Yet the summary Findings section in the published decision tells a different story:

FINDINGS
(1) the domain name registered by Respondent is identical or confusingly similar to a trademark or service mark in which Complainant has rights; and
(2) Respondent has no rights or legitimate interests in respect of the domain name; and
(3) the domain name has been registered and is being used in bad faith.

springwoodsrealty-decision(Emphasis added.)

The summary Findings section directly contradicts the actual findings by Panelist Lowry, and if accurate would have required the transfer of the domain name.  Was it mere sloppiness?  Did an assistant mistakenly copy and paste a findings section from an earlier decision where the domain name was ordered transferred?  What is clear is that no one bothers to proofread decisions for obvious errors before they are published in the public record.

This continues a long string of sloppiness in NAF published decisions.   Back in November 2013, I wrote about the common practice of NAF panels citing the same ancient, irrelevant decisions when denying a finding of Reverse Domain Name Hijacking, as in the Calibers.com decision.  Over a year and half later, NAF panels continue to routinely cite a 14-year-old case where the domain name was ordered transferred as justification for not finding RDNH where the complaint is denied.  Here is part of the rationale for denying a finding of RDNH in the gssf.com decision of July 20th in which the complaint was denied:

See World Wrestling Fed’n Entm’t, Inc. v. Ringside Collectibles, D2000-1306 (WIPO Jan. 24, 2001) (“Because Complainant has satisfied [all of] the elements of the Policy, Respondent’s allegation of reverse domain name hijacking must fail”)

The reasoning in these decisions is absurd as of course there would be no finding of RDNH when the Complainant wins, but that carries no weight in a case where the Complainant loses.   That NAF continues to publish decisions with this absurd logic after having been alerted to the problem over a year and a half ago indicates a troubling lack of any quality control.

Attorney Zak Muscovitch conducted a study in 2010 showing that NAF’s assignment of panelists was far from random with a high concentration of cases assigned to just 10 panelists.  When Muscovitch updated the study two years later, he found:

every single other Panelist was appointed to markedly more UDRP cases on average per year and per month as compared to the previous report. This suggests that DNattorney.com’s Original Study did not impact the NAF’s practice of concentrating UDRP disputes among a handful of Panelists.

George Kirikos has previously documented NAF’s habit of issuing embarrassing copy and paste decisions.  Shoddy practices is part of the reason why the ICA has called for an investigation of the NAF.

When an organization is entrusted with the responsibility and the power to order the transfer of valuable assets and to damage a person’s livelihood, it is disconcerted when it operates in such a sloppy manner.  How much of the sloppiness that is evident in the published decisions pervades the entire organization?

Everyone makes mistakes.  When a well-run organization makes mistakes and those mistakes are pointed out, the mistakes are fixed.  The NAF persists in making the same mistakes over and over.

Since that day, I’ve encountered numerous security flaws with Moniker’s system, including one that renders Portfolio MaxLock ineffective as it allows all the domains in an account to be transferred to another registrar without needing to answer the Portfolio MaxLock security questions.

As is well reported elsewhere, KeySystems caused massive disruptions when they replaced the legacy Moniker domain management system with a new system from their DomainDiscount24 (DD24) registrar. Unfortunately all the pain and trouble caused by the “upgrade” served primarily to replace a reasonably secure system with one with gaping security holes that have been exploited by hackers. The problem was exacerbated by Moniker’s failure to enact basic security procedures.

Another massive security breach was recently reported on Acro.net and DotWeekly. This appears to be a separate breach from the one I experienced which occurred in late August, as it happened much later and the IP involved was different, though it may involve the same people.

I called Moniker to alert them to the breach the same day I learned of it, and they locked down my account and the account that the stolen domains had been transferred to. Later that week I spoke to a manager at Moniker and exchanged emails with her. On September 5th, she wrote: “Our technicians are working very hard to ensure that breaches such as this never happened again.” Clearly they failed.

I was told that the technical team in Germany was investigating the breach and that I would receive a report within a few days. Despite several requests, it has now been over a month and I have yet to receive any account of what happened in the breach.

Yet from my own experience with the new Moniker interface I learned of several security flaws.

I had purchased and auto-renewed Portfolio MaxLock for several years on the old Moniker system. Portfolio MaxLock creates two security questions that must be answered successfully before any domain can be transferred out of the account. Portfolio MaxLock seemed to work well and I had peace of mind that the account was secure.

With the transition to the new DD24 interface, Portfolio MaxLock was dropped without any notice and I didn’t realize it was no longer active on my account.

When calling in to Moniker’s customer support team to make changes to the account, the customer support team verifies that you are the legitimate account owner by asking you to verify the following information from the account profile: Company name, company address, company phone number and they often, but not always, ask for the account email address. As most, if not all, of this information is available in public whois records, it is a ludicrous way to verify identity. A few years ago I changed the account email to be different from the whois email, but for many accounts the account email is likely the same as the whois email.

After my account was hacked the account email address was changed to one that was very similar to the correct one. It makes me wonder whether the hack was the result of social engineering one of the customer service reps. It is plausible that the hacker called to say that there was a typo in the account email address, and persuaded the customer service rep to make the slight change in the email address so that the email address then became one under the hacker’s control. I don’t know for certain since I haven’t received the report on how the breach happened so I can only speculate.

