UDRP cases soar at WIPO in 2021
The World Intellectual Property Organization has released statistics for cybersquatting cases in 2021, showing one of the biggest growth spurts in UDRP’s 22-year history.
Trademark owners filed 5,128 UDRP complaints last year, WIPO said, a 22% increase on 2020.
There have been almost 56,000 cases since 1999, covering over 100,000 domains names, it said.
The number of annual cases has been growing every year since 2013, its numbers show.
WIPO took a punt that the increase last year might be related to the ongoing coronavirus pandemic, but didn’t really attempt to back up that claim, saying in a release:
The accelerating growth in cybersquatting cases filed with the WIPO Center can be largely attributed to trademark owners reinforcing their online presence to offer authentic content and trusted sales outlets, with a greater number of people spending more time online, especially during the COVID-19 pandemic.
The number of domains hit by UDRP that include strings such as “covid” or “corona” or “vaccine” are pretty small, amounting to just a few dozen domains across all providers, searches show.
The growth does not necessarily mean the total number of UDRP cases has increased by a commensurate amount — some of it might be accounted for by WIPO winning market share from the five other ICANN-approved UDRP providers.
It also does not indicate an increase in cybersquatting. WIPO did not release stats on the number of cases that resulted in a domain name being transferred to the complaining trademark owner.
If you guessed Facebook’s “Meta” rebrand, you’re probably still a cybersquatter
Guessing that Facebook was about to rebrand its corporate parent “Meta” and registering some domain names before the name was officially announced does not mean you’re not a cybersquatter.
Donuts this week reported that its top-trending keyword across its portfolio of hundreds of TLDs was “meta” in October. The word was a new entry on its monthly league table.
We’re almost certainly going to see the same thing when Verisign next reports its monthly .com keyword trends.
The sudden interest in the term comes due to Facebook’s October 28 announcement that it was calling its company Meta as part of a new focus on “metaverse” initiatives.
The announcement was heavily trailed following an October 19 scoop in The Verge, with lots of speculation about what the name change could be.
Many guessed correctly, no doubt leading to the surge in related domain name registrations.
Unfortunately for these registrants, Facebook is one of the most aggressive enforcers of its trademark out there, and it’s pretty much guaranteed that Meta-related UDRP cases will start to appear before long.
While Facebook’s “Meta” trademark was only applied for in the US on October 28, the same date as the branding announcement, the company is still on pretty safe ground, according to UDRP precedent, regardless of whether the domain was registered before Facebook officially announced the switch.
WIPO guidelines dating back to 2005 make it clear that panelist can find that a domain was registered in bad faith. The latest version of the guidelines, from 2017, read:
in certain limited circumstances where the facts of the case establish that the respondent’s intent in registering the domain name was to unfairly capitalize on the complainant’s nascent (typically as yet unregistered) trademark rights, panels have been prepared to find that the respondent has acted in bad faith.
Such scenarios include registration of a domain name: (i) shortly before or after announcement of a corporate merger, (ii) further to the respondent’s insider knowledge (e.g., a former employee), (iii) further to significant media attention (e.g., in connection with a product launch or prominent event), or (iv) following the complainant’s filing of a trademark application.
Precedent for this cited by WIPO dates back to 2002.
So, if you’re somebody who registered a “meta” name after October 19, the lawyers have had your number for the better part of two decades, and Facebook has a pretty good case against you. If your name contains strings such as “login” or similar, Facebook’s case for bad faith is even stronger.
Of course, “meta” is a dictionary word, and “metaverse” is a term Facebook stole from science fiction author Neal Stephenson, so there are likely thousands of non-infringing domains, dating back decades, containing the string.
That doesn’t mean Facebook won’t sic the lawyers on them anyway, but at least they’ll have a defense.
.sucks registry probably “connected” to mass cybersquatter, panel rules
Vox Populi, the .sucks registry, is probably affiliated with and financially benefiting from a mass cybersquatter, a panel of domain experts has said.
In the UDRP case of Euromaster v Honey Salt, a three-person panel handed the complainant the domain euromaster.sucks, ruling that it was a case of cybersquatting.
It’s one of 21 .sucks UDRP complaints filed against Honey Salt, a Turks & Caicos company operating under unknown ownership believed to own hundreds or thousands of brand-match .sucks domains.
