Here are the facts as laid out by the court:
“In November 2002, Jeff Eysoldt opened account number 1165490 with Go Daddy and transferred his domain name, Eysoldt.com, into that account.
When he set up the account, he agreed to the terms of Go Daddy‟s Domain Name Registration Agreement, which was subsequently replaced by Go Daddy‟s Universal Terms of Service Agreement (“UTOS”).
Though he could have opened multiple accounts, Jeff used account number 1165490 to register various personal and business domain names and the associated email accounts. He paid fees for those services with his credit card.
He also opened email accounts for his sister, Jill, and his brother, Mark. He helped Jill develop a website for her business, Good Karma Cookies. He locked all his domain names, which, according to Go Daddy, meant that the only way a third party could access any of the domain names was if the third party knew Jeff‟s user name and password.
Subsequently, Jeff began a business relationship with the owners of Proscan Imaging to operate cosmetic surgery centers called Rejuvenate Aesthetic Laser Centers (“Rejuvenate”).
During the negotiations, he registered the domain name Myrejuvenate.com through his Go Daddy account. He paid the monthly fee forthe website and its associated email through an automatic monthly withdrawal from Rejuvenate‟s checking account.
Ruth Wallace was ProScan‟s chief financial officer and a minority owner of Rejuvenate. When Rejuvenate did not perform as anticipated, the relationship between Jeff and his business partners began to sour. Jeff and his partners began negotiations to remove Jeff from the business. But they had difficulty coming to an agreement, and Jeff refused to turn the website over to Rejuvenate.
Consequently, Wallace called Go Daddy‟s customer service. Daniel Baranowsky, a call-center employee, randomly answered her call. Wallace told Baranowsky that she wanted to put Myrejuvinate.com into her name. Baranowsky testified that he had been trained that when a third party asked to change a domain name, the registrant was required to request the change.
Wallace did not know Jeff‟s user name or password. Baranowsky asked Wallace to validate the account by providing the last four to six digits of the method of payment for the account. Since Wallace was the chief financial officer of ProScan, she knew the last four digits of the bank account number used to pay for the Myrejuvenate.com website.
Baronowsky testified that validating an account only meant that he, as a customer-service representative, could access the account on his computer.
When Baronowsky accessed the account after speaking to Wallace, he saw a screen that showed that Jeff was the owner of account number 1165490. It also listed his address, phone number, and e-mail address.
Jeff testified that he had contacted Go Daddy on a number of occasions because he was worried that people associated with ProScan might try to steal his account.
A representative from Go Daddy had told him that no one could take his account unless that person had his user name and password or PIN. Jeff stated that nobody but him knew the user name and password for account number 1165490.
Baranowsky testified that he had looked through the log of telephone contacts during his conversation with Wallace and would have seen Jeff‟s contacts with Go Daddy.
Baranowsky walked Wallace through every step that she needed to complete to take control of all of account number 1165490, including all the domain names and email accounts that Jeff had paid for over the years. Baranowsky knew that he was transferring complete control of all the domain names to Wallace, even though she had only inquired about Myrejuvenate.com, and that Jeff would be completely excluded from his own account.
Wallace was given access to Jeff and his family‟s email accounts. Those accounts included communications with doctors, lawyers, the Internal Revenue Service, and others. They contained medical records, credit card numbers, bank records and other private information.
Jeff first learned that something was wrong when he received an email from Go Daddy informing him that his account had been changed. He tried to log in and saw that he was completely excluded from the account. He immediately contacted Go Daddy, and a representative told him that if he thought that his account had been taken fraudulently, he could fill out a form called “Request for Change of Account/Email Update” and fax it, along with a copy of his driver‟s license, to Go Daddy.
Jeff sent Go Daddy the form and a photocopy of his driver‟s license. The faxed form was readable and clearly showed his name and address. Nevertheless, Go Daddy sent him an email stating that it could not identify the person pictured on the copy of the driver‟s license it had received. It went on to state that “our legal department requires a clear, readable copy of government-issued photo identification in order for us to make any changes to an account.” It told him to scan or take a digital photograph of his photo identification and email it to Go Daddy. Jeff did not do so, instead filing this lawsuit.
