When the Web site FreeLegoPorn.com began publishing pornographic images created with Lego toys, trademark owner Lego Juris AS, which sells the popular plastic building blocks for children, acted quickly. "The content available on the site consisted of animated mini-figures doing very explicit things. We were not amused," says Peter Kjaer, an attorney for Billund, Denmark-based Lego.
Lego didn't go to court. Instead it filed a complaint with the World Intellectual Property Organization's (WIPO) Arbitration and Mediation Center, which ruled in its favor. The domain registrar for FreeLegoPorn.com, Scottsdale, Ariz.-based GoDaddy.com Inc., eventually shut down the site and transferred the domain name to Lego, in compliance with the Uniform Domain Name Dispute Resolution Policy (often called the UDRP), a procedure set up by the Internet Corporation for Assigned Names and Numbers (ICANN) to address domain-name brand abuse.
(ICANN is the international organization that coordinates the Internet's domain-naming system. Domain registrars are companies accredited by ICANN or a national authority to sell and register domain names on behalf of individuals, companies or other organizations.)
The UDRP process, set up 10 years ago, saves time and money by getting offending sites down relatively quickly and without lengthy lawsuits. But it hasn't deterred cybersquatters, who can come up with domain names that play on a virtually unlimited number of variations on well-known brand names, including common misspellings of those names, to drive traffic to their own sites.
People intent on visiting a brand's Web site may instead end up on a cybersquatter's site and then find themselves redirected to a phishing site or a site with objectionable content or -- most commonly -- advertising that may link to competing products and services. The most popular brands can be the target of thousands of cybersquatting sites.
Bad for business
Cybersquatting can damage a company's brand reputation and result in substantial business losses. One company that has tried to defend itself is Verizon Communications Inc., which has aggressively pursued cybersquatters and reclaimed thousands of domain names related to its businesses. This year it activated many of those and set them up to redirect users back to its own Web site.
"We're on track to bring in 9 million new visitors, just from the names we've been able to get back," says Sarah Deutsche, vice president and associate general counsel at Verizon.
But it's not just the big names like Verizon that are suffering. Green energy is a hot topic right now, so cybersquatters have been targeting wind and solar energy start-ups, Deutsche says. "A lost sale for them is a huge hit."
Malicious sites can create havoc with a brand's reputation. In some cases, criminals have copied a brand's entire Web site in order to collect usernames and passwords. They then try to figure out where else on the Web that name and password might work. "Guess the fake. You can't, usually. It's pretty nuts," says Mark Feldman, chief marketing officer at MarkMonitor Inc., a San Francisco-based domain registrar that also monitors brand abuse activity for corporate clients.
Eighty percent of the cybersquatting sites MarkMonitor tracked in early 2007 were still online one year later, Feldman says. Why aren't brand owners pursuing them? Some businesses have had to prioritize which cybersquatters to pursue, while others have given up on the problem or have chosen to ignore it.
Ignoring the problem is getting harder to do as the amount of brand abuse continues to rise. Cybersquatting activity rose by 18% last year, with a documented 440,584 cybersquatting sites in the fourth quarter of last year alone, according to MarkMonitor's annual Brandjacking Index report.
Lego's Kjaer has noticed an uptick in activity as well. "The number of cases in our monitoring reports and number of UDRPs has definitely increased," he says. And WIPO cited an 8% jump in dispute filings in 2008, to 2,329 complaints -- a new record.
Now, ICANN is preparing to open a potentially unlimited number of new top-level domains (beyond the current .com, .biz, etc.) as early as the first quarter of 2010, and intellectual property holders worry that the cybersquatting problem may be spinning out of control. That has them pushing hard for reforms.
Ten years ago, most cybersquatters redirected users to porn sites or tried to sell domain names associated with major brands back to their rightful owners. But today advertising-based "domain-parking" sites are the fastest growing cybersquatting problem.
"Domainers" build portfolios of thousands of domain names and profit by reselling the names or selling advertising on those sites. They may generate revenues by posting pay-per-click ads (where the site owner receives payment every time a visitor clicks on an advertising link) and other advertising content.
Advertising-supported domain-parking sites that exploit trademarked names damage those brands by diverting traffic away from the brand owner's site -- or worse, by linking prospective customers to competitors' products. InterContinental Hotels Group suffers from both, says Lynn Goodendorf, global head of data privacy at Denham, England-based IHG.
Goodendorf says she doesn't like domain-parking cybersquatters, but she has to prioritize her activities. IHG will go after cybersquatters when the sites include objectionable content -- as Lego did in the FreeLegoPorn.com case -- or if they contain malware or refer visitors to competitors.
Although she's not happy about it, the company doesn't have the time or resources to pursue cybersquatting domainers whose sites contain more generic advertising, Goodendorf explains.
Even domain-parking sites that don't include advertising are a problem, contends Verizon's Deutsche. "Cybersquatters who register and hold onto valuable brands harm trademark owners by taking names the trademark owner could use for itself," she says.
Domain parking has transformed from a cottage industry to a big business over the past five years, as has cybersquatting activity associated with domain parking, says Doug Isenberg, an attorney at The GigaLaw Firm, an Atlanta-based firm that specializes in domain-name disputes. The reasons are simple: Start-up costs for domainers are low, the potential financial gain is huge, and cybersquatting penalties -- the potential loss of the domain name in a UDRP proceeding -- are small.
Domainers who register variations on popular trademarked names can drive up site traffic. This increases income -- and the value of the domain name, which they can then resell at a premium.
