It will soon be much harder for cybersquatters to take flight to another registrar when they’re hit with a UDRP complaint.
From July 31 next year, all ICANN-accredited registrars will be contractually obliged to lock domain names that are subject to a UDRP and trademark owners will no longer have to tip off the registrant they’re targeting.
Many major registrars lock domain names under UDRP review already, but there’s no uniformity across the industry, either in terms of what a lock entails or when it is implemented. Under the amended UDRP policy, a “lock” is now defined as:
a set of measures that a registrar applies to a domain name, which prevents at a minimum any modification to the registrant and registrar information by the Respondent, but does not affect the resolution of the domain name or the renewal of the domain name.
Registrars will have two business days from the time they’re notified about the UDRP to put the lock in place.
Before the lock is active, the registrants themselves will not be aware they’ve been targeted by a complaint — registrars are banned from telling them and complainants no longer have to send them a copy of the complaint.
If the complaint is dismissed or withdrawn, registrars have one business day to remove the lock.
Because these change reduce the 20-day response window, registrants will be able to request an additional four calendar days (to account for weekends, I assume) to file their responses and the request will be automatically granted by the UDRP provider.
The new policy was brought in to stop “cyberflight”, a relatively rare tactic whereby cybersquatters transfer their domains to a new registrar to avoid losing their domains.
The policy was approved by the Generic Names Supporting Organization in August last year and approved by the ICANN board a month later. Since then, ICANN staff has been working on implementation.
The time from the first GNSO preliminary issue report (May 27, 2011) to full implementation of the policy (July 31, 2015) will be 1,526 days.
You can read a redlined version of the UDRP rules here (pdf).
Clear-cut cases of cybersquatting seem to be among those .xyz domain names that Network Solutions has registered to its customers without their explicit request.
Some of the domains I’ve found registered in .xyz, via NetSol to the registrants of the matching .com or .net names, include my-twitter.xyz, facebook-liker.xyz and googledia.xyz.
They’re all registered via NetSol’s Whois privacy service, which lists the registrant’s “real” name in the Whois record, but substitutes mailing address, email and phone number with NetSol-operated proxies.
I think the chance of these names being paid for by the registrant is slim. It seems probable that many (if not all) of the squatty-looking names were registered via NetSol’s promotional program for .xyz.
As previously reported, NetSol has been giving away domain names in .xyz to owners of the matching .com names. Tens of thousands of .xyz names seem to have been registered this way in the last week.
The “registrants” did not have to explicitly accept the offer. Instead, NetSol gave them the option to “opt-out” of having the name registered on their behalf and placed into their accounts.
But it’s not clear how much, if any, support NetSol has received from the registry, XYZ.com. CEO Daniel Negari told Rick Schwartz, in a coy interview last week:
The Registry Operator is unable to “give away” free domain names. I never even saw the email that the registrar sent to its customers until I discovered it on the blogs.
The opt-out giveaway has also prompted speculation about NetSol’s right to register domains without the explicit consent of the registrant, both under the law and under ICANN contract.
Under the Registrar Accreditation Agreement, in order to register a domain name, registrars “shall require” the registrant “to enter into an electronic or paper registration agreement”.
That agreement requires the registrant to agree to, among many other things, the transfer or suspension of their domains if (for example) they lose a UDRP or URS case.
But that doesn’t seem to be happening with the opt-out names,
Barry Shein, president of The World, had shein.xyz registered on his behalf by NetSol on Saturday. He already owns shein.com, also registered with NetSol.
NetSol’s email informing him of the registration, which Shein forwarded to DI, reads as follows:
Dear Valued Network Solutions Customer,
Congratulations, your complimentary SHEIN.XYZ domain has arrived!
Your new .XYZ domain is now available in your Network Solutions account and ready to use. To go along with your new .XYZ domain, you have also received complimentary access to Professional Email and Private Registration for your .XYZ domain.
If you choose not to use this domain no action is needed and you will not be charged any fees in the future. Should you decide to keep the domain after your complementary first year, simply renew it like any other domain in your account.
We appreciate your business and look forward to serving you again.
Network Solutions Customer Support
Importantly, a footnote goes on to describe how NetSol will take a refusal to opt out as “continued acceptance” of its registration agreement:
Please note that your use of this .XYZ domain name and/or your refusal to decline the domain shall indicate acceptance of the domain into your account, your continued acceptance of our Service Agreement located online at http://www.networksolutions.com/legal/static-service-agreement.jsp, and its application to the domain.
So, if you’re a NetSol customer who was picked to receive a free .xyz name but for whatever reason you don’t read every marketing email your registrar sends you (who does?) you’ve agreed to the registration agreement without your knowledge or explicit consent, at least according to NetSol.
