How Cybersquatters Tarnish Brand Names

When the Web site FreeLegoPorn.com began publishing pornographic images created with Lego toys, trademark owner Lego Juris AS, which sells the popular plastic building blocks for children, acted quickly.

"The content available on the site consisted of animated mini-figures doing very explicit things. We were not amused," says Peter Kjaer, an attorney for Billund, Denmark-based Lego.

Lego didn't go to court. Instead, it filed a complaint with the World Intellectual Property Organization's (WIPO) Arbitration and Mediation Center, which ruled in its favor. The domain registrar for FreeLegoPorn.com, Scottsdale, Ariz.-based GoDaddy.com Inc., eventually shut down the site and transferred the domain name to Lego, in compliance with the Uniform Domain Name Dispute Resolution Policy (often called the UDRP), a procedure set up by the Internet Corporation for Assigned Names and Numbers (ICANN) to address domain-name brand abuse.

The UDRP process, set up 10 years ago, saves businesses time and money by getting offending sites down relatively quickly and without lengthy lawsuits. But it hasn't deterred cybersquatters, who lay claims to domain names that play on a virtually unlimited number of variations of well-known brand names, including common misspellings of those names, to drive traffic to their own sites.

People intending to visit a brand's Web site may instead end up on a cybersquatter's site and then be redirected to a phishing site, a Web page with objectionable content or -- most commonly -- advertising that may link to competing products and services. The most popular brands can be the target of thousands of cybersquatting sites.

Cybersquatting can damage a business's brand reputation and result in substantial losses. One company that has tried to defend itself is Verizon Communications Inc., which has aggressively pursued cybersquatters and reclaimed thousands of domain names related to its businesses. This year it activated many of those and set them up to redirect users back to its own Web site.

Brand Problems Online

Cybersquatters use variations on trademarked names to draw visitors to their sites. Those sites may contain offensive content or pay-per-click ads, or they may create a false association with the trademark owner or sell competing products. Some may combine offensive content and e-commerce -- featuring pornographic images and offers for sex toys or other products, for example.

Percentage Increases, 2007 to 2008:

* Cybersquatting: 18%

* Offensive content: 21%

* Pay-per-click advertising: 24%

* False association: 20%

* E-commerce/counterfeit product sites: 46%

Source: 2008 Brandjacking Index, MarkMonitor Inc., San Francisco

"We're on track to bring in 9 million new visitors, just from the names we've been able to get back," says Sarah Deutsche, vice president and associate general counsel at Verizon.

Malicious sites can create havoc with a brand's reputation. Sometimes, criminals copy a brand's entire Web site in order to collect usernames and passwords from unwitting visitors. They then try to figure out where else on the Web those names and passwords might work. "Guess the fake. You can't, usually. It's pretty nuts," says Fred Felman, chief marketing officer at MarkMonitor Inc., a San Francisco-based domain registrar that also monitors brand-abuse activity for corporate clients.

Eighty percent of the cybersquatting sites MarkMonitor tracked in early 2007 were still online one year later, Felman says. Why aren't brand owners pursuing them? Some businesses have had to prioritize which cybersquatters to pursue, while others have given up on the problem or chosen to ignore it.

Ignoring the problem is getting harder to do as the amount of brand abuse continues to rise. Cybersquatting activity rose by 18% last year, with a documented 440,584 cybersquatting sites in the fourth quarter alone, according to MarkMonitor's annual Brandjacking Index report.

Lego's Kjaer has noticed an uptick in activity as well. "The number of cases in our monitoring reports and number of UDRPs has definitely increased," he says. And WIPO cited an 8% jump in dispute filings in 2008, to 2,329 complaints -- a new record.

Push for Reforms

With ICANN preparing to open a potentially unlimited number of new top-level domains (beyond the current .com, .biz, etc.) as early as the first quarter of 2010, intellectual property holders worry that the cybersquatting problem may spin out of control. That has them pushing hard for reforms.

Ten years ago, most cybersquatters redirected users to porn sites or tried to sell domain names that included the names of major brands back to the companies that owned those brands. But today, advertising-based "domain parking" sites are the fastest-growing cybersquatting problem.

