Capstone results and conclusions from research of and interactions with a DNS hosting provider and web host relevant to the US Federal District Court case Clayton et al v Does, 2:24-cv-00182-JLR, Western District of Washington, Document 45. April 2025.
Christopher Clayton
04/16/2025
Findings regarding Domains by Proxy and Go Daddy from Document 45
The following was rendered as part of a Court Motion and thus includes legal assertions related to the case, but is largely a summary of facts and corporate governance conclusions from an investigation of Go Daddy and Domains by Proxy's corporate structure.
I. DOMAINS BY PROXY'S RESPONSE TO FEEDBACK OVER CONCERNS WITH INTITIAL DATA PROVISION
1. At this stage, Domains by Proxy and another entity involved in initially replying to Plaintiff 2, Go Daddy Software Inc, have not further replied to Plaintiff 2's feedback (Document 40-3, page 1 from February 27th, 2025) over data provided in Document 40-2 following service of a Western District of Washington subpoena and a domesticated Maricopa County Superior Court subpoena to DBP. Relevant web service customers are non-US-based according to the information produced, but Plaintiff 2 found the data was not complete enough or plausibly accurate enough to pursue those customers for joinder and summons. It is likely from these results and in context from other emergent facts summarized in Document 42 that the registrant on file for biitflyeir.com during events in controversy is a mainland Chinese or a Hong Kong Special Administrative Region (People's Republic of China) citizen. This is the extent of conclusions that can be drawn given the pseudonymous-looking name and inconclusive address. The data on file for the reported bitflex.cc registrant was completely incomprehensible in terms of potential usefulness.
2. It has now been more than 30 days since feedback and a request to substantiate data deficiencies was provided, let alone that it has been more than 30 days since the original subpoenas were delivered to Domains by Proxy's statutory agent. This is a general standard for allowing response and there is no indication that DBP will ever respond further as a relevant third party under current circumstances. However, Plaintiffs will rescind this Motion with the Clerk's Office if there is a response with plausibly useable data before the Motion Calendar date.
II. DETAILED CONCERNS
1. Even though Plaintiff 2 had a Maricopa County subpoena issued (subpoena domestication) out of caution, cause for the production of non-privileged customer information was found relevant by W.D. Wash. (Document 21) and Plaintiff 2 had a blank W.D. Wash. subpoena issued which he filled out and included in the entire subpoena packet mailed to Domains by Proxy (Document 35).
2. Domains by Proxy as a relevant third party (an Arizona and Delaware-registered company) was discussed in Document 16 (review of DBP's relevance) and Document 35 (affidavit of service of deposition subpoenas served upon its Arizona statutory agent and analysis of the agent's relevant addresses).
As established in Documents 33 and 35:
Domains by Proxy, LLC
Entity ID: R17247380
C/O Corporation Service Company
8825 N 23rd Avenue, Suite 100, Phoenix, AZ 85021
3. Go Daddy Software Inc has in essence admitted to also having a role in related data upkeep and reporting. It has the same shared Arizona Corporation Commission Entity ID as GODADDY.COM, INC. (Arizona entity # 07969287); yet another corporate name but where Plaintiffs have not alleged that entity name to be relevant to this case. That entity number is inactive, yet the Go Daddy Software Inc name in Arizona is still being utilized (mail sent to Plaintiff 2). The address is also used by GoDaddy.com's legal department according to the Terms of Service at https://www.godaddy.com/legal/agreements/universal-terms-of-service-agreement.