I am not a lawyer, but I’ve studied enough law to know that this is a dubious way to make a contract. Lawyers I’ve shown this disclaimer to have laughed out loud.
Of course, because each registrant already owns a matching .com, they’ve already accepted NetSol’s registration agreement and terms of service at least once before.
This may allow NetSol to argue that the initial acceptance of the contract also applies to the new .xyz domains.
But there are differences between .com and .xyz.
Chiefly, as a new gTLD, .xyz registrants are subject to policies that do not apply to .com, such as the Uniform Rapid Suspension policy.
URS differs from UDRP in that there’s a “loser pays” model that applies to complaints involving over 15 domains.
So these .xyz registrants have been opted into a policy that could leave them out of pocket, without their explicit consent.
Of course, we’re talking about people who seem to be infringing famous trademarks in their existing .com names, so who gives a damn, right?
But it does raise some interesting questions.
Who’s the registrant here? Is it the person who owns the .com, or is it NetSol? NetSol is the proxy service, but the .com registrant’s name is listed in the Whois.
Who’s liable for cybersquatting here? Who would Twitter file a UDRP or URS against over my-twitter.xyz? Who would it sue, if it decided to opt for the courts instead?
What do Mark Zuckerberg, Oprah Winfrey, Donald Trump, Jeff Bezos and the Saudi royal family have in common?
Their .ceo domain names all belong to the same guy, a registrant from Trinidad and Tobago who as of last night was responsible for 40% of hand-registered .ceo domains.
Andrew Davis has registered roughly 100 of the roughly 250 .ceo names sold since the new gTLD went into general availability on March 28, spending at least $10,000 to do so.
I hesitate to call him a cyberquatter, but I have a feeling that multiple UDRP panels will soon be rather less hesitant.
Oh, what the hell: the dude’s a cyberquatter.
Here’s why I think so.
According to Whois records, Davis has registered dozens of common given and family names in .ceo — stuff like smith.ceo, patel.ceo, john.ceo, wang.ceo and wolfgang.ceo.
So far, that seems like fair game to me. There are enough CEOs with those names out there that to register matching domains in .ceo, or in any TLD, could easily be seen as honest speculation.
Then there are domains that start setting off alarm bells.
zuckerberg.ceo? zuck.ceo? oprah.ceo? trump.ceo? bezos.ceo?
Sure, those are names presumably shared by many people, but in the context of .ceo could they really refer to anyone other than Mark Zuckerberg, Oprah Winfrey, Donald Trump and Jeff Bezos?
I doubt it.
Then there are a class of names that seem to have been registered by Davis purely because they show up on lists of the world’s wealthiest families and individuals.
The domains slim.ceo, walton.ceo, and adelson.ceo match the last names of three of the top ten wealthiest people on the planet; arnault.ceo matches the name of France’s second-richest businessman.
getty.ceo, rockefeller.ceo, hearst.ceo, rothschild.ceo… all family names of American business royalty.
Then there’s the names of members of actual royalty, the magnificently wealthy Saudi royal family: alsaud.ceo, saud.ceo and alwaleed.ceo.
Still, if Davis had registered any single one of these names he could make a case that it was a good faith registration (if his name was Walton or Al Saud).
Collectively, the registration strategy looks very dodgy.
But where any chance of a good-faith defense falls apart is where Davis has registered the names of famous family-owned businesses where the name is also a well-defended trademark.
bacardi.ceo… prada.ceo… beretta.ceo… mars.ceo… sennheiser.ceo… shimano.ceo… swarovski.ceo… versace.ceo… ferrero.ceo… mahindra.ceo… olayan.ceo…
There’s very little chance of these surviving a UDRP if you ask me.
Overall, I estimate that at least half of Davis’ 100 registrations seem to deliberately target specific high net worth individuals or famous brands that are named after their company’s founder.
The remainder are generic enough that it’s difficult to guess what was going through his mind.
On his under construction web site at andrewdavis.ceo, Davis says:
I am the owner of Hundreds of the Best .CEO Domains available on the web.
My collection comprises of the Top Premium .CEO Domains (in my opinion).
My list of domains contains the First or Last names of well over 1 Billion people around the world.
I offer Email and Web Link Services on each of these sites, so that these Domains can be shared with many people around the world, particularly CEOs, Business Owners and Leaders, or those aspiring to become one.
On each of Davis’ .ceo sites, he offers to sell email addresses (eg firstname.lastname@example.org) for $10 a month and third-level domain names (eg blog.walton.ceo) for $5 a month.
A UDRP panelist is going to take this as evidence of bad faith, despite Davis’ disclaimer, which appears on each of his web sites. Here’s an example from bacardi.ceo:
This Website (Bacardi.CEO) is NOT Affiliated with, nor refers to, any Trademark or Company named “Bacardi”, that may or may not exist.