It’s lost 17 of the 19 so-far decided cases. It also won one case on a technicality and another early case on the merits after mounting a free-speech defense that subsequent panels have not bought.
What’s new about this one is that the WIPO panel — Lawrence Nodine, Douglas Isenberg and Stephanie Hartung — is the first to follow the money and openly infer a connection between Honey Salt and Vox Pop.
The panel said that it “infer[s] that the Respondent [Honey Salt] and Registry [Vox Pop] are connected”, and that Vox is probably trying to make money by charging trademark owners premium fees for their own brands.
Vox Pop has previously denied such a connection, when I first made the same inference last October.
Regular readers will recall that Honey Salt has registered hundreds of .sucks domains and pointed them to a wiki-style web site called Everything.sucks, ostensibly run by a third-party, US-based non-profit.
Rather than containing original “gripe” content, which could easily enable it to win a free-speech UDRP defense, Everything.sucks simply populates its site with poor-quality, context-free content scraped by bots from social media and third-party web sites such as TrustPilot and GlassDoor.
Originally, each page carried a banner linking to a secondary market page at Uniregistry or Sedo where the domains could be purchased, often at cost price.
That quickly disappeared when the first UDRP cases started rolling in, and earlier this year Everything.sucks said on each page that it refused to sell its domains to anyone, instead offering a free transfer.
It even published the pre-authorized transfer codes on each page, meaning literally anyone could seize control of the domain in question without asking permission from or negotiating with Honey Salt in advance.
The problem with that is that transfers are not free. Some domains are flagged as premium — including lots of brand-matches — and have transfer fees in the thousands of dollars. Even the cheapest still carry the base registry fee.
Many registrars steer well clear of this model, disallowing any .sucks transfers.
One registrar that reliably does allow .sucks transfers is Rebel, which is sister company to Vox Pop under the Momentous group of companies. It offers .sucks domains at the registry wholesale fee, which is $200 for an non-premium.
It’s been painfully obvious since the outset that the only parties that stand to make a profit on the Everything.sucks business model are the registry and its affiliated companies — it simply doesn’t make sense that Honey Salt would invest hundreds of thousands of dollars in trademark-infringing domains, simply to hand them over at cost.
But the Euromaster panel is the first to infer the connection, or at least the first to publicly infer the connection.
Euromaster had filed a supplemental document in its complaint pointing out that the “free” transfer of euromaster.sucks would in fact cost a “premium” fee of $2418.79. The registrar quoting that fee is not revealed.
The WIPO panel asked Honey Salt for an explanation and it sounds like it got a bunch of procedural waffle in response.
This led to the following discussion, to which I’ve added some emphasis:
The Panel also finds that Respondent [Honey Salt] has failed to show that it has no financial interest in the Disputed Domain Name. Complainant’s Supplemental submissions demonstrate that Complainant’s chosen registrar quoted a fee of USD 2418.79 to transfer the Disputed Domain Name. Complainant’s report is consistent with M and M Direct Limited v. Pat Honey Salt, Honey Salt Limited, WIPO Case No. D2020-2545, where a different panel conducted an independent investigation and reported that the domain name at issue in that case was not offered “free” as promised, but instead that registrars classified the domain names at issue as “premium” and quoted transfer fees of USD 3,198 and USD 4,270 respectively.
This directly contradicts any claim to be offering a free and noncommercial service, and given that any registration would result in a fee being paid to the Registry by a registrar, leads the Panel to infer that the Respondent [Honey Salt] and Registry [Vox Pop] are connected.
Given the prior decision in M and M Direct, and the evidence that Complainant’s Supplemental submissions, the Panel afforded Respondent an opportunity to submit additional argument and evidence to explain the inconsistency. Respondent made no effort to do so, but instead only opposed consideration of Complainant’s supplemental evidence and repeated its previous contentions. The Panel rejects the objections to Complainant’s Supplemental submission, and emphasizes that Respondent was given an opportunity fully to respond.
The Panel finds that Complainant’s evidence raises substantial questions about the credibility of Respondent’s assertion that it has no financial interest in the Disputed Domain Name and whether Respondent’s offer to transfer the Disputed Domain might, directly or indirectly, financially benefit Respondent. Accordingly, the Panel finds that Respondent has not carried its burden to show that its use is noncommercial
In other words, the panel suspects that Vox Pop is in on Honey Salt’s bulk-cybersquatting game.