As established in Document 40-5:
Go Daddy Software Inc
100 Mill Avenue, Suite 1600, Tempe, AZ 85281
4. Go Daddy Operating Company, LLC (Arizona entity number R18260883) is GoDaddy.com's apparent primary active entity registration in Arizona because it is listed on that website in the footer. It lists Corporation Service Company as its statutory agent in Tempe, and so CSC's processing office in Phoenix should be a relevant statutory agent location in the same way as it is for Domains by Proxy, LLC. Go Daddy Operating Company, LLC is the USPTO trademark registrant for the 'GODADDY,' 'GODADDY.COM,' and 'GODADDY REGISTRY' marks as they relate to Internet domain, Internet search, data sharing and information organization products and services (Serial numbers 86964922, 77684144, 85980751, 90736816). 'GODADDY AIRO' is specifically held by GoDaddy.com, LLC; yet another corporate entity but Plaintiffs are not claiming that it has relevance to this case. All of these marks are still associated with the Go Daddy Way building as the address on file with the USPTO (2155 East Go Daddy Way in Tempe, Arizona). This is where Plaintiff 2's first subpoena packet mailing attempt was redirected per USPS communications before a final return to sender event occurred (mail originally addressed to Domains by Proxy's 2150 E. Warner Road address, a location that was immediately attached to the Go Daddy Way building; Document 33). The Go Daddy Way building is still for lease after Go Daddy apparently vacated it according to LoopNet.com (an online commercial real estate marketplace) as of June 2024 (https://www.loopnet.com/Listing/2155-E-Go-Daddy-Way-Tempe-AZ/32210754/). This is in contrast to Domains by Proxy's Subpoena Policies web page which still lists the E. Warner Road address (a webpage bearing notice of having last been updated in March 2024). Further, Go Daddy Operating Company, LLC is the USPTO registrant for the mark 'DOMAINS BY PROXY' regarding the topic of 'registration of domain names on behalf of others for identification of users on a global computer network' (Serial number 78117330). It was registered in 2005.
Go Daddy Operating Company, LLC
Entity ID: R18260883
C/O Corporation Service Company
8825 N 23rd Avenue, Suite 100, Phoenix, AZ 85021
5. If these entities were to be joined and ultimately hailed to the Western District of Washington, it should not be a surprise to them when this particular issue was first non-judicially reported to GoDaddy.com and ICANN in September 2022 by Plaintiff 2 per Document 16-2. The original email exchange via Plaintiff 2's then-current work email address directly to Go Daddy was not saved in an alternate location for recovery and filing, but 16-2 is the saved joint reply from ICANN where Go Daddy refused to act on the primary intent behind a non-judicial compliance request (data disclosure). The original request had made use of Go Daddy's form for such matters (its 'Request for Disclosure of Non-Public Registrant Data' form at https://www.godaddy.com/pt-pt/help/request-for-disclosure-of-non-public-registrant-data-27915?tld=co&lang=en). Domains by Proxy, a Go Daddy-owned entity to whom ICANN and Go Daddy referred Plaintiff 2, even now still doesn't have a standard form or online submission system for non-judicially requesting DNS registrant data; only a 'File a Claim' page to report spam, phishing, malware, trademark or copyright infringement-related issues. This begs the question as to why Go Daddy maintains such a form if it redirects applicants for information disclosure to a substantially important subsidiary regarding any registrants that utilized the services of that subsidiary when that subsidiary doesn't maintain an equivalent reporting system whatsoever for such a topic.
a. GoDaddy.com and Domains By Proxy have since had an opportunity to understand the scope and scale of questionable domains of this nature, including those involved in this specific controversy, given that GoDaddy.com did receive a request related to a questionable domain where its ownership entity is also the beneficial owner of DBP. These entities are clearly doing business on an international scale by knowingly taking on non-US customers for website hosting and DNS services, and thus should be able to answer to resulting data concerns around customers who are accused of harming US citizens when evidence exists as such. They should have this data in order to deter fraud or other abuses, as well for the pursual of customers who bear responsibility for such acts in their roles as website registrants. Plaintiffs find that Go Daddy's original excuse as to which exact entity handles related data is also an aggravating factor that has needlessly delayed settling the entire discovery process, both in its non-judicial and judicial pathways, given that Go Daddy Operating Company, LLC owns all related entities and is directly named on GoDaddy.com.
b. Further, as described in Document 22, 'scamming as a service' has been a website fraud phenomenon at least since events in controversy, in particular as evidenced by the multiple self-similar copies of biitflyeir.com in function and content via alternate names that existed, as described in Document 5. If anything, the space has only become more saturated and sophisticated since then, including fake eCommerce websites where some exist primarily to harvest credit card data via fraudulent misrepresentation; not necessarily to directly gain from convincing people to purchase actually non-extant product and service offerings. DNS service providers and web hosting service providers are necessarily aware, or ought to be aware, of such frauds and resultant potential for impacts on society in order to generally craft mitigation and deterrence strategies, and to aid victims in the least with workable reporting systems that elicit forward-moving responses. These are concerns that consumers and society in general might reasonably have, similarly to concerns over cryptocurrency exchanges handling fiat-valued cryptocurrencies in their roles as custodial services, as reviewed in Documents 18 through 20.
