Subdomains and online brand protection: what you need to know (long read)
Subdomains are predicted to become of greater concern to brand owners as adoption of orthodox domain name brand protection strategies expands, and as certain intrinsic characteristics of subdomains increasingly appeal to bad actors. However, the legal and technical tools available for monitoring and addressing problematic subdomains are limited, and the subdomain space is neglected by brand owners, relative to the traditional parent domain space. In this in-depth analysis, Jeremy Speres, partner at Spoor & Fisher, takes a deep dive into the subdomain environment, exploring the policing and enforcement options open to rights holders.
What is a subdomain?
Here I use ‘parent domain’ in the colloquial sense of ‘domain name’ to mean a domain registered with a registrar, not in its more technical sense as a general relative term. Subdomains, in the colloquial sense used here, are not registered with registrars but form part of parents, preceding them in a URL, typically in the third, fourth and further levels. In the example ‘apps.shop.microsoft.com’, ‘apps’ and ‘shop’ are subdomains. ‘Microsoft.com’ is the parent.
Subdomains are created easily, at no cost, at the discretion of the parent domain’s registrant by configuring records on the parent’s authoritative Domain Name System (DNS) server / name server. Importantly, the name server is not necessarily provided by the registrar; often it is provided by a hosting provider or third party DNS provider. There are numerous DNS record types, eg, A records mapping domains to IP addresses for resolution of websites, and MX records specifying mail servers responsible for accepting email. Each subdomain can point to unique web content and can have other unique DNS records. The most common subdomain is ‘www’.
One could theoretically have thousands of subdomains beneath a parent, and up to 125 subdomain levels (separated by dots) preceding a two-level parent, assuming each level is only one character, subject to server limits and an overall 253 character limit.
The increasing relevance of subdomains to brand owners
An increased awareness of the value of domain name brand protection, drawing from its benefits for customer trust and organisational cybersecurity, is leading to increased use of its tools at the parent level. WIPO’s UDRP filing statistics for 2020 are set for a continuation of the trend of successive annual records. Defensive registrations and protected marks lists such as TREx, DPML, Uni EPS and AdultBlock now block off brands in large swathes of the parent space.
Thus, the room for bad actors to adopt domains in the parent level identical to the brand, or close enough to be believable, is contracting, at least in respect of those brands that embrace brand protection comprehensively (this discounts the expansive effect of the next round of new gTLDs).
At the same time, subdomains are attractive to bad actors. The technical methods available for detecting infringing subdomains are more complex, require greater investment and are often neglected by traditional domain monitoring efforts, as discussed below.
The legal mechanisms for taking down infringing subdomains are limited and costly, relative to the parent level. Alternative dispute resolution policies are almost never available for subdomains, although there are some interesting exceptions and near-exceptions (discussed shortly).
The brand can be used identically within the subdomain, without the need to typosquat in the parent level where the brand may be defensively registered or blocked, e.g. ‘microsoft.shop.tld’ vs ‘micr0soft.tld’. This carries perceived credibility and is more likely to be trusted by victims.
Identical use of a brand within a subdomain can be made to look benign, and the true parent disguised within what appears to be a lengthy URL, when combined with multiple generic terms at different levels, eg, ‘login.secure.microsoft.account.tld’.
In short, the number of possible brand parent domains is finite, whereas the number of subdomains is practically limitless. Hundreds of subdomains targeting many different brands can be adopted at a single parent, quickly and all for the cost of one parent.
Services abound for gratis or cheap ‘registration’ of subdomains using third party parents acting as private subdomain registries. This is not abusive per se. However, not necessarily being ICANN contracted parties, many subdomain registries do not offer alternative dispute resolution or abuse reporting procedures. Many don’t collect or release complete registrant information or impose terms prohibiting abuse. As such they are often attractive to bad actors and some are havens for abuse. In one case, Google de-indexed the entire ‘co.cc’ parent along with 11 million third party subdomain sites.