"Domainers" build portfolios of thousands of domain names and profit by reselling the names or selling advertising on those sites. They may generate revenue by posting pay-per-click ads and other advertising content.

Advertising-supported domain-parking sites that exploit trademarked names damage those brands by diverting traffic away from the brand owner's site -- or, worse, by linking prospective customers to competitors' products. InterContinental Hotels Group suffers from both, says Lynn Goodendorf, global head of data privacy at Denham, England-based IHG.

Goodendorf says she doesn't like domain-parking cybersquatters, but she has to prioritize her activities. IHG will go after cybersquatters when the sites include objectionable content or if they contain malware or refer visitors to competitors. Although Goodendorf isn't happy about it, the company doesn't have the time or resources to pursue cybersquatting domainers whose sites contain more generic advertising, she explains.

Glossary of Domain Practices

Cybersquatting: The practice of abusing trademarks within the Internet Domain Name System.

Typosquatting: The practice of registering domain names that feature common misspellings or typographical errors in trademarked names.

Domain parking: The practice of registering domains for potential future development. Parked domains may include pay-per-click advertisements.

Domaining: The practice of buying, selling and monetizing domain names.

Domainer: A person or business that buys, sells and monetizes domain names for financial gain.

Domain tasting: The practice of registering a domain name, then using ICANN's five-day free grace period to monitor traffic volumes and determine whether the domain should be dropped based on a cost-benefit analysis.

Domain kiting: The process whereby domains are registered and dropped within the five-day ICANN grace period and then registered again for another five days. Kiting a domain lets the registrant gain the benefit of ownership without ever paying for the domain.

Source: MarkMonitor Inc., San Francisco

Even domain-parking sites that don't include advertising are a problem, contends Verizon's Deutsche. "Cybersquatters who register and hold on to valuable brands harm trademark owners by taking names the trademark owner could use for itself," she says.

Domain parking has changed from a cottage industry to a big business over the past five years, as has cybersquatting activity associated with domain parking, says Doug Isenberg, an attorney at The GigaLaw Firm, which specializes in domain-name disputes. The reasons are simple: Start-up costs for domainers are low, the potential financial gain is huge, and the penalties for cybersquatting -- the possible loss of the domain name in a UDRP proceeding -- are small.

Domainers who register variations on popular trademarked names can drive up site traffic. This increases income -- and the value of the domain name, which they can then resell at a premium.

The cost of maintaining a domain can be as little as $6 per year. "If you can make $1 a year on domain traffic, that's worth keeping," Isenberg says.

Domainers may keep thousands -- or hundreds of thousands -- of domain names. While some domainers are legitimate, most aren't, Deutsche contends -- and she has sued many of them. "Tens of thousands of variations of our brand are being monetized by domainers -- including some accredited registrars," she says.

The distinction between domain-name brand abuse (cybersquatting) and domain parking is important, says Jeffrey Eckhaus, general manager at domain registrar eNom Inc. in Bellevue, Wash. "Cybersquatting is illegal in the U.S., while domaining is a legitimate business," he says. ENom supports domainers with advertising services, but domaining is "not the main focus of eNom's business," Eckhaus adds.

But domain parking is part of the core business model of some registrars, says Steve Metalitz, president of the Intellectual Property Constituency (IPC), an ICANN-sanctioned organization that lobbies for brand owners.

Trademark holders have responded to the problem by buying up "defensive" domain names so that cybersquatters can't use them, hiring monitoring services, pursuing violators through the UDRP process and, increasingly, taking cybersquatters to court.

Dealing with the problem isn't cheap. IHG has registered 4,200 domain names to protect its seven brands, which include such well-known names as Holiday Inn and Crowne Plaza, Goodendorf says.

Verizon has registered more than 10,000 domain names, mostly to protect its three most visible brands: Verizon, VZ and FiOS. "It's extremely costly," Deutsche says.

As expensive as maintaining thousands of defensive registrations might be, paying $6 a year to maintain a domain name is far cheaper than the $1,500 fee to file a UDRP case with WIPO, especially when a business has hundreds or even thousands of complaints to address, Isenberg says.

