ICANN & UDRP Update Mike Rodenbaugh Practicing Law Institute Advanced Seminar on Trademark Law July 16, 2008

2 Mike Rodenbaugh Formerly Yahoo!’s primary attorney in charge of trademark enforcement and defense. In 2007, Mike started his own firm assisting trademark owners with prosecution, enforcement, licensing and dispute resolution.

What is ICANN? Internet Corporation for Assigned Names & Numbers

4 ICANN mission statement To coordinate, overall, the global Internet's system of unique identifiers, and to ensure stable and secure operation of the Internet's unique identifier systems. In particular, ICANN coordinates: 1.Allocation and assignment of the three sets of unique identifiers for the Internet: Domain names (forming a system called the DNS) Internet protocol (IP) addresses and autonomous system (AS) numbers Protocol port and parameter numbers 2.Operation and evolution of the DNS root name server system 3.Policy development reasonably and appropriately related to these technical functions

ICANN Org Chart

Issues Important to Businesses New Top-Level Domains (TLDs), including Internationalized Domain Names (IDNs) WHOIS information IP Rights Protection Mechanisms Domain Tasting Phishing & Malware Registrar Accreditation Agreement “GNSO Reform”

IDNs and new TLDs are coming! العربية 简体中文 繁體中文 Ελληνικά हिन्दी 日本語 한국어 فارسی Русский ייִדיש தமிழ்العربية 简体中文 繁體中文Ελληνικά हिन्दी 日本語 한국어 فارسی Русский ייִדיש தமிழ்.web,.blog,.sex … anywhere from 100 to 60 million other new TLD extensions

8 New Top Level Domains: Projected Implementation Timeline gTLD Consensus Policy Approved – Q Draft RFP Posted – est. Q Final RFP Approved – est. Q First Round Implementation: Communications & RFP launch Applications Accepted – est. early Q Successful TLD Applications Approved – est. Q3 2009

9 Recommendation 2 Strings must not be confusingly similar to an existing top-level domain or a Reserved Name. Rationale: A confusingly similar string could cause technical or consumer confusion. Implementation Considerations: – A string that resembles another string is not necessarily confusingly similar. – Staff is exploring various options for implementation of this recommendation, including: The application of an algorithm that provides guidance on which TLD strings are considered to be confusingly similar Providing a capability for formal objection to be filed to an application by a third party on the grounds that the proposed gTLD is confusingly similar to an existing TLD.

10 Recommendation 3 Strings must not infringe the existing legal rights of others that are recognized or enforceable under generally accepted and internationally recognized principles of law. Examples of sources of legal rights include: – The Paris Convention for the Protection of Industrial Property (in particular trademark rights) – The Universal Declaration of Human Rights (UDHR) – The International Covenant on Civil and Political Rights (ICCPR) (in particular freedom of expression rights)

11 Recommendation 3 (Cont’d) Procedure: A party holding rights that it believes would be harmed may file an objection to a proposed gTLD. Key criterion: Legal rights must be recognized or enforceable under generally accepted and internationally recognized principles of law.

12 Recommendation 12 Dispute resolution and challenge processes must be established prior to the start of the process. It is important that all aspects of the application process be known before applications for new gTLDs are prepared and submitted. Dispute resolution and challenge are intended to address two types of situations: 1.The filing of an objection against an application on certain specific grounds developed from the GNSO’s recommendations 2.When two or more applicants are vying for the same or confusingly similar new gTLD (“contention resolution”).

Session 313 Recommendation 12 (Cont’d) Specific grounds from the GNSO recommendations: Confusingly similar strings (Recommendation 2) Legal rights of others (Recommendation 3) Morality & public order (Recommendation 6) Community opposition (Recommendation 20) The procedures, standing and criteria for assessment need to be developed, and ICANN Staff has begun this process in consultation with outside counsel and other experts.

IP Rights Protection Mechanisms Cybersquatting and Phishing is too quick and easy, and remedies are too expensive and slow Policy Development is needed to fix this Potential options: – Standardized Sunrise Registration Process – Faster and cheaper pre-UDRP process, with rapid DNS suspension upon default – Rapid DNS suspension upon evidence of phishing or malware (to be tested in dotAsia?)

TM Office Comes to CA

17 Domain Name Remedies Uniform Dispute Resolution Policy (UDRP) –Arbitration procedure mandated by ICANN via domain name registration agreement –Rapid Time Scale – No Monetary Damages Anti-cybersquatter Consumer Protection Act (ACPA) – 15 USC 1125(d) –in personam –in rem

TM Office Comes to CA UDRP Elements Domain Name is identical or confusingly similar to a trademark in which Complainant has rights Domain Name is identical or confusingly similar to a trademark in which Complainant has rights Respondent has no legitimate rights in the Domain Name Respondent has no legitimate rights in the Domain Name – bona fide use or preparation to use prior to notice of a dispute Domain Name was registered and used in bad faith Domain Name was registered and used in bad faith – demonstrated specific intent

