France's data privacy watchdog has fined Google 50 million euros ($57 million) under the European Union's General Data Protection Regulation (GDPR) making it the most significant regulatory enforcement action since the law came into effect in May. The National Data Protection Commission (CNIL) says Google was fined due to "lack of transparency, inadequate information and lack of valid consent" in its ad personalization service. More specifically, the group has identified two violations:

— A violation of the obligations of transparency and information: "the general structure of the information chosen by the company does not enable to comply with the Regulation. Essential information, such as the data processing purposes, the data storage periods or the categories of personal data used for the ads personalization, are excessively disseminated across several documents, with buttons and links on which it is required to click to access complementary information..."

— A violation of the obligation to have a legal basis for ads personalization processing: "The company GOOGLE states that it obtains the user's consent to process data for ads personalization purposes. However, the restricted committee considers that the consent is not validly obtained..."

Google says: "People expect high standards of transparency and control from us. We're deeply committed to meeting those expectations and the consent requirements of the GDPR. We're studying the decision to determine our next steps."

U.S. Sen. Roger Wicker, chairman of the Committee on Commerce, Science, and Transportation, announced today that it will convene a hearing titled, "Policy Principles for a Federal Data Privacy Framework in the United States," on Wednesday, February 27 to examine what Congress should do to address risks to consumers and implement data privacy protections. The Commerce Committee exercises jurisdiction over the Federal Trade Commission, the primary overseer of consumer privacy and information security protections.

— Wicker: "It is this committee's responsibility and obligation to develop a federal privacy standard to protect consumers without stifling innovation, investment, or competition. As we continue to examine this critically important issue, I hope this first hearing will offer valuable insights that will help set the stage for meaningful bipartisan legislation."

— Noteworthy: John Eggerton of Multichannel points out there has been no privacy framework adopted for edge providers… "But both ISP and edge privacy are implicated by the growing Internet of everything at the speed of Docsis 4.0 and 5G."

US Congress asked to develop an internet data privacy legislation similar to the EU's General Data Protection Regulation (GDPR) to enhance consumer protections. The report was produced by the United States Government Accountability Office (GAO), a bi-partisan government agency that provides auditing, evaluation, and investigative services for Congress. ZDNet on Friday reported: "The House Energy and Commerce Committee, which requested the GAO report two years ago, has scheduled a hearing for February 26, during which it plans to discuss GAO's findings and the possibility in drafting the US' first federal-level internet privacy law. If the committee's members would be to follow GAO's conclusions, a GDPR-like legislation should be coming to the US."

Ontario Liberal Member of Provincial Parliament (MPP) Michael Coteau has introduced a bill to enable consumers and independent professionals to repair brand-name computers and phones easily and economically. Jordan Pearson reporting in Motherboard: "Manufacturers make it incredibly difficult to repair our broken devices ourselves. Instead of taking a smashed phone to a local repair professional for an affordable fix, a complex matrix of trade secrets and government intervention often means consumers have to make a pricey trip to the Genius Bar or buy a new device entirely. This is bad for your wallet, but also bad for the planet. ... On Thursday, Coteau introduced a private member's bill in provincial parliament that, if passed, would be the first 'right to repair' law for electronic devices in North America. More than a dozen US states are currently considering similar bills, but nothing is on the books yet in the US or in Canada."

The Repair Association, non-profit group advocating the right to repair movement in the U.S. emphasizes the need for such laws stating: "The presence of technology parts in modern equipment has enabled manufacturers to reduce access to repair by proclaiming that repair might violate their 'Proprietary' rights. This is a marketing ruse and not grounded in law. Manufacturers do not have any rights to control property beyond the sale. Limitations on repair have become a serious problem for all modern equipment that also limits how equipment can be traded on the used market."

It is argued that the template for Right to Repair is similar to laws applied to the U.S. auto repairs agreed by the auto industry in 2012 (and later adopted by Commercial Trucks industry in 2015) in support of independent repair.

Thailand's military-appointed parliament on Thursday passed a controversial cybersecurity law which gives sweeping powers to state cyber agencies. Reuters reports: "The Cybersecurity Act, approved unanimously, is the latest in a wave of new laws in Asian countries that assert government control over the internet. Civil liberties advocates, internet companies and business groups have protested the legislation, saying it would sacrifice privacy and the rule of law, and warning compliance burdens could drive foreign businesses out of Thailand." The legislation will allow the military-led National Security Council to override all procedures with its own law at any time when a cybersecurity event reaches critical levels. Internet freedom activists call the legislation a "cyber martial law."

Irregularities surrounding O.COM RSEP reveal coloring outside the lines.

Let's take some crayons and draw a picture of the current state of affairs regarding single-character domain names (SCDNs), and specifically O.COM.

During the public comment period for the current O.COM RSEP, ICANN's own Intellectual Property and Business constituencies recommended implementation of rights protections mechanisms (RPMs) for intellectual property, including Sunrise and Priority Access periods. It is curious that such hard-won protections are being so easily set aside by Verisign and ICANN.

No matter, however, because this isn't just about trademarks. This is also a simple issue of internationalized domain names (IDNs). We can forego the finer points of trademark law, because Verisign has, since at least July 2013, been unequivocal in the commitments it has made numerous times in correspondence with ICANN, in response to questions raised by financial analysts during quarterly earnings calls, and which can still be found — in living color — on their website blog today:

Use Case No. 2: John Doe does not have a registration for an IDN.com second-level domain name. John Doe registers a second-level domain name in our Thai transliteration of .com but in no other TLD. That second-level domain name will be unavailable in all other transliterations of .com IDN TLDs and in the .com registry unless and until John Doe (and only John Doe) registers it in another .com IDN TLD or in the .com registry.

The blog goes on to helpfully explain that VeriSign's objective with this strategy is to avoid cost and confusion and will benefit the community by creating "a ubiquitous user experience." Ubiquity appears to have a different meaning here.

Just for fun, let's apply Use Case No. 2 to the facts at hand regarding the single-character "O", replacing John Doe with First Place Internet and substituting Hebrew for Thai.

First Place Internet does not have a registration for O.com second-level domain name. First Place Internet registers O in the Hebrew transliteration of .com but in no other TLD. O will be unavailable in all other transliterations of .com IDN TLDs and in the .com registry unless and until First Place Internet (and only First Place Internet) registers it in another .com IDN TLD or in the .com registry.

Since it seems that there might be a number of different ways to look at this predicament, let me break it down, super-simple style:

Want this to be a trademark issue? Then First Place Internet owns USPTO Registration Number 1102618 which is active and, having been registered in 1978, is older than I am.

Want this to be an IDN.IDN issue? Then, at precisely 2018-07-31 T14:29:51Z, employing its validated Trademark Clearinghouse SMD file for its U.S. Trademark # 1102618, First Place successfully registered VeriSign's Hebrew o.קום (o.xn--9dbq2a) IDN domain name in VeriSign's Sunrise Period.

Want this to be about an open and transparent DNS? Read VeriSign's words and then get acquainted with the United States Federal Trade Commission and the U.S. Securities and Exchange Commission.

We have rules in America that intend to ensure a level playing field — that seek to even things out between a rich, powerful and dominant industry player and its competitors and consumers. First among these is something my grandfather taught me when I was a little boy (still younger than USPTO Reg. No. 1102618): a person lives up to their commitments. Years of mandatory annual compliance training provided by the publicly-traded corporations that I've had the privilege to work for reinforces the significance of commitments made publicly in correspondence to a so-called regulator, to investors and analysts during quarterly earnings calls, and to an unsuspecting public in policy stated on the corporate website.

Over the years, I've learned — sometimes the hard way — that this rule means having to do something I didn't want to when I misspoke and then had to make it right.

If this auction proceeds and Verisign is permitted to color outside the lines by welching on commitments it has made and that can still be found on their website today, then multi-stakeholder governance will have failed — not to mention any sense of fair play — and the image of an open and equitable DNS dies by the auctioneer's gavel.

Maybe it's appropriate and relevant to ask: Is Verisign's trademark — USPTO Registration Number 3060761 for "It's a Trust Thing" — dead from discontinued use?

Written by Greg Thomas, Managing Director of The Viking Group LLC

From the copy of the House and Senate Democratic bill passed by a vote of 232-190 today.

The US House of Representatives just passed the Save the Internet Act of 2019 on a vote of 232-190. The bill will now be in the hands of the Senate, where Republican leaders have already warned it is "dead on arrival." The other roadblock facing the bill is President Trump. Ella Nilsen reporting in Vox: "Trump has said he will veto the bill should it make it to his desk. Senate Majority Leader Mitch McConnell called the bill 'dead on arrival in the Senate' and will likely decline to bring the legislation up for a vote as a result."

— The bill Democrats passed in the House today, the "Save the Internet Act of 2019," is a three-page long effort to undo the FCC's 2018 repeal of net neutrality rules. It also aims to embed the rules into law, making it difficult for a future FCC chair to undo them.

— "This bill should not and will not become law," says Ajit Pai, the chairman of the FCC, in a statement after the bill's passage today. "This legislation is a big-government solution in search of a problem. The Internet is free and open, while faster broadband is being deployed across America."

There are some who see the regulation of social media platforms as an attack on the open internet and free speech and argue that the way to protect that is to let those platforms continue to self-regulate. While it is true that the open internet is the product of the same freedom to innovate that the platforms have sprung from, it is equally the product of the cooperative, multi-stakeholder organisations where common policy and norms are agreed.

