"Bill Hartzer - Expert-Witness and Forensic SEO: Domain Theft, Defamation, Evidence Tools"

"How an internet expert witness uses forensic tools to recover stolen domains, prove ownership, and turn online activity into court evidence."

Bill Hartzer (Hartzer Consulting / DNAccess) has done SEO since 1996 and now works heavily as an internet expert witness, juggling roughly 10 ongoing cases during the spring trial season. His talk covers what an internet expert witness actually does in court, the forensic toolset for unmasking hidden site owners and reconstructing history, the legal mechanics of recovering a stolen domain, and a do-now prevention checklist. He is not an attorney and refers clients to domain and internet attorneys.

Main takeaways

• An internet expert witness translates SEO, PPC, and domain mechanics for courts. Hartzer reviews cases, requests info from both attorneys, writes evidence-backed reports (screenshots, spreadsheets, analytics, log files), gets deposed (sometimes up to 8 hours), and can testify at trial. Common case types are SEO/PPC disputes, online defamation, and domain name fights.
• Forensic tools can unmask hidden owners and reconstruct history. WHOIS history, archived snapshots, sales comps, code search by tracking ID, and DNS history let you find every site in someone's account or on a shared server, even behind Cloudflare and WHOIS privacy.
• Transferring a domain to yourself without permission is a federal cybercrime. Even with the correct user ID and password, web designers and developers (and even the rightful owner) cannot simply move a domain. The correct path is recovery, then UDRP, then legal action. Web designers and developers do not need registrar access at any time.
• 5-year registrations and WHOIS turned off are ownership proof, not just hygiene. Register domains for 5+ years, turn WHOIS privacy off using a company address, and use domain blocking services so thieves cannot grab brand variations. A thief who steals a domain typically adds WHOIS privacy, which itself becomes evidence of the theft.
• Recovery follows an escalation ladder. Attempt non-legal recovery first, then do forensic research to establish the facts, then escalate to UDRP or a lawsuit. Hartzer reports recovering 500+ domains in the past 2-3 years and gets around 15 inquiries per week about lost domains.

Key points

Background and role

• Owns Hartzer Consulting (a one-member agency); runs DNAccess for everything domain-name related; blogs at BillHartzer.com.
• Doing organic SEO since 1996; blogging on his own name since around 2001.
• Former Senior VP at Advice Local; also Globe Runner, Standing Dog, Vizion Interactive.
• Founded the DFWSEM Association in 2004; runs the State of Search conference.
• Brand ambassador for Majestic.com, Oncrawl, and SEMrush; judge for US, UK, and Global Search Awards.
• Not an attorney; refers clients to domain/internet attorneys.

Expert witness work

• Around 10 ongoing related cases; March/April/May is the big trial season.
• Process: review the case, request info from both attorneys, write a report with screenshots and spreadsheets, present to court, get deposed (sometimes 8 hours), possibly testify at trial.
• Case types: SEO/PPC blame (e.g., an e-commerce redesign blamed for large traffic losses that was actually caused by an AI Overviews rollout, proven with SEMrush timing data), online defamation, domain disputes, and brand confusion.

Named cases

• St. George Executive Shuttle v. Western Trails Charters & Tours LLC: Western Trails bid on the trademark "St. George Shuttle" and used it in ad copy; St. George (the trademark holder) sued and won. Hartzer explained how search works to the judge.
• Lab testing lead-gen case: a lead-gen site (referring customers to nearby labs, paid about $20/lead) was sued after a lab employee reused a used needle. Hartzer used Google Analytics to reconstruct the exact customer journey (date/time, pages, the online agreement clicked) to show the lead-gen site was not responsible.
• Whitespark example: the owner of whitespark.ca holds the "Whitespark" trademark; someone else holds whitespark.com running PPC ads and local-SEO content, a clear UDRP target (bad faith via competitor ads).
• Golf course case (Iowa): an expired domain had its old site re-posted from Archive.org with added sports-betting affiliate links, plus the old phone number and old AOL email still on it; a problem for the new course owner (sports betting is illegal in Iowa). Hartzer found the affiliate via the affiliate ID in the link source code. (Note: the deck names this "TerraceHillsGolf.com" while the talk says "Charis Hills"; the exact course name is inconsistent between deck and transcript.)
• Brand-confusion auto-suggest case: two month-long-training competitors (one in Arizona, one in California); the Arizona company manipulated Google Auto-Suggest to surface the competitor's name plus "Arizona."