TM Office Comes to CA Recent UDRP Cases of Note Reseller makes bona fide offering and thus legitimate use? Reseller makes bona fide offering and thus legitimate use? NASCARtours.com – Respondent prevails because he offers ‘only tours of NASCAR events’ and provides prominent disclaimer NASCARtours.com – Respondent prevails because he offers ‘only tours of NASCAR events’ and provides prominent disclaimer GE-Merlin.com – Complainant prevails because of likely initial interest confusion, despite sale only of Merlins, and prominent disclaimers GE-Merlin.com – Complainant prevails because of likely initial interest confusion, despite sale only of Merlins, and prominent disclaimers

Recent UDRP Cases of Note MySpace.co.uk (Nominet) – Complainant prevails though domain registered six years before MySpace existed, but was used only for PPC ad site MySpace.co.uk (Nominet) – Complainant prevails though domain registered six years before MySpace existed, but was used only for PPC ad site TheEconomist.com – Respondent prevails as he swears he had never heard of the magazine when he registered the domain, and showed a picture of “Alan Greenspan – The Economist of the Century” at site TheEconomist.com – Respondent prevails as he swears he had never heard of the magazine when he registered the domain, and showed a picture of “Alan Greenspan – The Economist of the Century” at site TM Office Comes to CA

21 UDRP Related Issues of Note Each UDRP Provider implements its own procedural rules Each UDRP Provider implements its own procedural rules Naming Respondents Naming Respondents If “privacy service” is listed as the registrant, registrar will change the owner when a UDRP complaint is filed –requiring an amendment to the Complaint. Supplemental Filings Supplemental Filings

TM Office Comes to CA UDRP Practice Pointers Always request transfer; never cancel Always request transfer; never cancel Treat the Complaint like a motion for summary judgment Treat the Complaint like a motion for summary judgment Follow up to make sure the name is transferred and that it doesn’t resolve to the old website Follow up to make sure the name is transferred and that it doesn’t resolve to the old website – The registrar is responsible for transferring the domain name

23 ACPA Cases of Note Vulcan Golf et al. vs. Google et al. (USDC N.D. IL,; Case No. 07-Civ-3371) Vulcan Golf et al. vs. Google et al. (USDC N.D. IL,; Case No. 07-Civ-3371) – Class action against registrants, parking companies, and advertisers – Motion to dismiss denied in part (RICO and some state claims dismissed; federal TM claims remain) Dell and Yahoo! et al v. BelgiumDomains et al (USDC S.D. FL; Case No. 07-Civ-22674) Dell and Yahoo! et al v. BelgiumDomains et al (USDC S.D. FL; Case No. 07-Civ-22674) – Civil case for cybersquatting, counterfeiting, TM infringement – Federal seizure raid conducted with US Marshals – Pre-judgment asset freeze (+1 million domain names and millions of dollars)

24 ACPA Cases of Note Vulcan Golf et al. vs. Google et al. (USDC N.D. IL,; Case No. 07- Civ-3371) – Class action against registrants, parking companies, and advertisers – Motion to dismiss denied in part (RICO and some state claims dismissed; federal TM claims remain) Dell and Yahoo! et al v. BelgiumDomains et al. (USDC S.D. FL; Case No. 07-Civ-22674) – Civil case for cybersquatting, counterfeiting, TM infringement – Federal seizure raid conducted with US Marshals – Pre-judgment asset freeze (+1 million domain names and millions of dollars)

25 Domain Name “Tasting” Register and “taste” name for 5 days Measure traffic & revenue via PPC ads Return 98% of domains for full refund Keep and pay for profitable domain names Monetize domain names via PPC ads, popups, redirection –Get paid by Google or Yahoo! –Wait for C&D, UDRP or ACPA complaint

TM Office Comes to CA Domain Name Kiting Repetitive Tasting –Registrars and registrants taste (monetize) domain names in bulk and delete them –Then, using an automated process, they automatically re-register them... again and again. –Often through affiliated entities, in effort to evade detection

Source: Verisign’s.com registry report, Apr. 2007

ISP Use of Non-registered Domains TM Office Comes to CA

TM Office Comes to CA Policy and Legislative Developments Coalition Against Domain Name Abuse (CADNA) Internet Commerce Association (ICA) ICANN –Registries (not VeriSign) – deterring tasting / kiting –ICANN – “taxing” tasting / kiting through registration fees –ICANN – studying “front-running”

Next Steps: Policy Development Process – Potential Options Eliminate Add-Grace Period – require full payment before activation of a domain name Eliminate AGP, with exceptions for ‘legitimate uses’ No refund for ICANN portion of registration fee “Excess Delete Fee” – no refund if deletes in any given month exceed 10% of new registrations

TM Office Comes to CA Front-running Aka Domain Name SpyingAka Domain Name Spying –Registrar obtains information that a domain name is of interest to a consumer They monitor the WHOIS queriesThey monitor the WHOIS queries –Then the Registrar “registers” the domain name if the consumer doesn’t immediately register it –This prevents the consumer from registering the domain name at another registrar –Also prevents cybersquatters from registering

WHOIS Whois is a publicly- accessible database containing contact information of website owners. Registrant for JOE6PK.COM Joseph Q. Paquette 1787 St. Paul St. Denver, Colorado United States Administrative Contact: Joseph Q. Paquette 1787 St. Paul St. Denver, Colorado Technical Contact: Domains R Us 123 Main St Los Angeles, CA United States ICANN contracts require collection and public access to Whois data.