The closest any other UDRP panel has come to making this link was in a recent case filed by multiple, unrelated trademark owners, where the panel, while denying the complaint on procedural grounds, suggested that aggrieved trademark owners instead invoke ICANN’s Trademark Post Delegation Dispute Resolution Procedure.
The Trademark PDDRP is a mechanism — so far unused and untested — that allows trademark owners to allege registry complicity in cybersquatting schemes. Think of it like UDRP for cybersquatting registries.
Frankly, I’m amazed it hasn’t been used yet.
Panel hands .sucks squatter a WIN, but encourages action against the registry
A UDRP panel has denied a complaint against .sucks cybersquatter Honey Salt on a technicality, but suggested that aggrieved trademark holders instead sic their lawyers at the .sucks registry itself.
The three-person World Intellectual Property Organization panel threw out a complaint about six domains — covestro.sucks, lundbeck.sucks, rockwool.sucks, rockfon.sucks, grodan.sucks, tedbaker.sucks, tedbaker-london.sucks, and tedbakerlondon.sucks — filed jointly by four separate and unrelated companies.
The domains were part of the same operation, in which Turks & Caicos-based Honey Salt registers trademarks as .sucks domains and points them at Everything.sucks, a wiki-style site filled with content scraped from third-party sites.
Honey Salt has lost over a dozen UDRP cases since Everything.sucks emerged last year.
But the WIPO panel dismissed the latest case without even considering the merits, due to the fact that the four complainants had consolidated their grievances into a single complaint in an apparent attempt at a “class action”.
The decision reads:
although the Complainants may have established that the Respondent has engaged in similar conduct as to the individual Complainants, which has broadly-speaking affected their legal rights in a similar fashion, the Complainants do not appear to have any apparent connection between the Complainants. Rather it appears that a number of what can only realistically be described as separate parties have filed a single claim (in the nature of a purported class-action) against the Respondent, arising from similar conduct. As the Panel sees it, the Policy does not support such class actions
The panel decided that to force the respondent to file a common response to these complaints would be unfair, even if it is on the face of it up to no good.
Making a slippery-slope argument, the panel suggested that to allow class actions might open up the possibility of mass UDRP complaints against, for example, domain parking companies.
So the case was tossed without the merits being formally considered (though the panel certainly seemed sympathetic to the complainants).
But the sting in the tale comes at the end: the panel allowed that the complainants may re-file separate complaints, but also suggested they invoke the Trademark Post Delegation Dispute Resolution Procedure.
That’s interesting because the Trademark PDDRP, an ICANN policy administered by WIPO and others, is a way to complain about the behavior of the registry, not the registrant.
It’s basically UDRP for registries.
The registry for .sucks domains is Vox Populi, part of the Momentous group of companies. It’s denied a connection to Honey Salt, which uses Vox sister company Rebel for its registrations.
According to ICANN: “The Trademark PDDRP generally addresses a Registry Operator’s complicity in trademark infringement on the first or second level of a New gTLD.”
Complainants under the policy much show by “clear and convincing evidence” that the registry operator or its affiliates are either doing the cybersquatting themselves or encouraging others to do so.
There’s no hiding behind shell companies in tax havens — the policy accounts for that.
The trick here would be to prove that Honey Salt is connected to Vox Pop or the Momentous group.
Nothing is known about the ownership of Honey Salt, though Whois records and UDRP decisions identify a person, quite possibly a bogus name, as one “Pat Honeysalt”, who has no digital fingerprint to speak of.
The most compelling piece of evidence linking Honey Salt to Vox is gleaned by following the money.
The current business model is for Everything.sucks to offer Honey Salt’s domains for “free” by publishing transfer authorization codes right there on the squatted domain.
But anyone attempting to claim these names will still have to pay a registrar — such as Rebel — a transfer/registration fee that could be in excess of $2,000, most or all of which flows through to Vox Pop.
If we ignore the mark-up charged by non-Rebel registrars, the only party that appears to be profiting from Honey Salt’s activities appears to be the .sucks registry itself, in other words.