Moniker keeps a handy IP log showing the IP address and date stamp of anyone who has logged in or attempted to log in to the account. Yet worryingly the day that the hacker logged into my account and pushed out the domains the IP log showed no access at all. The customer service reps said that should only happen if the account was accessed internally, such as by the customer service reps themselves. This was disturbing and reinforced my suspicion that the hack was the result of the hacker persuading a customer service rep to make the changes.

I received no email to the original account email when the account email was changed. After I suggested that it is a basic security rule to send an alert to the original email address when the account email is changed, the folks at Moniker agreed that sounded like a good idea and they would ask their team to implement it.

After the hack was discovered, my account was kept in locked status and I had to call customer support, often enduring lengthy waits on hold, and having to go through the drill mentioned above “proving” my identity before the customer service rep would temporarily unlock the account to allow me to make whatever changes I needed to make.

Eventually I decided that if I purchased Portfolio MaxLock that they would not need to lock down the account each time after I was done logging in. So I spent the $124 to purchase Portfolio MaxLock. I thought it would have been a nice gesture if they had offered Portfolio MaxLock at no charge, since my account had been breached and domains taken from it. But they didn’t offer, and I didn’t press it, so I paid for Portfolio MaxLock.

The new Portfolio MaxLock works somewhat differently than the legacy version, but the key functionality is the same as it requires that two security questions be answered before a requested job will run. According to the customer support reps, even they don’t know the answers to the questions, and it would take a high level member of the technical team to be able to reset the answers if I ever forgot them.

Once I got the hang of it, Portfolio MaxLock seemed to work well. If I wanted to have an auth-code sent to me, I would navigate to the desired domain in the admin interface to request the auth-code but then I would need to go to the Jobs section to answer the security questions before the job would execute and the auth-code would then be sent. Even minor items such as changing the Time to Live (TTL) record in the DNS required answering the security questions.

One day though, I couldn’t log into my account. I called Moniker customer support assuming that the account had been relocked. But the support rep said that it hadn’t been locked, but he did say the password had been recently changed. I hadn’t requested a password change and was suddenly concerned that my account had been hacked again. The rep investigated some more and said that someone had requested a password reset, but they weren’t logged in when they requested the password change. I asked if this meant that anyone could force the password on my account to be changed at any time. The rep said that this is the way the system works. So here is another flaw in the design. You may have your password memorized, or saved in a password keeper program, and anyone at any time could force the password on your account to change so that your password is obsolete.

You may question my complacency that I would leave my domains at Moniker through the flawed transition to the new interface that blocked account access for a long time. You may question my complacency that I didn’t immediately move out all of my domains after discovering the account breach. I also question my complacency.

Yet after weeks went by without any report of what had gone wrong with the breach and without any assurance that the problem had been fixed, combined with the troubling fact that no IP was logged the day the account was breached suggesting an internal system may have been compromised, I finally decided it was time to move away my domains.

The next time I talked to customer service, I told the rep that I had heard that Moniker had recently added a feature that allowed a bulk export of auth-codes. The rep showed me where to find the link in the interface. I clicked the link and received a message that the list of auth-codes would be sent to the account email address. I went to the ‘Jobs’ section where one must go to answer the Portfolio MaxLock security questions. But there was no need. A few minutes later a report with the auth-code of every domain in my account showed up in my inbox.

Even though I had paid to add Portfolio MaxLock to my account, and even though I couldn’t change the TTL for one domain without answering the security questions, the bulk auth-code export feature was added without linking it to Portfolio MaxLock so I was able to receive every auth-code for every domain in the account without needing to answer any security questions.

That is a major security flaw, but one would think it is of little practical consequence since the domains couldn’t be transferred out to a different registrar without unlocking them first. And when I navigated to the management page for an individual domain and requested to unlock it, that change required answering the Portfolio MaxLock questions first.

However, I noticed on the account summary page that lists all the domain in the account, there is a little ‘lock’ symbol beside each domain. The symbol shows whether the domain is locked or unlocked. A nice feature is that you can click on the ‘lock’ symbol to change its status, from unlocked to locked, or from locked to unlocked. When you click on the lock symbol to unlock the domain, you don’t need to answer the Portfolio MaxLock security questions.

So I tested out whether I could move domains to another registrar without needing to answer the Portfolio MaxLock questions. I chose a few domains, click the ‘lock’ symbol for each one to unlock the domains, and then entered the auth-codes for the domains at the gaining registrar. The auth-codes were accepted, the gaining registrar emailed me to approve the transfer, a little while later Moniker emailed me a link to cancel the transfers if I wanted to keep the domains at Moniker, and a few days later the domains moved to the new registrar.

So now as I transfer out the domains in my account, I don’t bother bulk unlocking the domains and then answering the Portfolio MaxLock security questions. I just go down the list of domains clicking the ‘lock’ symbol to unlock them. And the domains are leaving my Moniker account. And Portfolio MaxLock is still active on my account, utterly useless for safeguarding the domains.

I will give a shout-out to DomainTools, as thanks to their Registrant Alert report I learned that the domains had been moved out of my account in time to prevent them from being transferred away from Moniker. Moniker’s team froze the thief’s Moniker account that the domains had been moved to, and eventually moved the domains back to my account. I need to do a thorough review but I am not currently aware of any domains that are missing from the account.