WHOIS info is vital Shows ownership information for domains Includes complete contact information Available to any Internet user Used by businesses to verify customers Used by IP and law enforcement to protect brands and prevent consumer fraud Provides accountability

Registrant for JOE6PK.COM Joseph Q. Paquette 1787 St. Paul St. Denver, Colorado United States Administrative Contact: Joseph Q. Paquette 1787 St. Paul St. Denver, Colorado Technical Contact: Domains R Us 123 Main St Los Angeles, CA United States What happens to Whois under the Operational Point of Contact (OPoC) Proposal? Operational Point of Contact OPoC could be anyone: Corporate IT department Domain portfolio manager Registrant Registrar Third parties and proxy services 5

Phishing Attacks Multiply Number of incidents and of targeted brands continues to rise Sophistication and efficiency of attacks continues to rise – esp. “fast flux” abuses Social networks frequently targeted, enabling spear phishing Phone phishing now common IDNs becoming more widespread

Fast-Flux for Phishing Increasing More Players? – More “how-to” kits seen on flux and fraud DNS networks – High volume of lures for fast-flux incidents – personalized & tracking More Targets – Attacks against traditional targets continue relentlessly – “Little Guys” hit hard with fast-flux on first ever phish Overwhelming infrastructure and personnel Losses occurring quickly – major cash-outs in short amount of time More Sophistication! – Routine blocking of monitoring efforts – Better DNS set-ups (self-defined, and use of ccTLD nameservers) – Finding and using the worst registrars to handle mitigation CrimeDNS = High availability DNS systems for hire SSAC Report (SAC 025); GNSO Issues Report GNSO Working Group now underway

SSAC: possible mitigation steps Authenticate contacts before permitting changes to name server configurations. Implement measures to prevent automated (scripted) changes to name server configurations. Set a minimum allowed TTL (e.g., 30 minutes) that is long enough to thwart the double flux element of fast flux hosting. Implement or expand abuse monitoring systems to report excessive DNS configuration changes. Publish and enforce a Universal Terms of Service agreement that prohibits the use of a registered domain and hosting services (DNS, web, mail) to abet illegal or objectionable activities (as enumerated in the agreement) and include provisions for suspension of domain names that are demonstrated to be involved in fast flux hosting.

Malware proliferation Change in emphasis - now Crimeware Organized crime with specialists creating sophisticated attacks Open up computers to become zombies Install keyloggers and scan for user/pass Capturing and using address books – Direct targets for sophisticated social engineering – Going after “whales” - people with high-value assets

Registrar Risks There are several risky registrars with access to the TLD registry zones – Hiding identities/locations – No or SLOW response to abuse issues – Registrar in-a-box – no one is actually there Handing out access to criminals posing as “resellers” – No rules or requirements from ICANN on reseller accreditation – Shields financial transaction from registration process No accountability

Process Flow: Registry Suspension of Phish Domains

Registrar Accreditation Agreement (RAA) Review of RAA which has been in force since May 2001, as a result of RegisterFly fiasco in early 2007 Six specific amendments are proposed, as a result of consultations between ICANN Staff and the Registrars’ Constituency – include terms under which a registrar can be sold and continue to retain its ICANN accreditation – address the responsibilities of a parent owner/manager when one or more of a "family" of registrars fails to comply with ICANN requirements – require registrars to escrow contact information for customers who register domain names using Whois privacy and Whois proxy services – augment the responsibilities placed on registrars with regard to their relationships with resellers – require operator skills training and testing for all ICANN-accredited Registrars – include additional, graduated contract enforcement tools

Inter-registrar Transfer Policy Policy Development Process to clarify four points of the RAA re denial of transfer request – Denial for non-payment – Denial for lock status – Denial for 60 days of initial registration period – Denial for 60 days after previous transfer Second PDP about to begin – Require registrant address in WHOIS? – Require electronic authentication of ? – Allow ‘partial bulk transfers’?

GNSO “Reform” All of ICANN’s SO’s must undergo a review every three years, per bylaws There is sentiment that GNSO does not work as effectively as it should Subcommittee of ICANN Board Governance Committee has made a proposal, subsequent and different than two other expert reviews Proposal would cut Business interests (BC, IPC and ISCPC) from 1/3 voting power, to 1/5

Help!! Please join the Business Constituency! – 1500 euro/year for large enterprises – 500 euro/year for small enterprises – Active mailing list & regular teleconferences – Influencing ICANN policy development on behalf of all businesses