle, he was shot in the leg. The victim shot Hopkins multiple times in the chest. He then contacted law enforcement.

How Privacy and Proxy Services Could Help

The whois record for this domain name is currently protected by the Domains By Proxy service, and historical whois records show that was also the case when the attempted gunpoint hijacking occurred, so it’s unclear how Adams learned the registrant’s identity and address.

Of course, domain name registrants often disclose their identities and contact information on websites associated with their domain names, and many who use privacy or proxy services don’t initially register their domain names with those protections in place, adding them only later.

(The European Union's General Data Protection Regulation (GDPR) has added additional protections even in the absence of privacy or proxy services, though it has led to greater challenges for trademark owners in their pursuit of cybersquatters.)

Still, this case should serve as a reminder that registering a domain name can lead to public disclosure of personal information such as names and addresses — information that can be protected via privacy and proxy services.