These organisations exist at almost every layer of the internet. At the physical level, we have the IEEE, the ITU-T sets standards for encoding, at the protocol level the IETF, for web standards, we have the W3C, IP addressing and routing is covered by the RIRs, and domain name policy by ICANN. Without these organisations, and without their adoption of some form of multi-stakeholder, cooperative approach, the internet would not have happened. While these organisations were established with a narrower, technical remit, they have mostly recognised the need to deal with issues of security and trust and have developed policies accordingly.

However, and this is a big however, nothing like this exists for social media platforms, either at the technical level of interoperability of data or the more important level of policy. This might not matter so much if it were not for some of these platforms growing so large and their actions so powerful, that they are having a significant impact on global society.

So, the first question is, how are effective policies for the social media industry as a whole going to be developed and adopted? There's no doubt now that this will not happen in any reasonable timescale through self-regulation and public pressure.

Will they instead cooperate as part of a multi-stakeholder process to create standards and norms that address the serious issues of security and trust that affect them? Given that the behaviours that cause these issues of security and trust, are the very same behaviours that drive the growth of these platforms, I think that is also very unlikely.

With these issues deserving of urgent attention, that leaves government regulation as the only way now to address them and protect all of us from the adverse impact these platforms are having. Ideally, that regulation would be to force the social media platforms to follow the rules of an open, cooperative, multi-stakeholder organisation where they can participate along with all other stakeholders. That would be the way of the open internet. If this is not possible, then more specific legislation is needed otherwise more general legislation will probably appear, such as hate speech laws, which will actually threaten the open internet rather than support it.

The second question, is what exactly are these critical issues of security and trust that need industry policy controls in place? What are the issues that the social media platforms have proven to us they cannot be trusted to fix themselves as quickly as required?

The first place to start is with content recommendation algorithms, which we now know are causing radicalisation, hatred and violence by recommending extreme content to promote maximum engagement. If that's news to you then the quick primer is that the platforms have algorithms that look at which users are most engaged and which content triggers that engagement, and the algorithm then promotes that content to anyone it can. The sad fact is that the content of hate, outrage and conspiracy theories generate strong engagement and so for some years the algorithms have been recommending that content, while the platforms have either ignored or been oblivious to the harm caused.

As these algorithms are crucial to the growth that these platforms rely on, they are not going to radically overhaul them voluntarily. Left to their own devices the platforms would rather tackle the problem at the edges, e.g. a complaints mechanism for the most extreme content, rather than prevent the problem in the first place and forgo the growth.

The next pressing issue is that of multiple sock-puppet accounts and bots that are created to suggest a far larger number support a particular idea than really do and so influence others by deception. We know that the social media platforms know which these accounts are, in some cases they directly enable them through their APIs and commercial models, but we also know that their commercial success depends on their headline user numbers and a mass cull that hits those numbers hard is not in their interests. They will continue to carry out small culls every now and then to feign interest but never enough to spook the markets.

A longer running issue is how data is shared and resold and what visibility and control people have of that. If there's one thing we should have learned from the Cambridge Analytica scandal, it is that there is layer upon layer of denial here that no amount of self-regulation will ever prevent. In this specific case, full exposure and public outcry had only a limited effect, whereas the threat of EU fines was taken far more seriously.

Another area of increasing importance and little prospect of being addressed by self-regulation is that of undisclosed advertising by "influencers" and "brands", commercially facilitated by the platforms. In the regulated media world this was addressed decades ago for well-understood reasons, and we should be applying exactly the same rules to social media.

Last of all, for now, we have the burning question of who is a "fit and proper person" to run such a company, which is a test that many countries apply to a range of activities including traditional media ownership. It is about time that the same test was applied to social media platforms taking into account all the previous scandals the current set of founders have overseen.

To conclude, at the other layers of the internet the multi-stakeholder standards/policy organisations act as an important control mechanism. The absence of such an organisation for the social media platforms means an out of control industry. The best outcome would be for the platforms to self-regulate through an open multi-stakeholder process but that seems utterly remote. The only way forward now is legislation either forcing them into such a process or tackling a small set of the most urgent issues of security and trust and so pre-empt much broader and potentially damaging legislation.

Written by Jay Daley, Chief Executive of the .nz registry

Celebrating the 30^th anniversary of the internet Berners-Lee, the father of the internet, reiterated his suggestion for a radical change, which would improve the functionality of the internet for the benefit of society.

He suggests a sort of refoundation of the web, creating a fresh set of rules, both legal and technical, to unite the world behind a process that can avoid some of the missteps of the past 30 years. While this most certainly would be an excellent development, I am rather pessimistic about a rapid implementation of such a radical change. Nevertheless, his plan contains many possibilities that are worth looking at, to see what we can do in our 'muddling on' process to make changes for the better.

Calling it the 'contract for the web,' Berners-Lee said:

"Generations before us have stepped up to work together for a better future. With the Universal Declaration of Human Rights, diverse groups of people have been able to agree on essential principles. With the Law of Sea and the Outer Space Treaty, we have preserved new frontiers for the common good. Now too, as the web reshapes our world, we have a responsibility to make sure it is recognized as a human right and built for the public good."

Very few of us would have been able or be in the position to create the internet, but all of us can help in shaping it. The internet reflects humanity; it is a mirror of our society, the good things, and the bad things. For the first 15 years of its existence, it has shown us all the good things it has to offer, over the last 15 years it unfortunately also started to show the uglier side of our society. However, it is up to us to collaborate and ensure that as many as possible of the bad things are being tackled and eliminated, together (people, government and businesses) can do this.

I most certainly agree that what we need is more positive government involvement and a radical change from the current market-driven neoliberal approach. While I am all for free market developments, at the same time we also need to acknowledge that some of the structures are now faltering and, rather than burying our heads in the sand, we should acknowledge this. And, yes, legislation for the digital age will be needed to get us back onto a more robust democratic path. This is needed if we want to stay competitive, innovative, and to maintain a free and open society that protects people's individual rights.

However, the new way forward should be based on a contract between people, business and the government — 'people' being a critical addition here to similar contracts in the past. And the internet allows this to happen.

Each group will have to play its part in this new digital environment. Shareholder-driven short-term profit strategies should be replaced with strategies based on broader stakeholder values.

Positive developments here are that staff in large hi-tech companies are standing up against the short-term profit-driven strategies; we are seeing the 'Me Too Movement,' and schoolchildren taking a stand for better policies to address climate change. We also see companies investing heavily in renewable energy, despite government policies in many countries that still support the old fossil-based industry lobbies.

A key problem with our political system is that it is far too short-term-based. It often acts on a whim, looking at immediate issues as they crop up and addressing these with bits and pieces of hasty, unconnected regulations and legislation. All these pieces together create the notorious red tape, which then becomes like a bowl of spaghetti that cannot be untangled.

What they should do instead is take time, think things through and develop long-term policies and strategies. What we need is far more visionary leadership. While there are many examples around the world of this short-termism, with policies being made on the run, in Australia we can point to, for example, the NBN broadband policies, energy, and climate change issues and the current shocking policy-making mess around cybersecurity.

So, change is desperately needed to rebuild trust in our social, economic and political systems. This needs to be a collaborative effort and digital technologies can assist here. There is growing evidence that we are building mass in our society that could form the base from which we can work together. What is needed in order to achieve this is progressive government leadership to facilitate these developments in a more unified and structured way, providing the foundation for a more digitally-based democracy.

The internet itself is an example of global collaboration. It is not owned by any individual, business or government. It is 'owned' by millions, if not, billions of people and organizations. It can function therefore as a model for the above-mentioned concept of 'contract' arrangements.

As I have mentioned in the past, I also see (smart) cities as an ideal platform for such developments. Building from the bottom up will be much more manageable, rather than trying to take the top-down approach. The challenge will be scaling this, and I do have personal experience here of how difficult it is to get smart cities working together. Furthermore, there's also, of course, the need for more collective action to address larger problems such as for example, national security and climate change.

The digital transformation that is taking place in many organizations is creating the conduit for much better collaboration, and we are learning fast. We already see far more equal cooperation between employees and employers, customers and business, and between citizens, bureaucrats, and politicians. The internet has changed and has led to the destruction of many of the old structures — both for better and for worse. But on the positive side, it has changed the way we interact within society. And this can be further exploited for more collaboration.

We are also learning that we must address the darker side of the web, and while this is receiving a great deal of (media) attention, we need to put it into perspective. Certainly, digital developments are producing challenging issues such as privacy, cybercrime, cybersecurity, but I would dare to conclude that so far the benefits of the digital transformations outweigh the negatives.

Concentrating on the positive, we should continue to use the internet for more and better collaboration and create opportunities for all parties to transform and take an equal share in working for the common good. This is essential if we want our societies and economies to prosper.

Written by Paul Budde, Managing Director of Paul Budde Communication

APRIL 25, 2019 / Canada’s federal privacy commissioner Daniel Therrien in a news conference expressing dismay on Facebook's response to investigation findings.

The Canadian government released a statement saying "Facebook committed serious contraventions of Canadian privacy laws and failed to take responsibility for protecting the personal information of Canadians." Following Facebook's Cambridge Analytica scandal last year and despite its public acknowledgment of a "major breach of trust," Office of the Privacy Commissioner of Canada says Facebook disputes Canada's investigation findings and "refuses to implement recommendations to address deficiencies."