It makes me sad to write this post. I was one of Moniker’s first customers. I was a Moniker customer before there was a Moniker, before it was a registrar, back when it was DomainSystems, a NetworkSolutions reseller. When Monte was changing the name from DomainSystems he asked my opinion of the new ‘Moniker’ name. I told him I had always thought the word was spelled “Monicker”. But Moniker is a great name, and Moniker has been the home of my core domain portfolio for nearly as long as Telepathy has been in business.

So it is sad to say goodbye to Moniker, and to witness the self-destruction of this company that played such a large role in the development of the domain industry.

I must say that everyone I dealt with at Moniker after the breach was friendly and helpful to the extent that they could be. But they were saddled with a buggy system, and they couldn’t provide the account security that the customers needed. Yet someone continues to make poor decisions, such as the recent one to change all the passwords and send out the new passwords in unencrypted plain text emails.

Unfortunately it appears that Moniker’s President, Bonnie Wittenburg, is experiencing serious health issues as her email auto-reply includes the following message: “I am out of the office on medical leave and will be out for several weeks.” Bonnie’s absence may be contributing to the lack of leadership and the ineffective response to the security breaches so far. I wish Bonnie, and Moniker, a return to good health. But I will be watching from a distance.

Digital DC’s mission, according to the website, is to promote DC as “the leading community in the innovation and high-tech economy”. Announced in March by soon-to-be ousted Mayor Vincent Gray, Digital DC is offering $1 million in funding to tech companies that move into a so-called “tech corridor” in a mostly residential, transitional neighborhood.

The organization has a sharp looking website but hasn’t yet chosen which high-tech companies will receive the “catalytic” government grants.

Today the Huffington Post published an article on the difficulties domain owners face trying to recover stolen domains. The focus of the story is on Michael Lee and his years long struggle to recover mla.com.

Interesting reading for all domain investors.

Pibus found bad faith because that the seventeen year-old holdon.com domain was interfering with the Complainant’s business-

The Panel is further prepared to accept the Complainant’s uncontested assertions that the use of the disputed domain name in association with a click-through site has interfered and/or is interfering with the Complainant’s business, and that the disputed domain name is leading Internet customers seeking the Complainant’s website to the Respondent’s unauthorized website for purposes of monetary gain. In the absence of any evidence to the contrary, the Panel finds that the disputed domain name was registered and used in bad faith by the Respondent.

I fail to see how using, in a non-infringing way, a generic domain that long predates the existence of the Complainant is interfering with the Complainant’s business.  If merely using the holdon.com is interfering with Amicus Trade’s business, then the domain began interfering with the Complainant’s business the moment that Amicus Trade starting making use of the ‘holdon’ brand fifteen years ago.  Yet as the domain predates the business, it makes no sense to accuse the domain of interfering with the business.  Why is the current use bad faith when the previous uses of the holdon.com domain were not?   Are owners of generic domains not allowed to place ads on their websites that don’t infringe on any other trademarks?  Is it bad faith to try to make money from your website when you aren’t infringing on anyone else’s trademark rights?

The domain owner failed to file a response.  Even so, in order to succeed in a UDRP the Complainant must demonstrate that the registration and use is in bad faith.

Pibus’ position that placing non-infringing ads on a non-distinctive domain is bad faith use targeting the trademark holder is an overreach.  It expands the rights of trademark holders far beyond any legal foundation.  This approach also has the practical effect of putting every parked non-distinctive domain at risk, if the domain is at all similar to an existing trademark.

The HoldOn.com decision, and other similar decisions such as the MyArt.com decision and the Ovation.com decision, pervert the intention of the UDRP.  In these cases the UDRP is not, as it is supposed to be, a procedure for protecting trademark holders from blatant cybersquatters.  Instead, in these cases the UDRP is a tool whose purpose is to steal from their owners valuable non-distinctive domains that are coveted by the trademark holders but to which the trademark holders have no legal right.

HBO acquired the 1996 registered piedpiper.com domain from the original owner last year with the help of Markmonitor.  The original owner lived in Hamelin, Germany, the source of the nearly thousand year-old tale of the Pied Piper of Hamelin, and had a website with information about the region around Hamelin at PiedPiper.com.

Sorry… You didn’t have any trouble reading that did you?

In a decision released this morning NAF panelist Sandra Franklin determined that the domain “Guaiky.com” is confusingly similar to “Quirky.com.”

As you can see, no one reading “guaiky” would think of “quirky”. The first letter is different. The third letter doesn’t exist in the mark. And the consonant “r” that is in the mark is missing from the domain. The transformation of “guaiky” to “quirky” is similar to turning “right” into “wrong”, which Franklin also accomplished with her decision.

The “confusingly similar” test has long been a playground for Panelists’ more creative impulses. “MADDHATTEntertainment” was found confusingly similar to “MADD”. “Uniprotein” was found confusingly similar to “Universal”. And most notoriously, “Bodacious-tatas” was found confusingly similar to “tata”.