When Wallace discovered that Jeff and his family‟s websites and emailaccounts were included in the account that Baranowsky had given her control over, she sent an email to Baronowsky asking him to transfer everything but Myrejuvenate.com back to Jeff. Baranowsky did not do so. Instead, he ignored the email. Go Daddy never allowed Jeff to access the account and never returned control of his and his family‟s websites or email accounts. Since Jeff could no longer access the account, he stopped paying for it.
The Eysoldts filed a complaint for invasion of privacy and conversion against Go Daddy. The trial court overruled Go Daddy‟s motion for summary judgment, and the case proceeded to a jury trial.
The jury found in favor of the Eysoldts and awarded each of them compensatory damages on all their claims.
It also awarded each of them punitive damages.
Go Daddy filed motions for directed verdicts, for judgment notwithstanding the verdicts (“JNOV”), and for a new trial. The trial court granted Go Daddy‟s motion for a directed verdict as to the punitive damages, concluding that the evidence did not show actual malice. It overruled the motion for directed verdicts in all other respects, as well as the other motions. Both parties have filed timely appeals from the trial court‟s judgment.
Go Daddy first argues that the Eysoldts could not recover on their claims for conversion and invasion of privacy under the economic-loss doctrine. The economic-loss doctrine generally prevents recovery of damages in tort for purely economic loss.
The Eysoldts argue that it only applies in negligence cases, not in cases involving intentional torts. We agree.
Here, the tort claims went beyond the failure to perform promises contained in the contract; they involved separate injuries.
We hold that the economic-loss doctrine does not apply in this case because the causes of actions are for intentional torts. Consequently, the trial court did not err in overruling Go Daddy‟s various motions on that basis.
Go Daddy next argues that the trial court should have granted its motions relating to the Eysoldts‟ conversion claims because Ohio law does not recognize a cause of action for conversion of intangible property.
In this case, the converted property was readily identifiable. It was Jeff‟s account with Go Daddy and its accompanying domain names and email accounts.
At least one federal court has held that domain names are intangible property subject to conversion.
Other federal courts have held that emails and computer programs can be converted. Consequently, we hold that the trial court did not err in submitting the conversion claims to the jury.
Next, Go Daddy contends that the trial court should have granted its motion for directed verdicts as to Mark and Jill‟s conversion claims because they testified that they lacked any ownership interest in or control over the account.Conversion is the wrongful exercise of dominion over property in exclusion of tte owner‟s right, or the withholding of property from the owner‟s possession under claim inconsistent with the owner‟s rights.
While Jill and Mark acknowledged that the account was registered to Jeff, the evidence showed that each of them had email accounts set up within Jeff‟s account.
Additionally, Jeff and Jill had created content for Jill‟s website for her business, Good Karma Cookies.
When Go Daddy gave control of the account to Wallace and ProScan, Jill could not access her website. Likewise, Jill and Mark could not access their email accounts.
Thus, as the trial court stated, “there was sufficient evidence produced at trial that would support the jury finding that Go Daddy converted the conditional and private email communications of Mark and Jill Eysoldt that were contained in the GoDaddy account.”
Finally, Go Daddy contends that the Eysoldts‟ invasion-of-privacy claims should have failed because they presented no evidence that Go Daddy had ever accessed or read any of their emails. The Eysoldts each raised an invasion-of- seclusion type of invasion-of-privacy claim.
Go Daddy took private domain names and private email accounts and turned them over to a third party who had no right to access them and who easily could have viewed their contents.””
The decision did not disclose what damages were awarded to the plaintiff’s.
That’s quite the horror story, Mike. Validating using the last 4 digits of a payment method is extremely weak. How many people know your credit card number? A LOT! Basically, anyone you’ve done business with, e.g. other registrars, drop services, Amazon, cookie shops, restaurant waiters, etc! Even the most basic systems let you choose your own question/answer combination (and smart people pick answers that are totally unrelated to the question).
Also, a “Ruth” was able to hijack the account of a “Jeff”??!!?? Hello? If you’ve seen that Saturday Night Live skit about “Pat”, I could understand possible confusion…….but “Ruth” and “Jeff”??