— Sanctioning power: "Facebook's actions point to the need for giving provincial and federal privacy regulators stronger sanctioning power in order to protect the public's interests. ... The ability to levy meaningful fines would be an important starting point," says B.C. Information and Privacy Commissioner Michael McEvoy.

— How it all started: The complaint that initiated the Canadian investigations was the surfacing of reports revealing Facebook had allowed an organization to use an app to access users' personal information. The investigation found Facebook in violation of several federal and B.C. privacy laws.

— See you in court, says Canada: "The Office of the Privacy Commissioner of Canada plans to take the matter to Federal Court to seek an order to force the company to correct its privacy practices."

The UK government on Wednesday announced plans to introduce new laws for internet connected devices to better enforce the inclusion of basic cybersecurity features into IoT devices. Measures will include labeling requirements — from the press release: "The Government will be consulting on options including a mandatory new labeling scheme. The label would tell consumers how secure their products such as 'smart' TVs, toys and appliances are. The move means retailers will only be able to sell items with an Internet of Things (IoT) security label."

— The government has narrowed its plans to three security requirement: 1) IoT device passwords must be unique and not resettable to any universal factory setting; 2) Manufacturers of IoT products provide a public point of contact as part of a vulnerability disclosure policy; 3)
Manufacturers explicitly state the minimum length of time for which the device will receive security updates through an end of life policy.

— Mandating retailers: Also considered is mandating retailers "to not sell any products that do not adhere to the top three security requirements of the Code."

Last year Europe imposed GDPR, arguably the world's toughest standard for data privacy and now, a year later, there has yet to be any enforcement action against a big tech firm. Data-privacy experts and regulators are pointing their fingers at Ireland — the designated lead enforcer. In a Politico investigative report, Nicholas Vinocur writes: "Despite its vows to beef up its threadbare regulatory apparatus, Ireland has a long history of catering to the very companies it is supposed to oversee, having wooed top Silicon Valley firms to the Emerald Isle with promises of low taxes, open access to top officials, and help securing funds to build glittering new headquarters." Loopholes? Almost a year later, privacy experts, data watchdogs, academics and regulators in other countries are increasingly concerned that GDPR has significant loopholes.

This essay expands a talk presented at the 27th Fordham International IP Conference on April 26, 2019.

Trademark owners (and here I'm talking about those with U.S. registrations even if they are foreign entities) have a choice of forum for challenging alleged cybersquatting domain names. They can either sue in district court under the Anti-cybersquatting Consumer Protection (ACPA), or get a quicker and less expensive result by filing a complaint and asserting a claim under the Uniform Domain Name Dispute Resolution Policy (UDRP). But to get to a quicker and less expensive result everything about the process is accelerated, and this begins with drafting the complaint.

Those who litigate for a living know that complaints filed in courts of competent jurisdiction essentially put adversaries on notice of an alleged claim. It does not have to include evidence for the claim, although allegation must be drafted carefully to avoid dismissal for an insufficient factual foundation for the relief. To take one recent example under the ACPA, Emerson Elec. Co. v. Emerson Quiet Kool Co., C.A. No. 17-1846-LPS (D. Del., 2019) (<emersonquietkool.com>) the court dismissed the complaint but granted permission to amend it. Absent factual allegations that support a "reasonable inference" of bad faith intent the claim is vulnerable to dismissal. In the Court's words

[Plaintiff claims that] Defendants registered the Infringing Domain Name with the bad faith intent to profit from the goodwill Emerson Electric has developed in the EMERSON Marks ... However, Plaintiff's allegation is merely a conclusory, speculative, bald assertion, lacking any "factual content" to support a "reasonable inference" of bad faith intent.

Emerson's experience could very well have been replicated under the UDRP, except that under the UDRP the mark owner would not have been invited to amend the deficient complaint. For trademark owners and their representatives, this point should be burned into their minds.

What is unusual about the UDRP, and this is what I want to bring to your attention is that there is imposed at the pleading stage of this administrative process a demand that the parties include proof (not simply allege the right factual predicates for the requested relief). It is critical to the point that if a proof is omitted, the complaint is incurable since there is no second chance under the UDRP as there is in court. This is aptly illustrated in Wix.com v. Domain Admin, Privacy Protect, LLC (PrivacyProtect.org) / Luciana Gomes, D2019-0264 (WIPO March 20, 2019). The complainant failed because it "has alleged no facts (and provided no evidentiary basis) on which the Panel could conclude that Respondent targeted Complainant's WIX mark [with <wixlinks.com>] and used it in bad faith within the meaning of the Policy."

Unless complainant can marshal sufficient evidence of cybersquatting to support its contentions its claim will be denied, and its complaint dismissed. No legal theory awards relief to the trademark owner for having a registered or unregistered mark without proof that the domain name was acquired in bad faith and is being used in bad faith. The point is made in Dr. Muscle v. Michael Krell, FA1903001833036 (Forum April 19, 2019) (<drmuscle.com>). Even if Respondent lacked rights or legitimate interests, there is no proof of bad faith use.

Instead of labeling the initiating pleading in a UDRP proceeding as a complaint, it would be more correct to call it a motion for summary judgment. If we think about the pleading in this way, we will immediately apprehend that a bare complaint will never do.

Yet, surprisingly, there is a small but steady number of cases in which parties or their representatives lose their claims for want of understanding the requirements of the UDRP. Generally, proof is easier with the well-known and famous, but as marks decline in composition to dictionary words and descriptive phrases, the burden grows heavier. The reason for this is that dictionary words used as trademarks do not lose their common function as dictionary words, and as such are capable of multiple associations unconnected with any particular mark. Whatever reputation a mark may have in the present is not probative of its reputation at the time of the registration of the domain name. In Brooksburnett Investments Ltd. v. Domain Admin / Schmitt Sebastien, D2019-0455 (WIPO April 16, 2019) (<incanto.com>) the Panel noted

The fact that the complainant now holds numerous trademarks in many countries does not mean that the Complainant's INCANTO mark is necessarily "world-famous," much less that it was "recognized throughout the world" at the relevant time, 16 years ago, when the Respondent registered the Domain Name.

Although trademark owners have a quicker and less expensive route to having domain names canceled or transferred under the UDRP, their claims must be properly presented. Quicker translates to the difference between forty days for a UDRP decision and one or more years for a Court decision. In several recent ACPA actions, just as an alert to owners thinking of going that route, owners have endured at least a year for a decision, In Advance Magazine Publishers, Inc. v. Tinsley (E.D. Mich., March 2019) (involving legacy TLDs, cybersquatting and trademark infringement) Plaintiff got its injunctive relief for the domain names, however, the cost for getting that result would likely have been significantly greater than the benefits. The domain names could have been silenced more quickly with less cost under the UDRP or (for new gTLDs) the Uniform Rapid Suspension System (URS) (a rights protection mechanism that delivers an even more rapid injunctive takedown for domain names in the new gTLD spaces). If trademark infringement is really an issue, it can be prosecuted separately after suspending, canceling, or transferring the domain nameS.

However, moving for summary judgment calls for a more deliberative approach to pleadings. There must be allegations supported by sufficient concrete evidence, and it must be argued and presented properly.

What I mean by "presented properly" is that trademark owners must include as part of their pleadings persuasive evidence of cybersquatting. The question, then, is what must trademark owners do? The UDRP has a simple three-part structure. There is a choice of two remedies, either cancellation of registration or transfer of the domain name to complainant. The UDRP does not authorize awards of attorney's fees or damages. For that, mark owners have to go to district court.

Complainants must prove its contentions by a preponderance of the evidence, that:

1. It has standing to maintain the proceeding;
2. Respondent lacks any right or legitimate interest in the domain names; and
3. Respondent registered and is using the domain name in bad faith.

The third requirement is called a conjunctive model of liability. Unless both elements are alleged and proved, the complaint must be dismissed. The ACPA, in contrast, is a disjunctive model. If there is proof that Respondent is using the domain name in bad faith (after having registered it in good faith) the domain name will be forfeited to trademark owner or its registration canceled).

The elements and factors in each of the three limbs are:

For the first limb there are two elements:

1. that the domain name is identical or confusingly similar to Complainant's mark. If the domain name is similar but not confusing the complainant has no standing to maintain the proceeding; and
2. that the complainant has rights. The rights can be either registered or unregistered, but if the rights are unregistered or there is an application pending complainant must prove the mark had acquired secondary meaning before the domain name was registered. Otherwise, it does not have standing. An example is Air Serv International, Inc. v. Stu Willcuts, FA1902001831670 (Forum March 31, 2019) Complainant argued that <alserve.org> was confusingly similar to Complainant's <airserv.org> domain name, but failed to offer any evidence that it had a mark. Respondent did not appear.
   1. The point of standing is underscored in Caleb Marshall v. c/o Weebly Domains, FA1901001826454 (Forum March 4 2019) (<thefitnessmarchall.com>. "Mere registration of a domain name without more does not establish common law rights.")
   2. If the complainant has registered rights that accrued subsequent to the registration of the domain name, there is the anomaly of complainant having standing to maintain the proceedings but no actionable claim or remedy. The point is underscored in Mobisy Technologies Private Limited v. Ibrahim Kazanci, D2019-0273 (WIPO March 6, 2019) (. "At the time the Domain Name was registered, there simply was no BIZOM mark out there to target or infringe.")

