Channel: CircleID: Law

Lawful Registrations of Domain Names

Doug Isenberg notes in a recent CircleID essay that two records in domain name disputes were broken in 2017, namely number of cybersquatting claims (3,036 in 2016, 3,073 in 2017) and number of domain names implicated (5354 in 2016, 6370 in 2017). (Update: John Berryhill reminds me in a tweet after this essay was posted that another record was also broken, in reverse domain name hijacking sanctions: 2017 had 45 cases and 2016 had 37 cases.) Fairly consistently from year to year, approximately twenty percent of filings are terminated (withdrawn); whether by settlement or nolo contendere we don't know. (All of these statistics come from the World Intellectual Property Organization (WIPO).) It may be, as Mr. Isenberg says, "that cybersquatting is still a lucrative activity," although what is meant by "lucrative" is anyone's guess. In 2016, a shade under 74% of domain names were transferred (the highest number it has ever reached, incidentally, and 185 complaints denied); but in 2017 that percentage dropped to a shade over 60%, with 139 complaints denied. (The percentages are of complaints as a whole without subtracting the withdrawns, which in 2016 were 541 and in 2017 were 437.) These numbers suggest both less cybersquatting and more complaining. (The numbers that don't come from WIPO directly are statistics calculated by DNDisputes.)

These numbers should be viewed against the extraordinary rise in the number of domain names, from approximately 10 million in 2000 (the first year of the UDRP) to approximately 190 million today (legacy and new TLDs not including country code TLDs, 144.7 million), so that although the number of filings has essentially doubled from the first full year (1500 +), the rise in filings has been incremental rather than astronomical. Filings have not risen in proportion to the rise in TLDs. Of the total number of annual filings, approximately 90% of claims that make it to award are indefensible. (An expensive irritant for trademark owners which, although quickly relieved, are costly to maintain particularly if they are frequent targets and opt for transfer.)

In its implementation document, the Internet Corporation for Assigned Names and Numbers (ICANN) does not explicitly detail what constitutes unlawful registrations (Paragraph 4.1(c)), but the WIPO Final Report at Paragraph 172 offers two examples of innocent behavior: small businesses that are able to show "through business plans, correspondence, reports, or other forms of evidence, that [they] had a bona fide intention to use the [domain] name[s] in good faith" [recent example, AGIRC, ARRCO v. Roustom, Aboudi, Aarrco Inc., D2017-1805 (WIPO December 19, 2017) (ARRCO and ]; and "Domain name registrations that are justified by legitimate free speech rights or by legitimate non-commercial considerations would likewise not be considered to be abusive" [recent example, CPA Global Limited v. Perfect Privacy, LLC / Kobre and Kim LLP, D2017-1964 (WIPO December 26, 2017) (<cpaglobal-litigation.com>)]. Of the approximately 10% to 12% of arguably defensible registrations, these two groups of innocent behavior are a small percentage of the whole.

A third kind of dispute is described by WIPO as being in "[g]ood faith." It involves "disputes between competing right holders or other competing legitimate interests over whether two names were misleadingly similar but these disputes would not fall within the scope of the procedure" (emphasis added). The implementation document ends with the warning that "only cases of abusive registrations are intended to be subject to the streamlined administrative dispute-resolution procedure."

When WIPO characterized the three kinds (two within and one outside the scope of the proposed Policy), and ICANN adopted them, they could not have anticipated that there was a fourth kind that would come to dominate the docket of defensible claims. The fourth kind comprises disputes between parties with competing interests for the domain names. The competitors are mark owners and investors (ranging from those offering a few domain names to those that can best be described as operating supermarkets of domain names, many of whom will be found at the NamesCon conferences in Las Vegas in a couple of weeks from now).

It quickly became apparent in the first full year of the UDRP that there was an investor class of registrants actively acquiring domain names composed of generic terms that could be used without infringing trademark or third-party rights. This has accelerated over the years and has been the subject of a good amount of attention by both panelists and judges. It began with a number of important cases in UDRP proceedings as well as in U.S. district courts under the Anticybersquatting Consumer Protection Act (ACPA) that established the boundaries of infringement, such as the competition for generic terms (likely to be lawful if properly curated) and domain names identical or confusingly similar to marks composed of minor changes (for which Panels invented the term "typosquatting" and are likely to be unlawful).

As Panels were presented with registrations of generic terms identical or confusingly similar to marks, they not only had to distinguish the lawful from the unlawful but also the limits of lawful registrations and the protective reach of trademarks. This has resulted in opening commercial space for the commodification of dictionary words, letters, and numbers, and facilitating their transformation into assets. None of this could have been predicted, yet it is plain in retrospect that domain names (depending on their composition, choice, and number of characters) can be (have in fact for some combinations and numbers of characters become) scarce resources, and are valued accordingly.

The development of the secondary market for domain names is directly responsible for an increase in claims of cybersquatting involving domain names composed of generic terms. (A small percentage of complaints are mark owners whose marks postdate the registrations of domain names but their claims are outside the scope of the UDRP because an earlier registered domain name can never support a claim for registration in bad faith regardless of how it is being used.) And, even though a complaint may be within the scope of the Policy, the demands for proof of cybersquatting can be weighty where the domain names are composed of generic terms such as dictionary words, common phrases, and acronyms.

A couple of examples illustrate the limitations of trademark protection for generic terms. "Harmoni" (the Panel in Information Tools Limited v. Future Media Architects, Inc., D2017-2178 (WIPO December 23, 2017) tells us) "is a female given name, a word in a number of Scandinavian languages, and a phonetically identical variant of the common English word 'harmony.'" Although Complainant alleges it had a six-month lead over Respondent in using HARMONI, it failed to provide any "evidence of sales, advertising or general reputation prior to the registration date, such that the Panel can conclude that the Complainant and its HARMONI Mark was so well known that the Respondent must have had the Complainant in mind at the time it registered the Domain Name." Moreover, "A Google search indicates that 'harmoni' is used as a business name by a number of entities. It is not implausible that in 2003, a party unaware of the Complainant would seek to register a Domain Name consisting of the word 'harmoni' for reasons other than to take advantage of any reputation the Complainant had in the HARMONI Mark."

To prevail on a claim of common law rights, priority must be supported by proof of reputation (not its reputation currently, but in the past when the domain name was registered). Otherwise, the fact that "Respondent is clearly offering to sell the Domain Name and in 2015, in response to an enquiry from the Complainant, offered to sell the Domain Name to the Complainant for a sum that is likely to be greater than its out of pocket costs, that by itself is also not a sufficient basis on the present record to find that the Respondent registered the Domain Name in bad faith."

The point (which Information Tools illustrates) is that a finding of cybersquatting has to be earned by proof. The other illustration is for the generic word "virgin." VIRGIN is a potent mark as a noun, but Virgin Enterprises does not own "virgin," and its exclusive right does not extend to all phrases in which the word (as an adjective) is combined with a noun, in this case "living." Virgin Enterprises Limited v. Domain Admin/This Domain is for Sale, Hugedomains.com., D2017-1961 (WIPO December 11, 2017). I should point out that Complainant has prevailed in many UDRP disputes and it's front-page news when it loses. The Panel explained that "there is no immediate likelihood of confusion with the Complainant's VIRGIN trademarks if the term is combined with another dictionary word such as in this case, 'living.'" Although VIRGIN predates the domain name, it has no right to "Virgin Living." It has "neither argued that it has unregistered or common law rights in the mark VIRGIN LIVING nor shown that the term 'virgin living' has become a distinctive identifier which consumers associate with the Complainant's goods and/or services."

The important reminder in this "virgin" case is that Respondent "is a domainer which regularly registers domain names that include generic words for the purposes of selling them. Such business activities can be legitimate and are not in themselves a breach of the Policy, so long as they do not encroach on third parties' trademark rights.... The Respondent simply chooses to register generic words as domain names." The lesson to be drawn from these cases is that while symbols and words signifying source certainly deserve protection, when they do not signify source they can be trumped.

Written by Gerald M. Levine, Intellectual Property, Arbitrator/Mediator at Levine Samuel LLP


DOJ Closes Probe of VeriSign Over .Web TLD

The Justice Department has closed its investigation into VeriSign Inc.'s involvement in an auction for the .web internet domain. Alexis Kramer reporting in BNA: "The department's antitrust division sent VeriSign, a Reston, Va.-based internet infrastructure provider, a civil investigative demand in January 2017 after the results of the .web auction. The DOJ told VeriSign Jan. 10 the investigation is closed, VeriSign said in a Securities and Exchange Commission filing. .Web applicant Nu Dot Co LLC had won the domain for $135 million in an auction run by the Internet Corporation for Assigned Names & Numbers [ICANN] ... VeriSign announced days later that it had provided funds for Nu Dot Co's bid and planned to acquire the rights to the domain. VeriSign hadn't applied for .web. The auction spurred a lawsuit against ICANN by domain name registry Donuts Inc., one of six other .web applicants."

Preventing 'Techlash' in 2018: Regulatory Threats

U.S. Chamber of Commerce President Thomas J. Donohue on January 10, 2018, warned that "techlash" is a threat to prosperity in 2018. What was he getting at? A "backlash against major tech companies is gaining strength — both at home and abroad, and among consumers and governments alike." "Techlash" is a shorthand reference to a variety of impulses by government and others to shape markets, services, and products; protect local interests; and step in early to prevent potential harm to competition or consumers.

These impulses lead to a variety of actions and legal standards that can slow or change the trajectory of innovations from artificial intelligence to the Internet of Things (IoT) to business process improvements. According to Mr. Donohue, "[w]e must be careful that this 'techlash' doesn't result in broad regulatory overreach that stifles innovation and stops positive advancements in their tracks." Here are a few examples of the challenges ahead:

  • Global privacy and security regulations impose compliance obligations and erect barriers to the free flow of data, products, and services. Examples include the European Union's General Data Protection Regulation (GDPR), its Network Information Security Directive (NIS Directive), e-Privacy initiative, and a nascent effort on IoT certifications. "A growing number of countries are making it more expensive and time consuming, if not illegal, to transfer data overseas." [1] China's new cyber law "requires local and overseas firms to submit to security checks and store user data within the country." [2] Such efforts may be intended to level the playing field with large U.S. technology companies, but whatever their impetus, they create enormous compliance costs and impediments to multinational operations. [3] Emerging regulation around the world may do more harm than good, particularly to U.S.-based organizations.
  • Premature regulation and oversight drives up the costs of doing business, particularly for new entrants or disruptors. Government should act only when it has evidence of actual harms to consumers or competition and the benefits outweigh the costs. When government rushes in with a technical mandate, innovation suffers. Likewise, if the government demands business changes without evidence of anti-competitive effects, it distorts the marketplace. Premature regulations impose unnecessary compliance burdens, so governments should exercise "regulatory humility" and wait for experience and evidence.
  • Unjustified class action litigation over technology strikes fear in the hearts of innovators. The growth of "no injury" lawsuits targeting the technology sector likewise is a concern. Class action plaintiffs were quick to sue GM and Toyota after news reports of a vulnerability in Jeeps, and dozens of plaintiffs immediately sued Intel after chip processor vulnerabilities named Meltdown and Spectre were reported. [4] While courts have generally rejected suits based on "risk of hacking," [5] plaintiffs continue to push these theories, along with novel "economic loss" claims from "overpaying for" [6] vulnerable devices. Legal uncertainty about such claims, and the rush to obtain damages awards and attorneys' fees, threaten to increase costs and chill companies' willingness to engage.
  • State laws, such as those attempting to impose "net neutrality" and online privacy obligations at the state level, threaten to balkanize regulation of technology. "Lawmakers in at least six states, including California and New York, have introduced bills in recent weeks that would forbid internet providers to block or slow down sites or online services." [7] State-by-state regulation of global ISP and carrier network practices is likely to create major inefficiencies. Likewise, state privacy laws create complexity for organizations whose operations, products, and customers cross state lines. Industry has decried "balkanized privacy regulation at the state level" which creates "a hazardous web of conflicting state-by-state laws for any company operating in the online space." [8]
  • Local barriers, like restrictive zoning regimes, stunt technology deployment and innovation. Tomorrow's innovations in health care, transportation, conservation, entertainment, and more depend on a robust technology infrastructure, including telecommunications facilities. [9] But many local jurisdictions are hesitant to allow deployment in public rights-of-way, and others see the explosion of small cell telecommunications facilities as a revenue stream. [10] Local barriers to deployment will slow innovation in communications technology, which may make many communities, and the United States at large, less competitive in the global economy. This is particularly troubling as other countries, like Japan and South Korea, welcome the next generation of communications technology.

2018 will be an important year for global regulation of technology, as issues from privacy to cybersecurity to competition percolate in legislatures around the world. As we enter what some call the Fourth Industrial Revolution, governments have to consider their role in supporting innovation. Hopefully the United States continues to lead by example, resisting "techlash" with a light regulatory touch and a lot of humility. The United States likewise should urge other countries not to punish success, and instead let innovators — not regulators — create the future.

[1] Cross-Border Data Flows: Where Are the Barriers, and What Do They Cost? https://itif.org/publications/2017/05/01/cross-border-data-flows-where-are-barriers-and-what-do-they-cost
[2] T. Miles, U.S. asks China not to enforce cyber security law, Reuters (Sept. 26, 2017) https://www.reuters.com/article/us-usa-china-cyber-trade/u-s-asks-china-not-to-enforce-cyber-security-law-idUSKCN1C11D1
[3] Ann M. Beauchesne, Megan Brown, Sean Heather, Principles for IoT Security; The IoT Revolution and Our Digital Security (Sept. 2017), https://www.uschamber.com/IoT-security
[4] See S. Czarnecki, Intel faces dozen class action lawsuits over chip flaws, https://www.prweek.com/article/1454201/intel-faces-dozen-class-action-lawsuits-chip-flaws (Jan. 10, 2018).
[5] Cahen v. Toyota Motor Corp., No. 16-15496 (9th Cir. Dec. 21, 2017) https://scholar.google.com/scholar_case?case=7591856924921942948&hl=en&as_sdt=6&as_vis=1&oi=scholarr
[6] Id. While the court in Cahen found that the "economic loss theory is not credible, as the allegations that the vehicles are worth less are conclusory and unsupported by any facts," a future Plaintiff may survive a motion to dismiss with stronger allegations.
[7] C. Kang, States Push Back After Net Neutrality Repeal, N.Y. Times (Jan. 11, 2018) https://www.nytimes.com/2018/01/11/technology/net-neutrality-states.html
[8] Et tu, California? ISP Privacy Bill Moving through the Legislature (June 21, 2017) https://www.ana.net/blogs/show/id/rr-blog-2017-06-et-tu-california
[9] Thomas K. Sawanobori & Paul V. Anuszkiewicz, CTIA, High Band Spectrum: The Key to Unlocking the Next Generation of Wireless, 1, (June 13, 2016), https://www.ctia.org/docs/default-source/default-document-library/5g-high-band-white-paper.pdf
[10] See Jonathan Babcock, Joshua Turner, and Anna Gomez, 5G Deployment Faces Unique Challenges Across The US, Law360 (Aug. 1, 2017) https://www.law360.com/articles/950330/5g-deployment-faces-unique-challenges-across-the-us

Written by Megan L. Brown, Partner at Wiley Rein LLP

Tips for Ecommerce to Survive and Thrive with GDPR

The regulatory environment for brands and retailers that do business online is getting stricter thanks to regulatory changes in Europe with the General Data Protection Regulation (GDPR), as well as existing regulations in the U.S. Companies that adapt quickly can turn these changes into a competitive advantage.

As we grapple worldwide with the implications of the incredible amount of personal data generated every day, consumers are pressuring brands and legislators alike for more control over their information. This becomes increasingly complicated as a larger number of businesses pivot towards subscription models, where customer-brand relationships are fluid, longer-term, and involve more uses of personal data and consumer behavior information. Neglecting the privacy desires of these consumers puts brands at risk of everything from fines and penalties to a loss of trust with their customers. There are a number of key compliance obligations that organizations should consider as they adopt new business models and expand to new geographies.

Get ready for GDPR

The GDPR, passed by the European Parliament and Council in 2016, bolsters data protection measures for Europeans. The regulation, which becomes enforceable May 25, 2018, gives these individuals greater control over their personal data and is expected to simplify the regulatory environment for brands operating online by providing uniformity across Europe.

The ripples caused by this legislation will reach every corner of the global retail market, including the U.S. According to Ovum, 70 percent of global IT decision-makers expect to increase spending to meet data protection requirements. The GDPR will force companies that process or receive European data (even if your business is located outside Europe) to transform their information handling practices to meet a new, higher standard. For instance, part of the regulation calls for data portability, allowing an individual to request transfer of their personal data from one processing system to another in a commonly used format.

Though this regulation is not enforceable for a few months, brands that process European data should already be preparing. Once the regulations go into effect, the penalties are steep. Organizations that do not comply with certain GDPR articles can incur fines of 20 million euros, or 4 percent of total global revenue, whichever is greater.

In the U.S., no state is the same

In the U.S., there is no single, comprehensive federal law like the GDPR that regulates the collection and use of personal data. Instead, the U.S. has a patchwork system of federal and state laws and regulations that sometimes overlap. Many guidelines have been developed by governmental agencies and industry groups, but they are not enforceable by law. They are, however, part of self-regulatory guidelines considered "best practices." These frameworks include accountability components increasingly used as a tool for regulatory alignment.

Although there isn't a comprehensive federal U.S. data privacy law, there are a number of federal privacy-related laws that regulate the collection and use of personal data. Some apply to particular categories of information, such as financial or health data, or electronic communications. Others apply to activities that use personal information, such as telemarketing and commercial email.

Particular states like California require websites that collect user data to communicate the type of information being collected, the types of third-parties they might share that information with, and their online tracking practices. Connecticut and Massachusetts also have stringent laws protecting consumers' data and requiring companies to safeguard that information.

The risk of noncompliance

The penalties for noncompliance vary depending on the type and severity of the violation, ranging, for example, from very high fines and delays in payment processing to civil lawsuits. Often, companies that have not maintained compliance struggle to catch up, giving significant competitive advantage to those that have implemented efficient data privacy systems and processes.

Ensuring ecommerce success

Maintaining a reputation as a company that respects consumer privacy is becoming more critical to brands every day. If done correctly, using consumer data to tailor online shopping experiences can strengthen the relationship between a brand and its customers. Yet, as the connection between a brand and its customers becomes more personal, it also becomes more complicated. Organizations that have relied on ad hoc best practices or even their own sense of right and wrong to manage customer information can no longer play data privacy by ear. Brands and retailers that conduct business online must take their role as custodians of personal data seriously. It's no longer just the right thing to do — it's the price of doing business in some of the world's most desirable global markets.

Written by Christopher Rence, Chief Information and Risk Officer at Digital River

Extraterritoriality

Black's Law Dictionary defines it as "the extraterritorial operation of laws; that is, their operation upon persons, rights or jural relations, existing beyond the limits of the enacting state, but still amenable to its laws. The term is used to indicate jurisdiction exercised by a nation in other countries, by treaty..." Extraterritoriality is also the most significant emerging development today in the law shaping virtual network architectures and services that include OTT and NFV-SDN. The related developments extend from the development of the new public international law to the imposition of forensic handover requirements to local law enforcement officials. The latter is now centered on a landmark case before the U.S. Supreme Court for which the briefs have been recently filed. Case No. 17-2, United States, Petitioner v. Microsoft Corporation is set to be argued on 27 February and decided this term ending in June. The Court's docket is available online.

This case has been coursing its way through the U.S. appellate system now for the past four years since the initial Microsoft search warrant was served in December 2013. Although there are other similar cases, this one was selected by the U.S. Supreme Court at the beginning of its term in October 2017 for consideration. The case has also disgorged a plethora of lobbying, pundit views, and hyperventilating on the streets of Washington DC, notwithstanding the essentially simple facts of the case and the application of law that has existed for hundreds of years.

Whether a United States provider of email services must comply with a probable-cause-based warrant issued under 18 U.S.C. 2703 by making disclosure in the United States of electronic communications within that provider's control, even if the provider has decided to store that material abroad.

An amazing 29 amicus curiae briefs were submitted to the Supreme Court from almost anyone who had a view on the matter and some kind of theory to advance. Perhaps not unexpectedly, every brief raised extraterritoriality as an issue.

What was rather mind-boggling, however, is that the 27 parties — basically supporting the refusal to comply with the warrant — raised the subject of extraterritoriality, ignorant of 167 years of public international telecommunication law dealing with the subject. It was rather obvious that for most of them, the topic was only recently discovered as a "me too" device to advance for some perceived organizational benefit or mantra. Only two amicus briefs — the State Attorneys General, and the typically always-practical UK Government — noted the obvious.

In today's global communications environment that does not respect geographic boundaries, the U.K. believes that the location of data should not be solely determinative of access for law enforcement purposes. Such an approach would remove the ability of sovereign nations to protect life and prevent and detect crime within their jurisdiction. [Brief of the Government of the United Kingdom of Great Britain and Northern Ireland]

The reality is that ever since communication internets across multiple borders were first treated in multilateral instruments in 1850, the need to obtain evidence has existed. Then as now, law enforcement authorities obtain that evidence via a lawful order compelling a communication provider within their jurisdiction to hand it over. Indeed, the technical interfaces are called "Handover Interfaces" and global eWarrants standards exist for this purpose. At a fundamental level, the requirements and the networks remain the same, notwithstanding every new generation arguing that their new technology Kool-Aid is fundamentally different.

What remains almost untreated in the commentaries on this case, however, are the potential collateral effects of the case itself — including a likely decision in favour of U.S. law enforcement — on the evolution of public international cybersecurity and infrastructure protection law and the architectures of rapidly emerging transnational network virtualization platforms.

The extraterritorial considerations of schlepping an eMail message among data centers are trivial compared to those same data centers orchestrating entire network architectures and services autonomously across national borders among unidentified endpoints including IoT devices using multiple encrypted data streams. Over the Top (OTT) services are vexing precursors; but it is the new Network Functions Virtualisation (NFV) provisioning now at the threshold of deployment that is the real concern. Put another way, what rational sovereign State is going to allow this to occur without effective multilateral instruments?

So the Microsoft eMail case is only a mere "sneak peek" at the fascinating realm of extraterritoriality that will be emerging in the brave new world of virtual networks today. A hundred years ago, the major industry providers enlisted the U.S. government to develop the multilateral instruments necessary to roll out their radio-based transnational virtual internets from data centers to avoid redundant implementations in every nation. Will history repeat itself?

Written by Anthony Rutkowski, Principal, Netmagic Associates LLC

Bitcoin Domain Names Become Popular - and Attract Disputes

Cryptocurrencies (such as Bitcoin) are all the rage — so, naturally, related domain name disputes are, too.

The wild fluctuations in cryptocurrency prices (Bitcoin hit a low of close to $6,000 this week, after reaching an all-time high of more than $19,000 only two months ago, and less than $1,000 a year ago) have attracted speculators, regulators and now even cybersquatters.

Bitcoin + Trademark Domain Names

About 16 cases involving domain names with the word "Bitcoin" have been filed as of this writing under the Uniform Domain Name Dispute Resolution Policy (UDRP). Each of the disputed domain names contains what appears to be a well-known trademark in addition to the word "Bitcoin," such as <morganstanleybitcoin.com>, <tdbankbitcoin.com>, and <capitalonebitcoin.com> (each of which was ordered transferred to the obvious trademark owner).

These multi-word cryptocurrency domain name disputes arose not because they contain "Bitcoin" but because they contain another entity's trademark. Indeed, it appears as if the word "Bitcoin" itself is not protected by any trademark registrations in the United States, although there are more than a dozen U.S. trademark registrations that include "Bitcoin," such as AMERICAN BITCOIN EXCHANGE (U.S. Reg. No. 4,665,053) and BITCOIN.GURU (U.S. Reg. No. 5,129,377).

So, it seems unlikely that anyone could successfully assert rights to a domain name based only on the word "Bitcoin," and the inclusion of another word may be essential to winning a UDRP dispute. For example, in a UDRP decision transferring the domain name <valium4bitcoins.com> to the drug company F. Hoffmann-La Roche, the panel wrote that the "dominant part of the disputed domain name" contained the trademark VALIUM and that the presence of the word "Bitcoin" in the domain name "does not affect the overall impression" of it.

And in a UDRP decision ordering transfer of three domain names including <bitcoincitadelinvestment.com>, the panel said that the word "Bitcoin" was simply a "generic financial term[]" that did not affect the UDRP's "confusingly similar" factor.

Interestingly, at least as of this writing, no UDRP complaints have been filed for domain names containing the names of some of Bitcoin's cryptocurrency competitors, such as Litecoin. That could simply be an indication of Bitcoin's dominance and, I suspect, is likely to change in the near future.

However, one company, Bittrex, which operates a cryptocurrency exchange, has been quite active in filing UDRP complaints for domain names that contain its BITTREX trademark, winning 23 decisions as of this writing, including for <bittrex.exchange>.

Why Cryptocurrency Domain Names?

Cybersquatters appear to be attracted to Bitcoin-related domain names at least in part to profit from questionable practices. For example, in the <valium4bitcoins.com> case, the panel wrote that the domain name "resolve[d] to a website offering generic products identical to Complainant's Valium products, and which are sold under Complainant's VALIUM trademark" — something the panel said created a likelihood of confusion and, therefore, bad faith under the UDRP's third element.

In the <morganstanleybitcoin.com> case (which also involved four other domain names), the panel applied the UDRP's "passive holding" doctrine to find bad faith even though the domain names were not associated with active websites. "Using a confusingly similar domain name that disrupts a complainant's business and trades upon the goodwill of a complainant shows bad faith..., even when a respondent does not actively use the domain names," the panel wrote.

Cybersquatters are not the only registrants of Bitcoin-related domain names, which also have attracted domainers interested in profiting from the fascination of cryptocurrency without treading on the rights of any trademark owners. Recently, for example, one domain name blogger wrote that "cryptocurrency-related domain names have been big sellers."

If Bitcoin and other cryptocurrencies continue to attract traders and media attention, I'm sure more related UDRP complaints are coming."

Written by Doug Isenberg, Attorney & Founder of The GigaLaw Firm

GDPR - Territorial Scope and the Need to Avoid Absurd and Inconsistent Results


It's not just establishment, it's context!

There is an urgent need to clarify the GDPR's territorial scope. Of the many changes the GDPR will usher in this May, the expansion of EU privacy law's territorial scope is one of the most important. The GDPR provides for broad application of its provisions both within the EU and globally. But the fact that the GDPR has a broad territorial scope does not mean that every company, or all data processing activities, are subject to it. Rather, the GDPR puts important limitations on its territorial scope that must be acknowledged and correctly analyzed by those interpreting the regulation for the global business community. Otherwise, it could lead to absurd implementation and bad policy which no one wants.

EU Establishment

In essence:

  • Where registrars are established in the EU, the registrars' use and processing of personal data is subject to the GDPR. That is no surprise to anyone.
  • Where registrars have no establishment in the EU, but offer domain name registration services to data subjects in the EU, the processing of personal data in the context of such offer will also be subject to the GDPR. Again no surprise and logical.
  • However, where a registrar is based outside the EU, without an establishment in the EU, and uses a processor in the EU, such non-EU based registrar (as a controller) will not be subject to the GDPR due to the EU based processor's establishment in the EU. The GDPR only applies to the controller according to Article 3 (1) GDPR where the processor in the EU would be considered the controller's establishment. If the controller uses an external service provider (no group company), this processor will generally not be considered an establishment of the controller. It would only be caught by GDPR if the processing is done "in the context" of that establishment. That is the key, and I'll discuss an example of potentially absurd results if this is not interpreted correctly. NB All obligations directly applicable to the processor under the GDPR will, of course, apply to the EU based processor.

WHOIS

Take the example of WHOIS (searchable registries of domain name holders), where there is presently much debate amongst the many and varied actors in the domain name industry over whether public WHOIS databases can remain public under the GDPR. The second part of ICANN's independent assessment of this issue offered an analysis of the GDPR's territorial reach that deserves closer scrutiny. Addressing the territorial limits of the law, the authors state: "Therefore, all processing of personal data is, no matter where it is carried out, within the territorial scope of the GDPR as long as the controller or processor is considered established within the EU; the nationality, citizenship or location of the data subject is irrelevant." In other words, the authors conclude that as long as a controller or processor has an "establishment" in the EU, all processing of personal data it undertakes, regardless of the location or nationality of the data subject and regardless of whether the processing has any nexus to the EU, is subject to the GDPR.

This is wrong. The analysis overlooks key language of the GDPR. Under Article 3.1, the law applies not to any processing that is done by a company that happens to have an establishment in the EU, but to processing done "in the context of" that establishment.

This distinction makes a difference. Imagine, for example, a Canadian company that has an office in Paris. Under the authors' analysis, the GDPR would apply to all processing done by that company simply by virtue of it having a Paris office, whether the data subjects interacting with it were French, Canadian, or even American, whether they accessed the company's services from France, Canada, or the U.S., and even if all the processing occurred outside of the EU. This would be an absurd result inconsistent with the text of the GDPR and sound policy. In order to determine whether the GDPR applies, one must look not only at whether the company has an establishment in the EU but also at whether the processing occurred within the context of that establishment. If the processing occurs in the U.S. or Canada for a Canadian data subject without any link to the EU establishment, clearly the processing is not done in the context of the EU establishment. Thus, the GDPR does not apply.

Understanding the territorial reach — and the limitations of that reach — of the GDPR is critical. The GDPR has the potential to shift global data privacy law and policy. As such, stakeholders must be well-informed on both the substance as well as the reach of the law's protections.

Written by David Taylor, Lawyer, Partner at Hogan Lovells

U.S. Lawmakers Moving to Consider New Rules Imposing Stricter Federal Oversight on Cryptocurrencies


Reuters reports today that several top lawmakers have revealed that "bipartisan momentum is growing in the Senate and House of Representatives for action to address the risks posed by virtual currencies to investors and the financial system." David Morgan reports: "Even free-market Republican conservatives, normally wary of government red tape, said regulation could be needed if cryptocurrencies threaten the U.S. economy. ... Much of the concern on Capitol Hill is focused on speculative trading and investing in cryptocurrencies, leading some lawmakers to push for digital assets to be regulated as securities and subject to the SEC’s investor protection rules."


US Congress Considering Legislation to Authorize Faster Access to International Electronic Data


Legislation called the Clarifying Lawful Overseas Use of Data Act, or CLOUD Act, was introduced in Congress on Monday, aimed at creating a clearer framework for law enforcement to access data stored in cloud computing systems. Ali Breland reporting in The Hill: "[The] bill is aimed at making it easier for U.S. officials to create bilateral data sharing agreements that allow them to access data stored overseas and also for foreign law enforcement to access data stored on U.S. firms' servers. ... Federal law currently doesn't specify whether the government can demand that U.S. companies give it data they have stored abroad. The CLOUD Act would amend this, likely impacting Microsoft's pending Supreme Court case over data it has stored in Ireland."

WHOIS Access and Interim GDPR Compliance Model: Latest Developments and Next Steps


WHOIS access and development of an interim GDPR compliance model remains THE hot topic within the ICANN community. Developments are occurring at a break-neck pace, as ICANN and contracted parties push for an implementable solution ahead of the May 25, 2018 effective date of the GDPR.

To quickly recap:

  • Between November 11, 2017 and January 11, 2018, various ICANN community participants submitted different proposed interim GDPR compliance models to ICANN;
  • On January 12, 2018, ICANN published a set of three proposed interim GDPR compliance models of its own design for community input;
  • On January 24, 2018, the ICANN Intellectual Property and Business Constituencies (IPC and BC, respectively) held a community-wide webinar, with in-person attendees in Washington, DC and Brussels, to discuss the ICANN and community models, and key issues and concerns in developing an interim compliance model while preserving access to WHOIS data for specific legitimate purposes, including law enforcement, cybersecurity, consumer protection, and intellectual property enforcement, among other business and individual user needs;
  • On January 29, 2018, ICANN formally closed its community input period on the compliance models;
  • On February 1, 2018, the IPC and BC sent a joint letter to the Article 29 Working Party, with a copy to ICANN, providing an overview of WHOIS uses and needs for law enforcement, cybersecurity, consumer protection and intellectual property enforcement, and how these legitimate purposes fit within the framework of the GDPR;
  • On February 2, 2018, ICANN published a matrix of all the proposed interim compliance models, and a draft summary of discussion and comments regarding the models;
  • On February 7, 2018, the European Commission provided additional input to ICANN regarding the various proposed compliance models; and
  • Between February 10 and February 16, 2018, ICANN provided updates to various community leaders regarding a compliance model that ICANN had begun to coalesce around, based on the prior models, community input, and community discussions (the "convergence model").

ICANN is now poised to formally publish the convergence model, although the community continues to discuss and seek a solution that is acceptable for all stakeholders. As part of those continued discussions, the IPC and BC will be hosting another cross-community discussion, following up on their co-hosted event on January 24. This second event will take place on Thursday February 22, 2018 from 9 am to 12 pm Eastern (US) (1400 – 1700 UTC), with in-person participation in the Winterfeldt IP Group Offices in Washington, DC and the ICANN office in Brussels, Belgium. There will also be remote participation available through Adobe Connect.

We invite all readers to participate in this important ongoing conversation. Please RSVP to denise@winterfeldt.law if you or your colleagues would like to join in person in Washington, DC or Brussels, or via remote participation.

Written by Brian Winterfeldt, Founder and Principal at Winterfeldt IP Group

IPv6, 5G and Mesh Networks Heightening Law Enforcement Challenges, Says Australian Government


In a submission to the Joint Committee on Law Enforcement's inquiry into the impact of new and emerging information and communications technology, the Department of Home Affairs and Australian Criminal Intelligence Commission (ACIC) warn that law enforcement will be degraded by a number of new technologies. In particular, the agencies warn, emerging technologies such as 5G, IPv6, and mesh networking will make interception of communications through existing legislation harder. From the report: "The implementation of IPv6 will make it significantly more difficult for law enforcement to use interception powers. The framework will include a native IP security system, which encrypts the content of network communications as a matter of course. These encryption technologies are currently available, however, users require detailed knowledge of networks and configuring these systems is relatively complex. The implementation of IPv6 will make these encryption services easily accessible and transparent to consumers, and significantly increases the amount of encrypted content over internet services." Concerning 5G network technologies, the report says: "At present, law enforcement agencies rely on the unique identifiers associated with an electronic device to lawfully obtain information about the user of said device, including location-based data. Identifiers allow devices to establish a connection with different network towers. 5G will replace the permanent identifier with one which is temporary, destructing after connection to a tower is made. This will make it more difficult for law enforcement to gain information about a person."

Washington State Passes Country's Toughest Net Neutrality Legislation


Washington may be the first state to approve a net neutrality law that applies to all wired and wireless Internet providers in the state. While other states such as Montana, New Jersey, and Vermont have also issued executive orders or proposed legislation, Washington's policy is the most ambitious. The Washington bill applies to all ISPs and prohibits blocking of "lawful content, applications, services, or nonharmful devices, subject to reasonable network management." It further states that ISPs may not impair or degrade lawful internet traffic on the basis of internet content, application, or service, or use of a nonharmful device, subject to reasonable network management, nor may ISPs engage in paid prioritization. Jon Brodkin reporting in Ars Technica writes: "Washington is likely to face lawsuits filed by broadband providers, who will argue that the state law is preempted by the FCC repeal of net neutrality rules. The FCC itself said that states are preempted from passing net neutrality rules, but legal experts have mixed opinions on whether that preemption will hold up in court."

Tracking the Line that Separates Cybersquatting from Trademark Infringement


The Uniform Domain Name Dispute Resolution Policy (UDRP) is a rights protection mechanism crafted by the World Intellectual Property Organization (WIPO) and adopted by the Internet Corporation for Assigned Names and Numbers (ICANN) for trademark owners to challenge the lawfulness of domain name registrations. Cybersquatting or abusive registration is a lesser included tort of trademark infringement, and although the UDRP forum is not a trademark court as such, in some ways it is, since it empowers Panels (assuming the right alignment of facts) to divest registrants of domain names that infringe a complainant's trademark rights.

The argument that any use of a domain name "inevitably entail[s] an infringement of the world-renowned [name of any] brand in the industry" is unavailing because regardless of future use (by a successor holder, for example), if the original registration is lawful, the complaint must be dismissed. Equipo IVI SL v. Domain Admin, WebMD, LLC, D2017-2240 (WIPO January 31, 2018) (<ivi.com>). The complaint must also be dismissed if the substance of the claim is trademark infringement. Force Therapeutics, LLC v. Patricia Franklin, University of Massachusetts Medical School, D2017-2070 (WIPO December 12, 2017) (<forceortho.org>):

[T]he Policy is directed to determining abusive domain name registration and use. This involves a more limited assessment than trademark infringement.

The term "infringed" in the domain name context refers to unlawful registration in breach of the warranties agreed to in the registration agreement and, by incorporation, Paragraph 2 of the UDRP. The evidentiary demands for proving cybersquatting under the UDRP are different and less demanding than proving trademark infringement, but nevertheless demanding in its way and if not properly understood will sink the party with the burden of proof or production, as it did in Equipo IVI SL.

If one has to look for an analogy for the UDRP it is to the commercial rules promulgated by arbitration providers, with this difference: the UDRP has its own special purpose law as expressly defined by the terms of the Policy and Rules, as construed by neutral panelists. I underscore this because while these neutrals are limited in their assessment of the facts to determine whether 1) domain names are identical or similar to trademarks, 2) registrants lack or have rights or legitimate interests, and/or 3) the domain names were registered in bad faith, they are not robotic. They apply this special purpose jurisprudence (consisting of a cabinet of principles) in a fair and balanced manner so that although the UDRP was crafted for trademark owners, it operates as a neutral forum.

But precisely where to draw the line separating cybersquatting and trademark infringement is not always so certain because they are both present in that area of the continuum that defines the outer limit of one and the beginning of the other. Where the facts support either or both cybersquatting and trademark infringement, what is within and outside jurisdiction is in the eyes of the beholder. Some panelists will accept what others decline. There are several considerations that go into accepting jurisdiction; one of them is the residence of parties in different jurisdictions. If Panels are convinced there is compelling proof of abusive registration (or convince themselves that there is!), they push the jurisprudential envelope to assure that "justice" is done.

Notable for accepting jurisdiction where the parties reside in different jurisdictions, and there is also potential (or alleged) trademark infringement, are Boxador, Inc. v. Ruben Botn-Joergensen, D2017-2593 (WIPO February 27, 2018) (<brandbucket.org> and <brandbucket.shop>, U.S. Complainant, Norwegian Respondent), discussed further below, in which the Panel awarded the domain names to Complainant, and Autobuses de Oriente ADO, S.A. de C.V. v. Private Registration / Francois Carrillo, D2017-1661 (WIPO February 1, 2018) (<ado.com>, Mexican Complainant, French Respondent), in which the Panel issued a Complainant's award that has already been challenged in an Anticybersquatting Consumer Protection Act filing. I discussed the ADO dispute in an earlier essay. (If Autobuses de Oriente has any claim at all, which I think dubious, it would be for trademark infringement and not cybersquatting. In other words, the dispute always belonged in a court of competent jurisdiction and should have been declined by the UDRP Panel).

Let me quickly say, though, that the vast majority of disputes are easily pigeonholed as being in or out of jurisdiction, and mainly within. Those that are not within are respectfully declined as belonging in courts of competent jurisdiction. In some instances, complaints may be denied with permission to refile if the facts warrant further consideration. Of this kind, Air Serbia a.d. Beograd Jurija v. Domains By Proxy, LLC / Meijun Lu, D2017-1986 (WIPO December 16, 2017) (<jat.com>, Serbian Complainant, Singapore Respondent) is notable: the Panel accepted jurisdiction, denied the complaint, but agreed that Complainant could "at some point in the future" refile if "subsequent evidence come[s] to light which would demonstrate a bad faith intent on the Respondent's part."

Boxador is exemplary in a number of ways for the Panel accepting jurisdiction and granting the requested remedy. First, Complainant had to make a case for common law rights for the reason that it let lapse its USPTO trademark. However, the Panel explained that it found the Complainant's submission wanting:

While it would have been possible to infer on the balance of probabilities — from inter alia the Respondent's knowledge of the Complainant and its business when he registered the Domain Names — that the Complainant's business was an established business of some substance, the Panel majority were reluctant to accept bare assertions of unregistered trade mark rights without any supporting evidence of the kind set out in section 1.3 of the WIPO Overview 3.0.

"Reluctant to accept" is ordinarily fatal but Complainant was fortunate in two ways: first, in drawing a three-member Panel clearly appalled by Respondent's conduct; and second, a Panel prepared to order Complainant to supplement the record (in effect allowing it to make its case):

In response to Procedural Order No. 1 a sufficient amount of the missing evidence was supplied, including a substantial number of independent press reports speaking of the standing of the Complainant and recommending its services for businesses looking for new brand names. Enough of them pre-date the registration of the First Domain Name to satisfy the Panel that industry and media recognition of the Complainant at that time was high.

Respondent did not deny that it knew of Complainant's business and its marketplace moniker. In fact, it offered similar services as Complainant in Europe and Norway:

The Respondent contends that since the Complainant has no rights to the BRANDBUCKET trade mark in Norway and Europe and since the Complainant is operating in totally different territories he cannot be said to have registered the Domain Names in bad faith.

The final clause misstates the law; operating in different territories does not shield a party from abusive conduct. In any event, Respondent knew of Complainant because it conducted a trademark search:

The Respondent claims that he investigated the trade mark rights position when setting up his business and found no registered rights in either Norway or the United States. He also noted that the Complainant's United States registration had lapsed. He points out that the Complainant has no rights in Europe or Norway, the geographical area in which the Respondent trades. He, on the other hand, has trade mark rights in both Norway and the United States.

Having learned that Complainant had allowed its trademark to lapse, Respondent applied for the BRAND BUCKET trademark in the U.S., which in the normal course (there being no opposition) advanced to registration. The contention that the parties operated in different national jurisdictions did not impress the Panel. It pointed out that the Internet is a global marketplace and "that for the most part websites connected to gTLDs are in general terms accessible from all jurisdictions."

While Respondent's trademark was lawful, the Panel concluded that its application was (although it put it more mildly) fraudulent:

[While] [t]he Panel is not in a position to assess the significance of that declaration [the formal declaration of use in commerce in the United States] ... it seems to the Panel to be a strange declaration to make if, as is the impression given by the Response, one has no intention of using the mark in the United States.

The Panel gave no credence to Respondent's statements justifying its conduct and explained why:

The position becomes clearer when one studies the chronology set out in section 4 above. The Respondent prudently conducted 'freedom to operate' searches, one of which was a search at the United States Patent and Trademark Office. From that date at least, if not before, he would have been aware of the Complainant's business being conducted under the Respondent's chosen name. He would have known then that the Complainant's claimed first use was in 2007. The Complainant's business at that time was a business, which according to [Respondent's] email of December 17, 2016, he respected and appreciated. Indeed, in that same email he suggested that there might be scope for collaboration between the parties. (Emphasis added).

On this basis, and because the Panel found "on the evidence before it and on the balance of probabilities that the Respondent's adoption of the name 'Brandbucket' for his business was an opportunistic move to take a free ride on the back of the goodwill associated with the Complainant's unregistered trade mark" it rejected Respondent's defenses entirely; although rejecting the validity of a U.S. trademark is extraordinary. In fact, to rule unenforceable a facially valid trademark is a decision that is ordinarily only within the jurisdiction of a court of competent jurisdiction.

I will posit (which most certainly will be denied as fanciful) that Panels are willing to accept disputes in the unclear area in which there is either or both cybersquatting and trademark infringement when the parties reside in different national jurisdictions and Panels have come to believe respondents have acted opportunistically. But granting a remedy under these circumstances is taking on a judge's role and setting aside the Panel's (which should be constrained by the jurisprudence of the UDRP). However, what may be acceptable when respondent's conduct is truly outrageous (as it was in Boxador) is not so acceptable when the conduct complained about is non-infringing (that is, within the scope of respondent's business) as was the case in Autobuses de Oriente.

Written by Gerald M. Levine, Intellectual Property, Arbitrator/Mediator at Levine Samuel LLP

ICANN Cannot Expect the DPAs to Re-Design WHOIS, but Asking for a Reprieve Makes Sense


We are on the brink of the most serious threat to the open and public Internet for decades. ICANN, under pressure from domain name registrars and EU data protection authorities, has proposed an "interim" plan that will hide critical information in WHOIS. Security, threat intelligence, and anti-abuse professionals rely on WHOIS to track down bad guys and keep the Internet as safe and secure as possible.

ICANN and the registrars have been going back and forth on ways to align privacy laws with the WHOIS system, which functions as a public "phone book" for Internet domains, recording information that includes the name, email address, street address, and phone number of the company or individual who registered the domain.

For years, there has been an accepted procedure for handling situations in which WHOIS conflicts with privacy law — nobody disputes the importance of protecting the privacy of natural persons. But now, with less than sixty days to go before the General Data Protection Regulation (GDPR) adopted by the European Union (EU) comes into force, registrars, who finance ICANN, have pressured ICANN into closing the public phone book effectively altogether, turning the open and public Internet into a Tor-like deep and dark net. Specifically, ICANN came out with an interim solution nicknamed the "Cookbook," which suggests completely masking the contact email address, thereby completely hiding who is responsible for managing or controlling a resource on the Internet. The Cookbook also suggests masking certain information for corporations, even though GDPR doesn't apply to them.

The ability to register domains anonymously is a massive problem for the security of the internet — attackers need to establish an infrastructure to originate their attack and set up servers to communicate with their malware. Often, they'll register multiple domains at the beginning of an attack campaign for use during all phases of their operations. Security professionals rely on WHOIS to query for ownership information about a domain, IP address, or subnet. Without this data, it becomes significantly more difficult to rapidly take down phishing sites or compromised domains hosting malware — the vast majority of cybercriminal activities. Some think that it is the hosting provider's problem to fix, but unless their customer is reaching out to them, they likely have a different service department handling the issue, and probably even have a backlog to deal with. By reaching out directly to the victims in parallel by phone and email, those victims are able to help themselves more quickly.

The Cookbook also makes it impossible to see which sites are connected or under the same management or control. For example, if someone in an organization's marketing department registered a domain using a corporate account without going through the correct internal procedures, and that site did not have the right patches or was not scanned for vulnerabilities, their online customers and visitors will likely become exposed to phishing and malware.

With the registrar business being low-margin, anything that will reduce the security line item on their budget is attractive to many registrars if they can get away with it. Registrars generally would rather conceal the connectedness between domain assets than lose business or deal with reports of malicious activity. Because GDPR is complex, difficult to interpret at this early stage and comes with heavy fines of up to 4% of annual global turnover, GDPR has been weaponized by registrars to pressure ICANN into making the domain name system more closed and private.

The Governmental Advisory Committee (GAC) of ICANN met in San Juan, Puerto Rico in March 2018. The GAC advised the ICANN Board to instruct ICANN to maintain the current structure of the WHOIS to the greatest extent possible. The GAC essentially pleaded to the ICANN Board to instruct ICANN that it must reconsider hiding the registrant email addresses from the free phone book, emphasizing (quite diplomatically) that it may not be proportionate given the significant adverse impact on law enforcement, cybersecurity, and rights protection it would have.

The GAC appropriately went even further by emphasizing to the ICANN Board that it must instruct ICANN not to erroneously use GDPR, which applies to people, as an excuse to shut down public access to corporate contacts in the phone book, which is not even in the remit of GDPR. This unjustifiable over-application of GDPR prevents companies from effectively defending their very own infrastructure. Whether it is technically feasible to require the same cryptographic hash function across registrars for individually owned domains, so that you can still pivot on the email across registrars, has been submitted for discussion right now with the world's top experts in this area. Technical discussions are also underway on whether requiring the local part of the registrant email on a corporate domain to be generic moving forward and otherwise masked (leaving only the corporate domain, which has no information relating to an identified or identifiable natural person) can be done for the sake of security and stability. These less drastic (conceivably possible) measures will certainly not be coming from the DPAs on their own initiative. The ICANN org must do that work.
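The two less drastic measures mentioned above (one shared hash function for individually owned domains, and a masked local part for corporate domains) can be illustrated as follows. This is an added example, not code from the article, ICANN or any registrar; the record fields, the choice of SHA-256, the lowercase normalisation and the `masked` placeholder are assumptions, and the records are constructed samples.

```python
import hashlib
from collections import defaultdict

# Constructed sample registration records from two hypothetical registrars.
SAMPLE_RECORDS = [
    {"registrar": "registrar-a.example", "domain": "shop-login.example",
     "email": "J.Doe@mail.example", "registrant_type": "individual"},
    {"registrar": "registrar-b.example", "domain": "shop-verify.example",
     "email": " j.doe@mail.example ", "registrant_type": "individual"},
    {"registrar": "registrar-b.example", "domain": "unrelated.example",
     "email": "alice@other.example", "registrant_type": "individual"},
    {"registrar": "registrar-a.example", "domain": "corp-promo.example",
     "email": "marketing.lead@bigcorp.example", "registrant_type": "organization"},
    {"registrar": "registrar-b.example", "domain": "corp-campaign.example",
     "email": "hostmaster@BigCorp.example", "registrant_type": "organization"},
]

MASKED_LOCAL_PART = "masked"  # assumption: placeholder shown instead of the local part


def normalize_email(email):
    """Trim and lowercase so every registrar hashes the same byte string.

    Without an agreed normalisation, two registrars would publish different
    tokens for the same registrant and the pivot would silently fail.
    """
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {email!r}")
    return f"{local.lower()}@{domain.lower()}"


def pivot_token(email):
    """Token published for an individual registrant instead of the address.

    An unsalted hash is pseudonymous, not anonymous: anyone who can guess an
    address can recompute the token and confirm the guess.
    """
    digest = hashlib.sha256(normalize_email(email).encode("utf-8")).hexdigest()
    return "sha256:" + digest


def public_view(record):
    """Return what a public WHOIS response would expose for one record."""
    email = normalize_email(record["email"])
    if record["registrant_type"] == "organization":
        # Corporate registrant: keep only the corporate domain of the address.
        contact = MASKED_LOCAL_PART + "@" + email.rpartition("@")[2]
    else:
        # Natural person: publish the cross-registrar token only.
        contact = pivot_token(email)
    return {"registrar": record["registrar"],
            "domain": record["domain"],
            "contact": contact}


def pivot(public_records):
    """Group domains that share a published contact value across registrars."""
    groups = defaultdict(list)
    for rec in public_records:
        groups[rec["contact"]].append(rec["domain"])
    return {contact: sorted(domains)
            for contact, domains in groups.items() if len(domains) > 1}


if __name__ == "__main__":
    published = [public_view(r) for r in SAMPLE_RECORDS]
    for contact, domains in pivot(published).items():
        print(contact, "->", ", ".join(domains))
```

The pivot only works if every registrar applies the identical normalisation and hash, which is why the article frames it as a requirement across registrars rather than a per-registrar choice.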

If the phone book must change in some ways, notwithstanding the accepted procedures for handling WHOIS conflicts with privacy laws, then ICANN must ensure that those with a legitimate purpose still have continued access to the contact information needed to protect business and the public until the re-designed phone book is ready for use. You can't just close the book and tell security professionals, who rely on WHOIS data to keep the internet safe, to come back when it's re-designed, potentially months later. It's entirely unacceptable for ICANN to leave each registrar to decide if and how it will provide continuous access, with no means of enforcement. Continuous access must be mandatory. The phone books also have to be easy to use in today's world, i.e., not designed to impose limits that undermine all functionality in the digital age — if you can only use the phone book manually or less than you would reasonably need, the query volume limitation is no more than a disguised blockade. I guarantee that the registrars do not have the resources to start taking on the additional work needed on the back-end that is being done for them using bulk access. But unless and until the accreditation system is up and running efficiently, that is what would have to happen to avoid disrupting the stable and secure operation of the Internet's identifiers.

To repeat, we are on the brink of the most serious threat to the open and public Internet for decades. We must step up to the plate and not get complacent about this. ICANN must have a way to hold registrars accountable if they abuse GDPR as an excuse to cripple WHOIS.

We at RiskIQ sent a letter requesting such adequate assurances from the Board on March 26. To express your concern, we prepared a generic letter you can fill out here. This letter will go to ICANN's Board, ICANN's CEO, and the GAC Public Safety Working Group Co-Chairs. Copies will be sent to the DPAs. ICANN has since then corresponded in writing and, yesterday, published twenty-eight letters to DPAs asking for help:

We request you to help ICANN and the domain name registries and registrars to maintain the global WHOIS in its current form, through either clarification of the GDPR, a moratorium on enforcement or other relevant actions, until a revised WHOIS policy that balances these critical public interest perspectives may be developed and implemented.

The DPAs will not be able to come up with the technical solutions that are necessary to architect WHOIS in a way that is both compliant with GDPR and at the same time not damaging to the security and stability of the DNS. That is the only way an ICANN temporary policy can be used to hold registrars accountable. We need to do that work. A moratorium is not needed on enforcement, but rather, a tiered-phase enforcement forbearance that has strong snapback provisions. The phases should be subject to discussion between ICANN, the community, and the DPAs. One phase may be re-designing the public Whois so that it is minimally disruptive to the security and stability of the DNS and consistent with GDPR. The second phase may look at an accreditation model and what needs to be done by ICANN to help the community build it into the system architecture in a fair and just manner. For each phase, deadlines can be set against which the DPAs can measure whether to have enforcement snap back into force.

Yesterday, ICANN's President and CEO met with the technology subgroup of the Article 29 Working Party. It appears to have been confirmed based on a third-party source that as anticipated by ICANN, the WHOIS system is on the upcoming Article 29 plenary's agenda in less than two weeks. ICANN is hopeful that it will be provided with a moratorium on enforcement that would allow sufficient time to implement the model and build the appropriate accreditation system. The model must reflect GAC consensus advice not to make changes to the current WHOIS that are not required by GDPR and disrupt the stability and security of the DNS.

Written by Jonathan Matkowsky, VP of Intellectual Property & Brand Security at RiskIQ

Parsing Predatory and Parasitical from Innocent and Good Faith Domain Name Registrants

When the World Intellectual Property Organization began deliberating in 1998 and 1999 about creating an arbitral regime that the Internet Corporation for Assigned Names and Numbers transformed into the Uniform Domain Name Dispute Resolution Policy, the curse words of choice were "predators" and "parasites" to describe cybersquatters. (In an early UDRP decision a Respondent who had also featured as a defendant in a trademark case asserted he had "just as much right to own the Domain Names [with typographic variations of the mark] as the person who owns the correct spelling of [the mark]" — Dow Jones & Company, Inc. and Dow Jones LP v. John Zuccarini, D2000-0578 (WIPO September 10, 2000) — he was quickly disabused).

Although WIPO recognized in its Final Report that there were also "innocent and good faith registrants" (Paragraph 172), there was no clear law at that time parsing the shades of difference distinguishing good faith registrants from parasites. At the time, the focus was primarily on threats to well-known and famous marks (as it was, incidentally, in the U.S. Congress; the Senate Hearing Report on the Anticybersquatting Consumer Protection Act stated that "[f]amous and well-known marks have been the special target of a variety of predatory and parasitical practices on the Internet.")

The metes and bounds of innocent and good faith registration began with Panels separating the wheat from the chaff by explaining and distinguishing different circumstances such as strength and reputation of mark, location of the parties, manner of use, priority, and other factors that had to be taken into account. This steady accumulation of principles and factors is the marrow of the living jurisprudence we now have. Respondents like the one in the Dow Jones case learned what conduct was predatory; trademark owners similarly learned (or should from the case) that simply having a mark is insufficient to prevail on a claim of cybersquatting. Burden is not a figure of speech! A good example is the overreaching by Guess? (or most likely by its representative, who apparently is unfamiliar with the UDRP jurisprudence) in Guess? IP Holder L.P. and Guess? Inc. v. The Web Group, FA1802001770358 (Forum March 20, 2018) (<g81.com>).

"Abusive registration" is applied to registrants who are found (after a merits assessment of the facts) to have infringed complainants' rights by targeting their trademarks or service marks. While the ultimate determination in a UDRP adjudication is a yes or no on cybersquatting, the means of reaching that conclusion passes through a critical assessment of 1) complainant's evidence, not just contentions; and 2) respondent's proof that it has rights or legitimate interests in the domain name or if it does not that it lawfully registered the domain name (as for example it has priority over complainant for the string of characters alleged to be infringing).

The WIPO Final Report gave as an example of innocent and good faith registration "[small businesses that are able to show] through business plans, correspondence, reports, or other forms of evidence, that [they] had a bona fide intention to use the [domain] name[s] in good faith." The perception of "small business" conjures a commercial enterprise offering traditional goods and services--there was no secondary market at that time for the buying and selling of domain names so there was no conception in 1999 that Panels would one day construe "small business" to include domain name sellers, although one U.S. federal judge presciently noted that domain names could have independent monetary value unrelated to identical or confusingly similar marks (Dorer v. Arel, 60 F.Supp. 558 (E.D. Va. 1999)).

Whether registration and use amounts to cybersquatting depends on the answer to the question of rights. Trademark owners (and the constituency as a whole) have learned over the eighteen years of decisions that the UDRP is not a rubber-stamp forum for owners of marks less well-known and formed of common elements. When targets are well-known and famous, identifying predators and parasites is easily predictable (90% at least of claims are indefensible and rarely defended).

Speculating in and selling domain names, though, immediately raised an issue as to whether the practice amounted to a lawful registration as defined in Paragraph 2 of the Policy. Some Panels thought not, but they have been overtaken by the current consensus that buying, monetizing, holding, and selling domain names is not per se unlawful. The parsing (and the first contributions to the jurisprudence) began with the fifth decision, which held that there was no actionable claim for marks acquired after registration of domain names. Then in the sixteenth decision, the Panel held that offering a domain name composed of dictionary words could only be unlawful if complainant proved the registrant was particularly targeting its mark. Allocation Network GmbH v. Steve Gregory, D2000-0016 (WIPO March 24, 2000) (<allocation.com>). The Panel explained:

The difficulty lies in the fact that the domain name allocation.com, although descriptive or generic in relation to certain services or goods, may be a valid trademark for others. This difficulty is [com]pounded by the fact that, while 'Allocation' may be considered a common word in English speaking countries, this may not be the case in other countries, such as Germany.

In formulating the ground rules for determining abusive registration, the WIPO consensus agreed the purpose of the proposed arbitral process was

not to create new rights of intellectual property, nor to accord greater protection to intellectual property in cyberspace than that which exists elsewhere. Rather, the goal is to give proper and adequate expression to the existing, multilaterally agreed standards of intellectual property protection in the context of the new, multijurisdictional and vitally important medium of the Internet.... (WIPO Final Report, Paragraph 34).

Implicitly, the WIPO consensus accepted and ICANN institutionalized the proposition that domain names could be identical or confusingly similar to trademarks, yet lawfully registered as long as they were not targeting complainant's mark ("Before any notice" etc. under Paragraph 4(c)(i) of the Policy).

In determining rights, Panels have construed the minimalist instructions of the Policy neutrally; in a sense, the Policy has been superseded by the jurisprudence; that is, the jurisprudence has become the UDRP, not the minimalist terms. The Panel in a recent decision held that the law is "concerned ... with defining the boundary between unfair and unjustified appropriation of another's intellectual creations or business identifiers." Anyclean Premium Limited v. Jethro Denahy, Any-Clean, D2017-0581 (WIPO April 28, 2017) (ANY CLEAN and <any-clean.com>). Whether a respondent crosses the boundary and its conduct is assessed to be abusive is a matter of proof and not assertion. The Respondent in Anyclean Premium was a legitimate small business, but the ruling applies equally to domain investors.

There is an even more explicit analysis in Wedding Flea Market, LLC v. Edward Panian, FA1712001762373 (Forum January 19, 2018) (<weddingfleamarket.com>). It perfectly captures irrelevant contentions as a legal basis for abusive registration. The Complainant argued Respondent (again a small business, not a domain investor) was liable because

[1) it] is not using the disputed domain names in connection with a bona fide offering of goods or services, or a legitimate noncommercial or fair use as the domain name resolves to websites which are not actively being used.

[2) its] sole intention is to profit from the sale of the disputed domain name after an inquiry from Complainant to purchase the disputed domain name in good faith.

[3) it] owns numerous domain name registrations, and cannot possibly have rights and legitimate interests in all of the domain names it registered. (Emphasis added)

Even assuming all of these facts were true, they are irrelevant if the domain name registration predates the earliest use of the mark in commerce. To have priority over trademark owners is one form of innocent and good faith registration and the one for which complainants are most likely to draw censure as reverse domain name hijackers.

It is a well-established principle under trademark law that common words registered as marks cannot be monopolized if used by others in non-infringing ways. "Elle" for example (the name of a well-known, perhaps even famous brand in the magazine universe) cannot prohibit its legitimate use by a company that markets silk to women: Hachette Filipacchi Presse v. Perfect Privacy, LLC / Jing, Liu, D2017-2278 (WIPO January 25, 2018) (<ellesilk.com>).

Just how demanding the proof requirements are is illustrated in Marathon Savings Bank v. Domain Manager, Affordable Webhosting, Inc., Advertising, D2017-1841 (WIPO November 20, 2017) involving <marathonsavingsbank.com> (held by a domain investor):

Complainant has not proved by a preponderance of evidence that Respondent registered the disputed domain name in bad faith. There is no basis to infer that Respondent had knowledge of Complainant's rights when it registered the disputed domain name in 2004. Neither is there any basis to conclude that Respondent probably knew of Complainant's rights when it registered in 2004. While Complainant provides print ads from 1996, 1997, and 2002, these ads appear to be in local circulars and there is nothing to indicate that the reach of the circulars extended beyond the local area in Wisconsin.

It should not go without saying, of course, that domain names composed of strings of characters that spell out words (dictionary or coined) or common phrases or expressions that are identical or confusingly similar to marks must be explained, or respondent fails as in Brandzy AB v. Daniel Niklasson, D2017-2456 (WIPO February 6, 2018) (<brandzy.com>. Respondent-consultant registered domain name in its own name rather than in the name of its client and refused to transfer it to Complainant).

In contrast, the Respondent investor in CSP International Fashion Group S.p.a. v. NameFind LLC, D2018-0163 (WIPO March 13, 2018) offered evidence that <myboutique.com> was a common expression that Complainant could not "own" even if it had succeeded in demonstrating it had a common law right to it. Similarly in Kitchens To Go, LLC v. KTG.COM, Whoisguard Protected / HUKU LLC, D2017-2241 (WIPO February 6, 2018) (<ktg.com>), in which Complainant had been in business for decades but only lately after the domain name registration did it become better known by its acronym, KTG. Both Respondents are investors.

What Kitchens To Go tells us is that the law does not give businesses statutory rights of precedence if the acronymic versions of their marks postdate the registration of domain names: "Even if there were stronger evidence of common law rights, the Panel notes that the Complaint would fail on other grounds." The Panel not only denied the complaint that the registration was unlawful cybersquatting, but it went even further by castigating the trademark owner that the complaint should never have been brought and sanctioned it for reverse domain name hijacking.

Parties expect consistency in arbitrating disputes under UDRP jurisprudence. What they get is a neutral assessment of the facts regardless of the strength of the trademark, but most pronounced are assessments of facts by owners of weak marks who have little to complain about when registrants are holding domain names corresponding to their marks. One no longer looks to the Policy which after all provides minimalist instructions for determining rights and interests and bad faith but to the jurisprudence which has explicated and construed the Policy.

Written by Gerald M. Levine, Intellectual Property, Arbitrator/Mediator at Levine Samuel LLP


Holocaust Remembrance Day

Today is Holocaust Remembrance Day. Today we remember that the Nazis rounded up Jews, Roma, political dissidents, and other "undesirables" using the best data and technology of the day and sent them off to concentration camps. We don't normally deal with this type of political reality in ICANN, but now is the time to do so.

In 1995, the recently formed European Union passed the EU Data Protection Directive. It was a commitment to the idea that society would never again misuse its data in the destruction of its citizens. Privacy is a fundamental human right. It's true in Europe, and with the passage of comprehensive data protection laws in more than 120 countries, it's been secured as such around the world.

On Tuesday, Mark Zuckerberg, Facebook's founder and CEO, sat in front of a joint session of Senate Committees for more than five hours. Again and again, he admitted to his company's sale of the personal data of tens of millions of Facebook users to a private contractor, where it was grossly misused. Zuckerberg was told by Senator Markey and others that new privacy laws are being drafted in the US and, with a pause, he agreed to support many of them. These laws will help raise the privacy rights of US citizens to the level of the rest of the world.

But Mark Zuckerberg's company has already been the subject of review. It was Facebook's misuse of European citizens' data that led Austrian lawyer Max Schrems to sue in the European Court of Justice, which led this highest court to strike down the EU-US Safe Harbor as illegal — reaffirming that the transmission of data from Europe to the US and elsewhere must be done in accordance with the law and must be done in ways that protect fundamental right of privacy of EU citizens.

Yet privacy rights were not the issue raised in the discussion convened by the IPC/BC on their proposed model for 'accreditation' to access Whois data. Instead, last Friday, we heard - yet again - how to give unlimited access to Whois data to any law enforcement, any cybersecurity firm, any trademark owner; basically to anyone who seeks it. The potential that journalists might use the non-public WHOIS data was recognized and credited; the potential that journalists might be the subject of a fishing expedition by a government or individual they criticized in a publication was not. The IPC/BC lawyers heading the meeting then heard that the GDPR rejects unlimited access to data — and they, in turn, unilaterally rejected the interpretation and advice of the legal advisor to ICANN, in the Hamilton Memo (#3). They told 150 people listening to the meeting that ICANN could give unlimited access to non-public Whois data to those the IPC/BC chose in their accreditation model.

We need real community consultation and on neutral ground — at ICANN — where we can again discuss what the law requires and what real compliance involves. Most importantly, we need to stop talking about who wants access to domain name data and start talking about how to respect the privacy rights of registrants. On this day of all days, on this week of all weeks, it's time for ICANN to be on the right side of law, the right side of principle and the right side of history. We hold the personal and sensitive data of almost 200 million domain name registrants. Today we must recognize that the privacy of this data could be the difference between protection and suppression.

Written by Kathy Kleiman, President, Domain Name Rights Coalition (DNRC)

Why Getting Awards Wrong Undermines the Integrity of the UDRP

The integrity of any legal system depends on the quality of mind of those appointed to administer it. There are expectations that the one judging the facts and applying the law knows what the facts are and what law to apply. Panels appointed to adjudicate disputes under the Uniform Domain Name Dispute Resolution Policy (UDRP) are not held to any lower standard than the judges of courts of competent jurisdiction. They are expected to be neutral and competent. An overall assessment of the decisions from UDRP Panels is that it works well and the decisions are fair.

But, from time to time, there are decisions so clearly wrong they demand another look, but the UDRP has no in-house mechanism for appeal. Respondents who have the means have taken their grievances to U.S. district courts under the Anticybersquatting Consumer Protection Act (ACPA) (where there is jurisdiction) and complainants have learned the hard way the cost of overreaching their rights. (If any readers have information about "appeals" to other national courts I would like to hear from you). (Respondents also learn the costs when they defend against UDRP complaints wrongfully dismissed).

Unfortunately, not all respondents in UDRP disputes have the resources to "appeal." Such a one (I suspect) will be the Respondent in T & P Holding Company, LLC v. Wendy Webbe and Ancient Holdings, LLC, FA1802001773041 (Forum April 6, 2018) (<youareok.com>). This is a case so wrongly decided that it has to be discussed and the error explained. The Panel is a long-term veteran on the Forum roster of panelists. He has denied a good number of complaints, so he has weighed the difference between "predators and parasites" and "innocent and good faith registrants." These are the bookends the World Intellectual Property Organization wrote into its Final Report (April 1999). What went wrong in this case?

First of all, what is the error? The facts as the Panel recites them are 1) Respondent defaulted, 2) Complainant owns an unregistered trademark for YOU ARE OK that dates from 2010, and 3) the domain name does not resolve to an active website. For the Panel, item 3 is the significant factor. However, a significant fact the Panel does not recite is the creation date of the domain name: 2009-01-01 (which he must have known because it is standard practice to include the WhoIs information as an Annex to the Complaint).

Paragraph 4(a)(i) requires complainant to prove it has a right. This is easy with registered marks because complainant simply has to attach a copy of the registration to the Annex but not so easy with an unregistered mark which has to be evidenced by some other form of documentary proof. Standing to maintain a UDRP proceeding depends on proof that the mark was used in commerce earlier than the registration of the domain name.

The analysis in CSP International Fashion Group S.p.A. v. Domain Administrator, NameFind LLC, D2018-0163 (WIPO March 13, 2018) (claiming cybersquatting for the common expression, <myboutique.com>) gives a good account of the requirement:

Before the Complainant can claim unregistered or trademark status in "myboutique", it must therefore demonstrate that it has acquired secondary meaning. That in turn requires the Complainant to prove that the term "myboutique", in the context, distinctively identifies primarily the Complainant with the goods or services it supplies. The consensus view of UDRP panels as to the sort of evidence required in order to establish unregistered or common law rights is described in WIPO Overview 3.0 at section 1.3 as including "a range of factors such as (i) the duration and nature of use of the mark, (ii) the amount of sales under the mark, (iii) the nature and extent of advertising using the mark, (iv) the degree of actual public (e.g., consumer, industry, media) recognition, and (v) consumer surveys".

The Panel in CSP International found Complainant did not have standing since it had no market presence until after the registration of the domain name. Timing is a critical factor. An earlier registered domain name in the .it space is not evidence of a trademark.

Notwithstanding the clearly applicable law, and without substantive proof (there is, after all, an evidentiary standard!), the Panel in T & P Holding found Complainant had standing because it:

provides screenshots of its website and social media posts indicating it uses the mark. See Compl. Ex. 2. Complainant does not provide other evidence to support its claim of common law rights. The Panel finds Complainant's contentions to be sufficient, and concludes that Complainant has established common law rights per Policy ¶ 4(a)(i) by showing the YOU ARE OK mark has taken on a secondary meaning in association with Complainant's business. (Emphasis added).

Let us assume the unregistered mark predated the registration of the domain name: in that event it is not unusual for Panels to give complainants the benefit of the doubt, leaving the issues under the second and third limbs of the Policy to be decided by the facts in the case. In T & P Holding, Respondent defaulted. Silence is generally sufficient to support complainants' prima facie showing that respondents lack rights or legitimate interests in the domain names. Thus, it is not surprising that Complainant succeeded on the second limb.

However, the question for the third limb is whether Respondent was "an innocent or good faith registrant" or a "predator and parasite"? The Panel obviously concluded that Respondent was a predator and parasite and awarded the domain name to Complainant. The problem is that it is impossible for Respondent not to have been an innocent and good faith registrant because the domain name predated the earliest date of the unregistered mark. See WIPO Overview 3.0, Paragraph 3.8.1:

where a respondent registers a domain name before the complainant's trademark rights accrue, panels will not normally find bad faith on the part of the respondent.

WIPO Overview 2.0 (not so much superseded, but earlier) went further. It correctly explains the reason "panels will not normally find bad faith," but why the explanation is omitted in 3.0 is a mystery:

the registration of the domain name would not have been in bad faith because the registrant could not have contemplated the complainant's then non-existent right. (Emphasis added).

In support of bad faith, Complainant cited and the Panel accepted Marsh Supermarkets Company, LLC, formerly known as Marsh Supermarkets, Inc. v. Choi Sungyeon, FA1312001532854 (Forum Feb. 25, 2014) (<marshsupermarkets>). It is neither germane nor dispositive on the issue of bad faith for two reasons: 1) Complainant owned a registered mark registered decades before the domain name and 2) the second level domain combined the mark with a term that identified Complainant's business, namely "marsh" and "supermarkets."

For these reasons alone, the Panel's holding of bad faith in T & P Holding is absurd:

Per Policy ¶ 4(a)(iii), Complainant argues Respondent's failure to make an active use of the <youareok.com> domain name indicates it was registered in bad faith. Respondents who make no active use of a domain name have been found to have registered and used said domain name in bad faith under Policy ¶ 4(a)(iii) [citing Marsh]… Here, Complainant avers Respondent's domain name resolves only to an "under construction" page. See Compl. Ex. 4. Consequently, the Panel finds Respondent's inactive holding of the domain name is in bad faith per Policy ¶ 4(a)(iii).

If a newly minted attorney had cited Marsh for the proposition that a domain name holder was a predator and parasite because the domain name did not resolve to an active website he would be laughed out of court. That a seasoned Panel accepted the Marsh citation as support for the proposition that <youareok.com> infringes a later unregistered mark so totally undermines UDRP law as to call into question whether the Panel actually read the papers and annex and thought about the factors that should have been applied.

T & P Holding is a case that should be "appealed" but the only present route is to a court of competent jurisdiction, and that is costly to the point of being prohibitive. A Working Group on ICANN's rights protection mechanisms for all gTLDs (currently deliberating whether any changes should be recommended) should give some thought to an appeal process in-house to allow for a reconsideration before a new Panel.

Written by Gerald M. Levine, Intellectual Property, Arbitrator/Mediator at Levine Samuel LLP

ICANN Files Legal Action Against Domain Registrar for Refusal to Collect WHOIS Data

Germany-based ICANN-accredited registrar EPAG owned by Tucows has informed ICANN that it plans to stop collecting Whois contact information from its customers as it violates the GDPR rules. As a result, ICANN on Friday filed legal action against the company asking the court for "assistance in interpreting the European Union's General Data Protection Regulation (GDPR) in order to protect the data collected in WHOIS." John Jeffrey, ICANN's General Counsel and Secretary says: "We are filing an action in Germany to protect the collection of WHOIS data and to seek further clarification that ICANN may continue to require its collection. It is ICANN's public interest role to coordinate a decentralized global WHOIS for the generic top-level domain system. ICANN contractually requires the collection of data by over 2,500 registrars and registries who help ICANN maintain that global information resource."

Update May 28, 2018: Tucows issues a statement on ICANN legal action. "Fundamentally, ICANN and Tucows disagree on how the GDPR impacts our contract. The facts and the law as we see them do not support ICANN’s broader view of what will impact the security and stability of the internet. Neither do we find the purposes outlined in the temporary specification proportional to the risks and consequences of continuing to collect, process and display unnecessary data."

Update May 31, 2018: German regional court has determined that it would not issue an injunction against EPAG. John Jeffrey, ICANN's General Counsel and Secretary responds: "While ICANN appreciates the prompt attention the Court paid to this matter, the Court's ruling today did not provide the clarity that ICANN was seeking when it initiated the injunction proceedings. ICANN is continuing to pursue the ongoing discussions with the European Commission, and WP29, to gain further clarification of the GDPR as it relates to the integrity of WHOIS services."

Update Jun 14, 2018: ICANN Appeals German Court Decision. ICANN has appealed the decision by the Regional Court in Bonn, Germany not to issue an injunction in proceedings that ICANN initiated against EPAG. The appeal was filed to the Higher Regional Court of Cologne, Germany… ICANN is asking the Higher Regional Court to issue an injunction that would require EPAG to reinstate the collection of all WHOIS data required under EPAG's Registrar Accreditation Agreement with ICANN.

A Trebuchet Defence in the Age of the Augmented Reality Cyberwarrior

I've been ruminating on this for a while, this follow-up that was a decade in the offing. My article Trench Warfare in the Age of The Laser-Guided Missile from January 2007 did pretty good in terms of views since I wrote it. Less so in terms of how well the ideas aged or didn't, but that's the nature of the beast. Everything gets worse, and simultaneously, better, and so here we are: Using embarrassingly ancient approaches to next-generation threats. Plus ça change.

I'M OPTIMISTIC. I just got an Oculus Go, something as revolutionary as the iPhone — cheap, free of most constraints, and VR a technology with inherent emotional impact well beyond traditional channels. You are 'there' wherever there you choose. The top of Everest. On the moon, watching Neil Armstrong take those steps. The steps. I wept. VR is a sensorial nec-plus-ultra. If you haven't, you don't know.

Yes, there must be one.

BUT

Recently, I had the opportunity to work with a victim of a sophisticated credential theft attack, with many parallels to phishing. Someone paid someone at a mobile company $50 to swap her cellphone SIM. He took her phone number. So much for two-factor authentication.

He owned her life. He could own yours too. Just. Like. That. Nobody wants to talk about it, the popular press aren't interested and for $50 your life is gone. Poof.

It was eye-opening to walk through the process with this woman, trying to put her life back together, locking down valuable assets: her bank account, mortgage, pharmacy and medical and professional online accounts, and on and on through every detail of her existence.

After some hours spent on the phone, late night for us both, she suddenly realized a sad truth, and broke down crying. 'Am I safe?' she asked. She was alone, thousands of miles away. I had no way to know, no way to protect her from an attacker who had proven capable of severing a foundational lifeline, her phone, and identity, at will. So I lied, and told her she was absolutely safe, then stayed on the line until I fell asleep.

The reality of the impact on her life was disgraceful and profound; the incremental incursions so complex and intertwined unappreciable until wrested from one's grip. Her Hotmail, Twitter, Gmail, Facebook, Snapchat and Instagram accounts were devilishly difficult to re-attain, despite my having highly-placed colleagues in most security departments to whom I had made calls. The response to a victim would be embarrassing, if it existed. Nay, nothing more than a collective yawn was issued by all, save for those companies, two of them, from whom she had purchased connectivity and hardware. They let her call. They heard her voice, distraught, confused and angry. A price too dear according to the logic of a business plan that drives free services; thus free too from messy distraction by outsourced firewall and webpages with a common friendly tone but unmistakably focused in having the customer, user, rather to go away, as quickly and far as is possible.

I've attended security conferences regularly since 1998, where we mutter self-reassurances and work hard on standards and papers and high-flying concepts that work, sometimes, utter bon mots about cross-organizational initiatives that demand our presence, and are always somewhere cool "No, no, not my motivation, I swear, didn't you hear me just now? I was saying, braying really, that Business was sold out and at great personal sacrifice, flew here *economy plus*! The horror!" It is our wont to pay lip service to this standard or that, never missing a chance to virtue signal about one's service to the community, without an inkling of how confusing it is to a normal human being that you cannot simply call a place and get your account back. What? Is she mad? No, her login to countless ancillary services is based on a social media login. Which is tied to a compromised email. Which was changed to 2FA to the attacker's burner phone. Ya know, so really, she does need her account back and photo ID and a bank letter isn't good enough for an over-worked out-sourced staffer half a globe away and even further in terms of caring.

Online help? An obscene joke, so broken: submit documents, someone reviews them and denies a legitimate request with a curt 'no', 'no' with no rationale, No upon which follow-ups are ignored: it is clear no-one in authority has actually tried them recently. It looks good on paper but let me tell you — it is a morass to rival the bogs of Scotland, so acutely byzantine, it would be home to any self-respecting Minotaur. The experience suffered by users so insanely frustrating one wishes to become that mythical beast so as to sup on the innards of the middle management dweebs who are bonused for its horrid, terrifying deployment and maintenance.

It was base abandonment and abjuration of the industry's responsibility to their customer. And don't give me that hooey about 'you are the product being sold' on some platforms. That is cynical, and to a degree true, but that does not absolve anyone of their fundamental responsibility to the users of a network or service.

Nor should you get me started on the subject of companies downsizing their abuse and security departments so often we in the security community begin all too many conversations with 'I know we are a cost center'. Talk about Stockholm Syndrome!

Stop apologizing for what we do. We are an essential service tasked with protecting people from more threats than could possibly be imagined, let alone fathomed. It's so bad, I attribute anyone's continued use of 'the net' to collective insanity.

Sadly: Seriously. There are hosting providers and registrars who have pared staffing to the bone and beyond, discouraging good staff with arbitrary downsizing, and promoting the dim and incompetent to put a handsome face on an ugly problem: At one of the largest and most threat-fraught services, word on the street is their abuse ticketing queue dates back SIX MONTHS. Time to flush and start fresh, folks.

The Internet, once a trifling plaything, is now fully integrated into a vast number of people's lives, thus disruptions have serious real-life consequences. Nascent technologies are democratized with blinding speed — a $70,000 4K screen costing less than $1,000 little over a year hence; Virtual Reality from thousands to hundreds in less than that. But, the rush forward is insanely blind as IoT and Augmented Reality seem poised to make the two-week hellscape my friend endured, a typical ID Theft in final measure, a tempest in the tiniest of teacups. Ransomware has disrupted medical services. What happens when someone hacks the neural network of AR subscribers to a popular entertainment stream piped straight to an always-on sub-cutaneous implant receiver? Same as it ever was. Same as it ever was. We'll deal with security ... later.

Personally, I think we should tap the brakes (decidedly faster than the self-driving Uber), and make some decisions as to realistic but irrevocable expectations of this place we call home, this thing of ours. You don't get to freaking sell our personal information without us having informed express consent. The same kind of informed express consent some of my gender apparently seem to think is optional, to their long over-due peril I am glad to say.

There is an often-justified skepticism of government, but by the same token, CASL, Canada's spam law, and the EU GDPR came about because of rampant, systemic abuse of fundamental human rights. Shame on those responsible. You acted like jerks, or failed to act, at the expense of us all. Breaches unspoken. Marketing based upon personal details we aren't aware of. Basic technologies left fallow so long network time and SSL needed emergency efforts to sustain them; a collapse of either so dire a situation it could not possibly be overstated. This exploitation is common to all humanity, but one with hens that will come home to roost without fail, besides which, they bought a trebuchet while on their last trip to Ibiza.

This inter-related network is not a simple marketing opportunity, despite what you've been told. We are here because of the humanity, the art, jokes and cat pictures. Those are what is precious and worth protecting. When I spoke face to face in a virtual room with a friend in another city last week, I felt the way I hadn't in a long while, a familiar sensation.

It was first and best described by the great Arthur C. Clarke in 1962. Ironically, in an essay entitled "Hazards of Prophecy: The Failure of Imagination" which I suppose is a charge levelled fairly about this piece and its predecessor. I'm not innovative, I speak the obvious, nicely at times.

I am, of course, referring to law the third: Any sufficiently advanced technology is indistinguishable from magic.

My Oculus Go made me feel like the first time I used NCSA Mosaic. Wonderment, and pure unbridled joy. We are a lovely race when we put our minds to it. See you at the bottom of the Mariana Trench!

Written by Neil Schwartzman, Executive Director, The Coalition Against Unsolicited Commercial Email - CAUCE

What Happens If Two Applications for a New gTLD Are a City and a Family Name?


When applying for a new gTLD, what happens if two applications for the same extension are a city and a family name? Which one wins?

Let's imagine that a person whose family name is "Marseille" applied for the .MARSEILLE new gTLD in the next round of the ICANN new gTLD program. What if there was a .MARSEILLE new gTLD too but as the name of the French city?

When the Family name is the name of a city

Even if the ICANN new gTLD applicant guidebook did not allow persons to submit an application in the first round, anyone could create a company using his or her family name and submit his application: this was perfectly legal and will probably remain like this in future rounds of the program.

Note that there is an existing case: it is known that one applicant applied for his first name and family name as a new domain name extension in the first round of the ICANN new gTLD program: it is the .RICHARDLI new gTLD.

Now: what happens when your family name is the name of a city?

"Marseille" is a famous French family name

A friend of mine's family name is "Marseille" and I wondered what would happen if he created a company named "Marseille" — or if he trademarked his family name like I did — and decided to submit a new gTLD application in the next round of the ICANN new gTLD program. Such an application could receive an objection from the French city of Marseille or he could object to the city's application too but — precisely — what could happen in such case of a conflicting geo/family application?

Some experts answered the question:

1) John McCormac from HosterStats.com (the biggest domain and webhosting statistics site):

"That's a legal question but I would think that the rights of the city could take precedence unless there is a lot of strong IP/TM rights supporting the family name application. The city may be able to object but there may be multiple cities sharing the same name with families. And then it may come down to which city is oldest. Think Paris, France versus Paris, Texas".

2) Dirk Krischenowski from dotBERLIN GmbH & Co. KG (the .BERLIN registry):

"If you apply the rules of the 2012 AGB (we don't know to which extent the 2020 AGB may have changed in this respect) the answer for family names that match capital city names is clear: you need a letter of support or no-objection from the relevant city authority.

If the applied-for family name is a city name but no one, even not ICANN's geographic names panel, objects the application may go through smoothly. If you search at www.geonames.org for instance for Monash, Norton, Lancaster and many other .brand applications you will find names of municipalities with the same name. But all the applications were going through, the same of many generic term gTLD.

And then there is a large grey zone where there had been not many cases (like .spa) where the city objected but was not found by ICANN to fall into the geographic names category.

I hope I could give you guidance to your question."

3) Roland LaPlante, Senior Vice President and Chief Marketing Officer Afilias (multiple registry for 20 new gTLDs):

"The issue of geo-names such as city names is currently under active discussion in the Government Advisory Committee and other stakeholders in the ICANN community. I expect that, in the event of a conflict between an individual and a city, the city would win. This is because the city will usually have become the official owner of the name in some manner (e.g. in the ISO3166 list), and the official list trumps other claims. Further, if the city does not apply and the individual does, the individual must get permission from the city to proceed with the name."

Written by Jean Guillon, New generic Top-Level Domains' specialist