UDRP at a Glance

$1,500: Cost to file a Uniform Domain Name Dispute Resolution Policy complaint

85%: Complainant success rate in UDRP process

60-70 days: Average time to a decision

2,329: Cybersquatting complaints filed with WIPO in 2008

8%: Increase in complaints over previous year

Most UDRP Filings, by Industry

1. Biotech and pharmaceuticals

2. Banking and finance

3. Internet and IT

4. Retail

5. Food, beverage and restaurants

Sources: WIPO and ICANN

But even if it pays for thousands of defensive registrations, a company can't rest easy. Goodendorf says cybersquatters can continue to register new variations of IHG's brand names, often in combination with other words, such as a city name, and many of these sites take visitors to competitors' properties or other travel industry Web sites.

"We cannot possibly buy every conceivable combination," she says. The company has prioritized which cybersquatters to go after based on factors such as the offending site's name, content and amount of traffic diverted from IHG properties. "We have to figure out where the most serious harm is -- and what is actionable," Goodendorf says. Therefore, many cybersquatters go unchallenged.

Monitoring services offered by companies like MarkMonitor or Arlington, Va.-based Cyveillance Inc. can alert a business to the existence of cybersquatters. But the services cost thousands of dollars annually, and the business still needs to review each case.

"Small to medium-size businesses are screwed," Felman says. "They can't afford our services. They can't afford lawyers. Consumers and small businesses get harmed the most."

IHG uses Cyveillance's monitoring services and receives daily alerts. "I have a person who does nothing but sort through those alerts and decide which to pursue. That's her full-time job," Goodendorf says.

Once a company has determined that it wants to pursue a cybersquatter, it must decide what action to take. It might start by paying a brand-protection service provider like MarkMonitor to contact the domain-name registrant and registrar and ask to have the site taken down. If the registrant is unresponsive, the brand owner has several other options.

Intellectual property owners can sue cybersquatters under the federal Anticybersquatting Consumer Protection Act, but that's expensive and limits damages to $100,000; they can try to shut down sites containing copyrighted content under provisions of the Digital Millennium Copyright Act; and in some cases, they might be able to pursue violators for trademark abuse under provisions of the Lanham (Trademark) Act.

The least expensive approach is to file a UDRP complaint with a dispute-resolution provider such as WIPO or the National Arbitration Forum. But even when the complainant wins -- which, according to WIPO, happens 85% of the time -- that's not always the end of it. Cybersquatters can delay the transfer by challenging it in court.

Some registrars can be uncooperative, too, failing to complete domain-name transfers within the specified 10 days, Isenberg says. ICANN hasn't done enough to deal with complaints about such registrars, he adds. "They get a slap on the wrist and then it happens again," he says.

What Businesses Want

Businesses want ICANN to do more to combat the cybersquatting problem. The following are some of their recommendations.

* Make the loser pay: Require the loser of a UDRP decision to pay all costs of preparing the case. That would give cybersquatters a financial disincentive, which is lacking today.

* Validate registrations: Require registrars to do more to validate the domain-name registrant's identity information in Whois databases. Critics argue that some registrars accept even clearly bogus data, such as fields filled with zeros or gibberish.

* Disclose hidden relationships: Require registrars to divulge more details on their business relationships. Critics believe that registrars doing business under different names might run pay-per-click sites that are involved in cybersquatting. Today those relationships aren't typically disclosed and are difficult to track down.

* Fast-track UDRP cases: While UDRP disputes are usually resolved within about two months, that still doesn't get the most offensive sites down fast enough. Brand owners want an expedited process for such cases. ICANN is reviewing a proposal for such a system, called the Uniform Rapid Suspension System, submitted in May.

While IHG uses UDRP, Verizon has passed on that approach because, Deutsche says, a separate complaint must be filed for every domain-name infringement. With tens of thousands of cases to prosecute, the company decided to declare all-out war on cybersquatters. "We've brought high-profile lawsuits against some of them, and there's been a noticeable drop in the last couple of years in [Verizon-related] cybersquatting," Deutsche says.