For the second limb

Complainant succeeds by making an unrebutted prima facie case that Respondent lacks rights or legitimate interests in the domain name. It does this by alleging the following presumptive facts that are open to rebuttal:

1. Respondent is not using the domain name to make any bona fide offering of goods or services. Rebuttals include OVERSEAS CORP. v. NameTrust, LLC. CAC 102207 (ADReu February 22, 2019) (<options.events>. '[T]he evidence on record indicates that it is more likely than not that the domain name was registered in light of its dictionary meaning, for use in connection with the Respondent's link-shortening services forming part of the Respondent's domain name portfolio.");
2. Respondent is not commonly known by the domain name; and
3. Respondent is not making a legitimate noncommercial or fair use of the domain name. If the domain name resolves to an active website, complainant must submit screenshots of the website. In Bialetti Industrie S.p.A. v. Gary Valenti Inc., D2019-0190 (WIPO March 25, 2019) (. "The Complainant had to go back 18 years to find a single example of alleged appearance of a non-Bialetti product on the Respondent's website.")

If Complainant succeeds on its prima facie showing, the burden shifts to Respondent to rebut the presumptive evidence. There are three nonexclusive affirmative defenses (mirror images of the prima facie case, the positive rather than the negative):

1. respondent is using the domain name to offer bona fide goods or services; or
2. it has been commonly known by the domain name since prior to its acquisition; or
3. it is making a legitimate noncommercial or fair use of the domain name.

If Respondent successfully rebuts the prima facie case, the complaint must be dismissed. If Respondent fails to rebut or defaults, complainant succeeds and moves on to the third limb.

For the third limb there are four nonexclusive circumstances of bad faith.

They are:

1. Respondent is offering the domain name for sale to complainant or its competitors; or
2. Respondent acquired the domain name in order to prevent complainant from reflecting the mark in a corresponding domain name; or
3. Respondent is a competitor who has registered the domain to disrupt Complainant's business; or
4. Respondent is using the domain name intentionally for the purposes of commercial gain to attract Internet users to its website.

Proof of conjunctive bad faith is generally supported by the strength of the mark, the hyperlinks on the website, the plausibility of any claim of good faith, and the conceivability that the domain name can be used without infringing Complainant's rights.

The first factor is easily met. It is bad faith 1) if the Respondent solicits complainant to purchase the domain name (but not the other way around!); or 2) the website is populated with links to Complainant's businesses competitors. It is not bad faith 1) to respond to a Complainant's inquiry about the price of the domain name; or 2) populate the website with links consistent with the semantic meaning of the word or words.

The second factor is satisfied if there is evidence that Respondent's primary purpose in acquiring the domain name was related to its value as a mark rather than to its ordinary meaning.

The third element is satisfied if Respondent is a competitor and there is no justification for registering the domain name. An illustration is Toner Connect, L.L.C. v. Privacy Protect, LLC / Realogue Corporation, D2018-2829 (WIPO February 21, 2019) (<tonerconnect.com>).

The fourth factor is satisfied if Respondent's use of the domain name raises a likelihood of confusion with the consuming public. The stronger the mark the greater the likelihood that the registration of the domain name was intended to target it; the weaker the mark and its composition of dictionary words (examples "incanto" and "Dr. Muscle,", the likelier the complaint will be denied.

Even though in Dr. Muscle, supra, Respondent did not actually conduct any trademark or social media search at the time of registration, the fact the domain name is composed of common terms is dispositive:

One fact that does give the Panel some pause is that Respondent, as a domain name speculator, does have some obligation under Paragraph 2 of the Policy to ensure that his domain name does not infringe or violate a third party's rights. Respondent submitted evidence purporting to prove what a Google search in December 2018 might have shown; as discussed above, complainant persuasively refutes the accuracy of those searches. What Respondent does not say is that Respondent actually did such searches, or took any steps to meet his obligations under Paragraph 2.

That's a very brief overview of what I'm calling the evidentiary demands, which I think are significant. These observations are intended as cautionary warnings to complainants that if they fail to recognize the UDRP demands proof on the same scale required for a summary judgment motion, they will lose.

Written by Gerald M. Levine, Intellectual Property, Arbitrator/Mediator at Levine Samuel LLP

MAY 8, 2019 / FTC Chairman Joseph Simons testifying at a hearing before the House Energy and Commerce subcommittee

At hearing on Wednesday, the U.S. Federal Trade Commission (FTC) urged Congress to pass data privacy legislation and enhance its authority to police large tech companies. Some members of the House Committee on Energy and Commerce Subcommittee on Consumer Protection and Commerce advised that FTC's current enforcement system is not enough to deter big companies from engaging in harmful data privacy practices.

— Inconsequential fines are just parking tickets: "For some firms, fines are a parking ticket and a cost of doing business,” says FTC commissioner Rohit Chopra. Rep. Kathy Castor, D-Florida adds: "No CEO is going to blink an eye at a fine that inconsequential. Companies will just see small FTC fines as the cost of doing business and will continue to elevate profits over privacy."

— FTC's $5.7 million fine against Musical.ly, also known as TikTok, over alleged Children's Online Privacy Protection Act violations was less than 1% of parent company ByteDance's annual revenue.

— Compared to the UK, FTC only has 8% of the staff devoted to privacy: The agency currently has 40 employees focused on privacy cases as compared to 140 at the Irish Data Protection Commission, which oversees Facebook, Twitter and other tech companies' compliance with the General Data Protection Regulation (GDPR), and UK has 500 at its Information Commissioner's Office.

Watch the full hearing here.

In December 2018, a bill on the "stable operation" of the Russian segment of the Internet was introduced and got the title "Sovereign Runet" in mass media and among the public. It was adopted after 5 months later, despite doubts about the technical feasibility of its implementation. The law is very ambitious in its intent to simultaneously control Internet traffic and protect Runet from some external threats, but legislators still have no idea how it would actually work.

This is not the first attempt of Russian legislators to take control of the Internet within the state borders. The previous bill was initiated by the Ministry of Communications (MoC) in 2014. Then it was proposed to describe the elements of the critical information infrastructure of the Runet, to establish control over traffic exchange points and cross-border communication lines. The main element of the first bill was the creation of a state information system that contains a copy of databases with traffic exchange points, autonomous system numbers (ASN), allocation of IP addresses and routing policies. The state information system should be used by the Russian telecom operators when routing national traffic. But this "national Internet" just means making a copy of the existing RIPE NCC databases. And that makes no technical sense because the data requires constant updates to keep the actual routing information (See my recent paper "Sovereign RUnet: What does it mean"?)

The discussion of the 2014 bill continued for 2 years; a lot of amendments were made to it. The latest activity on it was observed in January 2018, when the press referred to new edits that took into account the opinion of the telecom industry. Ultimately, a kind of compromise was reached but the bill was never submitted to the State Duma for debate and approval. Instead, a new bill was introduced in December 2018 by two senators and one deputy. None of them are directly connected to the Internet infrastructure issues. Obviously, such a move was chosen to launch the consideration of the bill in the State Duma as soon as possible, and to avoid additional coordination with other relevant ministries and the security service, as happened to the MoC bill.

According to anonymous sources (former MoC employees), the main interested party in the adoption of both bills is the Security Council. In 2014, after the start of anti-Russian sanctions and problems with the operation of Internet services in Crimea, the main task was to ensure the stability and security of the Russian segment of the Internet. Other interlocutors recalled even 2006-2007, when people in the Security Council and Administration of the President were preoccupied with the likelihood of an external Internet shutdown. They took seriously the prospect that the U.S. could unilaterally disable Russia's DNS. That is why Russia had been consistently taking initiatives to transfer ICANN's functions to the International Telecommunication Union (ITU), and still continues to criticize ICANN for being a US-based corporation.

Another concern was the circulation of Russian Internet traffic. Some high-ranking officials believed that a lot of Russian traffic loops through foreign networks. This did actually happen in the early 2000s, because of the low cost of such routes and competition between ISPs. But people from the Administration, inspired by several ideologues from Roskomnadzor (RKN, the communications supervisory agency) exploited this story: loop traffic is unacceptable because foreign intelligence can spy on our traffic or snatch it and replace it with something else. Exactly the same reasons were heard from the deputies and senators advocating for the new bill in 2019, as will be shown below.

Another interested party became RKN, since this supervisory agency got very broad powers to block prohibited Internet resources in 2012. In particular, the system of blocking built by RKN created DNS vulnerabilities that are regularly exploited.1 Finally, RKN's failure to block Telegram messenger became a reputational blow for the agency. As part of RKN's attempts to execute the law, on peak days in April 2018 entire subnets of IP addresses were blocked, reaching 18 million records in the blacklist. It negatively affected the work of many third-party services and Internet businesses. So RKN's interest in a new law that empowers it to control and filter all traffic, is obvious.

What's in the adopted law?

On May 1 2019 the new law was signed by President Putin. In total, only 5 months have passed since the first introduction of the bill and only 6 more months remain until its entry into force on November 1, 2019. Amazing speed! The content and focus of law, after all the debates, is not very different from its first December draft, except for several additions. Basically, the document contains amendments to two existing laws "on Communications" and "on Information", and these are summarized and commented upon in this document.