Franklin relies on the 13-year old belken.com decision that found “Belken” confusingly similar to “Belkin” as support for her finding that “Guaiky.com” is confusingly similar to “Quirky.com”. If a case that found that swapping one vowel in the fifth position for another vowel justifies a finding of consuming similarity that involves three transformations to a seven-letter word then nearly any fanciful mark could be used to go after thousands of dictionary word domains. Similar reasoning would find Disney confusingly similar to “Kidney.com” or would allow Verizon to go after “Derision.com”. Since consumers are so easily confused by swapping three-letters, much less one letter, what a nightmare it is to live in a world where ABC, BBC, and NBC are all television channels.

Franklin drew criticism for an earlier decision where she found eHelper.com to be a typo of edHelper.com, in ordering the transfer of that valuable non-distinctive domain.

Franklin is also the author of the “horrible” UDRP decision awarding the valuable, non-distinctive domain NiceCar.com owned by 13-years by a Korean to an American company with a trademark that post-dates the domain registration date by several years.

Franklin ordered the transfer of HealthySolutions.com despite a lack of evidence that when the domain owner registered the domain 13 years earlier that he was targeting the trademark holder. Franklin also ordered the transfer of the non-distinctive domain MedicalPark.com.

Franklin’s approach to the UDRP – finding “guaiky.com” confusingly similar to “quirky.com”, ignoring a domain owner’s legitimate interest in owning valuable non-distinctive domains such as eHelper.com, NiceCar.com, HealthySolutions.com or MedicalPark.com, finding that the reason a Korean individual registered and held for 13-years a domain, NiceCar.com, based on a commonly used generic phrase was in a bad faith effort to target a small American company’s unregistered usage of that phrase – makes a mockery of the UDRP policy. Her apparent goal is to find a way to transfer these domains regardless of the facts and she’ll twist the UDRP policy into unrecognizable shapes to achieve that goal.

Franklin has decided hundreds of cases as a sole panelist in the last few years, mostly for NAF but some as well at WIPO. A review of these cases show that if you appear before her with a complaint that isn’t formally deficient, with evidence that you had some trademark use, registered or unregistered, for your mark that predates the registration date of the domain, and the issue isn’t a pre-existing business or legal dispute, that you will win 100% of the time.

Put another way, in hundreds of cases over the last couple of years, when a Complainant can show some trademark use that predates the domain registration, Franklin has never found that the Respondent had a legitimate interest in its domain name. She has also never found, under this circumstance, that the domain owner’s registration or use was in good faith.

The integrity of the UDRP depends upon the integrity of the Panelists in honoring the policy as written. Franklin, and panelists who take a similar approach, are turning the UDRP into a tool for domain theft.

Updated Feb 9

===

Nat Cohen is a long time domainer who specializes in generic domains. This post, which Nat prepared, is one that is important to all domain owners.
About Nat – He has built up many of his Properties including OceanCity.com and Maryland.com. He lives with his wife and family in Washington DC. Nat is a longtime friend.

A Problem at the Core of the Internet

Those who care about the development of the Internet should pay attention to a problem festering at its core. Domain names, the building blocks of the Internet, are governed by such a flimsy, easily-abused set of rules that ownership rights in domain names are not secure. This problem affects both those within and outside the domain industry.

“Going Rogue”

Domains are the only asset class where owners are required to subject their ownership rights to cancellation by an arbitration panel. The poorly paid, loosely accredited arbiters who decide these cases are guided by a vague set of rules, the Uniform Dispute Resolution Policy or “UDRP”. There is no procedure for reviewing the decisions of the arbiters to ensure that the decisions comply with the guidelines. Arbiters enjoy free rein in interpreting the rules as they see fit and can act with impunity.

Most arbiters are sincere, fair-minded, hard-working, distinguished legal professionals who make a genuine effort to carefully and faithfully apply the UDRP rules. Yet their good work is undermined by weak procedural safeguards that allow a minority of arbiters to mishandle the power entrusted to them to order the cancellation of a registrant’s rights to a domain name and the transfer of that domain name to a new owner for the flimsiest of reasons.

Individuals and small businesses are losing their long-held domains in arbitration to covetous newcomers who are not entitled to them. Last year a Korean dentist lost opendental.com to a company that did not exist at the time he initially registered the domain. A technology enthusiast recently lost parvi.org to the City of Paris in spite of the arbiter finding that there was no evidence that he registered the domain in bad faith and despite of his clear legitimate use of the domain to promote new software he was developing.

‘Fox Guarding the Henhouse’

Arbiters are selected by providers of arbitration services, primarily WIPO and NAF, and the arbitration venue is in turn selected by the Complainant. WIPO and NAF are competing in the marketplace to offer services to their customers. The customers they are catering to are people or businesses who want domains transferred to them.

WIPO and NAF offer seminars on how to succeed at a UDRP. They offer pre-written complaints where the arguments are made for the complainant and all the complainant has to do is fill in the blanks. They develop supplemental policies heavily tilted in favor of the complainant governing the timing and admissibility of initial and follow-up submissions. A new entrant, the Czech Arbitration Court, has offered to aggressively lower the cost of a complaint to attract Complainants raising the question as to the quality of the panelists willing to work on an assembly line system churning out mass produced decisions at the lowest cost. One of the original arbitration providers, eResolution, stopped offering arbitration services after complaining that WIPO created a perception in the marketplace that Complainants were more likely to win cases at WIPO than at eResolution which led to a steep drop in the number of Complainants who selected eResolution as an arbitration venue. The NAF has been found to be biased in favor of credit card companies and has been banned from deciding credit card disputes, yet ICANN still empowers them to decide domain name arbitrations. Competitive pressures will increasingly push the arbitration venues to lower standards and to adopt ever more pro-Complainant policies, or see themselves shut out of the market.