On its web site, Everything.sucks says it’s a non-profit and makes the implausible claim that it’s just a big fan of .sucks domains. Apparently it’s a fan to the extent that it’s prepared to spend millions registering the names and giving them away for free.
An earlier Everything.sucks model saw the domains listed at cost price on secondary market web sites.
The Trademark PDDRP, which appears to be tailor-made for this kind of scenario, has not to my knowledge been used to date. Neither WIPO nor ICANN have ever published any decisions delivered under it.
It costs complainants as much as $30,500 for a three-person panel with WIPO and has a mandatory 30-day period during which the would-be complainant has to attempt to resolve the issue privately with the registry.
The six domains in the UDRP case appear to have all gone into early “pending delete” status since the decision was delivered and do not resolve.
.sucks mystery deepens. Who the hell is Pat Honeysalt?
Another two .sucks domain names registered by the gTLD’s most prolific registrant have been found to be cases of cybersquatting, but now the squatter’s true identity is becoming more opaque.
In two recently decided UDRP cases before WIPO, registrant Honey Salt Ltd was found to have cybersquatted by registering and offering for sale bfgoodrich.sucks, uniroyal.sucks and tetrapak.sucks.
While earlier cases filed with the Czech Arbitration Forum had identified Honey Salt as a Turks & Caicos company, the latest few WIPO cases say it is a UK-based company.
However, searches at UK Companies House do not reveal any company matching that name.
The latest WIPO cases also identify an individual allegedly behind said company as a respondent, one “Pat Honeysalt”.
That’s either a pseudonym, or we’ve found one of those people who have somehow managed to keep their name out of Google’s index despite being well-funded and tech-savvy.
Honey Salt is believed to be the registrant of thousands of .sucks domains, all matching the trademarks of big companies, which all point to Everything.sucks, a wiki-style web site comprising scraped third-party criticism targeting the brands in question.
Its defense in its UDRP cases to date has been that it is providing non-commercial free speech criticism, and that the inclusion of “.sucks” in the domain means users could not possibly believe the site is officially sanctioned by the brand.
All but one UDPR panel has so far not believed this defense, with panelists pointing out that the domains in question are usually listed for sale on the secondary market (sometimes at cost, sometimes at an inflated price).
They further point out that the criticism displayed on the Everything.sucks site was written by third parties, often prior to the registration of the domain in question, so Honey Salt cannot claim to be exercising its own free-speech rights.
Honey Salt is represented in its UDRP cases by the very large US-based law firm Orrick, Herrington & Sutcliffe, which also represents .sucks registry Vox Populi.
Everything.sucks, in losing UDRPs, puts the lie to the .sucks business model
The World Intellectual Property Organization has delivered its first UDRP decision concerning a .sucks domain name, ruling that the name sanofi.sucks is in fact cybersquatting.
The three-person panel ruled that the domain was identical or confusingly similar to a trademark owned by Sanofi, a French pharmaceuticals manufacturer involved in producing vaccines for the COVID-19 virus.
That was despite the fact that the registrant, affiliated with the Everything.sucks project, argued that nobody would think a domain name ending in “.sucks” would be affiliated with the trademark owner.
That argument flies in the face of official .sucks registry marketing from Vox Populi Registry, which positions .sucks as a place for brand owners to consolidate and manage customer criticism, feedback and support.
The sanofi.sucks case is one of two UDRP losses in the last few weeks for Honey Salt, a Turks and Caicos-based company that is believed to account for over a third of all .sucks registrations.
Honey Salt has registered thousands of brand names in .sucks, linking them to a wiki site operated by Everything.sucks Inc that contains criticism of the brands concerned copied from third-party web sites such as TrustPilot and GlassDoor.
There’s evidence that Everthing.sucks and Honey Salt are affiliated or share common ownership with Vox Pop, but the registry has denied this.
In the Sanofi case, Honey Salt mounted a free speech defense, saying it was providing a platform for legitimate criticism of the company and that Sanofi was using the UDRP to silence such criticism.
Sanofi claimed that the domain had in fact been registered for commercial purposes and to unfairly suggest an official connection to the company.