In brief, the law sets the following:

• The main subjects responsible for stable operation of the Internet in Russia are telecom operators and owners and/or proprietors of: (1) technical communication networks (used for operations of transport/energy and other infrastructures, not connected to the public communication network), (2) traffic exchange points, (3)communication lines crossing the state border and (4) autonomous system numbers (ASN). RKN will keep registries for the last three categories. All subjects must participate in the regular exercises for the stable Runet.
• RKN will execute the centralized management of communication networks in the event of threats to the stability and security of the Runet, by defining routing policies for telecom operators and other subjects and coordinating their connections.
• Telecom operators are required to ensure the installation in their networks of technical means for countering threats to the stability, security and integrity of Internet operation on the territory of Russia. These technical means will also serve the purpose of traffic filtering and blocking access to prohibited Internet resources.
• The law creates a Center for monitoring and control of public communication networks under the RKN supervision.
• The law creates a national domain name system

The debate over the law

Based on the statements of deputies and senators during the readings of the bill (3 in the State Duma and 1 in the Federation Council), the motivation for its adoption can be summarized in several points. The main motive is that this law is a response to the latest US cybersecurity strategy, where the Russian lawmakers saw a direct threat to Russian networks in a statement to use offensive capabilities to protect US networks and interests in cyberspace. The speed of the law's adoption was justified by its critical meaning for implementation of the national program "Digital Economy" that highly depends on the Internet.

"Obviously, it is necessary to protect the digital lifestyle of Russians; in this regard, it is necessary to ensure the stability of the main services of Runet and the reliability of Russian Internet resources, and this requires a national infrastructure that can protect Runet in the event of a threat of blocking the connection to the root servers placed abroad." — Ms. Arshinova, Deputy from the United Russia party.

The co-author of the law Mr. Lugovoy, Deputy from the Liberal-Democratic Party of Russia, frightened his colleagues with the controversial case of an Internet shutdown in Syria in November 2012, which he attributed to the special operations of the US National Security Agency. Another argument to adopt the law was the analogy with sanctions by international payment systems in Crimea in 2014 when Russia had to elaborate its own national payment system "МИР" to avoid financial collapse. And finally, some deputies still believe that foreign loop traffic must be "reduced significantly" according to the "Digital Economy program."

"The bill has already been called the law on autonomous, sovereign Runet, but if you look closely at the proposed changes, there is no separation of Runet or turning it into a closed system that does not communicate with the global Internet. The bill is not aimed at isolation at all — it is about ensuring the smooth functioning of our economy and other spheres of society, and most importantly, protecting the rights of Russian citizens who adhere to the digital lifestyle” — Ms. Arshinova, Deputy from the United Russia party.

The other co-author of the law, Senator Mr. Klishas claimed that technically Russia can be disconnected from the Internet root servers. But he didn't take into account that the governance of critical Internet infrastructure requires trust and cooperation amongst all involved stakeholders. To say that American companies (namely ICANN and Verisign) can immediately "cut out" records of Russian domains by the order of the US government is a major misconception. If ICANN sets such a precedent, the credibility of this organization will be lost forever — and it threatens the resilience of the Internet as a whole if there is no authoritative center for the coordination of the domain name space. There could be a rollback to the 80-90s, when various large regional networks coexisted. If we talk in terms of American interests, this is the last thing the US government wants to do, because it directly contradicts its policy of globalization and the spread of the Internet around the globe.

Nevertheless, representatives from the opposition parties asked tricky questions and conveyed the concerns of society about the real censorship nature of the law. Firstly, they demanded that the bill's advocates name the threats from which the law is supposed to protect the Runet. The law should reflect all these threats because they directly relate to the constitutional right of our citizens to access reliable information.

"The list of threats, as the authors tell us, they will determine during the exercises — wow! Imagine, colleagues, if we were to report our bills in the following way: we do not know what will happen, we will say after the experiment, so you first pass the law, and then we will conduct exercises. Will you conduct exercises on people? You can't do that, colleagues” — Mr. Nilov, deputy form the Just Russia party.

Another point of critique was the absence of responsibility for network crashes that may happen during centralized management by RKN. The law removes responsibility from operators, but there is no transfer of it. Operators can only ask RKN about anomalies in their networks, that is all.

"Whatever this bill may be called, its main purpose is to control the cross-border information flows. What for? In order to restrict this very information, the flow of this very information — there can be no doubts or illusions. They say, all this is done exclusively for the public good — for the good it would be enough to duplicate domain infrastructure, it could be carried out even without making appropriate changes to the law, it could be done at the level of Roskomnadzor or the Ministry of Communications. So, the bill is extremely restrictive, and it is also an attempt to force the execution of those laws which we adopted earlier” — Mr. Kurinnyi, deputy from the Communist party of Russia.

By the last sentence, the deputy implied the complete failure of RKN to block Telegram messenger, as well as to compel foreign companies like Twitter and Facebook to localize the personal data of Russian citizens.

"Now we are asked to adopt in the first reading the draft law on the protection of "something from something". And where are the guarantees that the next step, which will determine the Government, will not be the transformation of the currently public Internet into such a corporate intranet, limited by the borders of the Russian Federation?" — Mr. Yushchenko, deputy from the Communist party of Russia.

Other deputies paid attention to the creation of a point of failure for the Runet — the Center for monitoring and control of public communication networks. If there is a single control center, it is easy to break it and disrupt Runet at once. Finally, deputies were angry about the budget issue. Initially, the financial justification of the bill claimed that "adoption and implementation of the Federal Law will not require expenditures from the federal budget." But then it became known that the money was already allocated to the budget of the national program Digital Economy — 20,8 billion rubles to purchase the equipment to counter threats, 4,5 billion rubles for national DNS and 5,5 billion rubles to develop necessary hard and software.

"You know, colleagues, I have not seen such a brazen and cynical bill, which you push forward, saying that it won't require even a ruble from the budget. We have a government like Nostradamus: the government, adopting the draft budget last year, already assumed that three cranks (two from the Federation Council and one from the State Duma) will introduce this year this bill, and has already saved some money for it!" — Mr. Ivanov, deputy from the Liberal-Democratic Party of Russia.

Even before the first reading happened in the State Duma in February, measures in the bill were greeted negatively by the technical community, while the broader IT industry took an ambiguous position supporting but slightly criticizing the bill. It is known that there was only one expert meeting, organized by the State Duma Committee on information policy, information technologies and communications in January. It gathered representatives from IT business and telecom, public organizations and authorities. Some transcripts of the conversations were leaked to social media. Together, of the 33 speakers, 13 were clearly against or had serious objections to the bill — the "Big 3" telecom operators MTS, VimpelCom, and MegaFon (with Rostelecom predictably supporting the bill), the Association of Computer and IT Enterprises (which represents participants of the digital economy in Russia), the Association of Documentary Telecommunication (in 2017 it conducted the study of loopback traffic in Russia and proved its insignificant share), the Technical Center of Internet, Coordination Center for TLD .RU, the Russian Association of Electronic Communications and Regional public organization "Center of Internet-technologies."

Industry was concerned with these issues:

• The "black boxes" — the technical means to counter threats provided to telecom operators by RKN — will dramatically affect the quality of communication. It is obvious from the law because operators are even immunized from responsibility for future network crashes. Also, the law does not cover the cost of their installation and maintenance, nor take into consideration the development and growth of networks — operators will have to spend billions of rubles on that, which will slow down their development and growth.
• Legislators mixed up technical and content-based threats. It is impossible to solve both problems with one "black box."
• The issue of duplication of critical elements of the Internet infrastructure and domain names has already been agreed with the industry last year. Several representatives of telecom industry recalled the bill mentioned in the beginning of the post. They were curious why legislators decided not to push the adoption of the previous bill while there was a consensus with industry, but instead invented a new document and added an ambitious aim to filter all Runet traffic.

Anyway, despite the substantial criticism, the law was adopted. Legislators couldn't provide adequate answers on the resilience of the technical means and even lied that they won't degrade the quality of communication. The recent case with Yandex illustrates the argument. In March 2019, when attackers conducted a DNS attack on several large Russian Internet-resources, one of the main victims became Yandex. That was exactly that type of attack that exploits the vulnerability in the RKN blocking system which I explained above. As a result of the attack, a few small operators blocked access to some IP addresses of Yandex, and large operators who use DPI systems to block content were forced to pass all traffic to Yandex services through DPI. It significantly reduced the speed of access to Yandex services for users. Yandex repelled the attack for several days. "The blocking of sites was avoided, but the attack did not go unnoticed: active users of the company's services noticed a decrease in the speed of access to them," the company representative said. The case clearly illustrates the perspectives of traffic inspection on a large scale in future — the equipment won't cope with bandwidth.

What's now?

What will happen during the 5 months before the law comes into force? The MoC, the Government and RKN are required to prepare 30 by-laws (you can track their readiness here) which should fill in the blind spots in the text of the law. Specifically, they will need to:

• Make a list of the threats to the Runet and the principles of centralized traffic management
• Define the technical parameters and rules governing the "black boxes"
• Define how the registry of traffic exchange points will be formed
• Define rules for providing information from operators and owners of ASN for filling in various information systems,
• Figure out how the national DNS will work
• Establish a Center for monitoring and control of the public communications network. (It is noteworthy that the resolution on its creation was signed by the Government in February 2019, before the adoption of the law. The Center should start working by January 2020.)

Concluding thoughts

Analysis of the law leaves the impression that it was written by people who do not understand the way the Internet works and are relying on a mental model of telephone communications. Moreover, they appear to blindly believe in the omnipotence of "black boxes" that will filter traffic and protect Runet from unknown threats on a national scale.