Ever heard of making an *outgoing* telephone call to perform some validation? It only costs pennies, and deters a lot of attacks. Google Gmail has 2-factor security, as do other systems.
Often, domain registrars are holding assets that are more valuable than cash holdings at a bank. It’s high time that bank-level security methods became standard within the domain name industry, especially for high-profile domain names (VeriSign-Lock is a start).
And Jeff needed a photo id to access his own account, but Wallace needed the last 4 of a credit card.
Photo ID in itself is an awful method of authentication. Suppose GoDaddy needs photo ID, and so does another system (say Acme Inc.). If you provide photo ID to GoDaddy, that means your credentials can now be used to hijack your accounts at Acme. Are you going to trust GoDaddy (or other companies) so much that you open up that attack vector, by giving them a valuable document like a passport?
This is why I’ve advocated for things like 2-factor security, WHOIS validation, email/SMS notifications when accounts are accessed via a login, etc.
At least banks, border agents, etc. are *regulated* and have extremely high security standards when dealing with those trusted documents. Domain registrars….web hosting companies…..email providers…..methinks not. Smaller registrars also tend to “know their clients”, whereas a big registrar is more likely not to know who you are. In a reseller model like Tucows/OpenSRS (my registrar), there’s all the advantages of a smaller boutique registrar, because there’s a “chain of trust” in the relationships from the registrar to the reseller to the registrant.
And let’s nor forget the glaring point that the point of a “photo” Id is to be able to match a face you see in person with one on the card. Godaddy had no idea what this guy looked like so what was the point? It’s silly they wanted him to fax a clearer photo, what for, what the heck were they trying to compare it to inconclusively?
What do you suggest me to do, I have a case where I registered a domain name and paid the registration fees with my credit card, and I was sent the receipt of registration by email, and I saw a domain in my account. But a wekk later when I checked the whois information of the domain name I saw that the name of the registrant was not my name and the address also was not mine. I called the registrar and explained the situation, they told me they orderd the registry to delete the domain name by mistake and someone else registered it 2 or 3 days after I registered. So what do you suggest I should do. Please help
more of the same, the little guy has a claim, the big fish ignores him they go to court and a jury finds Go Dady liable and then GD throws more money at the matter and the case goes on and on, deny, dleay, defend, how utterly special, get off it GD, admit it, ya screwed up.
note how the people (partners) who pulled off this little act of leggerdemain seem to be not named nor culpable here?
” It told him to scan or take a digital photograph of his photo identification and email it to Go Daddy. Jeff did not do so, instead filing this lawsuit.”
Hmmm, let’s see… He can send a scan of his photo ID or sue GoDaddy.
Sounds like GoDaddy was negligent here but it seems like he could have avoided the whole problem with less than one minute’s worth of work.
What do you suggest me to do, I have a case where I registered a domain name and paid the registration fees with my credit card, and I was sent the receipt of registration by email, and I saw a domain in my account. But a week later when I checked the whois information of the domain name I saw that the name of the registrant was not my name and the address also was not mine. I called the registrar and explained the situation, they told me they ordered the registry to delete the domain name by mistake and someone else registered it 2 or 3 days after I registered. So what do you suggest I should do. Please help
Read it again. They didn’t give Wallace access based on the last few digits of a bank account number. Wallace needed to know that so that the customer service rep could use it to access the account on his/her computer. Otherwise, even the rep couldn’t access the account. Wallace had to produce other information or documentation to actually gain access his/her self, but the article doesn’t detail what that was.
Perhaps there were some missteps by Go Daddy, I don’t know, but I do know it is a really bad idea to put both personal and business names and info into one account.
Avoided the problem by opening himself up to identity theft? I don’t think so. As JP said:
“point of a “photo” Id is to be able to match a face you see in person with one on the card. Godaddy had no idea what this guy looked like so what was the point? It’s silly they wanted him to fax a clearer photo, what for, what the heck were they trying to compare it to inconclusively?”
There’s a subtle difference between “identity” and “authentication”, see:
http://technet.microsoft.com/en-us/library/cc512578.aspx
Thanks for the info about goodkarmacookies .
So happen I have working sites on GoodKarmaToYou.com and GoodKarmaEnergy and karmaenergy and of course BadKarmatoyou
I will be eating their cookies now!!