6. The matter of acquiring plausibly accurate, useable data for use in summonses by physical addresses from Domains by Proxy and relevant GoDaddy.com entities regarding customers accused of fraud, or holding them otherwise accountable for such data, is critical to this case because it entails the identities of those who registered the biitflyeir.com website (the fraud nexus). Plaintiffs also find that the registrants of bitflex.cc are relevant in direct association via shared account registration notification systems (Document 16-3). These websites and thus their registrants targeted Washington State as direct inducers of fraud through responsibility for the published information and mechanisms which Plaintiff 1 utilized to his harm via DBP's US DNS infrastructure (Document 22's initial personal jurisdiction analysis pending summonses of such Defendants, where DBP and GoDaddy.com entities are based in the US).
7. There are no other entities from which to seek the production of relevant information about the direct perpetrators of the website fraud nexus for summonses by physical addresses given that Domains By Proxy conducted the business activity to allow these domains to be utilized under an anonymizing proxy protocol and that GoDaddy.com provided the web hosting services. That is, unless plausibly complete and accurate enough information about end-point beneficiaries from other third-party sources (cryptocurrency exchanges) ends up overlapping with information contained in Document 40-2, assuming the most complete physical address in 40-2 has some level of accuracy. An analysis of map.baidu.com did not establish plausibly complete accuracy, especially given the pseudonymous-looking customer name. More expansively, the only other possibility to verify if some part of the data is accurate is if Plaintiffs find overlapping information working backwards from each downstream cryptocurrency transaction end-point via further depositions and/or Meet and Confer processes, starting with every person associated with final cryptocurrency exchanges. This assumes relevant persons are successively summoned and ordered to undergo Meet and Confer processes or served deposition subpoenas which yield enough information production to complete a total backwards search across every involved cryptocurrency wallet in the transaction chains up to the initial laundering event, where all intermediary blockchain transactions upstream of the final ones involve pseudonymous 'over the counter' wallets (cryptocurrency wallets not associated with a website-mediated exchange); and assuming all such legal discovery is feasible to accomplish.
III. JURISDICTION RELATIVE TO 'SAFE HARBOR'
1. The DNS and web hosting entities so named are now relevant in spite of Plaintiffs' preference to hold fraudulent website registrants directly accountable per the amended Complaint (Document 42) due to the entities' having recklessly failed to retain apparently effective means of correcting fraud harm, even if they didn't know of or intend to allow any specific frauds on their network. DBP as the most immediately-relevant entity, as claimed by Go Daddy, has provided unusable data about such customers in joint with Go Daddy Software Inc by any reasonable standard of scrutiny and has not responded to a chance to correct it. At minimum, the deficiency represents an originating customer verification mistake or oversight on a DBP employee's part and isn't necessarily indicative of a pattern of lackluster multi-layered verification procedures or general operational issues, but Go Daddy originally refused to make such data non-judicially available in the first place where it very well could have worked to do so with its beneficially-owned entities as needed. Later in relation to the same situation, DBP responded to subpoenas with questionably useable data as if the information were inherently accurate without further comment.
2. Though web-related services that are unaware of specific frauds or other harms on their networks are generally not responsible for the published information or mechanisms in any way unless they co-participated in a specific illicit activity directly per 47 U.S.C. § 230 ('safe harbor'), this case's specific circumstances involve a failure to understand customers within the context of the common phenomenon of DNS service and web-hosting registrants attempting to commit fraud harms on the modern Internet. It's not possible to hail the actual website controllers (customers) to this case for related harms to begin with because of the entities' lack of plausibly complete information about their identities, an aspect of the business relationship over which they had indisputable control. The entities could have denied business to potential customers that did not provide plausibly accurate identification.