But what’s interesting is how Honey Salt argues that the domain itself, regardless of the associated web site’s content, is not confusingly similar to the Sanofi mark. The WIPO panelsts wrote, with my added emphasis:
The Respondent maintains that the disputed domain name is not identical or confusingly similar to a trademark in which the Complainant has rights. According to it, the “.sucks” gTLD is not like other generic TLDs, and its pejorative nature renders the disputed domain name as a whole nonidentical and prevents confusion, and the inclusion of “.sucks” in the disputed domain name makes clear that the associated website is not affiliated with the Complainant, but instead contains criticism of it and of its business.
In other words, if you visit a .sucks domain, you automatically will assume that the site is not associated with the brand owner.
Honey Salt seems to have made an identical argument in the UDRP case of cargotec.sucks, which it also lost at the Czech Arbitration Forum last month. The panelists in that decision summarized the company’s defense like this:
The TLD at issue here, however, .sucks, is not like other generic top level domains. Its pejorative nature renders the domain name as a whole nonidentical and prevents confusion… The inclusion of “.sucks” makes abundantly clear that the website is not affiliated with Complainant and instead contain criticism of its business.
Again, this is completely contrary to the stated goal of the .sucks registry.
Vox Pop has from the outset claimed that .sucks domains are a way for brands to aggregate customer feedback and criticism in one place, using a .sucks domain controlled by the brands themselves.
That purpose goes all the way back to its 2012 ICANN new gTLD application and continues to this day on its official web site and Twitter feed, which is primarily used to goad companies undergoing media controversies into registering and using their .sucks exact-match.
Hey, @WWE, everyone gets criticized, but not everyone has the stones to own it. You? I mean, you likely already control https://t.co/qHuEXjfVn5, why not use it? What do you think, @bleedingcool? https://t.co/Yv6b9OEaFp
— DotSucks (@dotsucks) January 24, 2021
Back in 2015, Vox Pop CEO John Berard told us:
A company would be smart to register its name because of the value that consumer criticism has in improving customer loyalty, delivering good customer service, understanding new product and service possibilities… They’re spending a lot more on marketing and customer service and research. This domain can another plank in that platform
Vox Pop even owns and uses voxpopuli.sucks and dotsucks.sucks, where it hosts a little-used forum welcoming criticism from people who say the company sucks.
But Honey Salt, its largest registrant by a significant margin, is now on-record stating that .sucks domains only imply ownership by third parties and could not possibly be confused with brand-owner ownership.
If the Many Worlds interpretation of quantum mechanics is correct, there exists a corner of the multiverse in which Honey Salt and Everything.sucks are just fronts for the entities that also control Vox Pop and its top registrar, Rebel.com. In that universe, it would be trippy indeed for the registry’s own affiliates to admit its entire stated business model is bullshit.
In our universe, that particular cat, which very probably has a goatee, is still firmly in the box, however.
Speculative forays into science fiction aside, Honey Salt’s record on UDRP is now three losses versus one win. It has six more cases pending at WIPO
Security firm sues Facebook to overturn UDRP loss of “good faith” typo domains
Security company Proofpoint has sued Facebook in order to keep hold of several typo domains that are deliberately intended to look like its Facebook and Instagram brands.
Proofpoint wants an Arizona court to declare that facbook-login.com, facbook-login.net, instagrarn.ai, instagrarn.net and instagrarn.org are not cases of cybersquatting because they were not registered in bad faith.
Proofpoint — a $7 billion company that certainly does not phish — uses the domains in anti-phishing employee training services, as it describes in its complaint:
Proofpoint uses intentionally domain names that look like typo-squatted versions of recognizable domain names, such as
, and the other Domain Names at issue in these proceedings. By using domain names similar to those of well-known companies, Proofpoint is able to execute a more effective training program because the workforce is more likely to learn to distinguish typo-squatted domains, which are commonly abused by bad actors to trick workers, from legitimate domain names.
Employees who click the bogus links are taken to harmless web pages describing how they were duped.
The court case comes shortly after Facebook prevailed in a UDRP case filed with WIPO.
In that case, the panelist decided that Proofpoint had no legitimate interest in the domains because they led to web sites that linked to Proofpoint’s web site, where commercial services are offered.
He therefore found that the names had been registered in bad faith, because visitors could assume that Facebook or Instagram in some way endorsed these services.