With this first impression, it seems like the law is primarily aimed at censorship under the cover of national security. Companies who don't comply with laws that require decryption or localization of users' messages, and continue to operate in Russia, such as Twitter, Facebook and Telegram, have damaged the reputation of RKN. The government cannot allow these companies to continue to fail to execute its decisions anymore.

Of course, one can agree that the resiliency of the Internet in the country is a serious concern and should be addressed in some way, but the measures offered by this law don't solve those problems; on the contrary they can degrade the quality of access and make Runet more vulnerable than it is now by centralizing management of public networks.

More likely this law will share the fate of the anti-terrorist amendments known as the "Yarovaya package," which required service providers to store the content of voice calls, data, images and text messages for 6 months, and the metadata of communications for 3 years. It came into force in October 2018, but since then none of the service providers execute data retention, simply because they do not possess the necessary equipment needed to store such enormous amounts of data. Moreover, there is still no ready-made suitable solution on the market for this purpose. And government is still fighting to establish the requirement to use only national technological solutions.

One can imagine how much work will be needed to develop the traffic management equipment to support the RKN Center for monitoring and control of public networks, and the systems supporting a national DNS. It is therefore highly unlikely that those 30 by-laws needed to clarify the technical requirements will be issued by the 1st of November 2019. On the contrary, it will probably take several years to complete.

However, the upcoming field testing of DPI solutions by RKN will gradually reveal the insanity of its idea to fully control all traffic in the country. End users and especially businesses will need to be prepared for service interruptions; "without a declaration of war," access to some "legitimate" Internet services will be denied. Well, it's good, if such problems would be immediately acknowledged by RKN and rolled back, but who will compensate the businesses for the losses? That's why optimists simply crossed their fingers, held their breath and waited for telecom to sabotage the execution of the law or find a way to comply formally on paper, without actually doing so. Moreover, there is nothing to execute yet — practical steps are awaiting to be defined in future.

Originally published in the Internet Governance Project.

Written by Ilona Stadnik, Ph.D. candidate at the Saint-Petersburg State University

With the first anniversary of the European Union's General Data Protection Regulation (GDPR) approaching in just a few days, Microsoft's Corporate Vice President and Deputy General Counsel, Julie Brill says GDPR has been an important catalyst for progress in privacy protection around the world. Since GDPR began, she tweets: "Over 18 million people have used the Microsoft privacy dashboard to control their data… including 6.7 million users from the US — the most of any country. Does this show an appetite among Americans for updated privacy laws? Yes!" In an accompanying post on Monday she notes:

"A lot has happened on the global privacy front since GDPR went into force. Overall, companies that collect and process personal information for people living in the EU have adapted, putting new systems and processes in place to ensure that individuals understand what data is collected about them and can correct it if it is inaccurate and delete it or move it somewhere else if they choose.

This has improved how companies handle their customers’ personal data. And it has inspired a global movement that has seen countries around the world adopt new privacy laws that are modeled on GDPR. Brazil, China, India, Japan, South Korea and Thailand are among the nations that have passed new laws, proposed new legislation, or are considering changes to existing laws that will bring their privacy regulations into closer alignment with GDPR.

... Now it is time for Congress to take inspiration from the rest of the world and enact federal legislation that extends the privacy protections in GDPR to citizens in the United States."

A U.S. district court judge rules that Qualcomm violated anti-trust laws and has ordered the chip maker to change some of its licensing and negotiation practices. The case brought to court in 2017 by the US Federal Trade Commission, accuses Qualcomm of illegally suppressing competition in the market for smartphone chips by threatening to cut off supplies and extracting excessive licensing fees. "Qualcomm's licensing practices have strangled competition," for years said U.S. District Judge Lucy Koh in San Jose, California who issued the decision late Tuesday night. Qualcomm told reporters it will appeal the decision and seek a stay to stop it from taking effect. "We strongly disagree with the judge's conclusions, her interpretation of the facts and her application of the law," said Don Rosenberg, Qualcomm general counsel.

MAY 29, 2019 / Song Liuping, Huawei Chief Legal Officer: US blacklisting Huawei is a "dangerous move."

Huawei has filed a legal motion in the United States federal court calling for the ban to be declared unconstitutional and deemed an assault on global human rights. During a press conference on Wednesday, Song Liuping, Huawei's chief legal officer, said the trade ban would "directly harm" American companies and affect jobs. He added: "They are using every tool they have, including legislative, administrative and diplomatic channels. They want to put us out of business. This is not normal. The fact is the US government has provided no evidence to show that Huawei is a security threat. There is no gun, no smoke. Only speculation."

— Section 889 unconstitutional, alleges Huawei: In a motion for summary judgment against the US government, Huawei has argued Section 889 of the National Defense Authorization Act, (which the Trump administration used to enforce the ban) violates constitutional rules by explicitly calling out Huawei by name. "This was a breach of constitutional rules in that Congress may not selectively punish or deprive commercial opportunities." (Washington Post) If section 899 is deemed unconstitutional by courts, Huawei will attempt to have the legislation thrown out.

— Pressure mounting: Google has suspended its business activities with Huawei including the transfer of hardware, software and technical services to comply with Trump's Executive Order prohibiting US firms from having any such transactions with a foreign adversary. This is "a huge blow to the Chinese firm, which relies heavily on Android for the smartphones it sells outside of China." (CNBC)

In a trademark context, who owns or controls, or would prevent others, from using words and phrases commonly available to speakers in a language community, is in persistent tension. While common words alone or combined may become protected from infringing uses under trademark law, their protection is contingent on factors such as linguistic choices and strength or weakness of marks in the marketplace. What is distinctive and exclusive in a trademark sense is, as with love, in the eyes of the beholder. The more common the words or descriptive phrases, the less protection from others registering them for non-infringing purposes, although percentage-wise the number of indefensible claims filed under the Uniform Domain Name Dispute Resolution Policy has been creeping up and is now over ninety percent. Defensible registrations (regardless of whether respondents appear) are now in the 5% to 7% range.

But in considering whether the use of identical or confusingly similar words or phrases is defensible (or not) we have to know what the facts are. To take two simple examples: in one, a UDRP Panel found that the non-appearing Respondent in Slingshot Transportation, Inc. v. InBok Lee, FA1904001841279 (Forum May 26, 2019)) was using <slingshot.info> "to point to pay per click links relating to slingshots the weapon," therefore the complaint was denied. In contrast, another non-appearing Respondent in Indeed, Inc. v. Mark Conway, FA1905001843197 (Forum June 10, 2019) was found to be pointing <indeedconsultant.com> (two dictionary words combined into a not uncommon phrase) to its own competing business website, therefore the complaint was granted.

The reason for insisting the "linguistic commons" not be enclosed is consistent with U.S. (and most likely other jurisdiction's) law. In Entrepreneur Media, Inc. v. Smith, 279 F.3d 1135, 1147 (9th Cir. 2002) the court held that "[a]lthough EMI has the exclusive right to use the trademark 'ENTREPRENEUR' to identify the products described in its registration, trademark law does not allow EMI to appropriate the word 'entrepreneur' for its exclusive use. The descriptive nature and common, necessary uses of the word 'entrepreneur' require that courts exercise caution in extending the scope of protection to which the mark is entitled."

The same point was made more recently by the dissent in Booking.com B.V. v. U.S. Patent & Trademark Office. No. 17-2458 (4th Cir., 2019). He stated that the decision to allow registration of BOOKING.COM "[u]njustifiably empowers Booking.com to monopolize language, thereby enclosing the linguistic commons and adversely affecting competitors in precisely the manner that trademark law seeks to forestall." The majority justified its decision by explaining that "the relevant public understood BOOKING.COM, taken as a whole, ... refer[s] to general online hotel reservation services rather than Booking.com the company" (emphasis added).

In other words, BOOKING.COM was found to be descriptive, not generic. The "common mistake" noted the court in CES Pub. Corp. v. St. Regis Publications, Inc., 531 F.2d 11 (2nd Cir., 1975) is in "failing to distinguish between 'merely descriptive' terms which can be rescued as trademarks by such proof [of secondary meaning] and generic terms which cannot be."

From the UDRP's opening cases in 2000, Panels can be seen taking care (although not without some unfortunate lapses) to reject mark owners' attempts to "enclose[e] ... the linguistic commons." The first shot at this was Allocation Network GmbH v. Steve Gregory, D2000-0016 (WIPO March 24, 2000) in which the Panel noted that

[t]he difficulty lies in the fact that the domain name allocation.com, although descriptive or generic in relation to certain services or goods, may be a valid trademark for others, so that "[a]lthough the registration and offering for sale of allocation.com as a domain name may constitute a legitimate interest of Respondent in the domain name, this is different if it were shown that allocation.com has been chosen with the intent to profit from or otherwise abuse Complainant's trademark rights.

There was no such proof of intent to profit at Complainant's expense and the complaint was denied.

A number of decisions from the 2019 docket similarly find no evidence of "intent to profit from or otherwise abuse Complainant's trademark rights." In these disputes, respondents are either operating businesses (<headkandy.com>, <sumvalley.com>, and <emsprofessionals.net>) or domain resellers (<slingshot.info>, <drmuscle.com>, <karma.com>, <cloudinsure.com>, and <rdw.com>). (As a side note, deserving further study and not further argued here, it is interesting that except for <ems professionals.net> these cases were filed with the Forum rather than WIPO, most likely because of a misimpression the Forum is more hospitable to complainants (which it generally, with exceptions, is not!). A quick review indicates the Forum currently has a slightly higher percentage of complaints denied than WIPO, but having said that the number of transfers by both providers has been creeping up. This correlates with a diminishing number of complaints against common words, descriptive phrases, and arbitrary letters filed with both providers, which is directly attributable to the emergence of a robust jurisprudence).

