Tackling bad faith registration of domain names in a fast-changing landscape

By John McElwaine, Partner, and Christopher D. Casavale, Associate, Nelson Mullins LLP, Charleston, South Carolina, USA

The “Dot Com” boom of the late 1990s ushered in the commercialization of the Internet and spawned the expansion of the domain name system. These positive developments, however, also gave rise to the problem of cybersquatting – the bad faith registration of domain names, especially well-known trademarks, in the hope of reselling them at a profit.

On the 20th anniversary of the implementation of the Uniform Domain Name Dispute Resolution Policy (UDRP), which has been highly successful in tackling cybersquatting, we reflect on the origins of the policy and its effectiveness, as well as how it may evolve in the years ahead.

The origins of the UDRP

Acknowledging the threat that cybersquatting represented to consumer trust and to the safety, security, and stability of the Internet, in the late 1990s the United States Government asked the World Intellectual Property Organization (WIPO) to conduct a consultative study on domain name and trademark issues and to develop recommendations to combat related online abuses. WIPO’s recommendations culminated in the UDRP, which has proven to be a highly successful and effective online tool for protecting brand owners’ rights and for building consumer confidence in global e-commerce.

In April 1999, WIPO presented its report to the then-newly-formed Internet Corporation for Assigned Names and Numbers (ICANN) recommending a quick, efficient, cost-effective and uniform procedure to address cybersquatting. The WIPO Report also provided forward-looking recommendations on registrant contact information, a topic that ICANN is only now addressing following the implementation of the European Union’s General Data Protection Regulation (GDPR). In the six months following the launch of the WIPO report, the ICANN community, through its multi-stakeholder policy development process, made a few minor changes to WIPO’s proposed policy.

Unpacking the UDRP

The UDRP requires a complainant to establish three elements, namely, that:

• the domain name is confusingly similar to the complainant’s trademark;
• the registrant has no rights or legitimate interests in the domain name; and that
• the domain name has been registered and is being used in "bad faith".

A successful UDRP complainant can elect either to have the disputed domain name transferred to its control, or to have it cancelled. The UDRP was adopted as a binding “consensus policy” (meaning the UDRP was required to be implemented by registries and registrars to all ICANN-managed domains, such as “.com”) by the ICANN Board in October 1999. A month later, the WIPO Arbitration and Mediation Center (“the WIPO Center”) became the first accredited UDRP dispute-resolution service provider, and in December 1999, the first domain name case was filed with the WIPO Center.

The first 20 years: trends and challenges

The first domain name case was brought by the World Wrestling Federation for <worldwrestlingfederation.com>. Over the following 12 months, the WIPO Center handled 1,857 domain name cases. Ten years later, in 2010, it managed 2,696 UDRP cases. With the exception of a small dip in its caseload in 2013, the WIPO Center has seen continuing year-on-year increases in the numbers of domain name cases filed. In 2019, the WIPO Center estimates it will handle some 3,600 cases – its largest annual load since the launch of the UDRP in 1999.

The success of the UDRP and its global acceptance, are without question. So far, it has been used by brand owners the world over, who have filed over 45,000 cases with the WIPO Center. From the outset, the majority of complainants using the UDRP have resided in the United States, with France, the United Kingdom, Switzerland and Germany rounding out the top five.

In 2019, the United States accounted for 32 percent of brand owners (“complainants”) filing their cases with the WIPO Center. Similarly, the majority of respondents to these cases (i.e. the individual or entity who registered the domain name which is the subject of a case) have resided in the United States, followed by those in China, the United Kingdom, Spain, France and Australia. In 2019, the United States accounted for 26 percent of WIPO respondents to UDRP-related cases.

The UDRP has proven to be a flexible and valuable tool for brand owners in combatting the many different and new ways in which bad actors abuse trademark rights online. Indeed, some of the specific issues brand owners have had to grapple with over the last 20 years did not exist when the UDRP was adopted in the late 1990s. Two decades later, the UDRP continues to provide domain name owners with a fair procedure for tackling such abuses.

Importantly, the broad letter of the UDRP was sufficiently comprehensive to allow for the development of a body of case law to address new and evolving abuse scenarios. For instance, the issue of potential “bait and switch” schemes by resellers was addressed in the seminal Oki Data case (WIPO Case No. D2001-0903), in which a test was set forth to determine whether a dealer’s use of a mark in a domain name may be characterized as bona fide fair use.

Another notable phenomenon was the increase in attempts to monetize and resell domain names that were valuable due to the goodwill of the brand featured in them – but over which the registrant had no rights – and which were merely “held” without resolving to an active website. Such “passive holding” was addressed in the seminal Telstra v Nuclear Marshmallows case (WIPO Case No. D2000-0003), in which the totality of the circumstances was considered (namely that it was clear that the trademark owner had been targeted) to determine bad faith.