3. Because 'Book Exchange' functioned as an illicit money transmission business hosted on this network where the entities have not shown that they can plausibly fully identify related registrants of biitflyeir.com, where the same also applies to the registrants of bitflex.cc during events in controversy, the entities should be held responsible to the standard of money transmission businesses' customer data retention standards in the context of these specific facts and circumstances. Mere providers of network access services for money transmitter businesses are not ordinarily considered to be money transmitters in themselves per 31 C.F.R § 1010(ff)(5)(ii)(A), but unchecked customer data verification mistakes occurred in the least on top of the provision of this network structure for what later turned into illicit website activity. This is also relevant relative to the broader context of the known perfusion of such website scams because of the great potential for DNS services and website hosts to gain from resulting fees charged to those seeking such services at scale, providing a motive for expedited (mistake-prone) or incomplete customer verification processes even without their knowing the exact eventual motivations of any specific customers. Plaintiffs correct Document 42, page 37 in that relevant minimum customer data retention standards were moved from 31 C.F.R. § 103.121 to 31 C.F.R. § 1022.210(d)(1)(iv), but they are otherwise the same standards, and this overlaps with standards in ICANN's contracts with DNS service providers.
a. Even if the entities do not have direct responsibility for the effects of website registrants' racketeering activities and commodity futures fraud such that the Racketeering Act's jurisdiction clause in 18 U.S. Code § 1964(a) and the Commodity Exchange Act's nationwide forum applicability clause do not apply in that context because of 'safe harbor' (lack of knowledge about the specific form of illicit activities or knowledge that specific customers were going to commit such acts), the lack of accurate data about customers who did turn out to commit fraud which has harmed Plaintiffs' ability to enforce interests should count as a racketeering activity because of the reckless risk for uncorrectable fraud that this lapse allowed. Personal jurisdiction over Domains by Proxy, which was served a subpoena for good cause, and related admixed entities should then apply under 18 U.S. Code § 1964(a) where district courts have jurisdiction to prevent and restrain violations of § 1962, the scope of which includes the Bank Secrecy Act and where 1964(c) defines a right of private action. The reckless allowance for the possibility of such fraud to take place without effective deterrence is a particularly established 'mistake' in the hard evidence according to FRCP Rule 9(b), even though it is not possible to conclusively determine any particular employees' state of mind or generally prevailing internal corporate practices during events in controversy without broad deposition of the entities concerning such practices. The only other insight regarding corporate practices is from public information, such as publicly-available (but largely pseudonymous) consumer reviews such as those on Trustpilot.com complaining of the effects of DBP's WhoIs-obscuring services, and civil US Federal District Court cases that have in part involved GoDaddy.com and DBP. However, the entire matter begs the question of how the customers paid for the services if inherently accurate payer information was not collected via a credit card or bank payment. Nevertheless, information that Plaintiff 2 received from DBP indeed does not constitute complete identification of relevant customers by any level of scrutiny.
4. As described in Document 16, Domains by Proxy does not maintain any apparent Terms of Use on its website that indicate mandatory arbitration (estoppel of judicial claims), and Plaintiffs have asserted at least one Federal Question as a legal standard superseding any possible user contract, where they find Domains by Proxy and related entities have direct responsibility superseding the scope of 'safe harbor' protections. GoDaddy.com's Universal Terms of Service, paragraph 24 requires users to arbitrate all disputes under a one-year limitations period via the AAA-ICDR's Consumer Rules and paragraph 27 denies benefits to third-parties, but Plaintiffs are not claiming a benefit there either relative to the Federal Questions. The denial of third-party benefits and the short limitations period are also overbroad compared to the established evidence of Plaintiffs' inability to hail customers to this case because of GoDaddy.com's and its subsidiaries' reckless lack of attaining and retaining useable information and prior lack of cooperation around non-judicial data disclosure. Plaintiffs further do not claim a third-party benefit under DBP's contract with ICANN in the context of the Federal Questions given that the Court already found cause for the release of such data without reliance upon such a contract's terms, but in Plaintiffs' view this would be a valid cause for arbitration as an alternative resolution pathway over data issues that allowed fraudsters to harm Plaintiff 1 without deterrent, unless DBP or GoDaddy.com entities finally respond with plausibly accurate identifiable information.