These problems are not new. The ‘systematic unfairness in the ICANN UDRP’ was detailed in a thoroughly researched paper by Professor Michael Geist published in — 2001. One promising idea to reduce bias is to randomly assign cases to the different arbitration bodies. Yet no concerted effort has been made to correct the problem of bias and now, ten years after the introduction of the UDRP, the problem is as bad as it has ever been.

Mission Creep

The UDRP was intended to deal with clear cases of cybersquatting. Over time, due to panels willing to accommodate aggressive complainants, the standard is moving closer to ‘use it or lose it’ where panelists will order the transfer of a domain to whom they believe to be the “more deserving” party. Arbiters are issuing decisions stating to the Respondent, in essence, ‘you knew that the Complainant had a good use for the domain and you weren’t using it, so your continuing to hold and renew the domain is evidence of bad faith’. This line of reasoning was used in ordering the transfer of OpenDental.com, as mentioned above, and DKB.com, where one bank had stopped using a domain that another bank wanted.

The NAF acknowledged this broadening of the scope of the UDRP in a comment letter:

Panelists have taken the opportunity, over time, to agree with those complainants and broaden the scope of the UDRP, but it started out as a mechanism only for clear cut cases of cybersquatting.

The erosion of the original UDRP protections are decried by panelist Diane Cabell in a dissent:

Today, many panels will find proof of all three of the Policy’s elements simply from the existence of a mark of any kind with arguments that any mark is by definition identical or confusingly similar, that any use by any party other than a mark owner can only be illegitimate, and that bad faith necessarily exists if there is no legitimate interest.

That takes us back to the beginning, which I find disheartening.

The combination of the broader scope of the UDRP and arbiters who freely reinterpret the UDRP guidelines are putting at risk generic domains that were registered with no bad faith intent. The levees have been breached and many previously protected domains will be washed away in a flood of speculative UDRP complaints.

Bad Faith

Absent a finding of bad faith, a panelist may not order the transfer of a domain name. Most UDRP disputes turn on whether the registrant exhibited bad faith in her registration and use of the disputed domain. Bad faith is a question of intent. To determine bad faith requires looking into the soul of the person who registered the domain to determine her intention at the time of registration – which may have occurred a decade prior to the UDRP proceeding. UDRP proceedings are particularly ill suited for determining ‘bad faith’ as the evidentiary record is so slight. There is no opportunity for discovery, to examine witnesses under oath, or similar fact finding powers that are available in a court trial.

Often the only evidence supporting a finding of bad faith are ad links provided by a third party to whom the domain has been licensed. Arbiters will rely on the existence of these links to make the ‘reasonable inference’ that the original intention of the domain owner in registering a valuable generic domain years earlier was primarily to profit from such links, even though the links may have first appeared years after the original registration. On such reasoning valuable generic domains that have been held for years without problem are suddenly lost.

Anything.com has one of the best generic portfolios in the world. They have been registering generic domains since at least 1997 and registered flamingo.com in 1998 before monetization of domains through pay-per-click advertising had gotten off the ground. Four years later in 2002, the Flamingo Hotel in Las Vegas filed a UDRP objecting to links on the parking page at flamingo.com. In spite of Anything.com’s arguments that they registered flamingo.com simply because it was a generic domain, and in spite of one panelist’s dissent that the links did not prove that the domain was registered in bad faith four years earlier, the other panelists determined the links “to more than adequately support an inference regarding Respondent’s intention on registering the disputed domain name”. The Flamingo Hotel won.

In a more recent example, Bigfoot Ventures, a company with far-flung media interests, purchased several three-letter dot-com domains from BuyDomains in May 2008. BuyDomains had owned many of these domain for several years prior to the sale. At the end of May 2008, the same month that Bigfoot had acquired the domains and before it had even switched the hosting for the domains, Bigfoot was hit by a UDRP Complaint. The Complainant was a Mexican Airline known by the initials VTP and the domain the airline wanted was vtp.com. The arbiter found that the presence of advertising links on the webpage that predated Bigfoot’s purchase of the domain was evidence of Bigfoot’s bad faith. Shortly after Bigfoot spent $40,000 to acquire vtp.com, the panelist ordered its rights to the domain canceled and the domain transferred to the Mexican airline.

Cases like these show how valuable generic domains can be lost due to dubious reasoning resting on the slimmest of evidence.

‘Punishment fit the crime’

The only remedy available through the UDRP is draconian – the cancellation of all rights to the domain, usually combined with the order to transfer the domain to the complaining entity. There is no option available to allow the domain owner to cure any problem, no option to pay a monetary penalty, no temporary loss of use. The only penalty, no matter how minor the injury done, or even when there is no injury, is the utter loss of rights in the domain.