The UDRP also provides robust free speech protections, which are of course, balanced by cases involving claimed free speech which is really a pretext for commercial gain – for example, in a case involving <walmartcanadasucks.com> (WIPO Case No. D2000-0477).

Emerging domain name issues

Today, brand owners and Internet users contend with issues such as the misuse of domain names to further the sale of counterfeit products, phishing schemes and fraud. In 2019, 16 percent of domain name cases filed with the WIPO Center involved instances of phishing schemes, 8 percent of cases involved an allegation of fraud and nearly 6 percent of them involved the sale of counterfeit goods or services. Two-thirds of the cases related to counterfeit products involved the fashion, retail and luxury goods industries. The banking industry was the primary target for both fraud and phishing schemes, accounting respectively for 21 percent and 34 percent of cases handled by the WIPO Center in 2019.

Furthermore, while having clear merit, the development and implementation of privacy and proxy services for domain name registrations (services that allow domain name registrants to keep their contact information private) have contributed to the ease with which bad actors can carry out their abusive activities on the Internet. In 2004, less than 5 percent of domain name cases handled by the WIPO Center involved privacy proxy services. By 2011, nearly 30 percent of domain name cases filed at the WIPO Center involved privacy proxy services. Then, in 2018, with the implementation of privacy rules relating to the European Union’s Global Data Privacy Regulation (GDPR), the WIPO Center saw an increase of nearly 45 percent in cases involving such services.

In the fast-changing online landscape, the UDRP has proven its resilience, adaptability, and capacity to address the emerging online issues that brand owners face. It remains an invaluable tool to uphold consumer trust, protecting them against bad online actors and to maintain the safety, security, and stability of the Internet.

The future

As we look to the future, an important first milestone is ICANN’s upcoming review of the UDRP. In 2020, an ICANN working group will begin to look at whether the UDRP, in connection with other ICANN-created rights protection mechanisms (RPMs), “collectively fulfill the purposes for which they were created, or whether [improvements] are needed, including to clarify and unify the policy goals.” 

On the brand protection side, ICANN’s UDRP review is likely to consider a number of requested changes, including whether to:

(i) change the bad faith registration “and” use element to bad faith registration “or” use – to address scenarios where an older domain name openly infringes a newer brand;

(ii) implement a “loser pays” element (similar to the practice in trademark opposition and cancellation proceedings in the European Union);

(iii) develop a WIPO-managed UDRP appeals process. The current system requires appeals to be brought before a court of competent jurisdiction, which requires significant time and money; and

(iv) implement bars on future domain name registrations for repeat offenders.

Other suggested topics for consideration include adding a statute of limitations, including a mediation phase prior to arbitration (for example, so that an incidental infringing link could be removed without repossessing the domain name itself), and allowing longer deadlines to respond to claims of infringement.   

Regardless of individual viewpoints on the UDRP, it will be critical for the ICANN working group tasked with its review to be aware of the risks of making incidental or on-the-fly adjustments to a legal instrument with 20 years of case law behind it. Change can be positive, but with consumer trust in the Internet at stake, the working group must be well informed and must guard against undoing 20 years of good work.

AI’s potential to generate efficiency gains

In the years ahead, it is possible that technologies based on artificial intelligence (AI) will be leveraged to bring efficiencies to this arbitration process. For example, the WIPO Overview 3.0 (a summary of UDRP case law) could serve as a basis for developing an algorithm to identify common fact patterns or potentially infringing domain names. Similar tools have been employed in other fields, for example, to automate trademark searches. AI may also be used to analyze and measure other objective indicators of “bad faith”. As an example, EURid, the .EU registry, is successfully using AI to develop tools to proactively examine domain name registration data to identify domains name that may have been registered with an infringing or unlawful intent. EURid’s AI program reports that so far malicious domain registrations have been identified with a 92 percent accuracy rate.

Potential for broader application

The UDRP was the first foray into addressing trademark abuse on the Internet. One important question now is whether it is possible to use the knowledge, expertise and processes developed under the UDRP to address other similar disputes.

Notice and takedown processes to deal with conduct that violates certain laws, such as copyright infringement, or platform terms of service, have been effective but blunt instruments. Moreover, the internal decision-making associated with such processes is not transparent, resulting in an actual, or perceived lack of, predictability in the application of the IP policies of platforms. 

A quick and efficient dispute resolution process similar to the UDRP could help handle social media violations including fake news; social media handle infringement (e.g., your Facebook business page name); phishing or other fraud involving trademark impersonation; or copyright, defamation, and other terms of services violations relating to content posted on online platforms. 

Using the model of an arbitration-light process such as the time-tested and successful UDRP (with its body of case law set out in the WIPO Overview 3.0) to handle these types of disputes would ensure due process and transparency through the application of a uniform set of rules. Such a model would thus provide predictability and stability for all involved – Internet users, platforms and online businesses could all benefit.