5. Plaintiffs do not find in the context of the operational, corporate structural and brand admixing evidence that Go Daddy Operating Company, LLC could possibly consistently claim that it is insulated from any responsibility over the DNS-related activities and decisions of its subsidiary Domains by Proxy. Plaintiff 2 was originally willing to give Go Daddy the benefit of the doubt in Document 16, and one or the other entity has been dropped before from civil Complaints over supposed operational nuances in DNS network responsibilities versus domain control responsibilities (e.g. W.W. Williams Co v. Google, Inc., No. 2:13-cv-713, S.D. Ohio, 22 July 2013 where DBP was originally named responsible for domain control over a trademark-infringing website but where the Court agreed that GoDaddy.com had sole control over the domain due to retaining domain suspension powers). However, in full structural context, Plaintiffs find Go Daddy Operating Company, LLC is necessarily jointly responsible for DNS operational activities, and that it would not be a matter of hailing an 'alter ego' subsidiary given that it is the beneficial owner of DBP in the corporate hierarchy.
6. If Domains by Proxy and/or other GoDaddy.com entities cannot be potentially held monetarily liable over reckless data retention negligence/mistakes or for the effects as such under these circumstances which are directly preventing summonses of relevant customers that caused harm, then not being able to hold anyone potentially judicially accountable over the website fraud nexus at all would result in no possible judicial resolution over such fraud mechanisms. This is why DBP and relevant related entities as the Court finds appropriate to include should be joined as Defendants for not having complete and actionable data regarding customers relevant to this case before having fully accepted them as customers, if not that they are responsible for the customers' fraud harms directly under these particular circumstances.
7. Domains by Proxy and related entities could reasonably expect that allowing customers to utilize the cover of proxy services with no potential check on their activities in the form of minimally understanding their identities in a plausibly verifiable way could result in facing claims in a relevant Court and set of legal standards in a way that does not require showing their direct knowledge of or participation in any given customers' eventual exact website contents and functionality.
Post-filing note on assertions related to the facts presented - 6/15/2023; updated 12/20/2025
I compiled this filing before considering cognizable harm in a US Federal District Court context, and in the way I presented it (lack of accurate discovery as a harm in itself), the Court did not find cognizable harm applied. I went about moving to domesticate a case elsewhere on this particular controversy per the Research section of this website.
The cause of action in the sense of a spin-off controversy is rooted in a duty of care basis. That is, an assertion that a duty of care exists to provide plausibly accurate data about web registrant customers accused of fraud and laundering even without prior relationships between the victim of the case (or myself) and the entities because of a plausible Statutory basis to attain and retain such data (the Bank Secrecy Act and relevant clauses in Arizona law affirming the recordkeeping requirements of the Act), a contractual basis to attain and retain such data asserted as superseding any 'no third-party benefits' clauses (the entities' Know Your Customer data retention and review agreement with ICANN), a case precedent basis in Arizona establishing a specifically defined duty of care via a Statutory basis and that a firm understanding of Know Your Customer standards has existed in the public mind at least since events in controversy (alternative public policy basis asserted as a standard that would not constitute one derived 'from whole cloth' because of the commonality of website-based Internet torts).
However, because the entities do not neatly fit into the Bank Secrecy Act's financial institution or money laundering business definitions, the contractual definition and firmly-rooted public mind understanding of duty of care in this context are primarily asserted (Know Your Customer standards as genuinely unique data needs to prevent and restraint harm by those specifically defined by their customer status of DNS and web hosting services). This is the argument for a duty of care existing in the first place under Arizona law; and then subsequently I assert foreseeability, scope of breach, causation and damages could be decided by an arbitrator, a relevant Court or a relevant jury.
Otherwise, this particular filing was about showing how DNS and web hosting businesses can create layers of legal entities and consumer reporting systems that dont't necessarily fully function, that can be designed to confuse by deferring responsibility to some other entity and/or that can refuse to help at all or after a certain point without compulsion by a Court or by government enforcement. This is exactly what occurred when attempting to communicate with these entities. This is why I found value in documenting these particular entities' corporate structures from someone impacted by them (my dealing with the victim's circumstances toward finding a recovery solution regarding these entities' web registrant customers) even without regard to the US Federal District Court case.
11/13/2025 - Further, it became apparent from discussion mediated by the backdrop of an arbitral case which was mutually accepted as the primary forum to sort out the issues that exact Know Your Customer standards of any sort could not be privately enforced. Any route I found potentially relevant did not explicitly confer benefits to any specifically defined beneficiaries so it would run afoul of sweeping protections to Internet companies from negligence over third-party content (47 U.S.C Section 230). That then settled the idea of potential money damages over any such standards.