Godaddy misuses what current events denote inconceivable power over business and personal assets which are domain names, and the content and email accounts associated with them. Almost daily there are new horror stories posted to forums.nodaddy.com about fresh and inventive ways Godaddy applies to confuse the identity and thereafter steal domain names.
Yip. No surprise here. My experience tells me GoDaddy.com r crooks. i’d b very concerned they have your DL# & company information.
They sold my address to their customers (themselves) near Russia territory & then tries to sell it back like extortion (pretending they would negotiate a price). Turns out they where doing this before in the US, said they did stop, but obvioulsy did start overseas. Bad Company
Wish they would return my Internet site
GuN
This is sickening. Based on what I just read, it seems that GoDaddy were clearly in the wrong. I had an experience about 18 months ago dealing with GoDaddy and BlueRazor reps over a failure in their drop catch system. It amounted to about $850. Although I was eventually reimbursed, the lack of appropriate customer service response and lack of CS knowledge really disappointed me. Consequently, have been incrementally moving my portfolio out of both registrars. This story, posted by Mike, only further confirms my decision.
Mava-. ‘So what do you suggest I should do. Please help’
my suggestion is to keep on it, memorialize the matter in writing, and as a registered letter,
but all the while knowing full well that you are but one of perhaps thousands, maybe even tens of thousands, thus affected.
then walk in to your local municipal court house and file a small claims action and follow the mail instructions for service upon the company.
on the date of the court action, it is likely no one will present themselves, get your summary judgement and serve that, watch the fire works fly from a secret safe undisclosed location, and serve a writ of execution at the approriate time there after if they still refuse to do right by you.
if all this fails, buy a cheap picture frame and create a wall of shame over your pc.
UPDATE
I reader just sent me the trial court’s verdict in this case and the damages awarded were:
Ultimately, Eysoldt sued GoDaddy. He sued ProScan as well but settled with them. The jury ruled in favor of the Eysoldt and awarded him $50,000 ($20,000 for invasion of privacy and $30,000 for conversion). Two other Eysoldt family members were awarded $10,000 each ($7,000 for invasion of privacy and $3,000 for conversion).
http://www.scribd.com/doc/56073400/Eysoldt-v-GoDaddy-Verdict-Form
It’s a slap on the wrist to Godaddy, but this sort of arrogant disregard for its customers goes on daily.
Another take:
http://blog.ericgoldman.org/archives/2011/05/ohio_appeals_co_1.htm
As a former tech support rep for GoDaddy I can see this issue from both sides. I agree with the judgment, however there seems to be a bit of inaccurate information.
We always had to use the last SIX numbers of a credit card that was already associated with the account. Not the last four.
However, as was mentioned by a commenter above, this is still not good security.
In any case we were never to help a customer access the account. They would need to come up with the login themselves. I, as a support rep, could see the account once they validated it, but if they could not login I would tell them to try the password reset link or to call back when they were able to access the account.
I have no love for GoDaddy. I actually work for a competitor, but it looks like the issue was the agent, not GoDaddy per se, although GoDaddy is responsible for their agents. So it is GoDaddy’s fault. Sorry about that Bob!
One more thing – why didn’t the guy work with the other party to resolve the issue when she found that she had control of all this. she asked him to take control back, which would have easily been accomplished, but he refused. it looks like he smelled a suit he could make money on and decided to become uncooperative so it could go to trial.
Med
Its been a week or so since I read through the case but it seemed the parties were involved in a business that may have ended on not such friendly terms.
But she emailed and offered the account back to him when she realized she had more than she bargained for. He willfully ignored that. He should have some responsibility as he willfully tried to make the matter worse.
MED
I think at that point he knew that his ex-partners had access to all sorts of personal info and he wanted compensation for that, and the court awarded it
That’s one way to see it, but if I were so worried about access to my private info I would have jumped on the offer to get it back. If it were found that the info was used illegally then I would have sued that company. The suit with GoDaddy could have still gone through, but probably would not have stood as much a chance in that case. So he was not so interested in the security of his info as much as the larger award he could get from showing a greater problem than it could have been. He should have taken the offer to get control back.