A recent case stands out as being (in the dissent's view) "inconsistent with the trend of decisions on generic and common language domain names." In Rosetta Stone Ltd. v. Digital Privacy Corporation / Stuart Thomas, D2018-2322 (WIPO February 27, 2019) (<rosettastone.app>) the dissent expressed his "disappoint[ment]" that "this is another decision that prevents people from registering domain names that are simply part of the common language that belongs to everyone." The disappointment echoes Entrepreneur Media. I have discussed this case in earlier essay Credibility and Disbelievability as it affects Outcomes in UDRP Proceedings. The dissent continued:

The basis for making such a claim is said by the Complainant to be Article 6bis of the Paris Convention and Article 16.2 and Article 16.3 of the TRIPS Agreement. But that is not so. Neither document justifies the statement that the Complainant's trademark rights actually prevent "any" use of the mark with "any" products "regardless of the list of the products and services for which the trademark is registered".

Accordingly, the Complainant's trademark gives it the right to use ROSETTA STONE within the terms of the trademark itself. However, it does not prevent other uses of the same expression and in particular, it does not prevent the Respondent or anyone else from showing that it has a right or legitimate interest in the disputed domain name. It also does not prevent the Respondent from showing that it did not register or use the domain name in bad faith.

The Rosetta Stone award is being challenged in an Anticybersquatting Consumer Protection Act case.

In close cases, the question of lawful registration turns on whether any of Respondent's acts were pretextual, simply taken to avoid forfeiting the domain name, or clear instances of cybersquatting. Domain names identical or confusingly similar to marks (without more) is never sufficient to overcome a persuasive reason for particular words and combinations. The issue in Sinclair Finance Company v. Nathaniel Young / SumValley, FA1903001835985 (Forum May 3, 2019) (SUN VALLEY and <sumvalley.com> registered by an operating business) was whether the registration was pretextual or not, and the Panel held it was not. The Panel found "Respondent's explanation for the selection of the business name and corresponding domain name to be entirely plausible."

In Dr. Muscle v. Michael Krell, FA1903001833036 (Forum April 19, 2019) (registered by a domain reseller) the Panel rejected Complainant's claim that Respondent lacked rights and legitimate interests in the domain name. The Panel explained that:

the components of the domain name, "Dr." and "Muscle," are common terms ... [and that] Respondent's claim [is] credible that he registered the domain name because of the descriptive nature of those terms rather than because Respondent was targeting Complainant and its trademark… Complainant has failed to rebut these assertions with sufficient evidence of the fame or renown of its app in Nebraska or in the United States generally, nor has Complainant adduced any evidence that would support a finding that Respondent likely was aware of Complainant or its app or its DR. MUSCLE trademark at the time he registered the domain name.

When we turn to respondents forfeiting domain names composed of common words (alone or combined) we have to ask what has the Complainant submitted in proving its case? And what Respondent lacked in rebutting the proffered evidence? Two factors top the list, namely website content and credibility based on documentary evidence.

Two recent decisions (one understandable and the other not) illuminate the role of credibility or lack of it in balancing rights to domain names: T & P Holding Company, LLC v. Wendy Webbe and Ancient Holdings, LLC, FA180200 1773041 (Forum April 6, 2019) (<youareok.com>); and Charisma Brands, LLC v. Web Support / Pearl One Media, FA1903001833611 (Forum April 2, 2019) (<adora.com>). Both marks are weak; the Respondent defaulted in the first and appeared in the second.

In T & P Holding the Panel explained: "Here Complainant provides a list of prior UDRP cases decided against Respondent.... Accordingly, the Panel finds Respondent has engaged in a pattern of bad faith registration under Policy ¶ 4(b)(ii)." Respondent forfeits <youareok.com> because it "is part of that pattern and thus registered and/or used in bad faith."

The decision in Charisma Brands for <adora.com> is more problematic, since it's what I call a "one-off decision." Not only are the facts unclear on several issues, the Panel applies the wrong standard of liability. The Panel cites "precedent," but these are either unconvincing or not germane to the facts in the case. Respondent alleges <adora.com> was registered before Complainant trademark was first used thus could not have been registered in bad faith, but the facts appear to indicate bad faith use. Complainant's argument that Respondent was offering to sell the domain name to Complainant is undercut by the rebuttal that Respondent was responding to Complainant inquiring about purchasing it. If these are the facts, the complaint should have been dismissed since the UDRP is a conjunctive model of liability. In other words, the Panel applied the disjunctive standard of the ACPA. I have not heard that this award is being challenged, although if it were, there are clearly problems of trademark infringement as a separate and distinct claim from cyber-piracy.

In summing up, complainants prevail for marks composed of common words and phrases when respondents use their domain names to capitalize on complainants' reputations, but complainants have no legal or better right to prevent use by others where the proof of cybersquatting is lacking. An interesting illustration of this is L-Nutra, Inc. v. Douglas Kantner, D2019-0597 (WIPO May 29, 2019) (<longivitynutrician.com>) in which the 3-member Panel got it exactly right:

it may be possible that Respondent's actual future use of the disputed domain name could cast a different light on the Panel's assessment of Respondent's claimed rights and legitimate business purpose. Consequently, the Panel concludes that its ruling is without prejudice to Complainant potentially refiling a Complaint in the event that the use of the disputed domain name by Respondent turns out to be for a business that competes with Complainant and/or its NUTRITION FOR LONGEVITY goods and services.

It is noteworthy that a jurisprudence of domain names that emerged and developed since the year 2000, in which Panels from the start developed factors protecting the "linguistic commons", has the effect of discouraging one-off decisions. While <longivitynutician.com> may pass the confusingly similar test for NUTRITION FOR LONGEVITY it could also have been found similar without being confusing, thus failing the Paragraph 4(a)(i) test. Having a robust jurisprudence encourages predictability and consistency. This is so because as the jurisprudence strengthens earlier, well-reasoned decisions are influential in establishing the principles and factors Panels apply in determining rights. Where the linguistic commons is breached district courts or defendants themselves had vacated UDRP awards.

Written by Gerald M. Levine, Intellectual Property, Arbitrator/Mediator at Levine Samuel LLP

As it stands, legal practitioners, registrants and brand owners are forced to navigate the online landscape in fairly low visibility. However, once you acknowledge the fact that you are driving in foggy conditions, you can adjust your approach to avoid any wrong turns.

The Internet has provided an unprecedented number of opportunities while raising far-reaching legal issues. It has created a complex matrix of national laws, global circumstances and new definitions — or, at least, definitions in progress. The turmoil over Brexit and the international implications of the EU General Data Protection Regulation are signs of the times; as are issues surrounding domain names. We all initially think that we have a pretty good understanding of domain names, but once you scratch the surface and look a little closer, they still lack an official international legal definition. The fact that question marks remain regarding how domain names should be legally categorized is concerning when you think about the substantial financial value that they can hold, as well as the fact that there are more than 330 million registered domain names and almost 4 billion internet users worldwide.

This article takes a closer look at the issues relating to the definition of 'domain names,' how this ties into trademark law and, subsequently, how jurisdiction and the outcome of disputes are potentially affected.

What is in a (domain) name?

First, the role of domain names has evolved significantly since their early years. As internet usage has increased, domain names have been compared to everything from phone numbers to online real estate, aliases, and addresses. Many people agree that they must logically constitute some kind of property since there is a market in which they are bought and sold. However, exactly what kind of property they are legally, remains unclear. Are they intangible property (but without being intellectual property for that matter), tangible property, intellectual property or a combination thereof? Or perhaps they are an entirely unique kind?

Domain names are used by brands to differentiate themselves from other brands online and for consumers to easier orient themselves among goods and services on the Internet. As such, it has become increasingly necessary to view domain names as something to which certain rights are associated. But can they be regarded as identifiers in the same way as trademarks and service marks? For domain names to be considered in this way, they would need to have the characteristics and functions of these other types of mark, such as serving as an identifier of goods and services from a particular source. Trademarks are commonly registered as domain names, but there are also examples of domain names gaining the status of an unregistered mark through use and awareness. 'Amazon.com' is one example.

Further, due to the substantial commercial and financial value that domain names can hold today, another question that has been raised in a number of court cases is whether domain names constitute property that can be subject to attachment or garnishment (i.e., property that a creditor can seize from a debtor, even when the debtor does not possess the property). This question also lacks a uniform answer across jurisdictions.

Clearly defining what domain names are legally (i.e., whether they should be considered property and, if so, what kind) also gives rise to many other questions. For instance, depending on what kind of property they are, can they be seized? Who owns the domain name (is it the registry, the registrar or the registrant) and where is it located? Where something is located matters, especially when it comes to jurisdiction. Jurisdiction plays an important role not only concerning the balance between international comity and national sovereignty, but also for individuals and businesses that need predictability regarding whether their online activities make them liable for suit. In the early days of the Internet, the courts often struggled to apply traditional personal jurisdiction principles (e.g., purposeful availment, minimum contacts and a reasonable connection between the forum and the activities) in cases involving domain names and attempted to draw analogies from older communication forms such as mail and telephone. These often far-reaching applications and analogies were especially unfit to properly manage the rising issue of international cybersquatters and typosqatters, many of which had provided false WHOIS information when registering the disputed domain name and were therefore difficult for the plaintiff to locate. One regulation that eventually addressed this issue was the US Anti-cybersquatting Consumer Protection Act.

