The Complainant is GitHub, Inc. of San Francisco, California, United States of America (“United States”), represented by Chestek Legal, United States.
The Respondent is Domain Administrator, See PrivacyGuardian.org of Phoenix, Arizona, United States / Alex Bro of Wood Dale, Illinois, United States.
The disputed domain name <github-sso.com> is registered with NameSilo, LLC (the “Registrar”).
The Complaint was filed with the WIPO Arbitration and Mediation Center (the “Center”) on September 6, 2018. On September 7, 2018, the Center transmitted by email to the Registrar a request for registrar verification in connection with the disputed domain name. On September 7, 2018, the Registrar transmitted by email to the Center its verification response disclosing registrant and contact information for the disputed domain name which differed from the named Respondent and contact information in the Complaint. The Center sent an email communication to the Complainant on September 13, 2018 providing the registrant and contact information disclosed by the Registrar, and inviting the Complainant to submit an amendment to the Complaint. The Complainant declined to amend the Complaint.
The Center verified that the Complaint satisfied the formal requirements of the Uniform Domain Name Dispute Resolution Policy (the “Policy” or “UDRP”), the Rules for Uniform Domain Name Dispute Resolution Policy (the “Rules”), and the WIPO Supplemental Rules for Uniform Domain Name Dispute Resolution Policy (the “Supplemental Rules”).
In accordance with the Rules, paragraphs 2 and 4, the Center formally notified the Respondent of the Complaint, and the proceedings commenced on September 18, 2018. In accordance with the Rules, paragraph 5, the due date for Response was October 8, 2018. The Respondent did not submit any response. Accordingly, the Center notified the Respondent’s default on October 9, 2018.
The Center appointed Evan D. Brown as the sole panelist in this matter on October 18, 2018. The Panel finds that it was properly constituted. The Panel has submitted the Statement of Acceptance and Declaration of Impartiality and Independence, as required by the Center to ensure compliance with the Rules, paragraph 7.
The Complainant operates a website that hosts its users’ software code. Like many websites, participating in the Complainant’s website requires creating a username and password combination that is used to log in to the platform. The Complainant owns a number of trademark registrations for the mark GITHUB, including United States Reg. No. 3,805,847, which issued on June 22, 2010.
The Respondent registered the disputed domain name on August 5, 2018. The Complainant submitted a sworn declaration of one of its security operations engineers explaining how someone (presumably the Respondent or someone working in concert with him) set up a Github account under the username “sso‑login” and proceeded to create a fake page on the Github platform. The fake page was designed to resemble the real <github.com> login page, and contained fields for collecting usernames and passwords. The use of the “sso-login” username caused the URL of the fake page (“www.sso-login.github.io”) to appear legitimate, and to induce unsuspecting users to enter their login credentials, thinking they were actually logging into Github. But underneath the surface, so to speak, something sinister was occurring – the creator of the fake page had embedded code that caused the login credentials to be uploaded to a service residing on a server associated with the disputed domain name. The disputed domain name was being used to support technology that was fraudulently collecting purloined Github login credentials.
The Complainant contends that the disputed domain name is identical or confusingly similar to the Complainant’s registered trademarks; that the Respondent has no rights or legitimate interests in respect of the disputed domain name; and that the disputed domain name was registered and is being used in bad faith.
The Respondent did not reply to the Complainant’s contentions.
To succeed, the Complainant must demonstrate that all of the elements listed in paragraph 4(a) of the Policy have been satisfied:
(i) the disputed domain name is identical or confusingly similar to a trademark or service mark in which the Complainant has rights;
(ii) the Respondent has no rights or legitimate interests in respect of the disputed domain name; and
(iii) the disputed domain name has been registered and is being used in bad faith.
The Panel finds that all three of these elements have been met in this case.
The incorporation of a trademark in its entirety is sufficient to establish that a domain name is identical or confusingly similar to a complainant’s registered mark. See Britannia Building Society v. Britannia Fraud Prevention, WIPO Case No. D2001-0505. In this case, the disputed domain name contains the Complainant’s trademark GITHUB in its entirety. The additional letters “sso” in this context – which, according to the Complainant, refer to the online authentication technology “single sign on” – do not prevent a finding of confusing similarity.
A registered trademark provides a clear indication that the rights in the mark shown on the trademark certificate belong to its respective owner. See Advance Magazine Publishers Inc., Les Publications Conde Nast S.A. v. Voguechen, WIPO Case No. D2014-0657. The Complainant has demonstrated its rights because it has shown that it is the owner of valid and subsisting trademark registrations for the mark GITHUB as noted above.
Accordingly, the Panel finds that the Complainant has shown that the disputed domain name is identical or confusingly similar to a trademark in which the Complainant has rights.
The Panel evaluates this element of the Policy by first looking to see whether the Complainant has made a prima facie showing that the Respondent lacks rights or legitimate interests in respect of the disputed domain name. If the Complainant makes that showing, the burden of demonstrating rights or legitimate interests shifts to the Respondent.
The Complainant has made a prima facie showing that the Respondent lacks rights or legitimate interests in respect of the disputed domain name. By failing to respond to the Complaint, the Respondent did not overcome its burden of demonstrating rights or legitimate interests, and no other facts in the record tip the balance in the Respondent’s favor.
Paragraph 4(c) of the Policy instructs respondents on a number of ways they could demonstrate rights or legitimate interests (“you” and “your” in the following refers to the particular respondent):
(i) before any notice to you of the dispute, your use of, or demonstrable preparations to use, the domain name or a name corresponding to the domain name in connection with a bona fide offering of goods or services; or
(ii) you (as an individual, business, or other organization) have been commonly known by the domain name, even if you have acquired no trademark or service mark rights; or
(iii) you are making a legitimate noncommercial or fair use of the domain name, without intent for commercial gain to misleadingly divert consumers or to tarnish the trademark or service mark at issue.
In this case, the principal indicator of the lack of rights or legitimate interests comes from the alleged fraudulent nature of the Respondent’s use of the disputed domain name to engage in the unauthorized collection of Github login credentials from unsuspecting users. See Regeneron Pharmaceuticals, Inc. v. Nikki Dockum, Tred, WIPO Case No. D2018-0155; Syngenta Participations AG v. Guillaume Texier, Gobain ltd, WIPO Case No. D2017-1147 (registrant cannot acquire rights or legitimate interests by the use of a domain name as an email address from which to send phishing emails). Accordingly, the Respondent does not have any rights or legitimate interests in regard to the disputed domain name.
The Policy requires the Complainant to establish that the disputed domain name was registered and is being used in bad faith. Based on the available record, the Panel finds that the Respondent registered and is using the disputed domain name in bad faith. Registering and using the disputed domain name as an essential part of the unauthorized collection of Github login credentials from unsuspecting users is a strong example of bad faith under the Policy.
Accordingly, the Complainant has satisfied this third element of the Policy.
For the foregoing reasons, in accordance with paragraphs 4(i) of the Policy and 15 of the Rules, the Panel orders that the disputed domain name, <github-sso.com>, be transferred to the Complainant.
Evan D. Brown
Sole Panelist
Date: October 18, 2018