"A lot of times you'll go out and find 100 brand infringements, and 30 or 40 are coming from the same entity," says James Brooks, director of product management at Cyveillance. Aggressively pursuing those firms, as Verizon has done, may cause cybersquatters to look for "softer targets," he says.

But more cases pile up on the docket every day. For example, Deutsche recently learned of Verizson.com, a Web site that includes affiliate advertising. The owners of such sites get paid a few cents whenever visitors view ads on the site or click on advertising affiliate links.

Many intellectual property holders, already overwhelmed by cybersquatting activities, fear that the problem will become untenable when ICANN makes a potentially unlimited number of new generic top-level domains (GTLD) available in early 2010. Currently, ICANN supports 16 domains, including .com and .net.

Deutsche questions the need for new TLDs, given the limited success other new domains have had compared with .com. Nearly three quarters of all domain-name registrations under ICANN's administration are in the .com domain, and 92% are in the .com, .net and .org domains. She alleges that the primary motive for adding GTLDs, driven by registrars, is to sell more defensive domain names to intellectual property holders.

Paul Levins, vice president of corporate affairs at ICANN, calls Deutsche's assertion "mischief-making." Use of the newest GTLDs, such as .tel and .mobi, is growing, he says. Plus, two ICANN-commissioned economic impact reports, published in March, show that increased competition would benefit consumers, adds Levins. He notes that intellectual property concerns "can be addressed through existing legal mechanisms and appropriately designed ICANN procedures for protecting intellectual property."

But businesses worry that, without additional protections, it will be impossible to protect their brand names online in an expanded GTLD universe. Goodendorf, for instance, frets that IHG will be forced to buy the same set of defensive domain names for each new top-level domain. "That will run up our costs even more, [and] it's going to become more confusing for people to find what they're trying to find."

Intellectual property owners complained loudly to ICANN through the IPC, one of several advisory groups to the ICANN board. In response to those concerns, ICANN asked the IPC to come up with recommendations.

It formed the Implementation Recommendation Team, which on May 29 issued a report to ICANN listing suggestions for dealing with the new top-level domains. These include the establishment of a list of trademarked names that can't be sold in the new GTLDs, a provision for rapid takedowns of sites that blatantly violate trademarks, disablement of offending domains instead of transferring ownership and requiring the complainant to pay for their registration, and a mechanism for challenging any new registry that is involved in cybersquatting or colludes with cybersquatters.

A decision on the report's recommendations is expected, possibly as early as this month, following a period of public comment and discussions this summer. It's unclear how many of the report's recommendations will be adopted, but the IPC's Metalitz says ICANN has done a good job so far in responding to the concerns of intellectual property holders. "The board recognized that there is a problem. They won't roll out the new GTLDs until that problem is resolved," he says.

Unfortunately, the proposal applies only to new GTLDs, even though the biggest problems are tied to the existing ones, Metalitz says. Even if every recommendation is adopted for the new GTLDs, getting the same rules applied to existing domains like .com will be tough, he adds. "The problem is, you have entrenched interests that are resistant to change."

However, ICANN may be able to apply the new rules as existing registrar contracts expire, Levins says. "We may be able to retrofit the features that are in the new GTLD agreements to address abuse."

Meanwhile, the cybersquatting pandemic shows no signs of abating. While ICANN has made strides in improving oversight through its audits of registrars, the potential financial gains from cybersquatting remain too high and penalties too small to stop the growth in domain-name brand abuse, let alone deter the practice. That's why the IRT recommendations, even if applied to existing top-level domains, aren't likely to completely solve the underlying problem.

But the GTLD issue has intensified the focus on trademark abuse in domain names, and the matter now has ICANN's full attention. So the GTLD proposals could be a catalyst for change -- eventually. For Metalitz and the intellectual property owners he represents at the IPC, those recommendations amount to one small step in the right direction.

This version of this story originally appeared in Computerworld's print edition. It's a modified version of an article that first appeared on Computerworld.com.