A legislative perspective

Under this act, domain names have been considered as some kind of property in rem actions (i.e., when the registrant cannot be located, which is common when it comes to cybersquatting). If a domain name is to constitute property for the purposes of in rem actions, the property must logically be located in one definable geographical place. For these purposes, domain names have been assumed to be located where their registrar or registry is located. Why is this important? Because it determines which court or country has jurisdiction in the event of a domain name dispute, which in turn may differ from the geographical territory in which the party claiming infringement has registered trademark rights.

While the Anti-cybersquatting Consumer Protection Act is national in nature, the UDRP is international in its scope and addresses jurisdiction in a different way. The UDRP is an administrative dispute resolution system specifically created for domain name disputes between domain name registrants and trademark owners, regardless of their nationality. It is contractually mandated through the registration agreement for gTLDs (e.g., '.com', '.org', '.global' and '.app') and certain ccTLDs. Cases are decided by one or three panelists, who have been given the freedom to base their decision on:

• statements and documents provided by the parties;
• the provisions of the UDRP;
• previous case law; and
• any other principles that they consider applicable.

As such, the panelists can determine whether it is relevant to consider national laws in a certain case.

Once a complaint has been filed and a UDRP process has been initiated, it is important for the complainant to understand the consequences of the 'mutual jurisdiction' clause, which is agreed to when filing the complaint. This clause (Paragraph 3b(xiii) of the UDRP) stipulates that if a decision to cancel or transfer the disputed domain name is made by the UDRP panellists and thereafter is challenged by the domain name owner, the complainant will submit to the jurisdiction of the courts either where the principal office of the registrar is located or where the registrant is located according to the WHOIS database. A challenged UDRP decision that gets brought before a national court by the respondent in the UDRP case will include potential trademark territorial issues for the trademark owner that are similar to those regarding jurisdiction under the Anti-cybersquatting Consumer Protection Act.

Similar cases, different outcomes

One case that illustrates the abovementioned situations and how the global nature of domain names collides with national trademark laws and principles — partially due to definition and jurisdiction — is WIPO Case D2000-0505 regarding the domain name 'barcelona.com'

The case was initially brought before a UDRP panel. The complainant, Barcelona City Council, provided several Spanish trademark registrations that included the term "Barcelona" and claimed that the respondent's 'barcelona.com' domain name infringed those rights. Respondent Barcelona.com Inc was a company located in the United States and owned by two Spanish citizens, which used the domain name as a travel portal with information for people intending to visit Barcelona. The panellist found the domain name to be confusingly similar to the complainant's trademarks; determined that the respondent lacked legitimate interest and had registered and used the domain name in bad faith; and ordered the domain name to be transferred to the complainant.

Barcelona.com Inc obtained an automatic stay of the UDRP panel's order to transfer the domain by filing a reverse domain name hijacking claim under the Anti-cybersquatting Consumer Protection Act with the US District Court for the Eastern District of Virginia. However, the court determined that there were no grounds for such a claim and that the disputed domain name should still be transferred to Barcelona City Council.

Barcelona.com Inc went on to file an appeal with the US District Court for the Fourth Circuit, in which the court stated that the use of the disputed domain name was not unlawful since Barcelona City Council did not have a protected trademark under US law. The court argued that the Anti-cybersquatting Consumer Protection Act specifically requires the Lanham Act — rather than foreign law — to be applied, through the wording "file a civil action to establish that the registration or use of the domain name by such registrant is not unlawful under this chapter" (15 USC §1114(2)(D)(v) (emphasis added)). The court further enunciated the territorial nature of trademark law in general and subsequently applied the Lanham Act, establishing that a geographical term cannot be considered a trademark in the United States unless it has acquired secondary meaning. Because there was no evidence of the term "Barcelona" having acquired secondary meaning, the court ruled that use of the domain name 'barcelona.com' was not unlawful under US trademark law; therefore, the domain name should remain with the registrant, Barcelona.com Inc.

This decision has far-reaching consequences in that, unless the owner of a foreign mark can prove trademark rights under US law, domain name registrants will be free to register identical or confusingly similar domain names and be protected by the Lanham Act — even if such registrations would have constituted cybersquatting had the brand owners held US trademarks. In other words, the court of appeals' decision essentially states that national law supersedes international regulations.

Analyzing a similar case in light of the Barcelona.com decision provides further understanding as to what effect the perceived location of a domain name can have on the outcome of a dispute. WIPO Case 2015-2295 regarding 'britishschoolofbarcelona.com' had the following circumstances, similar to Barcelona.com:

• Both parties were Spanish citizens.
• The domain name consisted of descriptive terms.
• The complainant had several Spanish trademark registrations that included the disputed term(s).

The panel began by explaining that the UDRP rules give panelists the freedom to decide what, if any, specific national laws should be applied. In this case, the panelist held that Spanish trademark law must be considered since both parties were Spanish — as was the case in Barcelona.com. In both cases, the respondents argued that the complainant's trademarks were purely descriptive and therefore questioned their validity. However, since the trademarks in both cases were already registered with the Spanish Patent and Trademark Office, any questions regarding their validity would need to be challenged in the Spanish national court, not under the UDRP. For the purposes of the UDRP, the fact that an active trademark registration exists is enough. After establishing that the respondent lacked legitimate interest and had registered and used the domain name in bad faith, the panelist ordered that the disputed domain name 'britishschoolofbarcelona.com' be transferred to the complainant.

So far, the case has mostly followed the path of Barcelona.com. However, the main difference is that the registrant in britishschoolofbarcelona.com would have had a very different outlook when it comes to overturning the UDRP panel's decision. This is because — unlike in Barcelona.com, where US courts had jurisdiction — the respondent in britishschoolofbarcelona.com would have had to rely on Spanish courts and Spanish trademark law if the case was to be tried anew in national court (i.e., in the same jurisdiction in which the trademarks were already approved and registered). As such, the court would likely have come to the same decision as to the UDRP panel.

In other words, two court cases from two very similar UDRP disputes could have had significantly different results due to the ways in which the international nature of domain names and their location intersected with territorial trademark law.

In summary

• Domain names lack a uniform legal definition and despite having certain similarities with trademarks, there are key differences.
• Several identical trademarks can co-exist in different classes or territories, while a domain name is unique and global at the same time.
• The difficulties with defining what a domain name is legally and where it is located for the purposes of jurisdiction can lead to further complexity in cases where the domain name is considered to be located where the registrar is located, despite none of the parties residing in that country. This can further highlight the sometimes odd interplay between different national laws and the international nature of the Internet, as demonstrated in Barcelona.com, where two Spanish parties (although one of them owned a business incorporated in the United States) ended up in a US court to have a case regarding a Spanish mark and a domain name consisting of a Spanish city name tried under US trademark law.
• Geographical and purely descriptive terms registered as domain names can give rise to a special set of challenges. This is due to the following:
  • The protection of geographical names varies largely between nations; however, when challenging a domain name registration, the complainant moves into international territory.
  • UDRP cases that involve geographical names have resulted in varying outcomes. Therefore, complainants should ensure that they have sufficient evidence to prove either registered or unregistered trademark rights, in order to meet the first requirement of the UDRP — namely, that the disputed domain name is identical or confusingly similar to a trademark or service mark in which the complainant has rights.

Mapping a route ahead

As previously mentioned, legal practitioners, registrants and brand owners must navigate the online landscape in fairly low visibility and can come across situations or circumstances that require either new tools or abrupt adjustments. However, once you acknowledge the fact that you are driving in foggy conditions (figuratively speaking), you can adjust your actions to better avoid wrong turns. Taking all of this into consideration, readers are encouraged to consider the following advice:

Understand your intellectual property – All business owners and IP practitioners should acknowledge that domain names have become a crucial asset for online branding and should understand how they are closely connected to trademarks. Knowing how to manage domain names proactively and safely, as well as how to enforce IP rights online, is a necessity for any modern business. Being aware of the similarities and differences between a domain name and a trademark — as outlined in this article — makes it easier to create a successful strategy.

Know your business – Along the same lines, business owners and practitioners should be mindful of the brand or company name that their new business decides to operate under. As discussed, geographical and descriptive names can be especially difficult to enforce online under many circumstances. Further, it is important to consider:

• how a new name would work in the event of future international expansion;
• whether the name can be registered as a trademark and where; and
• whether the corresponding domain names are available under the relevant TLDs.

These factors are often addressed much too late or in the wrong order, leading to costly consequences and the risk of brand damage.

Manage existing rights closely – For established businesses, closely examining how the company's IP rights are managed online should be a top priority. This includes reviewing the chosen registrar, assessing enforcement routines and aligning the domain name strategy with marketing and trademark strategies.

Build a strong case – In the event of a domain name dispute, complainants must provide sufficient evidence to prove their trademark rights, especially when secondary meaning is required for unregistered marks. Lastly, complainants must be aware of the mutual jurisdiction clause in the UDRP rules, as well as the general principles of jurisdiction in domain name cases.

(To learn more: "Domain Names - Strategies and Legal Aspects, 2nd edition" ThomsonReuters/SweetandMaxwell.

This article can also be read in the 78th Issue of WTR Magazine, as well as online on WorldTrademarkReview.com)

Written by Jeanette Söderlund