ICANN & UDRPUpdate

Mike Rodenbaugh Practicing Law Institute

Advanced Seminar on Trademark LawJuly 16, 2008

2

Mike RodenbaughFormerly Yahoo!’s primary attorney in charge of trademark enforcement and defense.

In 2007, Mike started his own firm assisting trademark owners with prosecution, enforcement, licensing and dispute resolution.

What is ICANN?

Internet Corporation for Assigned Names & Numbers

4

ICANN mission statement

• To coordinate, overall, the global Internet's system of unique identifiers, and to ensure stable and secure operation of the Internet's unique identifier systems. In particular, ICANN coordinates:1. Allocation and assignment of

the three sets of unique identifiers for the Internet:

• Domain names (forming a system called the DNS)

• Internet protocol (IP) addresses and autonomous system (AS) numbers

• Protocol port and parameter numbers

2. Operation and evolution of the DNS root name server system

3. Policy development reasonably and appropriately related to these technical functions

ICANN Org Chart

Issues Important to Businesses

• New Top-Level Domains (TLDs), including Internationalized Domain Names (IDNs)

• WHOIS information• IP Rights Protection Mechanisms• Domain Tasting• Phishing & Malware• Registrar Accreditation Agreement• “GNSO Reform”

IDNs and new TLDs are coming!

• 简体中文 繁體中文 العربيةΕλληνικά हि�न्दी 日本語 한국어 יִידיש Русский فارسیதமிழ்

• .web, .blog, .sex … anywhere from 100 to 60 million other new TLD extensions

8

New Top Level Domains: Projected Implementation Timeline

• gTLD Consensus Policy Approved – Q2 2008

• Draft RFP Posted – est. Q3 2008

• Final RFP Approved – est. Q4 2008

• First Round Implementation: Communications & RFP launch

• Applications Accepted – est. early Q2 2009

• Successful TLD Applications Approved – est. Q3 2009

9

Recommendation 2Strings must not be confusingly similar to an existing top-level

domain or a Reserved Name.

• Rationale: A confusingly similar string could cause technical or consumer confusion.

• Implementation Considerations:– A string that resembles another string is not necessarily

confusingly similar.– Staff is exploring various options for implementation of

this recommendation, including:• The application of an algorithm that provides guidance on which

TLD strings are considered to be confusingly similar• Providing a capability for formal objection to be filed to an

application by a third party on the grounds that the proposed gTLD is confusingly similar to an existing TLD.

10

Recommendation 3Strings must not infringe the existing legal rights of others that

are recognized or enforceable under generally accepted and internationally recognized principles of law.

• Examples of sources of legal rights include:– The Paris Convention for the Protection of Industrial

Property (in particular trademark rights)– The Universal Declaration of Human Rights (UDHR)– The International Covenant on Civil and Political Rights

(ICCPR) (in particular freedom of expression rights)

11

Recommendation 3 (Cont’d)

• Procedure: A party holding rights that it believes would be harmed may file an objection to a proposed gTLD.

• Key criterion: Legal rights must be recognized or enforceable under generally accepted and internationally recognized principles of law.

12

Recommendation 12Dispute resolution and challenge processes must be established

prior to the start of the process.

• It is important that all aspects of the application process be known before applications for new gTLDs are prepared and submitted.

• Dispute resolution and challenge are intended to address two types of situations:1. The filing of an objection against an application on certain

specific grounds developed from the GNSO’s recommendations

2. When two or more applicants are vying for the same or confusingly similar new gTLD (“contention resolution”).

Session 3 13

Recommendation 12 (Cont’d)

Specific grounds from the GNSO recommendations: • Confusingly similar strings (Recommendation 2)• Legal rights of others (Recommendation 3)• Morality & public order (Recommendation 6)• Community opposition (Recommendation 20)

The procedures, standing and criteria for assessment needto be developed, and ICANN Staff has begun this processin consultation with outside counsel and other experts.

IP Rights Protection Mechanisms

• Cybersquatting and Phishing is too quick and easy, and remedies are too expensive and slow

• Policy Development is needed to fix this• Potential options:

– Standardized Sunrise Registration Process– Faster and cheaper pre-UDRP process, with rapid

DNS suspension upon default– Rapid DNS suspension upon evidence of phishing

or malware (to be tested in dotAsia?)

TM Office Comes to CA. - 2008 16

TM Office Comes to CA. - 2008 17

Domain Name Remedies

• Uniform Dispute Resolution Policy (UDRP)– Arbitration procedure mandated by ICANN via

domain name registration agreement– Rapid Time Scale – No Monetary Damages

• Anti-cybersquatter Consumer Protection Act (ACPA) – 15 USC 1125(d)– in personam– in rem

TM Office Comes to CA. - 2008 18

UDRP Elements

• Domain Name is identical or confusingly similar to a trademark in which Complainant has rights

• Respondent has no legitimate rights in the Domain Name– bona fide use or preparation to use prior to notice of

a dispute• Domain Name was registered and used in bad faith

– demonstrated specific intent

TM Office Comes to CA. - 2008 19

Recent UDRP Cases of Note

• Reseller makes bona fide offering and thus legitimate use?