A thought experiment using a brick and mortar example may help clarify the situation. Imagine a longtime lot owner whose landscaping company plants a sign on her property that might violate the Home Owner Association (HOA) rules of her community. Then imagine that when the neighbor living in the house adjacent to the lot complains, the HOA transfers ownership of the lot to the neighbor with no compensation due to the lot owner. Far fetched? Similar outcomes are occurring regularly under the UDRP.

Admittedly this example is not that accurate. To make it more accurate the neighbor would choose the person deciding whether the sign violated the HOA rules from several people each of whom promotes himself as being more Complainant friendly than the previous one. Further, the HOA would make no effort to police the arbiters to ensure that they are actually deciding cases according to the HOA rules. Now you have a more accurate model of how the UDRP operates.

Would you want to live and invest in this neighborhood? Of course not. This would be the last place you would want to put your money.

The Morality of Speculation

Certain panelists appear to view investment in domain names as inherently bad faith. Their perspective appears to be that any value associated from an undeveloped domain must be due to a parasitic attempt to profit from the legitimate development activity of others. Therefore in a dispute where the Complainant is actively making use of a term while the Respondent is merely parking a domain similar to that term, then the inference is drawn that the parking activity is a bad faith attempt to profit from the Complainant’s business activities. The panelists who hold this view do not appear to give credence to the possibility that domains have inherent value due to their generic meaning, or that these generic domains will attract direct navigation traffic.

This view is articulated in the dissent in the Geometric.com case (in which I was the Respondent). In the panelist’s words:

Respondent engages in the business strategy of choosing words or phrases commonly used in commerce…

The majority opinion concludes that the Respondent did not have actual knowledge of this specific Complainant at the time Respondent registered the Disputed Domain Name and that any subsequent actions of Respondent are irrelevant. No consideration has been given to the artful strategy underlying Respondent’s activities.

Unfortunately, I cannot join my distinguished colleagues in approving Respondent’s actions without an analysis focusing on the underlying strategy.

I understand this panelist’s position to be that if the underlying strategy is to speculatively register domains with the intent to profit – in general – from the value created by others, then the strategy employed is illegitimate and the registration is fundamentally in bad faith – irrespective of the specific facts of the particular case. Should the registration be challenged in a UDRP by a company making commercial use of the term on which the disputed domain is based then the domain registration must be canceled – not because the registration targeted the particular Complainant in bad faith, but because the strategy of speculative registration is itself evidence of bad faith.

This view undermines the entire industry that has been built around investment in domain names. If domain names are not viewed as having inherent value, then any speculative registration must be an attempt to profit from value created by others. In this view, every speculative registration is in bad faith and must be canceled by any party who meets the test of having a common law or registered trademark that is similar to the domain name.

This position has a moralistic tone. Speculation is evil is the underlying moral principle. This view allows panelists to cast themselves as modern-day Robin Hoods, wresting a domain from the clutches of greedy speculators to deliver it safely into the hands of an upstanding business that can put the domain to honest, productive use.

Speculation draws criticism wherever it occurs whether the market is foreign currency, stocks or domain names. Speculation serves a purpose in keeping the markets for oil, gold, pork bellies and other commodities fluid and in setting prices so that farmers and natural resource companies can sell on the futures market goods that don’t yet exist and thereby obtain a steady, predictable income while transferring all the risk to the speculators.

The critics overlook that investment and speculation are often the first stage of development. Before a city exists someone has to own the land. Someone has to take their hard earned cash and speculate that the raw land will someday be worth something. Then someone else will speculate that people will want to live in that location and will buy the land, subdivide it, clear the land, and put in roads and utilities. Then builders may come to build homes ‘on spec’ – on speculation – and build a house with no guaranty of a sale in the hopes that someone will want to live there. The city that eventually grows on what was once raw land would never have existed if it hadn’t been for speculative activity at every stage of development.

In the early days of the Internet, speculators depleted their savings to spend tens or hundreds of thousands of dollars on new-fangled intangible things called domain names that most people thought were worthless. They paid millions of dollars to the domain registry and registrars who in turn used that money to strengthen the infrastructure of the Internet and to market the benefit of domain ownership and to promote the advantages of doing business online. To meet the demand created by the early investors, tools were developed to simplify web site building and to ease the transition of commerce to the Internet. The critical mass of domain ownership made possible by the purchases of speculators jump started the Internet economy. The speculators that risked their life savings because of their faith in the future of the Internet are now losing what they risked so much to acquire due to certain arbiters who view speculation as illegitimate.

Conclusion

The entire system, from the lack of oversight from ICANN, to the pro-Complainant bias exhibited by WIPO, NAF and the other arbitration providers, to panelists who substitute their personal views for the agreed language of the UDRP, fails to protect the domain owner and leads to loss of confidence in ownership rights on the Internet. The combined actions, and inaction, of these groups are like termites eating away at the foundation of a house. If left uncorrected, the house will collapse. The growth of the domain industry requires stronger protection of domain name registration rights.

Acknowledgements

This article is largely based on original research and revealing articles by Andrew Allemann at DomainNameWire.com and Mike Berkens at TheDomains.com. The ideas in this articles are not original and have been stated in one form or another by many different people, in a variety of venues, over many years. Jeremiah Johnson and Phil Corwin at the ICA are battling huge odds to protect the interest of domain owners. Several lawyers are on the front lines representing domain owners in UDRP disputes, among them Ari Goldberger, John Berryhill, Paul Keating, Brett Lewis, Stevan Lieberman, and Zak Muscovitch. Thanks to Larry Fischer for the opportunity to post here. A big thank you to the dedicated panelists who do their best to maintain the integrity of the UDRP process and who deliver fair, well-reasoned decisions.