Related Reading

How to Protect Your Brand

Cybersquatters are siphoning away increasing numbers of users from the Web sites of businesses large and small. Using variations on trademarked names, cybersquatters may lure prospective customers to pornographic Web sites, malware sites, sites hawking counterfeit goods, or pay-per-click advertising sites, some of which lead viewers to competitors' products and services.

They're doing so right under the noses of trademark holders, but many companies remain blissfully ignorant of what's going on -- or how it can affect their business. In addition to losing revenue from customers who never reach their true Web sites, companies may find that cybersquatters have irrevocably damaged their reputations.

While cybersquatters have been around almost as long as the Web itself, the problem is getting worse. What should you do to protect your business? We asked for tips from legal professionals, as well as from experts at brand-abuse monitoring vendors and companies such as Lego and InterContinental Hotels Group (IHG) that have successfully fought cybersquatters. Here's what they had to say.

1. Establish a policy to deal with the problem. Take the time to create a detailed policy, then follow up with surveillance and policing, says Peter Kjaer, an attorney at Lego.

2. Monitor new domain registrations. IHG uses a monitoring service that alerts the company when potentially infringing domain names are registered. Those services aren't cheap -- basic monitoring services from Cyveillance, for example, run $5,000 to $10,000 per year. "But at least you can identify unauthorized registrations and know what's registered and who's registering it," says Lynn Goodendorf, global head of data privacy at IHG.

Incomplete or fictitious registration information is a tip-off that the entity is not aboveboard, she says.

Organizations that do their own monitoring often use Google to see if common misspellings and other variations on a trademarked domain name have been registered, says Doug Isenberg, an attorney at The GigaLaw Firm. The Domain Tools Web site allows Whois lookups of trademarked name variations to see they've been registered as domain names. It also offers other monitoring and lookup services.

When checking for misspellings of your brand, remember that not all keyboards are in QWERTY format, says James Carnall, manager of the cyberintelligence division at Cyveillance. "Stay on top of what devices are selling well and what logical thumb mistakes are being made on those devices," he suggests.

3. Build a portfolio of defensive domain-name registrations. This includes common misspellings or other errors users might enter when typing your brand names. Registering a domain name can cost as little as $6 per year. Recovering one from a cybersquatter costs much more.

4. Check Your trademarks. Make sure your trademark portfolio is up to date in all parts of the world, Isenberg advises. "A trademark application can go a long way in a domain-name dispute," he says.

5. Pick your battles. "You can't go after every cybersquatter out there. But you can go after those causing the most damage or creating the most problems for you," Isenberg says. That means prioritizing domain-name abuse cases. Lego, for example, looks at how much traffic the offending site receives, as well as the domain name and content on the site, before making a decision, Kjaer says.

6. Pursue violators. Depending on the circumstances, victims may be able to sue under the federal Anticybersquatting Consumer Protection Act or the Lanham (Trademark) Act. If content infringes on copyright, it may be possible to have the site taken down immediately -- sometimes the same day -- under the Digital Millennium Copyright Act.

Lawsuits are expensive, but they can work, Isenberg says. Picking a few high-profile cases can act as a deterrent. "You create a reputation that you aggressively pursue [cybersquatter] domain-name registrants," he says.

But the least expensive approach is to file a complaint with a dispute-resolution provider such as the World Intellectual Property Organization or the National Arbitration Forum. The complainant must successfully argue that the domain name is identical or confusingly similar to the brand name, and that the owner has no rights to or legitimate interests in that name and is using it in bad faith.

The process takes about two months from complaint to decision. If the complainant wins and the owner does not file an appeal, the site must be taken down within 10 days of the decision.

7. Get involved. Join the Intellectual Property Constituency, which represents the interests of trademark and copyright owners to the Internet Corporation for Assigned Names and Numbers, the organization that coordinates the Domain Name System on the Internet.

"Many decisions made by ICANN have a critical impact on the interests of intellectual property owners who seek to protect their rights online," says IPC President Steve Metalitz. "The Intellectual Property Constituency is a key channel for input into those decisions."

Subscribe to the Today in Tech Newsletter

Comments