Yesterday I participated in a panel at the International Consumer Product Safety Conference sponsored by the International Consumer Product Health and Safety Organization (ICPHSO) held at the European Commission in Brussels Belgium. This conference brings together the global community of product safety engineers, manufacturers, retailers, regulators, inspectors, and counterfeiting investigators. The role of online fraud and illicit product traffic is clearly one of the conference priorities. I presented ten case studies of failures to enforce Uniform Dispute Resolution Process (UDRP) decisions and their disastrous effects. Even though the audience was comprised of experienced professions embedded in the global product safety industry, they were not aware of the problems related to this trademark-enforcement tool. The cases show instances where an Approved Dispute Provider notified ICANN of registrar non-compliance in a proceeding but no enforcement was issued by ICANN on the matter. Additionally, in some cases the domain name in question was never transferred rendering the processes pointless.
For those who do not know The Uniform Domain Name Dispute Resolution Policy (UDRP) is one of the cornerstones of Internet compliance, a critical building block of public trust. However, the UDRP only works if all the parties follow procedure. Basically, parties who feel their rights are being violated by a domain name can file a complaint with a designated Dispute Resolution Provider who will investigate and rule on the matter. The dispute provider either rules for the domain registrant, who then keeps the domain, or they rule in favor of the complainant in which case the sponsoring registrar is obligated to transfer the domain to the complainant according to their contract with ICANN to comply with the UDRP . Given that this is a contractual obligation of domain registrar it is a breach of their contract with ICANN to fail to do so.
Our research has found a number of troubling cases where the sponsoring registrar did not comply or cooperate with the UDRP. What is worse, ICANN did not issue any enforcement in the cases. ICANN's core responsibility is in oversight of the contracted parties that sponsor domain names. Through the Affirmation of Commitments ICANN begs for the public trust, but this trust is only earned through transparent accountability. While the UDRP is often seen as a device to protect trademark owners, it protects all Internet users by extension since many of the domains in question are used to deceive and defraud consumers.
In some of the most serious cases sites selling illicit prescription drugs and narcotics were the subject of the UDRP. One domain, nabpvipps.com, went so far as to impersonate the National Association of Boards of Pharmacy, the body that regulates pharmacies in the United States and Canada. Here we have a clear cut case of a malicious "domainer" not only violating a trademark, but also using the misrepresentation to target consumers and endanger the public health.
ABSystems Inc. (YourNameMonkey.com), Re: nabpvipps.com
In June 2012 the National Association of Boards of Pharmacy filed a complaint with the National Arbitration Forum (NAF) regarding the domain nabpvipps.com sponsored by ICANN Accredited Registrar ABSystems. The complaint notes that the domain was registered with ABSystems private WHOIS service and its associated web content sold illicit drugs for a known rogue online pharmacy. The registrar is required to comply with the process as part of its contract but the UDRP notes "After numerous requests, the Registrar, ABSystems Inc., has not confirmed [their sponsorship].” Confirming sponsorship and the status of the registration are key parts of the UDRP. Because of the lack of cooperation, the UDRP states the following:
"Registrar's non-compliance has been reported to ICANN."
The panel ordered the domain transferred 28 July 2012 but it never was. The domain in question was even still online until January 2013. A review of ICANN Compliance breach notices does not show any enforcement over this case. ABSystems would eventually be breached and terminated for an unrelated issue in December 2013, but if enforcement had begun the previous year, they may have been de-accredited even sooner. This was not an anomaly. Another rogue pharmacy at ABSystems and subject of a 2011 UDRP was toprxpartners.com. Same basic situation, same lack of enforcement, but two years earlier. Based on this case, ICANN had a window of enforcement two-years before the registrar was finally terminated. The NABP followed ICANN's documented procedures yet there was no enforcement. This represents a grave lapse in trust for ICANN. These are the cited cases:
Bargin Register Inc., Re: onduclair.com, et al.
Bargin Register Inc. appears to be a serial violator of UDRP non-compliance not only with the NAF but also with the World Intellectual Property Organization (WIPO). As with ABSystems, their non-compliance was reported more than once in previous years, but ICANN only recently began to enforce against them. In what seems a rare example, ICANN would eventually breach and terminate Bargin Register for failing to comply with a UDRP but also for owing $5,873.03 in accreditation fees. While this registrar is de-accredited, the question still remains what happened in the cases of onduclair.com, regionsbabk.com, thomsonreutes.com, and copapetrobras.com. The last case on the list is interesting because WIPO felt the need to admonish the registrar in a dedicated section of the ruling, which states in part:
"The Registrar's Inaction: As noted the Registrar failed to respond to four requests from the Center."