– See more at: http://directnavigation.com/2010/01/udrp-a-guest-post-every-domainer-must-read/#sthash.qnE2tb4n.dpuf

The new owner is Liberty Global, the $35 billion market cap international cable company.  Liberty.com changed hands in April 2013.

In 2011, Liberty.com was listed for sale by the former owner for $10,000,000.  At that time, the sales page stated that the owner had already turned down two offers for Liberty.com of a million dollars each.  While the sales price can’t be independently verified, it seems reasonable for such a premium domain.  Liberty Global is a publicly traded company, so perhaps the sales price will be revealed in its company filings.

Liberty.com was the subject of a UDRP dispute in 2000.  The Complainant was a London retail store.  Fortunately the domain owner prevailed.

“Liberty” related domains seem to attract UDRP disputes from companies who take the liberty of filing baseless complaints attempting to liberate the domains from their current owners.  My own Libertad.com domain – “Libertad” means “Liberty” in Spanish – was hit with a UDRP Complaint in 2011.  Thanks to the response prepared by Ari Goldberger and Jason Schaeffer of Esqwire.com, the complaint was unsuccessful.

What has led to the surge of RDNH decisions this year?

A radical new approach to the UDRP by a few panelists is encouraging companies to file abusive complaints.  These are complaints that fail to meet the UDRP requirement that complainants demonstrate that the disputed domain was registered in bad faith.  Filing a complaint without any evidence of bad faith registration is an abuse of the UDRP process and grounds for a finding of Reverse Domain Name Hijacking.  When Panelists who reject the radical reinterpretation of the UDRP are assigned to decide disputes where complainants have failed to provide evidence of bad faith registration, they are frequently finding the complainants guilty of Reverse Domain Name Hijacking.

The radical new approach some panelists are now taking is to replace the “REGISTRATION in bad faith” standard with a “RENEWED in bad faith” standard.  This approach is illegitimate for the many reasons discussed in the  “Push to Adopt ‘Renewed in Bad Faith’ standard puts Investment Domains at Risk” post.  The primary flaw with the “renewed in bad faith” approach is that it is based on language from a part of the policy that has no bearing on how domain disputes are to be decided.   The relevant section of the policy where the dispute procedures are specified clearly states that “registration in bad faith” is one of the criteria that must be demonstrated for a complaint to be successful.

Those panelists who are championing the “renewed in bad faith” standard are ordering the transfer of domain names that everyone agrees were registered in good faith, including domains that were registered years before the complainant even existed.  Encouraged by the prospect of being able to use this new weaker standard to seize domains that they have long coveted, companies are now filing complaints targeting domains that were registered in good faith and where there is no evidence of bad faith registration.

The “renewed in bad faith” standard eliminates the heart of the UDRP – the requirement that the Complainant must demonstrate that the domain owner has registered and used the domain in bad faith.  What the “renewed in bad faith” standard boils down to is that a Complainant no longer needs to meet three rigorous tests to seize a domain through a UDRP.  Instead, for some panelists, under the “renewed in bad faith” standard, the Complainant merely needs to demonstrate some current bad faith use.

Some UDRP panels are taking this inappropriately weakened standard and then further weakening it by vastly expanding the definition of “bad faith”.  For example, UDRP panels have found that the following can be evidence of supposed bad faith: offering a domain for sale, renewing a domain name that is no longer “needed” that another company wants, parking a domain, one’s registrar parking a domain without one’s knowledge- as in the recent Ovation.com decision, and even passive holding- in other words doing nothing with the domain.  Some panelists apparently believe that investing in domain names is an inherently bad faith activity.  In their view, any domain held by a domainer to which another company could claim trademark rights is one that has likely been renewed in bad faith and therefore should be transferred away.

The “renewed in bad faith” standard is such a low hurdle that it can be trivially easy to pass.  Since some panelists are now implementing the UDRP using the “renewed in bad faith” standard, for companies who want to obtain a domain currently held by a domainer, or by another business that is no longer using it, the first choice now is often to file a complaint.

Companies are thus abusing the UDRP to obtain valuable domains.  UDRP panels recently ordered the transfer of the following domains-

• Ovation.com
• 8×8.net
• Canary.com
• Vanity.com
• Big5.com
• Fobus.com
• WAFU.com
• DriveUps.com

Although not all of these decisions relied primarily on the “renewed in bad faith” interpretation, Ovation.com and Big5.com are two that explicitly did.

The UDRP was established to combat “clear-cut cybersquatting”, such as the recent disputes against the “swarovskijewelrywholesale.com” and “ukjimmychooshoes.com” domains.  Now, however, the UDRP is increasingly being used not only to prevent clear-cut cybersquatting but as a means for companies to acquire valuable domains that they are unwilling to purchase in the marketplace.