This Website does NOT refer to any Specific Individual Person(s) named “Bacardi”.
This Website aims to provide Services for ANY Person named “Bacardi”, particularly: CEOs, Business Owners and Leaders.
Bacardi.CEO is an Independent and Personal Project/Service of Andrew Davis.
I must admit I admire his entrepreneurship, but I fear he has stepped over the line into cybersquatting that a UDRP panelist will have no difficulty at all recognizing.
Davis has already been hit with a Uniform Rapid Suspension complaint on mittal.ceo, presumably filed on behalf of billionaire Indian steel magnate Lakshmi Mittal and/or his company ArcelorMittal.
It’s not clear from the name alone whether mittal.ceo is a losing domain under URS’ higher standard of evidence, but I reckon the pattern of registrations described in this blog post would help make for a pretty convincing case that would put it over the line.
I should add, in fairness to .ceo registry PeopleBrowsr, that the other 60% of its zone, judging by Whois records, looks pretty clean. Small, but clean.
The first new gTLD domain name has been lost to a UDRP complaint.
The famous German bike maker Canyon Bicycles won canyon.bike from a registrant who said he’d bought the name — and others — in order to protect the company from cybersquatters.
The panelist in the case, WIPO’s Andrew Lothian, declined to consider the fact that the TLD was related to Canyon’s business in making his decision. Finding confusing similarity, he wrote:
The Panel finds that, given the advent of multiple new gTLD domain names, panels may determine that it is appropriate to include consideration of the top-level suffix of a domain name for the purpose of the assessment of identity or similarity in a given case, and indeed that there is nothing in the wording of the Policy that would preclude such an approach. However, the Panel considers that it is not necessary to do so in the present case.
Canyon had argued that the fact that it’s a .bike domain reinforced the similarity between the domain and the mark, but it’s longstanding WIPO policy that the TLD is irrelevant when determining confusing similarity.
The domain was registered under Whois privacy but, when it was lifted, Canyon looked the registrant up on social media and discovered he was very familiar with the world of bikes.
The registrant told WIPO that he’s registered Canyon’s mark “with the best of intentions”.
Apparently, he’s registered more than one famous brand in a new gTLD in the belief that the existence of the program was not wildly known, in order to transfer the domains to the mark holders.
He claimed “that many companies have been content with his actions” according to the decision.
But the fact that he’d asked for money from Canyon was — of course — enough for Lothan to find bad faith.
He also chose to use the fact that the registrant had made no attempt to remove the default Go Daddy parking page — which the registrar monetizes with PPC — as further evidence of bad faith.
The domain is to be transferred.
ICANN has moved closer to cracking down on cybersquatters who try to flip their domains when they discover they’ve been hit with a UDRP complaint.
Under recommendations approved by the GNSO Council yesterday, registrars would be bound by a much stricter set of UDRP-related domain locking rules in future.
So-called “cyberflight” — where squatters transfer their domains to a new registrar or registrants — appears to be a relatively infrequent problem, but when it does happen it causes big headaches for UDRP providers and trademark owners.
A survey of UDRP providers carried out as part of the GNSO’s policy development process discovered that the vast majority of registrars already lock domains hit by UDRP.
The problem is, they said, that locking practices are not uniform. Some registrars take well over a week to lock domains, and what the “lock” entails differs by registrar.
The recommendations of the GNSO’s Final Report on the Locking of a Domain Name Subject to UDRP Proceedings Policy Development Process, adopted by the Council yesterday, seek to standardize the process.
After being told about a complaint against one of its domains, the registrar in future would have a maximum of two business days to put a lock — preventing any changes in registrant or registrar — in place.
The lock would remain until the UDRP was resolved, but there would be various safeguards in place to enable complainants and respondents to settle their differences outside of the UDRP.
The lock would not prevent registrars or proxy/privacy services revealing the true identity of the registrant — that wouldn’t count as a change of registrant.
To prevent registrants abusing the two-day window to sell their domains or switch registrars, they would not be told about the existence of the UDRP until the domain had been locked.
The UDRP rules currently require the complainant to send a copy of their complaint to the domain owner at the same time it is filed with the UDRP provider.
But the GNSO has now recommended getting rid of this rule, stating: “as a best practice, complainants need not inform respondents that a complaint has been filed to avoid cyberflight.”
The registrant would be informed later by the UDRP provider instead.
Registrars would be prohibited from tipping off the registrant until the lock was in place.
The July 2013 recommendations (pdf) came out of a working group that was formed in April 2012, in response to policy ideas floated in 2011.
The GNSO’s resolution calls for ICANN staff to work with members of the working group on an implementation plan, which would eventually be put to the ICANN board for approval.
Once through the board, the new policy would become binding on all ICANN-accredited registrars.