The cost of maintaining a domain can be as little as $6 per year. "If you can make $1 a year on domain traffic, that's worth keeping," Isenberg says.
Domainers make a living by keeping thousands -- or hundreds of thousands -- of domain names. While some domainers are legitimate, most are not, Verizon's Deutsche contends -- and she has sued many of them. "Tens of thousands of variations of our brand are being monetized by domainers -- including some accredited registrars," she says.
Drawing a distinction between domain-name brand abuse (cybersquatting) and domain parking is important, says Jeffrey Eckhaus, general manager at domain registrar eNom Inc. in Bellevue, Wash. "Cybersquatting is illegal in the U.S., while domaining is a legitimate business," he says. ENom supports domainers with advertising services, but domaining is "not the main focus of eNom's business," Eckhaus says.
But domain parking is part of the core business model for some registrars, including Cambridge, Mass.-based Sedo.com LLC, says Steve Metalitz, president of the Intellectual Property Constituency (IPC), an ICANN-sanctioned organization that advocates on behalf of brand owners.
Trademark holders have responded to the problem by buying up "defensive" domain names so that cybersquatters can't use them, hiring monitoring services, pursuing violators through the UDRP process, and, increasingly, taking cybersquatters to court.
Dealing with the problem is not cheap. IHG has registered 4,200 domain names to protect its seven brands, which include such well-known names as Holiday Inn and Crowne Plaza, Goodendorf says.
Verizon has registered more than 10,000 domain names, mostly to protect its three most visible brands: Verizon, VZ and FiOS. "It's extremely costly," Deutsche says.
As costly as maintaining thousands of defensive registrations might be, paying $6 per year to maintain a domain name is far cheaper than the $1,500 fee to file a UDRP case with WIPO, especially when a business has hundreds, or thousands, of complaints to address, Isenberg says.
But even if it pays for thousands of defensive registrations, a company can't rest easy. Goodendorf describes the problem: Cybersquatters continue to register new variations of IHG's brand names, often in combination with other words, such as a city name, and many of these sites take visitors to competitors' properties or other travel industry Web sites.
"We cannot possibly buy every conceivable combination," she says. The company has prioritized which cybersquatters to go after based on factors such as the offending site's name, content and amount of traffic diverted from IHG properties. "We have to figure out where the most serious harm is -- and what is actionable," Goodendorf says. Many cybersquatters go unchallenged.
Monitoring services offered by companies like MarkMonitor or Arlington, Va.-based Cyveillance Inc. can alert the business to the existence of cybersquatters. But the services cost thousands of dollars per year, and the business still needs to review each case.
"Small to medium-size businesses are screwed," Feldman says. "They can't afford our services. They can't afford lawyers. Consumers and small businesses get harmed the most."
IHG uses Cyveillance's monitoring services and receives daily alerts. "I have a person who does nothing but sort through those alerts and decide which to pursue. That's her full-time job," Goodendorf says.
Once a company has determined that it wants to pursue a cybersquatter, it must decide what action to take. It might start by paying a brand-protection service provider like MarkMonitor to contact the domain-name registrant and registrar and ask to have the site taken down. If the registrant is unresponsive, the brand owner has several other options.
Intellectual property owners can sue cybersquatters under the federal Anticybersquatting Consumer Protection Act, but that is expensive and limits damages to $100,000; they can try to shut down sites containing copyrighted content under provisions of the Digital Millennium Copyright Act; and in some cases they may be able to pursue violators for trademark abuse under statutes of the Lanham Act.
The least expensive approach is to file a UDRP complaint with a dispute-resolution provider such as WIPO or the National Arbitration Forum. But even when the complainant wins, which according to WIPO happens 85% of the time, that's not always the end of it. Cybersquatters can delay the transfer by challenging it in court.
Some registrars can be uncooperative, too, failing to complete domain-name transfers within the specified 10 days, Isenberg says. ICANN hasn't done enough to deal with complaints about such registrars, he adds. "They get a slap on the wrist and then it happens again," he says. (See "Registrars under fire in domain disputes" for more information.)
While IHG uses UDRP, Verizon has passed on that approach because, Deutsche says, a separate complaint must be filed for every domain-name infringement. With tens of thousands of cases to prosecute, the company decided to declare all-out war on cybersquatters. "We've brought high-profile lawsuits against some of them, and there's been a noticeable drop in the last couple of years in [Verizon-related] cybersquatting," Deutsche says.
"A lot of times you'll go out and find 100 brand infringements, and 30 or 40 are coming from the same entity," says James Brooks, director of product management at Cyveillance. Aggressively pursuing those firms, as Verizon has done, may cause them to look for "softer targets," he says.
But more cases pile up on the docket every day. For example, Deutsche only recently learned of verizson.com, a Web site that includes affiliate advertising. The owners of such sites get paid a few cents whenever visitors view ads on the site or click on advertising affiliate links.
In some cases, ads refer potential visitors to competitors' sites. In others, Google ads may refer the visitor back to Verizon. "We end up paying Google, who pays the cybersquatter," Deutsche says.
Many intellectual property holders, already overwhelmed by cybersquatting activities, fear the problem will become untenable when ICANN makes a potentially unlimited number of new generic top-level domains (GTLD) available in early 2010. Currently, ICANN supports 16 domains, including .com.
Verizon's Deutsche questions the need for new TLDs, given the limited success other new domains have had relative to the .com domain. Nearly three quarters of all domain-name registrations under ICANN's administration are in the .com domain, and 92% are in the .com, .net and .org domains. She alleges that the primary motive, driven by registrars, is to sell more defensive domain names to intellectual property holders.