However, ICANN's Registrar Accreditation Agreement # 3.7.8 allows 'any person' to bring up a data inaccuracy claim and stipulates for such inaccurate WhoIs data to be reasonably repaired, alongside the use of reasonable verification techniques (the public as a specifically defined and intended beneficiary). Domains by Proxy is not the accredited registrar but is a re-purchaser according to the 're-seller' clause, where a re-seller of registrar services (an accredited registrar) has to ensure a re-sale contract includes all of ICANN's provisions (RAA # 3.12.2). All of this makes sense relative to ICANN's origin as a public-private partnership.
These are all corporate governance and contract considerations I didn't consider until counter-arguments actually occurred, which was not possible in the W.D. Wash. case essentially because a basis for enforcement over the original subpoena was not found; even for sanctions which I suggested as an alternative in order to enforce supplementary responses. The subpoena was nevertheless domesticated into the relevant principal place of business' jurisdiction, which I find means Arizona Civil Rule of Procedure 26(g) is also relevant (duty to subpoena senders to correct or supplement responses once an inaccuracy is made known to a recipient). The lack of reply under that clause has been what sparked the entire controversy since I still find that the discovery materials are not accurate; no sign of provable verification after cross-checking with the Hong Kong Land Registry for the most-complete data. That general procedural clause perfectly overlaps with the specific subject matter.
This is why I keep solutions and forums for dispute resolution very much open (take into account potential holes in my own arguments for adaptation as needed), as I've always done in interpersonal disputes. It applies no less to legal situations, where as a non-lawyer I've wanted to minimize the amount of intervention needed to solve ongoing branching legal disputes. However, the existence of a duty has been continually questioned instead of discussing the factual issues in this particular situation after a lack of corrective reply whatsoever to begin with.
12/20/2025 - After review of further cases as described in my ongoing article on dealing with the overall underlying situation and my article on data privacy laws and policies, I further clarified in arbitration that Domains by Proxy is most specifically contractually defined as a registrant (Registered Name Holder) via public WhoIs data published by the registrar entity. Thus, that ICANN's RAA # 3.7.7.3 most aptly applies to answer duties over licensees regarding what duties, which kinds of entities owe duties and for whose benefit (who can invoke duties). The accredited registrar in this scenario is GoDaddy.com, LLC according to ICANN which nevertheless has the same exact Arizona principal place of business registration as every other related Go Daddy entity. Regardless of the contractual specifics, the point of this article has been to provide an example of how to analyze the structuring strategies that DNS-related businesses may take and potential impacts on society.
I also could have potentially kept the underlying matter in question within W.D. Wash. if I had cited the RAA contract's choice of jurisdiction clause as part of amending that case's Complaint, but I assumed such a move would have been challenged under the competing mandatory arbitration clause.
Contractual significance of proxy services as registrants from other legal cases - 12/20/2025
As I outlined in my article on data privacy laws and policies, the contractual basis for treating proxy services as registrants for duties under ICANN's RAA # 3.7.7.3 has been reviewed in some legal cases. This is structurally important in terms of which entities should be targeted for dispute resolution within the governance structures that such companies set up via multiple entity registrations. The problem though is how rarely such contractual duties have apparently been litigated or disputed, even though they are significantly important because ICANN was formed as a public-private partnership in the first place under the Department of Commerce's powers, with deliberately sweeping protections for Internet service companies otherwise at a US Statutory level.
To restate from the data privacy law outline, Balsam v. Tucows Inc., 627 F.3d 1158, 1163 (9th Cir. 2010) considered the relevance of RAA # 3.7.7.3 to the disadvantage of that Plaintiff because a registrar had been targeted. The clause rather only specifically defines that registrant entities owe invoked duties under the clause when they sub-license domains.
Facebook Inc. v. Namecheap Inc., No. 2:20-cv-00470-GMS (D. Ariz. Nov. 10, 2020), Document 52 specifically found that a claim could continue in Federal Court on the basis of liability invoked under RAA # 3.7.7.3 against Namecheap's proxy service (WhoisGuard) (choice of jurisdiction clause held up; valid claim had been made; Section 230 in a contract context did not even come up). However, the initial Complaint in the least had not shown that the registrar entity (Namecheap) acted as an alter ego of the registrant; only the proxy service had been relevantly targeted.