• NASCARtours.com – Respondent prevails because he offers ‘only tours of NASCAR events’ and provides prominent disclaimer

• GE-Merlin.com – Complainant prevails because of likely initial interest confusion, despite sale only of Merlins, and prominent disclaimers

Recent UDRP Cases of Note

• MySpace.co.uk (Nominet) – Complainant prevails though domain registered six years before MySpace existed, but was used only for PPC ad site

• TheEconomist.com – Respondent prevails as he swears he had never heard of the magazine when he registered the domain, and showed a picture of “Alan Greenspan – The Economist of the Century” at site

TM Office Comes to CA. - 2008 20

TM Office Comes to CA. - 2008 21

UDRP Related Issues of Note

• Each UDRP Provider implements its own procedural rules

• Naming RespondentsIf “privacy service” is listed as the registrant, registrar will change the owner when a UDRP complaint is filed –requiring an amendment to the Complaint.

• Supplemental Filings

TM Office Comes to CA. - 2008 22

UDRP Practice Pointers

• Always request transfer; never cancel• Treat the Complaint like a motion for summary

judgment• Follow up to make sure the name is

transferred and that it doesn’t resolve to the old website– The registrar is responsible for transferring the

domain name

23

ACPA Cases of Note• Vulcan Golf et al. vs. Google et al. (USDC N.D. IL,; Case

No. 07-Civ-3371)– Class action against registrants, parking companies,

and advertisers– Motion to dismiss denied in part (RICO and some

state claims dismissed; federal TM claims remain)• Dell and Yahoo! et al v. BelgiumDomains et al (USDC

S.D. FL; Case No. 07-Civ-22674)– Civil case for cybersquatting, counterfeiting, TM

infringement– Federal seizure raid conducted with US Marshals– Pre-judgment asset freeze (+1 million domain

names and millions of dollars)

24

ACPA Cases of Note• Vulcan Golf et al. vs. Google et al. (USDC N.D. IL,; Case No. 07-Civ-

3371)– Class action against registrants, parking companies, and

advertisers– Motion to dismiss denied in part (RICO and some state claims

dismissed; federal TM claims remain)

• Dell and Yahoo! et al v. BelgiumDomains et al. (USDC S.D. FL; Case No. 07-Civ-22674)

– Civil case for cybersquatting, counterfeiting, TM infringement– Federal seizure raid conducted with US Marshals– Pre-judgment asset freeze (+1 million domain names and

millions of dollars)

25

Domain Name “Tasting”

• Register and “taste” name for 5 days• Measure traffic & revenue via PPC ads• Return 98% of domains for full refund• Keep and pay for profitable domain names• Monetize domain names via PPC ads,

popups, redirection– Get paid by Google or Yahoo!– Wait for C&D, UDRP or ACPA complaint

TM Office Comes to CA. - 2008 26

Domain Name Kiting

• Repetitive Tasting – Registrars and registrants taste (monetize)

domain names in bulk and delete them– Then, using an automated process, they

automatically re-register them... again and again.

– Often through affiliated entities, in effort to evade detection

• Source: Verisign’s .com registry report, Apr. 2007

ISP Use of Non-registered Domains

TM Office Comes to CA. - 2008 29

TM Office Comes to CA. - 2008 30

Policy and Legislative Developments

Coalition Against Domain Name Abuse (CADNA)

Internet Commerce Association (ICA)

ICANN– Registries (not VeriSign) – deterring tasting / kiting– ICANN – “taxing” tasting / kiting through registration

fees– ICANN – studying “front-running”

Next Steps: Policy Development Process – Potential Options

• Eliminate Add-Grace Period – require full payment before activation of a domain name

• Eliminate AGP, with exceptions for ‘legitimate uses’

• No refund for ICANN portion of registration fee

• “Excess Delete Fee” – no refund if deletes in any given month exceed 10% of new registrations

TM Office Comes to CA. - 2008 32

Front-running

• Aka Domain Name Spying– Registrar obtains information that a domain

name is of interest to a consumer• They monitor the WHOIS queries

– Then the Registrar “registers” the domain name if the consumer doesn’t immediately register it

– This prevents the consumer from registering the domain name at another registrar

– Also prevents cybersquatters from registering

WHOISWhois is a publicly-accessible database containing contact information of website owners.

Registrant for JOE6PK.COMJoseph Q. Paquette1787 St. Paul St.Denver, Colorado 80206United States

Administrative Contact:Joseph Q. Paquette joe@joe6pk.com1787 St. Paul St.Denver, Colorado 802061-303-245-4567

Technical Contact:Domains R Usinfo@domainsRus.com123 Main StLos Angeles, CA 850001-480-555-1000United States

ICANN contracts require collection and public access to Whois data.