Forensic tools

• DomainIQ - WHOIS history; each dated change shows when the WHOIS record changed; can reach pre-GDPR records to reveal the true owner if name servers/IP did not change; search by name or email to find all associated domains.
• Archive.org - historical site snapshots; site owners can opt out (submit a support ticket and verify as owner). Counter-use: proving you owned or operated a site years ago.
• Namebio - domain sales data, like real-estate comps; how much and when a domain sold, plus resale history.
• PublicWWW - code search engine; search a unique tracking ID (Google Analytics UA-12345, Hotjar, or Microsoft Clarity code) to find every site in someone's account, even across servers and behind WHOIS privacy or Cloudflare. (Google will not let you search code; PublicWWW will.)
• SecurityTrails - current DNS/WHOIS (NS records, Google site-verification TXT files, server/IP); click an IP to see every domain on that server; DNS history captures the original server even after a move to Cloudflare (a site often sits on its real server 1-3 days before moving).

Domain theft and recovery

• Threats: hacks and lost domains; insiders (employees, web developers, web designers); a single shared Gmail across many employees (one case: 27 employees on one Gmail tied to GoDaddy, domain went missing); dark-web passwords (Network Solutions was hacked, and old credentials still worked); wrong email on WHOIS; using the same company for registrar and hosting.
• Transferring a domain to yourself without permission is a federal cybercrime even with valid credentials; many designers and developers do not know this.
• Recovery speed: GoDaddy is slow (2-3 weeks minimum when things go bad); other registrars often resolve transfers back within 24-48 hours.
• Hartzer gets around 15 inquiries per week about lost domains and has recovered 500+ domains in the past 2-3 years.
• Active case: a nonprofit had all domains transferred to a rogue web designer; Hartzer filed a police report and is helping raise around $1,500 in UDRP filing fees.
• Recovery ladder: (1) attempt non-legal recovery (call the person; account recovery showing ID/company papers to the registrar); (2) forensic research (DomainIQ, WHOIS history, DNS); (3) legal (UDRP or lawsuit).

UDRP (ICANN policy) - must prove all three

1. The domain is identical or confusingly similar to a trademark you have rights to.
2. The registrant has no rights or legitimate interests in it.
3. The domain was registered (or acquired) and is being used in bad faith. - Proving two of three is not enough; all three are required. - Costs: up to $1,500 filing fee; choose 1 or 3 panelists (3 costs more); filing bodies are WIPO, the National Arbitration Forum, and CAC (Czech Republic, runs in English, lower cost). Domain attorney: $3,000 to $10,000+. - The registrant's identity is revealed when the dispute is filed.

Prevention

• Register domains for 5+ years.
• Turn WHOIS privacy off and use a company address (so a thief adding privacy later becomes evidence).
• Set up domain/WHOIS change alerts and keyword/brand alerts (Google Alerts and others).
• Limit registrar account access; never give web designers or developers registrar access.
• Use 2FA with a physical key (Fabulous.com supports U2F login and is cited as the most secure registrar); enable Google Advanced Protection for the Google account.
• Apply domain locks and executive lock.
• Use domain blocking services (NameBlock blocks up to 500 variations; GlobalBlock is owned by GoDaddy and sold via resellers with a free report); cheaper to block annually than to register defensive domains.
• Register your trademarks with Google Ads (TM authorization form) so others cannot use the mark in ad copy.
• Document everything; keep old client emails.
• Reference post: "7 Ways to Protect Your Domain Name" at billhartzer.com/domain-names/7-ways-protect-your-domain-name/

Other website legal issues

• Copyright/IP theft: content copied word-for-word, sometimes outranking the original; remedy via DMCA forms with search engines, web hosts, and registrars; some non-US hosts will not comply.
• Expired domain exploitation: scraper tools rebuild old sites from Archive.org; the new owner does not own the copied content even if it is years old.
• Google Ads: you can bid on any keyword (including trademarks) but cannot use trademarks in ad copy; trademark owners can file a Google TM authorization form (support.google.com/google-ads/contact/3rd_party_auth_req) so Google blocks others from using the mark in copy.
• Online defamation: contact host abuse for site content; flag and report (and have others report) social posts; sometimes it goes to court.
• Brand confusion: always involved a trademark in his cases; prove confusion with SEMrush query/volume data, Google Trends, and Similarweb.
• Image "theft": Higbee Law Firm letters (deck).

Q&A

• Buys domains from bankruptcy/estate auctions and works with families of deceased owners; uses legal ways to get info directly from registrars.
• Has not encountered blockchain-based proof-of-ownership tokens; notes the official WHOIS record is still what people rely on for ownership.
• DMCA does not cover a competitor using your registered trademark in URLs/page titles; if your mark is in their domain name and they registered it before your trademark existed, that is not bad faith; if it is elsewhere in the URL or page content you can demand they stop.
• A well-known name can be a common-law trademark even without a US registration; confusion is provable via Google Search Console queries.

Slides

Slides (42)

Source

Bill Hartzer, "Legal SEO and Domain Name Issues" (deck: hartzer-seospringtraining-apr2026), SEO Spring Training, April 2026. This was the first of three back-to-back talks; only Bill Hartzer's portion is captured here.