Let’s be clear.  Just because a domain has substantial inherent value doesn’t mean it is, or should be, immune from loss through the UDRP.  It is possible that a domain owner registered and used a valuable non-distinctive domain to target a trademark owner.  Yet in each of these eight cases, it was either impossible for the domain to have been registered in bad faith because the trademark rights came after the domain registration (Big5.com, Ovation.com), or there was legitimate prior use (Vanity.com, Big5.com, Ovation.com), or there was substantial doubt about the domain owners’ intentions and a clear finding of bad faith couldn’t have been made based on the record.  In cases where there are substantial doubts about a domain owner’s intentions, UDRP panels often revert to the formula “on the balance of probabilities” in making its determination that the domain owner had bad-faith intentions.  In other words, the panel doesn’t have clear-cut evidence but it is nevertheless willing to deprive a domain owner of his or her domain based on speculation rather than convincing evidence.

With the prospects of seizing valuable domains never better, it is no surprise that companies are filing complaints for domains even where they have no evidence that those domains were registered in bad faith.

The fate of those complaints now more than ever depends on which panelist is assigned to the dispute.  A panelist favoring the “renewed in bad faith” approach will not be troubled by a lack of evidence of bad-faith registration.  But panelists who adhere to the UDRP  as it is written, on the other hand, reject complaints that are filed without evidence that the domain was registered in bad faith.

Tony Willoughby appears to be one of the panelists who is rejecting the attempt to change the way the UDRP is implemented.  Of the last five RDNH decisions, two of them were handed down by Tony Willoughby.  The primary basis for each of his RDNH findings was that the complainant produced no evidence of bad-faith registration.

Panelist Alan Limbury also had a hand in two RDNH decisions issued in recent months.  In the SquareGrouper.com decision, which he wrote, the primary reason he gave for making a finding of RDNH was that the complainant produced no evidence that the domain was registered in bad faith.

In my view Willoughby and Limbury are doing the correct thing by sticking to the clear language of the UDRP and upholding over a decade of precedent.  They are also being consistent with historical precedent by finding guilty of RDNH those complainants who fail to bring forth evidence of bad-faith registration.

It is irresponsible of panelists who support the “renewed in bad faith” approach to try to upend a decade’s worth of UDRP practice with a highly speculative and ultimately insupportable “re-interpretation” of the UDRP.  They may think they have found a clever way to make the UDRP more effective at fighting cybersquatting.  Instead, they have turned the UDRP into even more of a casino than it is already.  They have destroyed the uniformity that was supposed to have been the promise of a “UNIFORM Domain Name Dispute Resolution Procedure”.  They have encouraged a flood of frivolous complaints.

Even worse, they are facilitating the theft of domains that were not intended to be lost by those who drafted the UDRP as a limited tool to combat “clear-cut cybersquatting”.  The most glaring example of the way that the UDRP has been perverted by the “renewed in bad faith” approach is the  dispute over the Ovation.com domain that was ordered transferred.

The Ovation.com dispute and other complaints filed against similarly valuable domains, along with the record number of RDNH decisions, are not merely indications that companies are becoming more aggressive in using the UDRP to try to hijack domain names.  They are also a sign that the UDRP process itself is increasingly being hijacked by companies who see it as a way to acquire valuable domains on the cheap by using the UDRP to legitimize the theft of domains.

The risk of being found guilty of Reverse Domain Name Hijacking is far outweighed by the opportunity to obtain a domain worth tens of thousands or more.  The RDNH finding is a meaningless slap on the wrist that carries with it no monetary penalty, so is no deterrent at all.

Even the risk of being hit with an RDNH finding for filing a frivolous complaint is smaller than it should be.  UDRP panels are very creative in finding excuses for letting complainants off the hook. There is a clear double standard where abusive complaints are excused because the complainant was simply confused or ignorant:

The very obviousness of the gap in the Complainant’s case suggests more strongly that the Complainant seriously misunderstood what was required for a finding in paragraph 4(a)(iii) of the Policy, rather than that the Complaint was brought dishonestly.  (imagem.com)

Although Complainant’s case was seriously deficient, it nevertheless believed that it was justified in filing the Complaint.  (jwines.com)

Whether this was due to intentional bad faith or mere incompetence, the Panel is unable to judge.  (westcoastuniversity-edu.com)

I have yet to see a UDRP decline to order a transfer by offering similar excuses for a Respondent’s bad-faith conduct.

The extreme reluctance that many panels have in finding RDNH stands in sharp contrast with their eagerness and creativity in justifying the transfer of domains away from their owners.

Yet even in spite of this reluctance to find RDNH, the number of abusive complaints has grown so large that panels are finding RDNH in record numbers.

The number of RDNH findings by year tells the story.

Year       Number of RDNH findings

2000           6

2001          14

2002         23  (19 if .biz STOP decisions are excluded)

2003          5

2004          6

2005          8

2006         9

2007         7

2008       13

2009       13

2010        11

2011        14

2012       14

2013       24 to date

Source: RDNH.com

The number of RDNH cases in 2013 has surged far beyond the number of cases found in any of the prior ten years.

The UDRP is currently in turmoil, providing no clear guidance to either domain owners or complainants as to the standards under the UDRP.  This turmoil offers a tremendous opportunity for complainants at the expense of domain owners.   For complainants it offers the best odds yet to play in the UDRP casino to win valuable domains as prizes.  For domain owners it is their properly registered domains that are the prizes that are up for grabs.