WHOIS info is vital

• Shows ownership information for domains• Includes complete contact information• Available to any Internet user• Used by businesses to verify customers• Used by IP and law enforcement to protect

brands and prevent consumer fraud• Provides accountability

Registrant for JOE6PK.COMJoseph Q. Paquette1787 St. Paul St.Denver, Colorado 80206United States

Administrative Contact:Joseph Q. Paquette joe@joe6pk.com1787 St. Paul St.Denver, Colorado 802061-303-245-4567

Technical Contact:Domains R Usinfo@domainsRus.com123 Main StLos Angeles, CA 850001-480-555-1000United States

What happens to Whois under the Operational Point of Contact (OPoC) Proposal?

Operational Point of Contact

OPoC could be anyone: Corporate IT department Domain portfolio manager Registrant Registrar Third parties and proxy

services

5

Phishing Attacks Multiply

• Number of incidents and of targeted brands continues to rise

• Sophistication and efficiency of attacks continues to rise – esp. “fast flux” abuses

• Social networks frequently targeted, enabling spear phishing

• Phone phishing now common• IDNs becoming more widespread

Fast-Flux for Phishing Increasing• More Players?

– More “how-to” kits seen on flux and fraud DNS networks– High volume of lures for fast-flux incidents – personalized & tracking

• More Targets– Attacks against traditional targets continue relentlessly– “Little Guys” hit hard with fast-flux on first ever phish

• Overwhelming infrastructure and personnel• Losses occurring quickly – major cash-outs in short amount of time

• More Sophistication!– Routine blocking of monitoring efforts– Better DNS set-ups (self-defined, and use of ccTLD nameservers)– Finding and using the worst registrars to handle mitigation

• CrimeDNS = High availability DNS systems for hire• SSAC Report (SAC 025); GNSO Issues Report• GNSO Working Group now underway

SSAC: possible mitigation steps• Authenticate contacts before permitting changes to name server

configurations.• Implement measures to prevent automated (scripted) changes to name

server configurations.• Set a minimum allowed TTL (e.g., 30 minutes) that is long enough to

thwart the double flux element of fast flux hosting.• Implement or expand abuse monitoring systems to report excessive DNS

configuration changes.• Publish and enforce a Universal Terms of Service agreement that prohibits

the use of a registered domain and hosting services (DNS, web, mail) to abet illegal or objectionable activities (as enumerated in the agreement) and include provisions for suspension of domain names that are demonstrated to be involved in fast flux hosting.

Malware proliferation

• Change in emphasis - now Crimeware• Organized crime with specialists creating

sophisticated attacks• Open up computers to become zombies• Install keyloggers and scan for user/pass• Capturing and using address books

– Direct targets for sophisticated social engineering– Going after “whales” - people with high-value

assets

Registrar Risks• There are several risky registrars with access

to the TLD registry zones– Hiding identities/locations– No or SLOW response to abuse issues– Registrar in-a-box – no one is actually there

• Handing out access to criminals posing as “resellers”– No rules or requirements from ICANN on reseller

accreditation– Shields financial transaction from registration process

• No accountability

Process Flow: Registry Suspension of Phish Domains

Registrar Accreditation Agreement (RAA)• Review of RAA which has been in force since May 2001, as a result of

RegisterFly fiasco in early 2007• Six specific amendments are proposed, as a result of consultations

between ICANN Staff and the Registrars’ Constituency– include terms under which a registrar can be sold and continue to retain its

ICANN accreditation– address the responsibilities of a parent owner/manager when one or more of

a "family" of registrars fails to comply with ICANN requirements– require registrars to escrow contact information for customers who register

domain names using Whois privacy and Whois proxy services– augment the responsibilities placed on registrars with regard to their

relationships with resellers– require operator skills training and testing for all ICANN-accredited Registrars– include additional, graduated contract enforcement tools

Inter-registrar Transfer Policy

• Policy Development Process to clarify four points of the RAA re denial of transfer request– Denial for non-payment– Denial for lock status– Denial for 60 days of initial registration period– Denial for 60 days after previous transfer

• Second PDP about to begin– Require registrant email address in WHOIS?– Require electronic authentication of email?– Allow ‘partial bulk transfers’?

GNSO “Reform”

• All of ICANN’s SO’s must undergo a review every three years, per bylaws

• There is sentiment that GNSO does not work as effectively as it should

• Subcommittee of ICANN Board Governance Committee has made a proposal, subsequent and different than two other expert reviews

• Proposal would cut Business interests (BC, IPC and ISCPC) from 1/3 voting power, to 1/5

Help!!

• Please join the Business Constituency!– 1500 euro/year for large enterprises– 500 euro/year for small enterprises– Active mailing list & regular teleconferences– Influencing ICANN policy development on behalf

of all businesses• www.bizconst.org• mike@rodenbaugh.com