If this paragraph does not make the issue clear, it goes on to state:
"The Registrar's continued silence, which until an explanation be provided the Panel will presume to be intentional, is unhelpful and irresponsible"
WIPO does not stop with the registrar, but continues with a message to ICANN itself:
"A failure on ICANN's part to take appropriate steps to address registrar conduct such as has occurred in this and the Onduline case can only come at a cost to the credibility of its processes in the eyes of interested parties"
While this decision was rendered in September 2011, there is no accompanying enforcement from ICANN. It would take another two years and additional UDRPs without response before ICANN would act.
35 TECHNOLOGY CO, Re: emersonchina.com
As with others above cases, the NAF reported to ICANN in October 2013 that the registrar did not comply with the process . The panel decided in favor of the complainant on 28 October 2013, yet available records as of this writing show that the domain is still sponsored by 32 TECHNOLOGY and is still held by the registrant in the complaint, meaning it has not been transferred to the complainant. The complainant, Emerson Electric Co., sells various electronic goods and engineering supplies. It is possible this domain is selling counterfeit electronics which pose a great risk to consumers. Of important note is the fact that 35 Technology partner registrar OnlineNIC is also an ICANN-accredited registrar and has been sued by Louis Vuitton Malletier, Microsoft, Yahoo, and Verizon for trademark infringement.
Without belaboring the point, we briefly list the remaining cases: Netlynx, Inc. (Re: kmartdrugstore.com); URL SOLUTIONS INC. (Re: deluxor.com]), URL Solutions has been breached, but not for this UDRP issue, rather of failing to pay ICANN $6,618.38; Power Brand Center Corp (Re: enterpricess.com). ICANN did not issue enforcement in this matter, but did issue a breach notice for Power Brand Center's failure to pay ICANN $17,725.21 in accreditation fees; WEBAGENTUR.AT INTERNET SERVICES GMBH, (Re: istckphoto.com); TODAYNIC.COM, INC. (Re: itsyoga.com); Center of Ukrainian Internet Names (Re: cigaretteskent.com) The associated website had been active long after the decision with the headline "Kent cigarettes online at the lowest prices. We deliver all over the USA." Clicking through the site takes visitors to hqcigarettes.com which ships cigarettes to various locations in violation of local laws; DomReg Ltd. d/b/a LIBRIS.com (Re: parallam.com) decision states in part: "There are a number of aspects of the Registrar's conduct in this matter which the Panel finds reflecting negatively on the Registrar...The Registrar's actions in this case are ones that the ICANN may wish to investigate further.”
Critics who complain about rampant cybercrime and trademark abuse are often met with the assertion that ICANN either has a process in place to deal with it or no mandate to address these issues. However, here we see a number of troubling specific cases where ICANN has a documented role of enforcement but no enforcement can be demonstrated. As Internet users we must take this very seriously and view it through the obligations laid out in the Affirmation of Commitments. To further this investigation I asked ICANN Compliance what happened to these cases at the 2014 ICANN Meeting in Singapore. The recorded transcript response to the problem from ICANN Staff was:
"There had been problems globally in compliance and issues and communications difficulties."(MP3)
This shocking yet vague response only creates more questions. In the interests of ensuring the consumer trust ICANN must explain these cases and enforce all the outstanding UDRP decisions. In examples where the registrar has been terminated for other reasons ICANN may consider the issue resolved, but this completely besides this point. One must further consider the fact that registrars who did receive enforcement for non-implementation of a UDRP decision also owed ICANN money for accreditation fees. Internet users need assurances that process works effectively and enforcement occurs rapidly and equally.
The cases above cover the entire spectrum of products that impact consumer health and safety: drugs, electronics, banking, and large retail operations which sell an array of consumables. This was not a failure of the consumer to report fraud, nor is it a failure the brand owner to enforce their trademark, nor a failure of the dispute provider to conduct their duties. The process failed each time in the same place. We put this information forward for the benefit of Internet users and business to further enhance the existing enforcement structure. Broader audiences are now aware of the problem of process within ICANN. More information about these cases will be released in a report to be released next week.
Written by Garth Bruen, Internet Fraud Analyst and Policy Developer