Channel: CircleID: Law

Responding to "The Case for Regulatory Capture of ICANN"

A recent investigative report reveals a disturbing trend with amending legacy registry agreements

This past Monday, as ICANN65 was beginning in Marrakesh, the technical review blog Review Signal published a detailed exposé, "The Case for Regulatory Capture of ICANN," authored by site founder and "geek-in-charge" Kevin Ohashi. The post was clearly the product of extensive investigative reporting — and what it reveals is deeply disturbing.

Ohashi marshals a dizzying and diverse array of facts and figures into a damning indictment of the ICANN organization. This, by itself, isn't exactly news. But his post goes a step further and, by connecting the dots of various data points, he begins to reveal how key constituencies of the Internet governance ecosystem are being influenced by the largest industry players in the Domain Name System (DNS). He accomplishes this in the same way that these things always are: he follows the money.

It bears mentioning that the effectiveness of the post is considerably dampened by expending a considerable amount of proverbial column inches calling out the past employment with VeriSign of Shane Tews — which ended nearly a decade ago and is ancient history — who is currently founding principal of Logan Circle Strategies and a visiting scholar with the American Enterprise Institute, along with various financial disclosures made in accordance with legal requirements by NetChoice's Steve DelBianco and Jonathan Zuck, formerly of ACT. Presenting these past and present affiliations as "gotcha" revelations overlooks the reality that information about them is publicly available for anybody with an Internet connection to view for themselves on LinkedIn or the respective organizations' websites. What isn't publicly available but ought to be disclosed here is that these three professionals are first-rate subject matter experts and thought leaders who contribute time, energy, and expertise to DNS policy and Internet governance which would be difficult, if not impossible, to replace and the loss of which would be to the great disadvantage and detriment of the public interest.

It is possible to disagree with someone without questioning their integrity, and undue focus on mischaracterizing certain individuals' motives distracts attention away from what should be the primary areas of concern: the hazardous structural defects that are becoming increasingly and insistently apparent in the DNS governance edifice.

The post centers on current negotiations concerning the .ORG registry agreement between its operator, Public Interest Registry, and ICANN. .ORG is one of the original legacy DNS registries that was delegated, along with .COM and .NET, in the original Registry Agreement and is heavily populated with domain name registrations belonging to non-profit organizations. This registry agreement renewal has become somewhat controversial because of an amendment that would remove pricing regulation that has functioned to protect registrants from wanton price increases for nearly two decades.

For many, if not most, matters, ICANN requests public comment on proposed actions and, at any given time, there may be multiple open comment periods for various and sundry ICANN work streams. This would seem to suggest that incorporating stakeholder input is part and parcel of ICANN's normal course of business. But when it comes to matters related to registry agreements, contractual relationships with other contracted parties, or, more broadly, any issue with financial implications, then public comment becomes just that — commentary from the hoi polloi that often serves as a pressure-release valve during times of controversy and, in all cases, provides the facade of participatory governance and bottom-up, consensus-based policymaking to what would otherwise be seen quite clearly as closed-door dealmaking between ICANN and its contracted parties — or, more bluntly, between the regulator and the regulated.

In order to illustrate this point, the post's author analyzed all of the more than 3300 comments that were submitted during the request for comment period related to the proposed amendments to the .ORG registry agreement. What he discovered was that 3252, or 98.1%, of comments *opposed* allowing PIR an unrestrained ability to raise prices and only six, or 0.02%, of comments were in favor of the proposed change. In what alternate version of reality would an organization with a mission to serve the public interest feel justified to continue to push forward with a proposed action that enjoys virtually no public support while facing such voluminous opposition?

Playing devil's advocate for a moment, the post doesn't really highlight the fact that the reason for such an elevated number of negative comments is because the Internet Commerce Association, a trade group consisting of professional domain investors, made an organized push along the lines of a "Write Your Congressman" grassroots political effort that helped drive increased "turnout." However, the profit-minded motives behind this effort become irrelevant in the face of a supporting coalition of only six individuals that submitted comments in support of pricing flexibility for PIR.

The real issue of burning importance here is the disdain that ICANN displays towards stakeholders by disregarding their input — especially when that input is provided in response to ICANN's solicitation of it in the first place. This isn't an academic concern, nor is it a clerical error happening at the margins of a vast bureaucracy. It is corruption occurring at the heart of a major governance institution and, judging by the absence of organized protest or clarion calls for reform, it has become normalized.

Acquiescence to ICANN's corruption might also explain why stakeholder concerns and recommendations were utterly disregarded during VeriSign's recently approved Registry Services Extension Proposal (RSEP) to release O.COM for auction. The circumstances are strikingly similar — proposed amendments to a registry agreement that weaken or remove longstanding consumer protections and that receive opposition from affected parties during a public comment period that is later summarily disregarded. During that public comment period, ICANN's Intellectual Property and Business constituencies, along with others, recommended that VeriSign's proposed release of O.COM be subject to standard community-developed intellectual property rights protection mechanisms, including Trademark Clearinghouse, Sunrise Period and Priority Access. However, ICANN's Board approved the RSEP in March, at the last ICANN meeting in Kyoto, in a consent agenda vote with no discussion or further consideration pertaining to stakeholder concerns.

One of the most chilling aspects of the O.COM release has been the complete lack of uproar — the deafening silence — that has emanated from the community in response to ICANN's setting aside of critical protections that enjoyed community consensus. An observer could be forgiven for wondering if stakeholders are becoming trapped in a fog of myopic cynicism that causes them to ignore the implications of ICANN's failure to enforce its own policies in the first place and then following that up by sidestepping stakeholder recommendations that explicitly call for their implementation. Perhaps the community should take heed of the caution that, paraphrasing an old poem, "I said nothing when they came for everybody else and so there was nobody left to say anything when they came for me."

When the U.S. Government removed itself from direct oversight of ICANN, the thinking at the time was that the stakeholder community would step up to serve as the counter-balance and accountability backstop to the ICANN organization. There was an involved process of developing new accountability mechanisms that the community could leverage to keep ICANN in check. In reality, there's only one power that the community can avail itself of in the face of a runaway and intransigent ICANN — the power to recall the ICANN Board — which requires a convoluted process that, practically speaking, means it will be used only slightly more frequently than the appearance of Halley's comet.

By all appearances, it hasn't taken long, in the absence of U.S. Government oversight, for rot to set in at the root. If the community is going to acquiesce to its own dismissal — if corruption is to become normalized at ICANN and in DNS governance — then, perhaps it's time to start looking towards the heavens.

Written by Greg Thomas, Managing Director of The Viking Group LLC


The Question of Fairness in UDRP Decision-Making

In disputes under the Uniform Domain Name Dispute Resolution Policy (UDRP), parties should be able to rely on Panels delivering predictable, consistent, and legally reasoned decisions. In large measure, this depends on Panels analyzing the facts objectively through a neutral lens and applying principles of law consistent with the jurisprudence. However, the results are not always seen by the losing party as having achieved a fair result. What has to be avoided in considering the underlying concern expressed in this criticism is the belief that marks and domain names are fixed locations on a continuum; they are not. Potential infringements grow into cybersquatting (if they do at all!) as the factors in favor of one party or the other establish one or the other's rights. Not every domain name corresponding to a mark is infringing, but it is equally the case that not every domain name composed of common linguistic elements is lawful. What principles of law will be applied will depend on the facts parties can establish or the record holds.

We can see this playing out in several recent adjudications. In some instances, domain names can just as easily be held, employed, monetized, and resold by others without disturbing any third-party rights. On the continuum some combinations employed as marks have achieved greater recognition than others, either because alone or combined they may be unusual or not commonly found together in everyday speech or have achieved a connotative value due to their penetration in the market, always recognizing that what is connotative in some circumstances can as easily be descriptive and denotative in others. See earlier discussion on this topic, Trademarks vs. Domain Names.

This is to say that some combinations are common coin even if they have never been uttered before --"Order my oil" (from 2017, noted at the bottom of this essay), "vapor supply," "fair markets," and others discussed further below. If website content projects the semantic understanding of words or phrases (to focus on just one factor) it favors lawful registration; but as a combination moves to the right on the continuum it strengthens to "coined" rather than a common coin; in trademark parlance, it becomes inherently distinctive.

Disenchantment over fairness has been expressed about a number of earlier decisions, some of which have moved to federal court for de novo assessments under the Anticybersquatting Consumer Protection Act (ACPA) resulting in UDRP awards being vacated (<ado.com> settled by on-the-record stipulation) or "confirmed" (<beautifulpeople.com> with attorney's fees to domain name registrant). See earlier discussion on ACPA actions, Post-UDRP, ACPA Actions Challenging Awards. In all the instances discussed, the question about fairness is whether particular awards are warranted by the facts.

Respondents are either domain name investors (reselling or monetizing their holdings) or businesses (active in the past but not necessarily so in the present). The award has been questioned in Lakes Gas Co. v. Domain Administrator, DomainMarket.com, D2019-0830 (WIPO June 21, 2019) (<lakesgas.com>). The issue revolves around its status as an expression: we will want to know on what part of the continuum "lakes gas" sits? Is it common or uncommon? I'll come back to this decision in a moment. The same question has to be considered for other expressions such as <payway.com> and <rxpetplan.com> and others which I'll talk about first. We have to determine where expressions sit on the continuum.

There is certainly a degree of subjectivity in answering the question, but the analysis has to begin with the distinctive value of a particular combination. A speaker is more likely to encounter "beautiful people" or "power agent" in daily conversation than other combinations that signal the existence of a mark. Let's examine the differences through some recent cases. No one will argue that "toner connect" carries any strong connotative strength, but the Complainant nevertheless prevailed in Toner Connect, L.L.C. v. Privacy Protect, LLC / Realogue Corporation, D2018-2829 (WIPO February 21, 2019). This was not because the combination is particularly distinctive--it could only have become a mark through proof of secondary meaning--but because "the evidence submitted shows that Respondent's sole owner and president is a direct competitor of Complainant."

Where there is no proof of targeting weak marks, and the combinations are common coinage, complaints must be denied. In Darryl Davis Seminars, Inc. v. Privacydotlink Customer 656889 / Domain Admin, Abstract Holdings International Ltd., D2018-2238 (WIPO January 21, 2019) the Panel held that Respondent "has satisfied the Panel that it registered [<poweragent.com>] for its inherent value as a domain name incorporating a common descriptive term, as part of its business as an investor in such domain names." In ILQ Australia Pty Ltd v. Gidman, John, FA1806001790689 (Forum July 13, 2019) Complainant failed to demonstrate (or even allege) it had common law rights to FAIR MARKETS, but even if it had proof of secondary meaning it would have taken a strong dose of evidence to overcome the commonness of the expression: "Respondent's own evidence [demonstrates] that the expression 'fair markets' is descriptive and in ordinary use in the financial markets sector."

The results in these cases are undeniably correct; one can even (once the facts have been fully excavated) say they are "predictable." Complainants prevail if they satisfy their burden of proving abusive registration but fail if their "proof" simply alleges a corresponding trademark. The results in Toner Connect and Darryl Davis Seminars are simply stating the law.

Let's look at a couple more examples. In Pet Plan Ltd v. AD Burns, D2019-0755 (WIPO June 24, 2019) Respondent added "rx" to PET PLAN. The applicable principle is that adding an affix does not distinguish a domain name from the mark and most likely reinforces complainant's claim. The Panel considered three facts in Pet Plan that favored Respondent: 1) the phrase "pet plan" while distinctive in a trademark sense is a common phrase; 2) it qualifies as a mark for its acquired distinctiveness; no one would ever accuse it of being inherently distinctive; and 3) Respondent submitted documentary proof that it could not possibly have targeted Complainant because it actually offered Rx pet services before the existence or reputation of the mark:

Respondent has provided evidence, to some extent acknowledged in the Complaint, demonstrating a prior use of the disputed domain name that is consistent with its meaning as a descriptive phrase for drug prescription plans for pets.

The <payway.com> dispute, Payway, Inc. v. Domain Administrator, FA1905001845958 (Forum July 10, 2019) is another pointed lesson. Complainant attempted to extend its rights by alleging common law use earlier than the registration of the domain name but "[w]hile the Complaint recites familiar tokens associated with common law rights in a mark, the attachments to the Complaint are wanting of even the slightest proof in support of this claim."

In many of these disputes, we find that respondents are either businesses using identical or confusingly similar indicators (like Respondent in Pet Plan) or large or small resellers in the domain name market (Respondent in Darryl Davis Seminars). The latter is illustrated in Dr. Muscle v. Michael Krell, FA1903001833036 (Forum April 19, 2019) (<drmuscle.com>). Here, even though the Panel labels Respondent a "speculator" it nonetheless dismisses the complaint because "the components of the domain name, 'Dr.' and 'Muscle', are common terms." The Panel also pointed out that although there was no proof Respondent actually did any searches for Dr. Muscle as a mark, or "took any steps to meet his obligations under Paragraph 2," it is nevertheless Complainant's burden to prove registration and use in bad faith.

Thus being a "speculator" in the domain name market is never (if that was all there is) the tipping factor even where (as in Dr. Muscle) Respondent is found not to have rights or legitimate interests --"Although it is a close call, the Panel concludes, given the Respondent's failure to come forward with factual evidence supporting its allegations that Complainant has succeeded in demonstrating that Respondent lacks rights or legitimate interests in the disputed domain name."

The commonness of [removed]there being no evidence otherwise) is conclusive. However, what is good for the goose is also good for the gander. Respondents are not saved by manipulating parts: either creative rearranging of words, by reversing them as in AutoZone Parts, Inc. v. Li Wenhan, FA1904001840813 (Forum June 12, 2019) (AUTO ZONE and <zone-auto.com>) or creating artificial combinations with new TLD extensions that refer to complainant's business as in Epic Games, Inc. v. Host Master / 1337 Services LLC, FA1906001846617 (Forum July 10, 2019) (FORTNITE and <fortnite.events>, <fortnite.games>). There is nothing surprising in these results because the evidence, one way or another, supports the outcomes.

With these thoughts in mind, it is time to consider Lakes Gas in which Respondent is also a so-called "speculator." But here, the issue is squarely on the value of the combination; that is, where it sits on the continuum. Is it a common coin or more coined even if descriptive? The Respondent argued that the combination of "Lakes" and "Gas" was simply two dictionary words. The Panel questioned this:

[T]he Panel does not disagree ['lakes' and 'gas'] are both generic words. However, this specific combination of words together has no real descriptive or generic meaning, and really only has meaning in the context of Complainant's trademark.

Then concluded that

[i]n order to find rights or legitimate interests in a domain name based on its dictionary meaning, the domain name should be genuinely used, or at least demonstrably intended for such use, in connection with the relied-upon dictionary meaning and not to trade off third-party trademark rights.

The answer to the question about sitting on the continuum is that "Lakes Gas" is on the right; it is descriptive, not generic, and descriptive is saved as a mark if there is proof of secondary meaning, which means that the decision forfeiting the domain name to Complainant is correct.

There are, of course, disputes in the penumbral zone; "close calls" as in Dr. Muscle, but in those cases, the result necessarily depends on complainants satisfying their burdens of proof. What is not always clearly understood is that "speculators" (even they, if that's an appropriate epithet to burden resellers) should not be deprived of their property unlawfully. Courts in the U.S. and in other jurisdictions have concluded that domain names lawfully registered are intangible property. But at the same time, mark and brand owners (which can include trade names functioning as marks) deserve protection. That is the balance Panels are attempting to achieve.

NOTE, regarding "Order My Oil" and <orderyouroil.com>. The Massachusetts Appeals Court in Wes Madan / United Oil Heat, Inc., d/b/a OrderMyOil.com v. Michael Meehan, 18-P-325 (July 12, 2019), affirming the trial court's dismissal, found the alleged mark to be generic. It also explained concerning Plaintiff's claim of common law rights that the test for common law trademark infringement "[i]n Massachusetts ... is the same as under the Lanham Act". The UDRP complaint was previously denied in Wes Madan / United Oil Heat, Inc., d/b/a OrderMyOil.com v. Michael Meehan, FA1701001715122 (Forum March 9, 2017) (ORDER MY OIL and <orderyouroil.com>).

Written by Gerald M. Levine, Intellectual Property, Arbitrator/Mediator at Levine Samuel LLP

EU Court of Justice Ruling Could Result in Cutting Off Data Flows to US

EU holds an eight-hour-long hearing taking an extensive look at whether US surveillance practices break European data protection laws. "This case could potentially rupture the mechanisms that allow personal data to flow across the Atlantic," writes Peter Swire in a report on the July 9th European Court of Justice hearing in case C-311/18, also known as "Schrems II." Swire adds: "Should the Court so decide, it would soon be illegal for companies and services we use every day to transfer personal data from the EU to the US. Such a determination, however, may result in an absurdity; EU citizens' data could not travel to the US for fear of intrusive surveillance, but could flow unimpeded to China, a nation with surveillance practices ripped from the pages of a dystopian science fiction novel."

GDPR Fine Enough or More Disclosure?

The UK cares about its citizens' privacy to the tune of a $229 million (US) fine of British Airways for a breach that disclosed information of approximately half a million customers. It's exciting — a significant fine for a significant loss of data. I think GDPR will lead to improved security of information systems as companies scramble to avoid onerous fines and start to demand more from those who provide information security services and products.

I wish, though, that as part of their penance, GDPR required companies to provide more details more quickly about how the breach occurred and how a company like British Airways fell short in stopping it. The conversation needs to move quickly and fluidly about what is the standard of duty of care that must be met by organizations.

From a Tripwire article:

"Precisely how the hackers managed to gain access to British Airways' infrastructure to plant the malicious code in the first place hasn't been made public. However, what's clear is that for a period of time they failed to notice that a JavaScript library used in their website's payment flow had been tampered with."

What has been learned about the breach seems to be coming from third-party analysis such as the blog posting from RiskIQ. It turns out that British Airways is one of a number of companies such as Ticketmaster and Newegg to have problems with digital card skimming attacks. Sanguine Security Labs reported that 962 online shops were recently, similarly attacked in a 24-hour period.

Digital card skimming attacks date back to 2016 and show no sign of abating. The attackers keep innovating and succeeding because it is hard to keep up with the newest variations of the Magecart mode of attacks. It's also confusing to know what defensive steps are reasonable and most cost-effective.

Elizabeth Denham, the UK commissioner in charge of the agency that levied the fine, was quoted as saying:

"That's why the law is clear — when you are entrusted with personal data, you must look after it. Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."

Organizations must report breaches. There is real urgency to address digital skimming attacks, which continue to compromise user data. Shouldn't the EU and the bureaucracy administering the GDPR be anxious to share what they know about how these attacks are evolving and what they believe are the appropriate steps to prevent them? For example, is British Airways being fined because they failed to patch a known vulnerability such as the PHP Object Injection vulnerability CVE-2016-4010? Were they fined because they didn't have a file integrity monitor in place on their servers verifying that scripts had not been tampered with? Organizations that fall under GDPR jurisdiction need to know what misstep British Airways took from the viewpoint of the UK office.

When a breach occurs, more information needs to be disclosed more quickly about what happened and what went wrong. Appropriate steps will sound better when GDPR speaks up about what those are. British Airways will be given the opportunity to defend whether they acted reasonably. The reasoning behind whatever decision is made needs to be made public. Providing an account of what went wrong is as important as holding companies accountable.

Written by Curt Dukes, Executive Vice President

New Zealand’s Domain Name Commission Wins Appeal in Lawsuit Against US DomainTools

New Zealand's Domain Name Commission (DNC) wins in court against the US company DomainTools for "illegally scraping personal information" of .nz domain name owners. The US Court's decision means DomainTools is forbidden from breaching .nz domain name owners' privacy. This is the second time the US court has agreed with the DNC position. A couple of takeaways from Friday's DNC press release:

"The first decision in favour of .nz domain name owners' privacy was made in September 2018, but DomainTools immediately appealed it and lost again in the US Court of Appeals on 17 July 2019. In 2018, the Domain Name Commission mandated that a privacy option be offered for all .nz domain name holders that are not in trade. ... More than 63,000 domain names have already taken up the privacy option, and the number is growing."

"This win is important not only to .nz domain name holders and their privacy but also for managers of other countries' domain name systems who might consider starting legal action against DomainTools and other similar companies where terms of use are breached."

Satisfying the Evidentiary Demands of the UDRP

It continues to surprise that some counsel in proceedings under the Uniform Domain Name Dispute Resolution Policy (UDRP) are unaware or oblivious of its evidentiary demands, by which I mean they file and certify complaints with insufficient evidence either of their clients' rights or their claims. Because the UDRP requires conjunctive proof of bad faith registration and bad faith use (as opposed to the disjunctive model of the Anticybersquatting Consumer Protection Act), it should be ingrained for counsel experienced in the jurisprudence to know they cannot hope to succeed with marks postdating registration of domain names.

Yet, whatever the level of counsel experience with UDRP jurisprudence, suing when there is no actionable claim is a recurrent feature on the docket. Examples: Puretalk Holdings, LLC v. Domain Administrator / Fundacion Privacy Services LTD, FA1906001848525 (Forum August 5, 2019) (<puretalk.com>, mark postdating domain name registration by 15 years); Art-Four Development Limited v. Tatiana Meadows, D2019-1311 (WIPO July 29, 2019) (<aizel.com>, also postdating by almost 15 years). In Femida a/k/a International Legal Counsels PC v. Reserved for Customers / MustNeed.com, FA1906001847829 (Forum July 25, 2019) the postdating is quite short, but still "Respondent's domain name was registered before the first use and registration of the Complainant's mark."

Claiming cybersquatting against domain names predating marks in commerce is obviously misguided, but challenging domain names with deficient evidence of a mark's right or a respondent's bad faith is careless or worse. It is no more sufficient to have a naked right than it would be for complainants to succeed on respondents' default. Respondents did not appear in Pure Talk and Art-Four; Complainants failed because it was impossible for them to succeed. The answer to why complainants fail depends in part on complainants' linguistic brand choices, and in another part, on failing to marshal proof supporting their claims. For marks composed of dictionary words, descriptive phrases, and short strings of letters, the evidentiary bar is higher because complainants are not the sole magnets for associations with allegedly infringing names. The bar is higher still for complainants of unregistered marks.

Whereas complainants of registered marks have standing by virtue of their registrations, those with unregistered marks only have standing on proof of secondary meaning antedating registration of the challenged domain name. (Under the ACPA the "mark [must be] distinctive at the time of the registration of the domain name" regardless whether registered or unregistered). Applications awaiting approval by trademark registries are not deemed to qualify as a right; nor are marks registered on the Supplemental Register in the US, although unregistered rights may include trade names and personal names if they are found to be functioning as trademarks. (See earlier essay Do Trade Names Qualify as Trade Marks for Purposes of the UDRP?)

Both ICANN Panels and US courts (and, no doubt, other jurisdictions) insist that proof of secondary meaning "includes evidence as to (1) the length and continuity of a mark's use, (2) sales, advertising, and promotional activities, (3) expenditures relating to promotion and marketing, (4) unsolicited media coverage, and (5) sales or admission figures." The Panel in Facele SPA v. Jason Owens, D2019-0140 (WIPO July 28, 2019) (<facele.com>, Complainant represented by counsel) gives a thoughtful discussion of these expectations:

Even if the Complaint had only included details of the Complainant's pre-2010 sales and advertising figures accompanied by examples of how the mark has been used, that would have been helpful. (Emphasis added).

Since the facts the Panel references should be within a complainant's knowledge and control, failure of proof, evasiveness, or silence supports an adverse inference that the mark was not used before the registration of the domain name; if it were, the proof would have been submitted (or carelessly omitted).

A good illustration of this deficiency of proof is Empire Engineering LTD v. Liamuiga LLC, FA1906001847862 (Forum July 22, 2019) (<empireengineering.com>). In this case, Complainant (represented "internally" presumably by an attorney) had to deal with the descriptive nature of the alleged mark. While the phrase "empire engineering" is hardly striking as an indicator of source, it is certainly capable of functioning as a mark. However, the Panel dismissed the complaint because "Complainant has not provided evidence of secondary meaning with respect to the expression 'Empire Engineering'". As in Facele SPA, Complainant (but more particularly its representative) failed to take into account the quality of and demand for proof to establish rights under paragraph 4(a)(i) of the Policy.

Failure to establish common law rights also sunk Complainant in Aurora Cannabis Inc., Aurora Marijuana Inc., Aurora Cannabis Enterprises Inc. v. Byron Smith, D2019-0583 (WIPO July 12, 2019) (<auroradrops.com>). The Panel held:

If there was indeed common law use of the AURORA DROPS at any relevant time by the Complainants, proof of that use was also deficient. This may be a function of the fact that the marijuana market in Canada was only operational at full scale beginning in October 2018. In any event, the Complainants' evidence of common law rights has not satisfied the Panel that there was a substantial reputation as of April, 2017, when the disputed domain name was registered. The Complainants' belated attempt to register AURORA DROPS has only served to muddy the waters.

The underlying concept of secondary meaning is proving reputation in the marketplace, not now but then. The evidence must be sufficient to show that the mark would have been recognized by consumers as a source of complainant's goods or services.

The same deficiency is noted in another common law claim, Dakota Access, LLC (c/o Energy Transfer LP) v John Saldis, FA1906001849464 (Forum August 6, 2019) (<dakotaaccesspipeline.com>). Here "Complainant has not adduced any evidence of trademark registration." While it "contends [it] has used the DAKOTA ACCESS PIPELINE name in publicity materials, contracts, and filings with state and federal regulatory agencies," it has not produced them:

The only supporting evidence adduced by Complainant is a presentation deck named "Energy Transfer LP Investor Presentation — June 2019". It is unclear to the Panel how this presentation deck supports Complainant's contention. This 45-page presentation deck seems to only have one reference to "Dakota Access Pipeline" in a map, without any elaboration as to the relationship of "Dakota Access Pipeline" with either Dakota Access, LLC or Energy Transfer LP. In addition, while the timing of when a complainant has acquired common law rights in a mark is not relevant for the panel in deciding on this element, the Panel notes that this presentation deck is dated June 2019, which is later than the creation date of the disputed domain name (September 18, 2016).

Even where marks allegedly predate domain name registrations, complainants must still anticipate legitimate interests and rights defenses squarely undercutting their claims of cybersquatting. In Royal Caribbean Cruises, Ltd. v. James Booth, BQDN.com, D2019-1042 (WIPO July 17, 2019) (<rcc.com>) Complainant argued that the three-letter string infringed its unregistered four-letter acronym, "rccl." This raised a problem as summarized by the three-member Panel:

the Respondent raises a reasonable question regarding whether a four-character mark which is an initialism or acronym can be found to be confusingly similar to a three-character domain name which, as here, shares part of the same character set. The Respondent points out that, if a finding of confusing similarity is made in those circumstances, the logical extension is that all four-character initialisms/ acronyms would be regarded as confusingly similar to all partially corresponding three-character domain names. (Emphasis added).

Interestingly (and unusually), the Panel declined to make a ruling under Paragraphs 4(a)(i) and 4(a)(ii) and rested its dismissal of the complaint on 4(a)(iii):

The Panel is inclined to favor the Respondent's case on registration in bad faith [and] accepts that the Respondent more probably than not acquired the disputed domain name due to its value as a short, ubiquitous and memorable three-letter string which would be attractive to a wide variety of existing and potential entrants to the marketplace rather than in a bad faith attempt to target one specific rights owner in the form of the Complainant.

In fact, such findings under either 4(a)(ii) or 4(a)(iii) have been made "in multiple past cases." For example, the panel noted in Compañía Logística de Hidrocarburos CLH SA v. Privacy Administrator, Anonymize, Inc. / Sam Dennis, Investments.org Inc, D2018-0793 (WIPO June 13, 2018) (<clh.com>) that "it is commonly accepted that absent factors to the contrary in a particular dispute [of which there are none offered in this case], trading in domain names is a legitimate activity that has grown into a substantial market over the years."

The facts in A Mediocre Corporation v. Domain Admin / Domain Registries Foundation, FA1906001849931 (Forum July 27, 2019) (MORNING SAVE and <morningsafe.com>, Complainant represented by counsel) look like a textbook example of typosquatting, substituting an "f" for a "v" (which on the QWERTY keyboard sits immediately below the "f"). I like Andrew Allemann's comment on DomainNameWire.com because it suggests an approach which counsel did not pursue and was not taken into account in deciding the case:

There are plenty of Wayback Machine screenshots showing early use of the MorningSave. These could have been included with date stamps to show the [earlier] use.

Although the Panel rejected Complainant's argument, the dismissal appears to have been based more on Complainant's failure to offer the necessary proof to support its claim. Complainant's contention based on constructive notice was rejected as not applicable in a UDRP proceeding (counsel should have known this!).

Mr. Allemann may very well be right about Mediocre that counsel could have done better. The same applies to other cases of which it could be said that, had the proof been properly marshaled, the result would have been different. For example, in Numerix LLC v. Dagmar Brebock, FA1906001846731 (Forum July 25, 2019) (NUMERIX and <nurnerix.com>), the confusing similarity is with the "rn" which replaces the "m." It would not be unreasonable to ask, who got it wrong, the Panel or Complainant's counsel? The Panel found that Complainant limited its proof to asserting that "Our domain name Numerix.com has been registered and in use since at least 1998 with corporate formation in 1996." An astute commentator (Evan Brown this time, udrptracker.com) offered the following "practice tip":

If you own trademark registrations, be sure to actually plead them in the complaint. This UDRP case should not have been lost on these grounds. Some panels cut no slack, even when there is obvious evidence outside the record.

What Mr. Brown means by "outside the record" is that Panels are not forbidden to do research on the Internet and in trademark databases, which this Panel did not do; hence his wry comment that "some panels cut no slack." Substituting "rn" for "m" is right out of the squatter's handbook: <rnerial.com> for MERIAL, <ernersson.com> for EMERSON, <freernanco.com> for FREEMAN, are some examples, all of them resulting in transfers. There is no indication that Complainant's counsel in Numerix brought this history of typosquatting practice to the Panel's attention. (This is probably a good candidate for an ACPA action).

If only for instructional purposes, complainants and their counsel should pay close attention to Panels' reasoning of what evidence is necessary to satisfy claims of cybersquatting. As I have pointed out in earlier essays, complainants only get one shot in a UDRP at proving cybersquatting; there is no such pleading as an "amended complaint" under the UDRP. See UDRP Complaint: Actually, a Motion for Summary Judgment and Words and Descriptive Phrases as Trademarks Registered as Domain Names.

Written by Gerald M. Levine, Intellectual Property, Arbitrator/Mediator at Levine Samuel LLP

Domain Name Registrar Isn't Liable for Counterfeit Goods – InvenTel v. GoDaddy


InvenTel makes security cams for cars. It is trying to crack down on Chinese counterfeiters. It brought a prior lawsuit against a wide range of defendants, including GoDaddy. InvenTel voluntarily dismissed GoDaddy from that suit. It brought a second round of litigation involving a new counterfeit site allegedly by the same bad guys, www.hdmirrorcambuy.com, a domain name registered via GoDaddy. Initially, InvenTel claimed GoDaddy hosted the site as well, but it dropped that claim. So the suit against GoDaddy devolves into a simple question: can GoDaddy be liable for counterfeiting activity for registering the domain name?

The answer is no. This is wholly unsurprising because most of these issues were litigated and resolved in the 1990s, making this an old school case. On the plus side, it's a nice reminder that the law hasn't changed in the past two decades.

Federal Trademark Infringement. In the ACPA, Congress provided a safe harbor for domain name registrars (15 U.S.C. § 1114(2)(D)(iii)). This safe harbor hasn't been litigated very often, so this is a rare but otherwise unremarkable opinion applying the safe harbor. The court says:

"The only pleaded basis for GoDaddy's knowledge that the Website would be used to infringe is the Li Defendants' conduct using other websites and the Prior Action. But GoDaddy's domain name registration system is automatic. Therefore, without a warning that the specific URL being registered would be used for an illicit purpose, GoDaddy did not have a "bad faith intent to profit" from the automatic registration of 'www.hdmirrorcambuy.com.' In other words, failing to prevent its computer system from registering the Website does not constitute 'bad faith.' Plaintiff provides no basis for the proposition that GoDaddy must predict which URLs will be used for infringement purposes and proactively stop them from being registered."

To be clear, I don't think this passage supports the inverse proposition, i.e., that GoDaddy would be automatically liable if it had gotten a warning that a domain name was being used for illicit purposes.

State Direct Trademark Infringement. GoDaddy didn't "use" the allegedly counterfeited goods.

State Indirect Trademark Infringement. The Ninth Circuit shut down registrar liability in the 1999 Lockheed v. NSI ruling. "GoDaddy does not control or monitor the instrument of infringement (i.e., the Website)."

Direct Copyright Infringement. As a registrar, GoDaddy doesn't "copy" anything.

Indirect Copyright Infringement. There was no direct copyright infringement taking place when GoDaddy registered the domain name.

Direct Patent Infringement. GoDaddy didn't make, use, or sell the counterfeit goods.

Indirect Patent Infringement. "GoDaddy permitting its computer system to automatically register the Website, even with knowledge of the Prior Action, is not an activity GoDaddy knew would 'cause infringement.' As previously stated, GoDaddy is not obligated to proactively guess which proposed domain names will likely be used for nefarious purposes."

State Consumer Fraud Act. InvenTel wasn't GoDaddy's "consumer."

The court summarizes:

"As to the automatic registration of the Website...that conduct cannot produce direct or contributory intellectual property liability on the facts of this case. GoDaddy did not have the requisite knowledge that the Li Defendants would use the Website to infringe on InvenTel's intellectual property rights when it engaged in the only conduct at issue — providing domain name registration services. InvenTel cannot plausibly allege GoDaddy acted with the requisite knowledge, as InvenTel filed its Complaint without even notifying GoDaddy of the new Website. Even considering facts outside the Complaint set forth by InvenTel, GoDaddy could not be liable. InvenTel has not presented any theory under which GoDaddy is obligated to monitor and predict which websites might be used for infringing purposes. Even when the same individual registers multiple websites, it is the intellectual property holders' responsibility to protect their property, not third parties'. Had InvenTel taken advantage of GoDaddy's takedown request procedures, and GoDaddy refused to deregister the Website (despite evidence of infringement), InvenTel may have a claim. But here, InvenTel ran to federal court without informing GoDaddy of the infringement. Having no notice of the infringement, liability will not attach because GoDaddy did not take any action with the requisite knowledge."

A periodic reminder that even if the law doesn't require notice-and-takedown, courts are unimpressed when plaintiffs could have solved their problems by sending takedown notices.

As far as I can tell, the court doesn't distinguish between domain name registration and domain name hosting (as opposed to website hosting, which the court does distinguish). I wonder if the court would be more amenable to liability for domain name hosting. The above passage suggests it might be.

Trademark, copyright, and patent law all have discretionary fee-shifting provisions. Given the complete lack of merit in this case and the venerability of the legal principles it raised, I wonder if the court will be amenable to a fee-shift request from GoDaddy.

Case citation: InvenTel Products, LLC v. Li, 2:19-cv-09190-WJM-MF (D.N.J. Aug. 13, 2019)

Written by Eric Goldman, Professor, Santa Clara University School of Law

WIPO Becomes First Non-Chinese Entity to Provide Domain Dispute Resolution Services for China's .cn


WIPO's Arbitration and Mediation Center earlier this month became the only non-Chinese entity to provide domain name dispute resolution services for the .CN and .中国 (China) country code Top-Level Domain (ccTLD) — one of the world's largest ccTLDs. Rory O'Neill reporting in TBO writes: "The Cyberspace Administration of China's (CAC) decision to designate the WIPO centre as a dispute resolution provider comes after WIPO chief Francis Gurry and CAC minister Zhuang Rongwen signed a memorandum of understanding last month. ... A number of high-profile brands and IP bodies have taken action against alleged cybersquatters in recent months."


Recovering Domain Names Lost to Fraudulent Transfer


Domain names composed of generic terms and combinations — dictionary words, random letters, and short strings — have achieved ascending values in the secondary market. DNJournal.com (Ron Jackson) reports on his year-to-date chart, for example (just a random sampling from the charts), that in August 2019 <joyride.com> was sold for $300,000, in June <voice.com> sold for $30 million, in July <rx.com> sold for $1 million, and in January <california.com> sold for $3 million; on his weekly chart for August 19-25 he reports that <skew.com> was sold for $93,000 and <homee.com> for $20,000. Resellers of every size have inventories of domain names in some instances so large and varied they have become veritable department stores for every conceivable taste and possible brand. The magnitude of the reported sales suggests that businesses have come to depend on resellers rather than go to the trouble of inventing brand names from scratch.

Needless to say, such values for domain names offer enticing opportunities for mischief, and at the same time put registrants of valuable domain names at risk of having them stolen from their accounts. (For a useful discussion on domain name theft see Domain Name Theft: How to Avoid Buying Stolen Domain Names & Protect Your Own Domain Names). The sheer value and sometimes easy picking incites thieves to mine registration accounts for saleable domain names. Recent fraudulent transfers, as reported in DomainNameWire (Andrew Allemann) include <eqn.com>, <1001.com>, <864.com>, and in an August 26 blog he reports on another lawsuit involving <tabelaFipeBrasil.com>. (See Mr. Allemann's advice on protecting domain names). I'll discuss the "EQN" case further in context with other cases decided in federal court under the Anticybersquatting Consumer Protection Act (ACPA). Fraudulent transfers often happen without holders' immediate knowledge of the thefts, and it may take many months before they even learn the domain names have disappeared from their accounts.

The question is, what legal steps must victims take, and what are their chances of recovering fraudulently transferred domain names? The Uniform Domain Name Dispute Resolution Policy (UDRP) has been successfully applied, although some panelists have got it wrong, as in Lawrence Gurreri v. To Thai Ninh, FA1006001328554 (Forum July 12, 2010) (<internationalcircuit.com>), where the Panel found that "alleged theft of a domain name falls outside the narrow scope of the UDRP." The correct view is expressed in Anglotopia, LLC v. Artem Bezshapochny, D2013-0168 (WIPO March 13, 2013) (<anglotopia.net>) in which Respondent argued that "the Policy is not designed to deal with allegations of fraud or theft," to which the Panel responded that that is only true "where a complainant does not have trademark rights and is seeking to recapture a hijacked domain name," but where complainant has trademark rights the claim falls within the Policy.

In fact, panelists have not hesitated to condemn fraudulent transfers and return domain names to complainants on a theory that hacking and transferring are abusive registrations. To take one example of several, the Panel in Stepp Manufacturing Company Incorporated v. Protection of Private Person, FA1608001686520 (Forum September 9, 2016) (<steppmfg.com>) pointed out that

Prior panels have held that a respondent's apparent hijacking of another's domain has registered and used the domain in bad faith ... [citing] ITX sarl v. Steiner, FA 1222737 (Forum October 24, 2008) (finding that, where "Complainant has shown that it has a long-term ownership of the domain name at issue before the domain name came under the control of Respondent," and where there was also evidence that the domain name had been transferred to Respondent without the permission of Complainant at a time when Complainant was the registered owner of the domain name, Respondent had registered and was using the disputed domain name in bad faith pursuant to Policy ¶ 4(a)(iii).")

Compared to cases brought to federal court under the ACPA, the UDRP database contains a relatively small number of transfers of hijacked domain names, and none recently. This may be because the UDRP is designed to deal with domain names serviced by registrars, rather than domain names in the root directory administered by registries. With this as background it is interesting that the UDRP database contains no investor-reseller complaints even though they certainly have viable marketing or monetizing businesses for their domain names sufficient (one would think) to prove common law rights. The reason for this (I think) is the difficulty for this class of victim to prove it does have those rights.

Rather than test their claims under the UDRP, investor-resellers have turned to the Eastern District of Virginia, Alexandria Division (the location of Verisign, Inc., the dot com registry) to recover possession of the domain names under the ACPA. That court has proved particularly friendly to the argument that marketing and monetizing domain names supports common law rights.

The lead case, Weitzman v. Lead Networks Domains, 1:09-cv-01141 (ED Virginia, Alexandria Div, 9/24/2010) involved nineteen domain names including <daffy.com>, <oncologics.com>, and <sunlet.com>. On the issue of common law rights and standing, the court (Magistrate's Recommendation) found:

Plaintiff is in the business of domain monetizing and establishes and registers domain names for the purpose of turning Internet traffic into monetary gain through the use of "click through traffic." (Compl. 9.) Domain monetizing is a process in which advertisements are placed on "parked" domain names in order to generate revenue for both the party that owns the domain and the party that places the advertisement.... Plaintiff's pervasive use of the Domain Names transposed the trademarks into valuable assets to Plaintiff, representing Plaintiff's substantial goodwill and solid reputation with consumers. (Compl. ¶ 12.) Therefore, through Plaintiff's longstanding, continuous, and exclusive use of the Domain Names, Plaintiff owns valid and enforceable rights to each of the registered Domain Names. (Emphasis added).

The Magistrate Judge concluded that "legal precedent dictates that Plaintiffs Domain Names should be afforded the protection of the ACPA."

This view of investor-monetizing/reseller rights is recognized in later cases. In Traffic Names, Ltd. v. Zhenghui Yiming In Re: 224.com, 604.com; and 452.com, 1:14cv1607 (E.D. Va, Alexandria Division April 14 and May 12, 2015) the Magistrate Judge held: "Plaintiff's registration of the Subject Domain Names and use of them in business since that registration establishes his common law rights in the marks. Therefore, plaintiff is entitled to enforce the provisions of §1125(d) against any domain name that violates its rights in the protected marks."

This view is cemented more recently in Blackshore Properties, Inc. v. EQN, an Internet domain name, et al. 1:18cv1325. In its complaint, the Plaintiff had alleged:

18. Blackshore used the EQN.com domain name in U.S. commerce in association with the paid provision of information and advertisements for goods and services until Defendant John Doe stole the domain name and thereby disabled Blackshore's access to and control of the domain name.

19. Blackshore is entitled to common law trademark protection in the EQN.com mark by virtue of its use of the mark in U.S. commerce in association with paid advertising and information services.

The Court (Magistrate's Recommendation January 11, 2019 and Order confirming the Recommendation January 28, 2019) did not question Plaintiff's contention that it had common law rights for its business operations involving the stolen domain name. It concluded that the domain name had been spirited away from Plaintiff's account and it was entitled to relief:

Plaintiff ... established that it is the rightful owner of EQN.com and the associated trademark, that Doe had a bad-faith intent to profit from using that domain name, and that the domain name Doe was using was identical to plaintiffs distinctive mark.

This view appears to be challenged in another recent decision, a still-pending and increasingly complicated case, Yoshiki v. John Doe, 18-cv-01338 (LO/TCB) (ED Virginia, Alexandria Div. 2019). The Magistrate Judge tacks differently on rights and standing by taking notice of a line of cases critical of certain uses of domain names by defendant-hackers and applying that as a standard for assessing standing to investors monetizing and reselling domain names. At first glance, there appear to be two parallel views within the Alexandria Division, but on closer look, there is a good argument that this is not the case. Under the Weitzman line, lawful monetizing and reselling is sufficient to support ACPA standing. Post-Weitzman (according to the Magistrate Judge in Yoshiki) "this Court has found on several occasions that a defendant violated ACPA because, in part, they only used the disputed mark and domain name for pay-per-click advertising." The question is whether this analysis of the law is a departure from precedent or a reasoned response to particular facts.

I opt for a reasoned response to particular facts. The key difference with Weitzman is that the Yoshiki court is looking at the conduct of defendants accused of fraudulent transfers, not the business model of investor-monetizing/reselling plaintiffs. The court cites Entrepreneur Media, Inc. v. B-Entrepreneur.com, 1:11-cv-583 (E.D. Va. Feb. 9, 2012) and Travelers Indem. Co. v. Travellers.com, 10-cv-448 (E.D. Va. November 28, 2011). In neither case is there any question of standing because both plaintiffs own well-known, even famous marks; they are not investors. Rather, the court is challenging plaintiffs to explain why they are different from the defendants in the cited cases who employ the hacked domain names unlawfully under the ACPA. That is a far distance from assessing whether investors lack standing to maintain an ACPA case for a business model of monetizing their domain names.

The essential insight of Weitzman, which has never been challenged on appeal (and is unlikely ever to be challenged because defendants never appear), elevates domain names to the status of property and their holders to trademark owners. The Yoshiki challenge to victims is that they cannot expect to be granted trademark status (thus would lose on standing) for registering domain names identical or confusingly similar to well-known or famous brands or marks. In other words, they cannot, at the same time, be tort-feasors and claim rights to infringing domain names. The Magistrate Judge in Yoshiki stated that it

is especially concerned about the prospect of granting relief when Plaintiff's only use for domain names such as tang.com, wtv.com, and nnn.com is domain monetization. Names such as "tang" arouse the Court's suspicion that Plaintiff may be engaged in the type of activity that ACPA was intended to remedy. (Emphasis added).

A principal consideration in restoring domain names lost to fraudulent transfers to victims must be whether they are "engaged in the type of activity that ACPA was intended to remedy." If they are, they cannot expect any sympathy from the court.

Written by Gerald M. Levine, Intellectual Property, Arbitrator/Mediator at Levine Samuel LLP

51 CEOs Call on US Congress for Urgent Nationwide Data Privacy Law Overriding State-Level Laws


A letter, signed by 51 CEOs, was sent to the U.S. House and Senate as well as leaders of other committees today urging policymakers to pass a comprehensive national data privacy law. The open letter was sent through the Business Roundtable, an association consisting of CEOs from America's largest companies. At the heart of the matter is the request for federal privacy laws that companies argue should replace various state-level laws that have already been passed. From the letter:

"Consumers should not and cannot be expected to understand rules that may change depending upon the state in which they reside, the state in which they are accessing the internet, and the state in which the company's operation is providing those resources or services. Now is the time for Congress to act and ensure that consumers are not faced with confusion about their rights and protections based on a patchwork of inconsistent state laws. Further, as the regulatory landscape becomes increasingly fragmented and more complex, U.S. innovation and global competitiveness in the digital economy are threatened."

IGF Best Practice Forums, an Opportunity to Bring Your Experience to the Policy Debate


This post was co-authored by Anriette Esterhuysen and Wim Degezelle. Authors are Consultants with the IGF Secretariat, supporting the work of the 2019 Best Practice Forums.

In the run-up to the 14th Internet Governance Forum in Berlin, Germany, 25 to 29 November, different groups are discussing best practices pertaining to specific internet governance policy questions. These groups are open and thrive on your input and experiences. Their findings will be presented at the IGF and published shortly after.

The IGF Best Practice Forums intend to inform internet governance policy debates by drawing on the immense and diverse range of experience and expertise found in the global IGF community to create a resource of best practices and policy recommendations. For 2019 there are four Best Practice Forums: on Cybersecurity; on IoT, Big Data, and AI; on Gender and Access; and on Local Content.

The BPF Cybersecurity explores how international cybersecurity initiatives, such as the Paris Call for Trust and Cybersecurity in Cyberspace or the GCSC's Norm Package for Responsible Behaviour in Cyberspace, can be turned into actions that make a difference. The BPF identified a body of international cybersecurity agreements and is inviting their stakeholders, supporters and signatories to share experiences and thoughts on how to implement and operationalise the high-level principles, norms and policy approaches they support or signed up to. Details on the BPF and the Call for contributions are on the BPF Cybersecurity webpage.

The BPF Gender and Access is focusing on what happens once women and LGBTIQ people have some form of access to the internet: in particular, what opportunities and challenges they have to deal with if they want to participate meaningfully in the digital economy. The BPF put out a call for contributions, now closed, to help them identify the scope of these challenges and what interventions, including policy approaches, are needed to address them. Learn more on the BPF Gender and Access webpage.

The BPF IoT, Big Data, AI acknowledges the huge potential of the new technologies to address societal policy challenges when applied in concert in an internet context. The expectations are high, both in terms of new solutions and making existing solutions more efficient. The BPF is focussing on three clusters of policy questions pertaining to the application of IoT, Big Data, AI technologies to address societal challenges: enhancing trust in the applications, stimulating their use and uptake, and the collection and management of the data. The BPF is currently conducting a public survey; more details on the BPF and survey are on the BPF IoT, Big Data, AI webpage.

The BPF Local Content is exploring how the internet can be used to preserve local language and cultural heritage, particularly in current contexts where cultural and linguistic diversity, artifacts and histories are at risk as a result of political and social shifts and upheaval. The BPF will soon be putting out a call for contributions to help gather examples and best practices of how digital technologies and the internet can be used to promote, preserve and share local culture and content. The BPF would also like to identify best practices of how to manage and promote the digitisation of existing analogue content (printed and electronic media, cinema, etc.) and services. A call for contributions will be published on the BPF Local Content webpage in the next few weeks.

IGF Best Practice Forums are open to all interested. Consult their respective webpages for details on how to get involved or subscribe to their mailing list.

IGF website: www.intgovforum.org
IGF2019 host country website: www.igf2019.berlin

Written by Wim Degezelle, Independent Internet Policy Analyst and Consultant

What is a Security Mechanism?


Orin Kerr recently blogged about a 9th Circuit decision that held that scraping a public web site (probably) doesn't violate the Computer Fraud and Abuse Act (CFAA). Quoting the opinion (and I copied the quote from that blog post):

"For all these reasons, it appears that the CFAA's prohibition on accessing a computer "without authorization" is violated when a person circumvents a computer's generally applicable rules regarding access permissions, such as username and password requirements, to gain access to a computer. It is likely that when a computer network generally permits public access to its data, a user's accessing that publicly available data will not constitute access without authorization under the CFAA."

On its surface, it makes sense — you can't steal something that's public — but I think the simplicity of the rule is hiding some profound questions. One, I believe, can most easily be expressed as "what is the cost of the 'attack'"? That is, how much effort must someone expend to get the data? Does that matter? Should it?

Let's start with the court's example: it is hacking (more precisely, a CFAA violation) if someone bypasses a username and password requirement. But what is the role of the username and password? Is it intended as an actual barrier or as a sign saying "Authorized Personnel Only"? Does it matter if the site has trivial password limitations, e.g., two digits only?

More concretely, imagine a poorly coded website, where you're prompted for a login and password if you visit the home page, but not if you go directly to some internal page. (For the record, it's really easy for a neophyte to implement something this badly.) Is that a suitable barrier or warning? What if someone else links to an internal page (as I've done, above, to a blog post)? Is clicking on that link, and thus never even seeing the password prompt, a CFAA violation? It's hard to see how the answer could be "yes," but if you think that that example is too contrived, what about a misconfigured firewall that inadvertently permits access to the interior of a corporate net — is someone who stumbles on that access liable? That's a very subtle kind of error, and one that's easy to make.
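The poorly coded site described above, next to a deny-by-default version and a self-audit a site owner could run, as an added example that is not part of the original post. The paths, handlers and `Request` type are hypothetical.

```python
# Added illustration: a toy dispatcher, not code from the post.
# Paths, handlers and the Request type are hypothetical.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Response = Tuple[int, str]


@dataclass
class Request:
    path: str
    session_user: Optional[str] = None  # None means "not logged in"


LOGIN_REQUIRED: Response = (401, "login required")


def home(req: Request) -> Response:
    return (200, f"welcome, {req.session_user}")


def internal_report(req: Request) -> Response:
    return (200, "quarterly numbers")


def about(req: Request) -> Response:
    return (200, "about us")


ROUTES: Dict[str, Callable[[Request], Response]] = {
    "/": home,
    "/internal/report": internal_report,
    "/about": about,
}
# Pages the site owner intends anyone to see.
PUBLIC_PATHS = frozenset({"/about"})


def flawed_dispatch(req: Request) -> Response:
    """The design the paragraph describes: only the home page asks for a login."""
    if req.path == "/" and req.session_user is None:
        return LOGIN_REQUIRED
    handler = ROUTES.get(req.path)
    return handler(req) if handler else (404, "not found")


def hardened_dispatch(req: Request) -> Response:
    """Deny by default: every path needs a session unless explicitly public."""
    if req.path not in PUBLIC_PATHS and req.session_user is None:
        return LOGIN_REQUIRED
    handler = ROUTES.get(req.path)
    return handler(req) if handler else (404, "not found")


def unintended_exposure(dispatch: Callable[[Request], Response]) -> List[str]:
    """Self-audit: request every known route with no session and list the
    non-public ones that still answer 200."""
    return sorted(
        path for path in ROUTES
        if path not in PUBLIC_PATHS and dispatch(Request(path))[0] == 200
    )


if __name__ == "__main__":
    print("flawed  :", unintended_exposure(flawed_dispatch))
    print("hardened:", unintended_exposure(hardened_dispatch))
```

In the flawed version a visitor who follows a link straight to the internal page never encounters the login prompt at all, which is exactly the situation the paragraph asks about.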

There are, of course, other forms of access control. One of the simplest is address-based access control: only certain IP addresses may access a certain resource. It's long been known to be weak, but it's still used quite frequently, especially on Intranets. Is this a "generally applicable rule"? Is there a difference between an address rule that says "these three IP addresses may have access" and "anyone but these three may have access"? Mathematically, they're identical, and it's actually not harder to specify the latter than the former; one doesn't have to write 4,294,967,293 separate "allow" rules. Does it matter if a blocked party changes their IP address to evade the blockage? What if their ISP happens to change it, as some consumer ISPs do quite regularly?
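The two address rules from the paragraph above, written as first-match rule lists with a default, as an added example that is not part of the original post. It goes slightly beyond the text by handling rule order and overlapping prefixes; the class name is hypothetical and the addresses are constructed from the RFC 5737 documentation ranges.

```python
# Added illustration of address-based access control; not code from the post.
# Addresses are constructed from the RFC 5737 documentation ranges; IPv4 only.
import ipaddress
from typing import List, Tuple

IPV4_SPACE = 2 ** 32
ACTIONS = ("allow", "deny")


class AddressAcl:
    """Ordered (action, CIDR) rules; the first match wins, else the default."""

    def __init__(self, rules: List[Tuple[str, str]], default: str):
        if default not in ACTIONS or any(a not in ACTIONS for a, _ in rules):
            raise ValueError("actions must be 'allow' or 'deny'")
        self.rules = [(a, ipaddress.IPv4Network(c)) for a, c in rules]
        self.default = default

    def decide(self, addr: str) -> str:
        ip = ipaddress.IPv4Address(addr)
        for action, net in self.rules:
            if ip in net:
                return action
        return self.default

    def allowed_count(self) -> int:
        """Number of IPv4 addresses that end up allowed, honouring rule order."""
        seen = []                # networks claimed by earlier rules
        allowed = matched = 0
        for action, net in self.rules:
            earlier = list(ipaddress.collapse_addresses(seen))
            if any(net.subnet_of(e) for e in earlier):
                fresh = 0        # rule is fully shadowed and never fires
            else:
                # CIDR blocks nest or are disjoint, so subtract nested ones.
                fresh = net.num_addresses - sum(
                    e.num_addresses for e in earlier if e.subnet_of(net))
            matched += fresh
            if action == "allow":
                allowed += fresh
            seen.append(net)
        if self.default == "allow":
            allowed += IPV4_SPACE - matched
        return allowed


THREE = ["198.51.100.10/32", "198.51.100.11/32", "198.51.100.12/32"]

# "These three IP addresses may have access."
ALLOW_ONLY_THREE = AddressAcl([("allow", c) for c in THREE], default="deny")
# "Anyone but these three may have access."
ALLOW_ALL_BUT_THREE = AddressAcl([("deny", c) for c in THREE], default="allow")


def renumbering_outcome(acl: AddressAcl, old: str, new: str) -> Tuple[str, str]:
    """Decision for the same client before and after its address changes.
    The ACL sees only the address, not why it changed (VPN, Tor, ISP lease)."""
    return acl.decide(old), acl.decide(new)


if __name__ == "__main__":
    for name, acl in (("allow three", ALLOW_ONLY_THREE),
                      ("deny three", ALLOW_ALL_BUT_THREE)):
        print(name, len(acl.rules), "rules,", acl.allowed_count(), "allowed")
    print(renumbering_outcome(ALLOW_ALL_BUT_THREE,
                              "198.51.100.10", "203.0.113.77"))
```

Both policies take three rules; only the default differs, and the deny-list form admits the 4,294,967,293 addresses the paragraph mentions. A blocked client that reappears from a different address is allowed by the deny-list form whether or not the change was deliberate.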

I should note that one common use for such restrictions is geoblocking: excluding certain locations from access to content. This may be major league baseball videos (they're blacked out in areas where there is a local TV channel that carries those games), movies for which a site does not have a world-wide license, and even online gambling if it violates local laws (as in the US). If someone uses a VPN to evade such a restriction, is that a CFAA offense? What if they use Tor, not to evade the restriction but because they value their privacy and just happen to gain access?

There have also been systems that relied on, more or less, just a username or equivalent, and not a password. One of the best-known cases is that of Andrew "weev" Auernheimer; he and a colleague noticed that a database of AT&T customers could be accessed just by knowing the ICCID from an iPad's SIM. For that particular situation, it was possible to enumerate the namespace. Was that hacking? In a controversial move, the Justice Department prosecuted; his conviction was eventually overturned on rather legalistic grounds, and the underlying CFAA issue was never squarely addressed.

Does it matter how hard it is to enumerate the namespace? Suppose the account numbers were sequential, in which case, given a single number, it's trivial to find the others. What if the odds on a random number being valid were 1:1,000,000? 1:1,000,000,000,000? Does it matter? Should it?

What all of these scenarios have in common is that they reflect a different degree of effort to gain access to some resource. Sometimes, the effort necessary is known to or knowable by the defender; other times, it may not be. My questions, then, are these:

  • Does effort matter?
  • Should it?
  • How do we define effort? Does allowable effort change over time, as technology improves?

I don't know the answers to any of these questions, but I think that they're important. Some situations, e.g., intentionally working around a password requirement, are pretty clearly (all other things being equal, which they may not be; see Orin's blog post for that) on the wrong side of the law. An address block where an "access unauthorized" message is displayed may also be clear, which suggests that the real issue of access control is intent and warning. But even there, numerous subtleties are beyond the control of the defender.

Consider a situation where a firewall implements an address-based access control mechanism. Furthermore, the firewall is configured to return an ICMP Administratively Prohibited packet when it sees an unauthorized IP address attempting to connect. How will the requester's software display the error? Will it even know about the prohibition, as opposed to the simple fact that the destination isn't reachable? Does the exact language of the technical specification matter? It says:

A Destination Unreachable message that is received MUST be reported to the transport layer. The transport layer SHOULD use the information appropriately

In standards-speak, "SHOULD" is defined:

This word or the adjective "RECOMMENDED" means that there may exist valid reasons in particular circumstances to ignore this item, but the full implications should be understood and the case carefully weighed before choosing a different course.

In other words, perhaps some network implementor did not pass on the code, in which case the application couldn't know.
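How little of the firewall's signal can reach the application, as an added example that is not part of the original post: it parses a constructed ICMP Destination Unreachable message and reports both the code on the wire and the error a socket caller would receive. The errno table is an assumption about one stack (a subset of the mapping Linux uses); other implementations differ, and all addresses and ports are constructed samples.

```python
import errno
import socket
import struct

# Destination Unreachable (ICMP type 3) codes and the errno a socket reports.
# Assumption: subset of the Linux mapping; other stacks may differ.
UNREACH = {
    0: ("network unreachable", errno.ENETUNREACH),
    1: ("host unreachable", errno.EHOSTUNREACH),
    3: ("port unreachable", errno.ECONNREFUSED),
    9: ("network administratively prohibited", errno.ENETUNREACH),
    10: ("host administratively prohibited", errno.EHOSTUNREACH),
    13: ("communication administratively prohibited", errno.EHOSTUNREACH),
}


def inet_checksum(data: bytes) -> int:
    """Internet checksum: ones' complement of the ones' complement sum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_unreachable(code, src="192.0.2.10", dst="203.0.113.30", dport=443):
    """Constructed sample: the ICMP error sent back for a blocked TCP SYN."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64,
                     socket.IPPROTO_TCP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    tcp_head = struct.pack("!HHI", 49152, dport, 0x01020304)
    body = ip + tcp_head  # original IP header + first 8 bytes of the datagram
    draft = struct.pack("!BBHI", 3, code, 0, 0) + body
    return struct.pack("!BBHI", 3, code, inet_checksum(draft), 0) + body


def app_view(msg: bytes) -> dict:
    """Parse a Destination Unreachable message; show wire code vs. errno."""
    if len(msg) < 8 + 20 + 8:
        raise ValueError("truncated ICMP error")
    if inet_checksum(msg) != 0:
        raise ValueError("bad ICMP checksum")
    if msg[0] != 3:
        raise ValueError("not a Destination Unreachable message")
    code = msg[1]
    inner = msg[8:]
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl + 8:
        raise ValueError("malformed embedded IPv4 header")
    proto = inner[9]
    dport = None
    if proto in (socket.IPPROTO_TCP, socket.IPPROTO_UDP):
        _sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    meaning, err = UNREACH.get(code, ("code not in this table", None))
    return {
        "code": code,
        "wire_meaning": meaning,
        "errno": errno.errorcode[err] if err is not None else None,
        "orig_dst": socket.inet_ntoa(inner[16:20]),
        "orig_dport": dport,
    }


if __name__ == "__main__":
    for c in (1, 13):
        print(app_view(build_unreachable(c)))
```

Codes 1 and 13 differ on the wire but arrive at the application as the same error, so a program that only sees the errno cannot tell "prohibited" from "unreachable".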

We seem, then, to be stuck. The court's decision seems to imply the warning aspect is crucial but sites can't always warn people. And why is a password more of a warning than an explicit communication, as was, in fact, the case here?

Written by Steven Bellovin, Professor of Computer Science at Columbia University

Internet Consolidation at EuroDIG 2019: Questions in Need of Answers


On behalf of SIDN I was the focal point and moderator of the workshop on internet consolidation at EuroDIG in The Hague, June 2019. The following is the official report of the workshop I wrote and published on the EuroDIG wikipage. It is followed by the questions that remained open and identified potential next steps forward.

The fact that this workshop was able to tie into a previous workshop on internet consolidation at the IGF in Paris, November 2018, provided focus and allowed for considerable steps to be made in The Hague. Here is the report.

* * *

At EuroDIG 2019 a workshop was organised around the topic of consolidation on the Internet. It was organised around four angles: technique, competition, society and human rights, and future research. One thing became extremely clear: no one contested that consolidation is taking place nor that this already has and will have an impact on the Internet and consequently on society. There also was consensus that this topic is not going away, that addressing it is urgent and more study/research and interaction between stakeholders is necessary. If anything, the workshop led to more questions being asked than answers given, which is telling in itself.

What is consolidation?

Consolidation, in this specific context, is the process by which internet activities and businesses get increasingly integrated, both vertically and horizontally or more simply put: where many of the same suddenly become fewer of the same. Another term often heard in this context is centralisation. This term is used when users have to go through one central point, e.g., to use a specific service or access a specific database. The two terms are not interchangeable.

A study by the Internet Society shows that consolidation takes place at different levels of the Internet. Applications, access provision, service infrastructure are mentioned, but beyond that, deep dependencies are created e.g., through total service environments.

Potential consequences of consolidation

In the Internet governance sphere, the topic of consolidation was raised by the Internet Engineering Task Force (IETF). It flagged the topic as important, something other stakeholders needed to learn more about. Jari Arkko presented on the topic at an IGF workshop in Paris, November 2018. The outcome led to a follow-up workshop at EuroDIG dedicated fully to the topic.

In short, it was explained, the Internet works because all involved, "the many to many," follow universal, mandatory and voluntary open-source rules and procedures, so-called internet standards. Now that the many become fewer and fewer, it changes the Internet and internet governance procedures. When one or a few organisations control large parts of the Internet, they also come to control access to the Internet, to data, determine success or failure of innovative products, privacy, free speech, etc. This leads to important questions societies need to address. Many of these major questions were asked during the workshop, fundamental questions that in part go right into the sort of society we all want to live in.

Already there are companies at the service level, in online retail, social media, search engines, DNS queries, etc. so big that they hold large percentages of the market and dominate at a regional and even global level. This comes with large economic power, political influence, the (potential) stifling or co-opting of innovation, etc. Competition rules are looked at to establish fair play and a level playing field, but do they?

Although there was no explicit consensus in the room, looking at the discussion with a helicopter view shows that the process of consolidation leads to feelings of discomfort and unease from all sides. Whether people have a background in business, human rights, access to data and services, etc., they all have questions in need of an answer towards both actions in the present and the outcome in the future. Academia aside, they all look to others, e.g. governments, competition authorities and policymakers for action and to provide answers.

Potential next steps

Competition law

An important remark at the session was the following: We already have competition laws, so why would we need new ones? There was no direct answer to this question, yet it is important to follow up on. It was pointed out e.g., that there is a need to look at companies and their strategies in different ways. Market power could also be measured in (the availability of) access to data and not just in traditional market shares or by looking differently at overall strategies of companies in the case of mergers or acquisitions. There is a need for debate whether current, mostly national competition law is sufficient within a global, internet environment.

Many in the room were alerted to the fact that the Dutch competition authority (ACM) had concluded a study into market power of Apple's app store and concluded that a formal investigation was called for.

Technical solutions

From the technical community came the question: "What do you want us to do?" Several possible future technical measures and solutions were suggested, e.g., to create better functioning interfaces that allow access to systems or opening up social media systems. There came no concrete answer from the non-technical community, except the conclusion that consolidation is a non-technical topic. The people responding stated that consolidation is an economic/competition law issue, so regulatory. There seems to remain one obvious role for technicians: flagging and explaining, but let's not conclude yet whether there is no role, as the technical community sees a potential role for itself, e.g. assisting smaller companies in collaborating in a better way. The value of these measures has to become clear.

Net neutrality

Another point made in this context was the need for net neutrality as this creates a situation of equal access for all. Another topic for future debate was identified.

Interaction between stakeholders

Overall there was one major development compared to Paris in November 2018. It became clear that there's a need to get to know each other, as some stakeholders were not familiar with each other, let alone with the work going on within their respective silos. If anything, this was the step forward set between the session in Paris and the work leading up to the workshop in The Hague. The sharing of knowledge could lead to new actions within respective silos, whether by taking measures at the technical level, as information that authorities need to build cases on or as suggestions for using current policies or to create new ones. It was suggested to look into these options.

The good, the bad and the absent

Many people raised concerns, yet it proved hard to provide concrete, negative examples coming out of consolidation. "I cannot run my own private mail server anymore," was the most concrete one. A conclusion that can be drawn is that it seems that at this point in time those actively involved have grave concerns because market power has come to rest in too few hands. A situation that may come with potential negative effects (soon). Attention was drawn to the fact that not all stakeholders seem aware of the current developments and what they (may come to) mean to their respective positions and interests. On the other hand, ISOC's study shows the advantages of consolidation in e.g., cloud services and the global reach they provide even the smallest companies, although they come or may come soon with a vendor lock-in, as it becomes impossible to switch to another provider (with ease).

So what are the next steps? The workshop made clear that doors to other silos need to be opened. Knowledge needs to be exchanged, and organisations can assist each other in developing answers to questions that are in need of an answer. Coordination between different stakeholders could be set up, and there is a strong need to provide convincing examples of whether consolidation is a good and/or bad development. Finally, missing stakeholders need to be actively invited to these meetings.

Conclusion

This workshop contributed in a meaningful way to the debate on consolidation. It provided enlightenment to those involved, despite the fact that many questions remained in place. Fact is, many were raised for the first time with other stakeholders present. Questions that are in need of an answer that will take multiple stakeholders participating in the formulation of those answers. This starts with sharing experience and knowledge among each other. Conditions were created at EuroDIG in The Hague to do so.

Wout de Natris
Workshop focal point consolidation on behalf of SIDN
De Natris Consult

* * *

Questions in need of answers
For now, the following questions and action points were identified.

  • A need to identify and understand the working of each layer of the Internet within this context
  • A need to identify and understand the current situation in each layer of the Internet
  • Establish the link between consolidation and net neutrality
  • Does net neutrality also need to take into account free speech and innovation?
  • Identify how each stakeholder community can contribute to answering identified questions
  • Identify current and potential actions within and among stakeholder communities
  • Establish how contributions from other stakeholders can assist (the actions of) others
  • Do "classic" competition laws work for the Internet or is this a truly new environment?
  • "The people" do not seem to worry. Should they? and if so, how do we tell them?
  • What can (the strategy behind) mergers and acquisitions tell us about consolidation?
  • Is there a need for standardisation in regulatory reporting to truly make comparisons or conclusions at the global level?
  • Are security threats limited or rising because of consolidation?
  • In what way can enabling smaller players from a technical point of view become an alternative to consolidation?
  • How can consolidation be measured and quantified?

* * *

A word of gratitude – This workshop was made possible through the support of SIDN but would not have had this impact without the valuable input of Carl Gahnberg, Cristian Hesselman, David Korteweg, Jari Arkko, Marie-Noémie Marquez, Zoey Tung Barthelemy and all who contributed actively in the workshop itself or shared ideas in the preparatory process. The EuroDIG secretariat's Rainer Rodewald facilitated the whole process in a professional and extremely kind way.

Written by Wout de Natris, Consultant international cooperation cyber crime + trainer spam enforcement

US Court Upholds FCC's Net Neutrality Repeal But Says States Can't Be Barred from Passing Own Rules


A U.S. court decision today determined net neutrality laws could return at the state level, overruling the Trump administration's effort to block states from passing their own net neutrality laws. The court, however, upheld the 2017 repeal of net neutrality laws. David Shepardson reporting in Reuters: "The U.S. Court of Appeals for the District of Columbia said the Federal Communications Commission erred when it declared that states cannot pass their own net neutrality laws and ordered the agency to review some key aspects of its 2017 repeal of rules set by the Obama administration. But it left open the possibility the FCC could seek to block state efforts on a case-by-case basis. The court also found that the FCC acted properly when it overturned a 2015 decision..."

Dead Ends: The Achievement of Consensus in UDRP Jurisprudence


Like the Internet Corporation for Assigned Names and Numbers (ICANN), the Uniform Domain Name Dispute Resolution Policy (UDRP) is consensus-driven; from the bottom up, not the top down. The result is a jurisprudence of domain names that develops in common-law fashion through Panel decisions that over time and through "deliberative conversations" among panelists resolve into consensus. We get some insight into how this consensus comes in a recent case, Dover Downs Gaming & Entertainment, Inc. v. Domains By Proxy, LLC / Harold Carter Jr, Purlin Pal LLC, D2019-0633 (WIPO May 22, 2019) (<doverdownsnews.com>), which I'll talk about further below.

Readers who keep abreast of UDRP decisions know there are daily lists. Panelists are constantly honing their constructions of the minimalist provisions of the UDRP, both applying and testing its core principles, clarifying concepts, offering new formulations in their attempt to get it right, and sometimes proposing new or modifying principles that have been agreed upon or rejected by consensus. There is one other player in this process that influences panelists by reinforcing the consensus once it has plainly been achieved, and that is the World Intellectual Property Association (WIPO) as publisher of Overviews of WIPO Panel Views on Selected UDRP Questions: Original edition (2005), 2nd Edition, 2.0 (2011), and 3rd Edition (2017) ("Jurisprudential Overview"). The Overviews (independently edited by panelists) record the evolution of the jurisprudence over time.

The "dead ends," which are the subject of this essay, are principles and proposed standards that appear insightful when formulated but are seen by their fellow panelists as misguided. A jurisprudence that develops without the benefit of appellate review (as is the case with the UDRP) is bound to produce constructions that are distributed on either side of what panelists as a whole regard as the correct rails. It is clear in reading Dover Downs Gaming & Entertainment, Inc. v. Domains By Proxy, LLC / Harold Carter Jr, Purlin Pal LLC, D2019-0633 (WIPO May 22, 2019) (<doverdownsnews.com>) that panelists make known their thinking about revolutionary proposals both informally (behind the scenes) and in their published decisions, although the consensus may take years to unfold. The great value of Dover Downs is that it opens up an insider's view of the internal mechanism or process that over time creates consensus. The dead-end principle highlighted in that decision involved the free speech defense. It was formulated in 2007 and finally declared dead in 2017 with the publication of a "new consensus" reported in WIPO Overview 3.0.

There is no ignominy in formulating or proposing modifications to establish principles or propose new standards even though on reflection by a panelist's peers they prove not right for the jurisprudence; that's how law progresses: some ideas thrive, and others fail. It is particularly impressive when one of the outstanding UDRP panelists addresses a formulation of his own that met the dead-end fate and the manner in which he dispassionately dissects the underlying reason for his proposing then abandoning it. I will return to Dover Downs after a quick review of some minor and one other major dead end.

The consensus view is that the "sole lodestar for a Panel must be the Policy… WIPO decisions have steadfastly maintained that the laws of any particular country do not apply to the dispute," Edmunds.com, Inc. v. Ult. Search Inc., D2001-1319 (WIPO February 1, 2002); and in another case the Panel stated that UDRP "operates within its own unique context," Diet Center Worldwide, Inc. v. Jason Akatiff, D2012-1609 (WIPO October 5, 2012). That "unique context," which has several layers of meaning, is driven by the panelists themselves who corporately create consensus, which is then further reinforced through the WIPO Overviews.

Minor examples of dead ends include: 1) granting Complainant's request for transfer of a dictionary word trademark ("Crew") on the theory that Respondent was "a speculator who registers domain names in the hopes that others will seek to buy or license the domain names from it"; 2) suggesting that the proper standard for deciding bad faith should be clear and convincing rather than a preponderance of the evidence; 3) arguing that a complaint is premature if the domain name is passively held; and 4) that using a service "gives rise to a rebuttable presumption of bad faith registration and use." In all four of these, the proposed principles or standards were either ignored or received negative reviews from other panelists and died on the vine.

The first major idea to fail was offered by the Panel who decided the first UDRP case (2000), although in that case, World Wrestling Federation Entertainment, Inc. v. Michael Bosman, D1999-0001 (WIPO January 31, 2000) his constructions were among those that have become the core principles of the UDRP. He offered his new construction on the same issue of conjunctive bad faith in dissent in 2009 and then successfully applied it as sole Panel in Octogen Pharmacal Company, Inc. v. Domains By Proxy, Inc. / Rich Sanders and Octogen e-Solutions, D2009-0786 (WIPO August 19, 2009):

[After] a careful reading of the language of the Policy, the Panel is convinced that both the Telstra [Corporation Limited v. Nuclear Marshmallows, D2000-0003 (WIPO February 18, 2000)] approach [passive use of domain names] and the language of the Policy itself [Paragraph 2, Representations] provide a basis for panels to broaden their position on this issue [of bad faith registration]

This insight led him ineluctably to conclude that under some circumstances involving use of the domain name "registration of the domain name could be said to be retroactively in bad faith" (emphasis added). In other words, even if the domain name was registered in good faith, bad faith could still be found if justified by the bad faith.

The Octogen construction was "not universally accepted," and ultimately it was abandoned as a dead end. In a 2013 decision, the Panel acknowledged as much, Guru Denim Inc. v. Ibrahim Ali Ibrahim abu-Harb, D2013-1324 (WIPO September 27, 2013). There is a passing notice of the construction's demise in WIPO Overview 3.0, NB following paragraph 3.2.1, although while it was being actively argued through many decisions it did lead another Panel to formulate a theory of cybersquatting based on renewal of registration with knowledge of a complainant's right that also came to a dead-end, Eastman Sporto Group LLC v. Jim and Kenny, D2009-1688 (WIPO March 1, 2010).

The proposed principle at the center of Dover Downs was first presented in an exceedingly diplomatic dissent in Richard Starkey v. Mr. Bradley, FA0612000874575 (Forum February 12, 2007) (<ringostarr.mobi>). The Panel (the same as in Dover Downs) reasoned that the complaint should have been denied even though the parties were UK based because the choice of mutual jurisdiction was U.S., and for efficiency UDRP decisions should conform to

"the likely outcome if domain name disputes were to proceed to litigation [in the U.S.], [which would help] panels . . . ensure consistent application of the law and can help discourage unnecessary litigation, thus advancing the goals of expedience and efficiency that underlie the Policy."

The Panel followed Starkey with two more decisions (this time as sole Panel) in Xtraplus Corporation v. Flawless Computers, D2007-0070 (WIPO March 9, 2007) (<zipzoomflysucks.com>) and in Sermo, Inc. v. CatalystMD, LLC, D2008-0647 (WIPO July 2, 2008). He justified his analysis on the grounds of efficiency:

The benefits of this approach are many. Although consistency may remain an elusive goal, this approach would help promote predictability in the UDRP system in that parties would know in advance which national laws (and, with respect to the specific question here, which "view" of the Decision Overview) would most likely apply.... [I]t would help support the UDRP itself by helping to ensure that the UDRP is seen as a fair, consistent, and predictable legal system, instead of an unfair, inefficient system that results in random decisions (based on the identity of the panelist) or erroneous decisions that are disregarded and voided by courts in those cases in which paragraph 4(k) has been invoked.

Other panelists did not see any "benefits of this approach." For them, the proposal strayed from the "sole lodestar" concept, resulting in unacceptable inconsistency that had the potential of "fragment[ing] [the UDRP] into a series of different systems." In particular, they found the Sermo formulation unnecessary and were "skeptical that either the analysis or the solution offered in Sermo to the local law problem is wholly convincing."

By 2005, the date of publication of Overview 1.0, there had already developed a split over the free speech defense: was it to be applied to the domain name or to the content of the resolving website? The split (essentially two ways of addressing the issue) is reported in Overviews 1.0 and 2.0 under the heading "Can a criticism site generate rights or legitimate interests in the disputed domain name?" WIPO 1.0 and 2.0 split the answer to this question into two views:

View 1 (1.0): The right to criticize does not extend to registering a domain name that is identical or confusingly similar to the owner's registered trademark or conveys an association with the mark. (Overview 2.0 adds clarifying language — "does not necessarily extend" for example (emphasis added)--which has found its way into Overview 3.0, discussed further below.)

View 2: Irrespective of whether the domain name as such connotes criticism, the respondent has a legitimate interest in using the trademark as part of the domain name of a criticism site if the use is fair and non-commercial.

View 1 panelists — the "Domain Name itself is misleading" approach — believe that application of the defense is contingent on the composition of the domain name. View 2 panelists — a "complaints site" approach — focus on the content of the website without regard to the composition of the domain name. These formulations have now been replaced by a newly stated consensus, neither one nor the other but more of View 1 than View 2. WIPO Overview 3.0, Paragraph 2.6 states "UDRP jurisprudence recognizes that the use of a domain name for fair use such as non-commercial free speech, would in principle support a respondent's claim to a legitimate interest under the Policy [it is not automatic]." But, there is a "but." The consensus continues:

2.6.1 To support fair use under UDRP paragraph 4(c)(iii), the respondent's criticism must be genuine and non-commercial; in a number of UDRP decisions where a respondent argues that its domain name is being used for free speech purposes the panel has found this to be primarily a pretext for cybersquatting, commercial activity, or tarnishment.

This returns us to the more recent dead-end construction which is at the center of the decision in Dover Downs. Had the Sermo formulation been adopted as a consensus view it would have had the effect of subordinating UDRP jurisprudence to local law, precisely what other panelists were unwilling to accept. They saw it as hostile to prior established consensus, which of course it was. While the Panel continued defending the "benefits of this approach" in Dover Downs he nevertheless bows to fellow panelists in accepting their verdict:

this Panel strongly believes that it is ... important for the UDRP to articulate a consistent view rather than to allow the schism between these views to fester.

The reason for this is that a

consistent approach provides a more reliable system of law where the parties can anticipate a result under the UDRP that will not depend on the panel assigned.

In taking this position, the Dover Downs Panel has come around to recognizing that certain constructions (his included) are damaging to the UDRP if allowed (in his words) "to fester." For that reason, "this Panel supports the position expressed in the WIPO Overview 3.0, which reflects the consensus that has coalesced around a compromise position." The compromise position is set out in Paragraph 2.6 and subparts. In essence, the test is whether the use creates an "impermissible risk of user confusion through impersonation" (2.6.2).

While the Starkey/Sermo approach appeared logical, it concealed a bias ultimately unacceptable to "many stakeholders, notably including the majority of panels to consider this issue." I find this last statement of particular interest because it reveals the source of pressures that drive consensus. (No different, I might add, from the pressures in ICANN working groups). In reflecting on these oppositions and the downside of the local law/conflict of laws approach, the Starkey/Xtraplus/ Sermo Panel concludes "it is equally important for the UDRP to articulate a consistent view rather than to allow the schism between these views to fester… [and therefore] supports the position expressed in the WIPO Overview 3.0, which reflects the consensus that has coalesced around a compromise position."

Panels have noticeably begun employing the "impersonation" analysis to find abusive registration. There is, though, a casualty, namely that respondents have lost a valuable evidentiary advantage of having the benefit of the doubt; now if there is any doubt it will favor complainants, particularly against defaulting respondents (this may be true, incidentally, not only of free speech disputes). It is also a full circle back to UDRP as the Panels' "sole lodestar" in determining the issue of rights.

Written by Gerald M. Levine, Intellectual Property, Arbitrator/Mediator at Levine Samuel LLP


China to Require Face Scan for Internet Access and New Phone Numbers Starting December


Chinese citizens will be required to let telecommunications carriers scan their faces in order to sign up for internet access or to get a new phone number. The new rule, which is planned to take effect starting December of this year, was announced by China's Ministry of Industry and Information Technology (MIIT) on September 27. Victoria Song reporting in Gizmodo writes: "On top of requiring carriers to use facial recognition to see whether an applicant matches their ID, people will no longer be able to transfer SIM cards to others. ... MIIT [also] wants carriers to verify whether mobile or landline phones are correctly registered under real names, and terminate those that aren't."

Domain Enforcement in a Post-GDPR World


The implementation of the General Data Protection Regulation (GDPR), and ICANN's conservative temporary policy, which favors privacy and limits registrar liability, have made domain enforcement against cybersquatters, cyber criminals and infringement more difficult, expensive and slow.

With heightened concerns over privacy following high-profile breaches of consumer data and its subsequent illicit use and distribution, there is no question that consumer data protection practices would come under scrutiny. GDPR is an attempt to address consumer privacy, and ICANN's temporary specification, which implements GDPR, allows wholesale redaction of registrant contact data for both consumers and those with malicious intent. The unintended result of ICANN's action is that, in most cases, little more than the registrant's country and state or province is now available in WHOIS records.

This has made it easier for individuals and/or entities with less than honorable intentions to operate anonymously. Fulfillment of requests from law enforcement, investigators, and intellectual property rights holders with a legitimate need for registrant contact data has been vastly reduced, and in many cases, has resulted in the doors being left wide open for the rampant abuse of domain registration.

Although this landscape might appear bleak at first glance, there are options for intellectual property holders and their legal teams to employ in a post-GDPR domain naming system (DNS). The redaction of the WHOIS records, while frustrating, doesn't necessarily mean effective brand protection in the DNS is out of reach.

Since the implementation of GDPR, by working with registrars and making requests for our clients, we've developed best practices on how to format, transmit, and justify registrant contact requests. We've discovered that there is a tremendous variety in how each request must be constructed. Each registrar has specific steps, leading to a diverse set of requirements that varies from registrar to registrar and in some cases, situation to situation. And, there are varied results depending upon the registrar and circumstances of the request.

As a result of this work, we've developed a set of notices that have assisted our clients in obtaining speedier and more efficient resolution of domain infringement issues. Brandholders can adapt and modify these notices to fit their strategies and goals.

Brands and their customers suffer the effects of fraud and the betrayal of trust when bad actors are allowed to operate with impunity online. To help combat abuses and make digital channels safer for everyone, we've decided to make those notices and observations about their application available to brandholders and their legal teams with an accompanying guide to domain enforcement post-GDPR.

Written by Frederick Felman, Chief Marketing Officer at AppDetex

Lessons From an E-Voting Debacle


Or why you want to stay with paper ballots

There has been a significant focus over the past two years on the vulnerability and cyber threat risks faced by voting systems at the local level. That focus has typically been on State and local jurisdictions like cities, counties and towns, and resulted in the creation of the DHS Elections Infrastructure Information Sharing and Analysis Center (ISAC) to assist. However, there are other local governance entities at significant risk as well.

Home and condo owner associations (HOAs) abound in many countries as a means of local community governance. They also hold elections for their Boards of Directors and amend their legal instruments. In the past few years, e-Voting has been hyped to these associations as a kind of snake oil. While online polling may be useful for gauging sentiments on issues, it can go horribly wrong when used for key governance activities. The following is an actual recent case study of what, by any measure, was an e-Voting debacle.

A Northern Virginia homeowners association thought it would attempt e-Voting for an election of Directors and amending covenants. During the process of notifying homeowners and balloting, one homeowner who happened to be a cybersecurity expert thought something was wrong with what he was seeing and took screenshots. The simple ten-digit number for verifying identity seemed insufficient, and the embedded links to other sites inexplicable. What he subsequently discovered revealed the profound challenges faced by these associations. Tracing the information brought back memories of Cliff Stoll's Cuckoo's Egg tracking.

It turned out the e-voting provider was actually a one-person Oregon company that had been administratively dissolved for several months; that its headquarters was a small local law office, and the mailing address was a strip mall UPS mailbox. Technically, the service was being run on a server in a small Salt Lake City office, and the purported online security was a free 3-month quickie digital certificate that involved no identity checking. The balloting process also involved a "registration" screen to capture homeowner information with a link to a Florida LLC also run out of a UPS mailbox on a local server. Although the Oregon provider's online brochure suggested it had many satisfied customers, the server in Utah revealed only one other HOA customer in Texas.

When the cybersecurity expert (who also happened to be a lawyer) examined the HOA Board minutes to see how the arrangement was approved, the record revealed a sole source award based on a recommendation of the association's management contractor, and that it was one-tenth the amount normally charged. No one apparently checked the Oregon State records, which showed the e-Voting company was dissolved by the State Corporations Office, which was a common occurrence in the provider's corporate record. It turns out that the e-Voting awardee also was a sponsor at the association management contractor's tradeshow.

When the e-Voting agreement was obtained, what was found was equally disturbing. It was a one-sided, unconscionable license agreement where the association conveyed homeowner records to the provider to harvest and use for other purposes. Not only was no security provided, but the association was required to indemnify the e-vote provider against almost every possible harm! The really ludicrous provision was an attached "privacy policy" that cited at the outset that its website "follows principles set out in" an official-looking document. The citation was actually a 1980 report from the Paris-based OECD organization dealing with the politics of the time - U.S. based data processing companies - and ten years before web technology was even developed.

After all this became known, the association quickly switched back to paper ballots for its election, although the adoption of its covenant amendments remains open to challenge. However, it has no real ability to recover the homeowner records and additional information collected through the e-Voting provider's registration process.

There are important lessons here. The bottom line is that paper ballots sent by postal mail retain many critically necessary features like integrity, auditing, ease of use, and compliance with multiple applicable legal requirements. Paper ballots also automatically resolve issues like who has the authority to vote when several parties own the property. The Americans with Disabilities Act requirements are especially important for senior communities, and paper ballots are generally sufficient.

Conversely, homeowner and condo associations have no real cyber defense capabilities. Nor do these entities have the ability to assess and evaluate the completely unregulated gaggle of providers of e-Voting services that abound across the Internet or their proffered licensing arrangements and privacy policies. Indeed, these providers could exist anywhere today.

The problems here are local, interstate, and international in scope, and action going forward is urgently needed. Local Property Owner Associations plainly should not be using e-Voting for significant governance requirements that require any legal sufficiency, as neither the associations nor their management contractors have essential legal and cybersecurity technical skill sets. The risks of e-Voting far exceed benefits that are basically vacuous.

State legislatures need to adapt their laws either to exclude e-Voting for local governance actions or, if it is allowed, to permit only companies subject to regulatory mandates that include compliance with essential standards, certification, and continuous monitoring. Federal and State agencies responsible for elections security and consumer protection, such as the Department of Homeland Security (DHS) and the Federal Trade Commission (FTC) at the national level, need to devote resources and impose e-Voting provider requirements.

Written by Anthony Rutkowski, Principal, Netmagic Associates LLC

Challenging Domain Names for Abusive Registration: UDRP and ACPA


There are predatory domain name registrants, and there are registrants engaged in the legitimate business of acquiring, monetizing and reselling domain names. That there are more of the first than the second is evident from proceedings under the Uniform Domain Name Dispute Resolution Policy (UDRP). "Given the human capacity for mischief in all its forms, the Policy sensibly takes an open-ended approach to bad faith, listing some examples without attempting to enumerate all its varieties exhaustively." Worldcom Exchange, Inc v. Wei.com, Inc., D2004-0955 (WIPO January 5, 2005). But it is also evident that the Policy is even-handed, and that some of the "mischief" comes from mark owners. Metamark (UK) Limited v. Andrew Longton / Metamark Corporation, FA1909001864151 (Forum September 30, 2019) (METAGLIDE and <metamark.com> in which the Complainant not only failed to prove the domain name was identical or confusingly similar to its mark, but the domain name was registered 20 years before the mark came into existence).

The question to be answered in UDRP proceedings, and no less so in actions under the Anticybersquatting Consumer Protection Act (ACPA), is whether a challenged registrant knowingly registered a domain name corresponding to a mark with the unlawful purpose of taking advantage of its goodwill and reputation. Mark owners may be irked that certain words and combinations are already registered, but they forget there are competing interests in the cyber marketplace, and getting there first is a time-honored practice. It is not unlawful to have registered (before the existence of a mark) or to register domain names (after it) identical or confusingly similar to marks if there is neither intention to target nor knowledge of the mark. Sarah Lonsdale & Stuart Clark t/a RocknCrystals v. Domain Admin / This Domain is For Sale, HugeDomains.com, D2019-1584 (WIPO September 6, 2019) (<rockncrystals.com>).

The UDRP jurisprudence that has developed over the past twenty years confirms three points: a) that a mark owner's exclusive rights are no greater than the law allows, b) that the facts will be weighed (as one would expect in an adjudicative proceeding) to determine the lawfulness of domain name registrations, and c) that the law is no less protective of Respondent than it is of Complainant. In FPK Services LLC DBA HealthLabs.com v. Contact Privacy Inc. Customer 1241257718 / Michael Gillam, D2019-1483 (WIPO October 10, 2019) Complainant's mark predated <healthlab.com>, but "there is nothing in the record to indicate that Respondent was aware of Complainant or its alleged mark at the time the Domain Name was acquired in 2017." One of the factors Panels take into account is the strength or weakness of the mark; as the Panel points out, descriptive marks are not inherently distinctive absent proof of secondary meaning.

Both the UDRP and the ACPA are crafted to combat cybersquatting and to some extent, have overlapping jurisdictions, although there are good reasons for filing a claim in federal court for the opportunity of pleading in the alternative for trademark infringement. The UDRP is not a trademark court, and for cybersquatting, it should not be assumed that the outcomes will be the same in both fora. A Panel's judgment applying UDRP law may be different from a Judge's under the ACPA.

Take, for example, a claim mislabeled as cybersquatting, which is more likely actionable (if actionable at all) for trademark infringement. That which is outside the scope of the UDRP can be within the scope of the ACPA, or if not that, of the Lanham Act § 43(a). The Panel in Ascension Health Alliance v. Prateek Sinha, Ascension Healthcare Inc., D2018-2775 (WIPO January 25, 2019) (<ascensionhealthcare.com>) suggests the claim is in the wrong forum: "[a]lthough Complainant may have the starting ingredients of an ordinary, trademark infringement case against Respondent, the Complainant has not demonstrated to the satisfaction of the Panel that Respondent is not making a bona fide offering of services." See also Trivago N.V. v. Adam Smith, D2019-1957 (WIPO October 20, 2019) (TRIVAGO and <traveltrow.com>: "Complainant [may very well have] a valid trademark infringement or unfair competition cause of action against Respondent in a court of law.")

The reason for different results begins with different evidentiary requirements. Under the UDRP, a trademark complainant prevails only on proof of bad faith registration and bad faith use; bad faith use alone is insufficient (the conjunctive model). In contrast, the ACPA is satisfied on either/or proof: bad faith registration or bad faith use or trafficking in bad faith (the disjunctive model), with the result that mark owners can lose in the UDRP and prevail in the ACPA. Two cases illustrating this point are Newport News Holdings Corporation v. Virtual City Vision, Incorporated, d/b/a Van James Bond Tran, 650 F3d 423 (4th Cir. 2011) for <newportnews.com>; and Bulbs 4 E. Side, Inc. v. Ricks, 199 F.Supp.3d 1151 (S.D. Tex., Houston Div. August 10, 2016) for <justbulbs.com>.

In the earlier UDRP Newport News proceeding, the Respondent had successfully argued it had rights or legitimate interests because it was using the domain name in good faith to "disseminate city information in an effort to increase tourism and other visitor traffic to the city"; but years after the UDRP, the defendant changed its use to compete with Plaintiff. It would not have been actionable in a new UDRP but became actionable under the ACPA. The "just bulbs" Plaintiff was unsuccessful in two UDRP complaints before it prevailed on summary judgment on the ACPA claim; its trademark infringement motion was denied on a finding of genuine issues of material fact.

There is also another related difference in the jurisprudence applied in UDRP proceedings and court actions. Under the UDRP, a renewal of registration of a domain name arguably used in bad faith but registered in good faith is not actionable, while under the ACPA and the Lanham Act, it is. Under the UDRP, renewal is simply regarded as a continuation of the registrant's holding, not a new registration. (Bad faith is measured from the registration of the domain name by the challenged registrant.) In Tergus Pharma, LLC v. Domain Administrator, DomainMarket.com, D2019-1787 (WIPO September 24, 2019) (<tergus.com>) the Panel noted that

the clear consensus view of WIPO UDRP panels is that the mere renewal of the domain name registration is not the relevant point in time to assess if there was bad faith in the "registration" of the domain name for purposes of the Policy, paragraph 4(a)(iii).

This is so, even though the Respondent appears subsequently to be using the domain name in bad faith: "[F]or whatever reasons, [Respondent] mentions the Complainant on the web page advertising the Domain Name on the [its] website. Far from enhancing the value of the Domain Name, this may serve to warn a prudent bidder that it could be buying a lawsuit or a UDRP action." The UDRP consensus is described in WIPO Overview 3.0 at section 3.9.

Contrast, for renewal as bad faith, an ACPA decision (a direct action in federal court), Jysk Bed'N Linen v. Dutta-Roy, 810 F.3d 767, 777 (2015), in which the court noted that "[i]n a sense, the cybersquatter muddies the clear pool of the trademark owner's goodwill and then profits off the resulting murkiness." Re-registration with knowledge of the trademark is a key factor in determining bad faith in this particular case.

[w]hen Dutta-Roy re-registered bydesignfurniture.com under his own name rather than Jysk's, he was expressing his intent or ability to infringe on Jysk's trademark. He admitted that he never had used the domain names in the bona fide offering of any goods or services. His demand for money can be looked at in two ways, and they are two sides of the same coin. First, the amount of money demanded could show how much he believes the domain name smudges the goodwill of the trademark — that is, how much money Jysk would lose out on if Dutta-Roy were to use the domain names to misdirect Jysk's customers. Second, the amount of money demanded could show how much value he believes Jysk puts on the domain names. In either case, bad-faith intent abounds.

And concluded:

It would be nonsensical to exempt the bad-faith re-registration of a domain name simply because the bad-faith behavior occurred during a noninitial registration, thereby allowing the exact behavior that Congress sought to prevent.

There can be no safe harbor for a domain name holder, 15 U.S.C. § 1125(d)(1)(B)(ii), where it has no legal basis for re-registering the domain name.

The benefit of filing a complaint in federal court is that plaintiffs are not confined to cyber-piracy claims; they can plead in the alternative for relief under the Lanham Act, § 43(a). As noted in the Ascension Health Alliance and Trivago cases, it is not as though Complainants are entirely wrong in challenging unlawfully registered domain names, but their remedy may lie in federal court under the Lanham Act as a backup to their cyber-piracy claims.

This brings us to a more recent federal case that illustrates the benefit. In ZP No. 314 v. ILM Capital, 1:16-cv-00521-B (S.D. Alabama September 30, 2019) the court found Plaintiff was entitled to relief for trademark infringement on summary judgment but not its ACPA claim. (My thanks to Evan Brown for bringing this case to my attention in one of his blog posts.) In an earlier decision on competing summary judgment motions reported at 335 F.Supp.3d 1242 (2018) the Court concluded that Plaintiff stated a claim under the ACPA:

As a preliminary matter, the undersigned notes that the parties dispute whether Defendants' re-registration of the subject domain names in March 2017 and May 2018 constitutes an actionable offense under the ACPA… The Eleventh Circuit firmly resolved this issue when it held that, "[t]he plain meaning of register includes a re-registration[,]" such that re-registration falls under the purview of the ACPA. Jysk, 810 F.3d at 777 ("It would be nonsensical to exempt the bad-faith re-registration of a domain name simply because the bad-faith behavior occurred during a noninitial registration, thereby allowing the exact behavior that Congress sought to prevent.")

But there is a difference between having an actionable claim for bad faith use and proving the elements for it at trial. For an ACPA claim, the "only element requiring proof at trial was bad faith intent to profit" (15 U.S.C. § 1125(d)(1)(A)). The phrase "intent to profit" is not found in the UDRP, although it is implicit in Paragraph 4(b)(iv): "by using the domain name, you have intentionally attempted to attract, for commercial gain, Internet users to your web site or other on-line location, by creating a likelihood of confusion with the complainant's mark as to the source, sponsorship, affiliation, or endorsement of your web site or location or of a product or service on your web site or location."

In ZP No. 314 (trial decision, page 35) the Court distinguishes "bad faith intent to profit" from mere bad faith:

Without question, the factors enumerated above [referring to the statutory nine factors of the ACPA] strongly suggest bad faith on the part of Defendants. This finding is bolstered by evidence from which it reasonably can be inferred that Defendants' conduct in registering domain names that are identical or confusingly similar to the marks of ZP, their direct competitor, was not an isolated occurrence, but appears to be Defendants' mode of operation.

"Mere bad faith" is sufficient for a UDRP award, but not in court: "proving mere bad faith is not enough" because "[a] defendant is liable only where a plaintiff can establish that the defendant had a 'bad faith intent to profit.'" 15 U.S.C. §1125(d) (emphasis in original), citing Southern Grouts & Mortars, Inc. v. 3M Company, 575 F.3d 1235, 1246 (11th Cir. July 23, 2009). Under the UDRP, "mere bad faith" is sufficient if coupled with bad faith registration.

Having resolved the ACPA claim by dismissing it, the court then turned to the § 43(a) claim. It found that the "only question that remained at trial was whether Defendants' use of the marks after July 2017 constituted 'use in commerce.'" Here, the court distinguishes between cyber-piracy and trademark infringement (page 24):

In the present case, the court previously found as a matter of law that the domain names at issue were confusingly similar to ZP's marks and that ZP had acquired secondary meaning (i.e., had a protectable interest in the marks) after July 2017… Therefore, the only question that remained at trial [the 43(a) claim] was whether Defendants' use of the marks after July 2017 constituted "use in commerce."

And the court found that Plaintiff proved it was (page 27):

Based on the foregoing, the court finds that Defendants' use and re-registration of the eight infringing domain names after July 2017 (when ZP had obtained trademarks on "One Ten" and "One Ten Student Living"), which included "parking" eight infringing domain name webpages with ZP's marks prominently displayed at the top of the page, with click through links to various other vendors' goods and services, constituted use in commerce under common law and the Lanham Act.

In Jysk and ZP No. 314, the factual circumstances are outside the scope of the UDRP because in Jysk the bad faith follows a re-registration of the domain name and in ZP there is insufficient evidence in the summary judgment submission to support cybersquatting.

Written by Gerald M. Levine, Intellectual Property, Arbitrator/Mediator at Levine Samuel LLP

Russia Bans Sale of Smartphones, Computers and Other Devices Not Pre-Installed With Russian Software


Russia has passed a law banning the sale of certain devices such as smartphones, computers and smart televisions if not pre-installed with Russian software. The law will come into force in July 2020. The law, more specifically, states that devices from other countries can be sold with their default pre-installed software; however, they also need to have the Russian alternatives installed. Oleg Nikolayev, a co-author of the bill, explains (as reported by Interfax news agency): "When we buy complex electronic devices, they already have individual applications, mostly Western ones, pre-installed on them. Naturally, when a person sees them… they might think that there are no domestic alternatives available. And if, alongside pre-installed applications, we will also offer the Russian ones to users, then they will have a right to choose." The new bill is facing criticism by Russian manufacturers and distributors. There are also concerns about the potential for Russian-made software to be used to spy on users. (BBC)