Proofpoint wants the court to reverse that decision and allow it to keep the names. Here’s the complaint (pdf).
It strikes me as at the very least bad form for Facebook to go after these domains, given that Proofpoint is tackling the Facebook phishing problem at source — user idiocy — rather than the reactive, interminable UDRP whack-a-mole Facebook seems to be engaging in.
WIPO handles 50,000th UDRP case as coronavirus drives complaints
The World Intellectual Property Organization handled its 50,000th UDPR case on November 20, the organization has announced.
It’s taken WIPO, which designed the policy and was the first to administer it back in 1999, over two decades to reach this milestone.
WIPO said that the 50,000 cases cover almost 91,000 domains, with complaints and respondents from over 180 countries.
The organization believes the coronavirus pandemic this year has driven growth, with an 11% increase in cases recorded between January and October. There were 3,405 cases over this period.
Erik Wilbers, director of the WIPO Arbitration and Mediation Center, said in a press release:
With a greater number of people spending more time online during the pandemic, cybersquatters are finding an increasingly target-rich environment. Rights owners, meantime, are stepping up their brand enforcement on the Internet as they further shift to marketing and selling online.
Karklins beats LaHatte to chair ICANN’s Whois privacy team
Latvian diplomat and former senior WIPO member Janis Karklins has been appointed chair of the ICANN working group that will decide whether to start making private Whois records available to trademark owners.
Karklins’ appointment was approved by the GNSO Council last week. He beat a single rival applicant, New Zealand’s Chris LaHatte, the former ICANN Ombudsman.
He replaces Kurt Pritz, the former ICANN Org number two, who quit the chair after it finished its “phase one” work earlier this year.
Karklins has a varied resume, including a four-year stint as chair of ICANN’s Governmental Advisory Committee.
He’s currently Latvia’s ambassador to the United Nations in Geneva, as well as president of the Arms Trade Treaty.
Apparently fighting for Latvia’s interests at the UN and overseeing the international conventional weapons trade still gives him enough free time to now also chair the notoriously intense and tiring Expedited Policy Development Process on Whois, which has suffered significant burnout-related volunteer churn.
But it was Karklins’ one-year term as chair of the general assembly of WIPO, the World Intellectual Property Organization, that gave some GNSO Council members pause.
The EPDP is basically a big bloodless ruck between intellectual property lawyers and privacy advocates, so having a former WIPO bigwig in the neutral hot seat could be seen as a conflict.
This issue was raised by the pro-privacy Non-Commercial Stakeholders Group during GNSO Council discussions last week, who asked whether LaHatte could not also be brought on as a co-chair.
But it was pointed out that it would be difficult to find a qualified chair without some connection to some interested party, and that Karklins is replacing Pritz, who at the time worked for a new gTLD registry and could have had similar perception-of-conflict issues.
In the end, the vote to confirm Karklins was unanimous, NCSG and all.
The EPDP, having decided how to bring ICANN’s Whois policy into compliance with the General Data Protection Regulation, is now turning its attention to the far trickier issue of a “unified access model” for private Whois data.
It will basically decide who should be able to request access to this data and how such a system should be administered.
It will not be smooth sailing. If Karklins thinks international arms dealers are tricky customers, he ain’t seen nothing yet.
UDRP complaints hit new high at WIPO
The World Intellectual Property Organization handled 3,447 UDRP cases in 2018, a new high for the 20-year-old anti-cybersquatting policy.
The filings represent an increase of over 12% compared to the 3,074 UDRP cases filed with WIPO in 2017. There were 3,036 cases in 2016
But the number of unique domains complained about decreased over the same period, from 6,370 in 2017 to 5,655 domains in 2018, WIPO said today.
The numbers cover only cases handled by WIPO, which is one of several UDRP providers. They may represent increases or decreases in cybersquatting, or simply WIPO’s market share fluctuating.
The numbers seem to indicate that the new policy of redacting Whois information due to GDPR, which came into effect mid-year, has had little impact on trademark owners’ ability to file UDRP claims.
UPDATE: This post was updated a few hours after publication to remove references to the respective shares of the UDRP caseload of .com compared to new gTLDs. WIPO appears to have published some wonky math, as OnlineDomain noticed.
Recent Comments