You receive a package of iPhones and they appear to have been ordered by an employee in the purchasing department (let’s call her Jane Doe), however, you weren’t expecting any iPhones.
Upon further inspection, you notice that the email address for the order was Janey.Doe@oklahomacounty.net. However, there is no “Janey” Doe working for the county, and the county’s website is “oklahomacounty.org,” not “oklahomacounty.net.” This type of fraudulent behavior was recently reported by the Oklahoma County Board of Commissioners, which reported that Namecheap Inc., a registrar of internet domains, had registered a private domain for oklahomacounty.net. The person who registered the .net domain then used fake email accounts with the domain to order thousands of dollars of products. After asking Namecheap to deregister the domain with no success, the County has sought an injunction from the Oklahoma County Court against the domain holder.
What the County is experiencing is a type of cybersquatting called typo-squatting or domain spoofing – where a domain name is changed slightly to impersonate another domain (think Amazon.com vs. Amazonn.com or Amazon.org). Often, these impersonators don’t just change the domain name, but may also duplicate the entire underlying website attempting to trick visitors into spending money on fake products or obtain their information for additional scams. Another common form of cybersquatting is bad faith cybersquatting, or registration of domain names for the sole intent of profiting off the goodwill associated with someone else’s trademark. These types of cyber-squatters often purchase a domain name containing a trademark of another entity and then attempt to sell it to the trademark owner for a profit.
While filing for an injunction with the County may result in an order forcing a domain registrar, such as Namecheap, to freeze, deregister, or transfer the domain, there are other options a person/entity may take if they experience cybersquatting. The most common and least costly way to attack a spoofed domain is through the Uniform Domain-name Dispute Resolution Policy (UDRP).
To purchase a domain, a person or company merely needs to decide what words they want to capture in the domain address, find out if the domain is available, and then use a registrar, like Namecheap, GoDaddy, or Domain.com, to register the desired domain. The person registering the domain can register privately, so their information is hidden from the public. The private registration can cause issues when a domain name infringes on the trademark of another person or entity, because without any real contact information there is no way to directly sue or contact the registrant of the domain except through the registrar. Due to the fast growth of the internet, numerous trademark and cybersecurity issues have arisen from spoofed domains. Thus, the UDRP was implemented to protect business and trademark owners from abusive or bad faith domain registrations that are confusingly similar to their own domains.
The UDRP allows the owner of a trademark (either a registered or common law trademark) to file a complaint with a dispute resolution service provider, such as the World Intellectual Property Organization (WIPO) or Forum. The complaint must allege 1) that the disputed domain is identical or confusingly similar to the Complainant’s trademark or service mark, 2) that the registrant of the disputed domain has no rights or legitimate interest in the domain name, and 3) that the disputed domain was registered in bad faith. When the trademark owner is relying on common law trademark rights instead of a registered trademark, there are additional evidentiary requirements that must be met to prove there are actual rights in the common law trademark (this evidence includes duration of use, types of advertising, sales evidence, public recognition, and customer surveys).
Once a UDRP complaint is filed, the registrar is notified and is required to provide the complaint to the registrant of the disputed domain, who can then respond with an answer. Notably, in most cases no response is filed – usually because the person who registered the disputed domain was using a fraudulent email address. Once the response date has passed, WIPO or Forum assigns the case to an administrative panel that will make a decision about the domain. It is important to note that the burden to prove bad faith domain registration in a UDRP process is on the complainant, and all three requirements mentioned above must be met, or the UDRP panel will issue a decision in favor of the registrant even if they fail to respond to the complaint. If the panel decides that the disputed domain is infringing and was registered in bad faith, the panel will notify all parties involved, and the registrant will be required to cancel or transfer the domain to the Complainant depending on what the Complainant asked for in the complaint. However, transferring the domain is typically the preferable outcome as it will prevent the domain from falling into the wrong hands again.
The UDRP process is typically less costly than litigation. It also provides a trademark or business owner with a quick review and outcome. The UDRP process is an important tool for companies in preventing fraud and trademark infringement like that experienced by the Oklahoma County Board of Commissioners.