Many ccTLD registries operate official generic second level domains (ccSLDs), eg, ‘.com.cn’ and ‘.iwi.nz’, accepting user registrations at the third level. In ccTLDs allowing second level registrations, third parties can register parent domains mimicking ccSLDs, using subdomains beneath. As Lexsynergy reports, the Finnish ccTLD ‘.fi’ allows second level registrations, and the parent domain ‘com.fi’ is operated by a private party as a financial domain name registry. The subdomain ‘jpmorgan.com.fi’ forwarded to an official JP Morgan site for credibility and might have been used for phishing; it’s a believable domain mimicking an official ccSLD.
Generic or descriptive parents combined with brand-abusive subdomains carry credibility given that users are accustomed to legitimate subdomain use in a similar way by brands themselves, as in the fictitious example of the legitimate brand subdomain ‘shop.microsoft.com’ versus the brand-abusive subdomain ‘microsoft.shop.com’.
Wildcard or ‘catch-all’ DNS records can be implemented, under which non-existent subdomains still return valid DNS responses. For example, assuming a wildcard DNS record of ‘*.example.com’, ‘anysubdomain.example.com’ may still resolve to a website despite not having a specific DNS record configured. This can be abused to circumvent hostname-based blocklists filtering for specific subdomains. For example, the bad actor uses randomised, changing subdomains under a single parent in phishing campaigns, which won’t necessarily be blocked even if the parent domain is blocklisted.
Wildcard MX records can be used to gather email containing sensitive, exploitable information where the sender mistypes or misremembers the recipient’s address. A bad actor could set up a wildcard MX (mail server) record on a domain it controls, e.g. ‘*.bank.tld’. A real bank’s genuine domain could be ‘acmebank.tld’, which a customer might mistype or misremember as ‘acme.bank.tld’, inadvertently sending email to the bad actor’s domain. As the bad actor used a wildcard record, they catch all emails sent to any address containing ‘bank.tld’, regardless of the subdomain. It would be very difficult to prove that the bad actor is targeting any specific brand in this way. As we shall see, wildcarding per se is also not legally actionable, per decided case law.
Thus, it is predicted that subdomains will become increasingly utilised by bad actors as they evolve their techniques, and increasingly relevant to brand owners who have historically neglected the issue.
Monitoring for infringing subdomains
Traditional domain monitoring, at the parent level, proceeds off zone files released by registries containing information about all active domains. Releasing these is a contractual obligation of gTLDs per ICANN’s registry agreement; not necessarily so with ccTLDs, being largely independent of ICANN. The published zone files only cover parents, excluding subdomains. Additionally, the Registration Data Directory Service (RDDS), often colloquially called the ‘WHOIS’ system, does not include subdomain information.
There is typically no authoritative way for third parties to access the entire DNS zone for a parent, that is, all DNS records including subdomains associated with a parent, given administrators’ security concerns. Additionally, there is no authoritative historical database of DNS records, thus when DNS records such as subdomains change, that history is lost once the change propagates through the broader DNS system.
Monitoring subdomains is therefore technically challenging and requires investment in specialised technology; traditional domain monitoring thus often neglects subdomains.
Enter passive DNS. Typical DNS queries involve a client (a user’s computer) requesting a DNS record, eg, an IP address associated with a parent or subdomain. The query passes to a resolver (server) configured to recursively request the record from the hierarchy of name servers making up the broader DNS system, and the answer is returned to the client. For browsing websites, typically a user’s browser requests a domain’s IP address from the resolver, the resolver sends the answer back to the browser, and the website is retrieved from the web server at that IP address.
Passive DNS relies on sensors installed on resolvers to save the answers to DNS queries along with timestamps. Thus historical DNS records are generated which in turn are used for cybersecurity research and subdomain monitoring. This is costly; sensors need to be installed on enough resolvers to generate sufficient data to be useful. Passive DNS has therefore been neglected in the past by traditional domain monitoring efforts, and along with it, subdomains.
It’s not clear what effect the increasing and controversial adoption of DNS over HTTPS (DoH) and DNS over TLS (DoT) could have on passive DNS data collection. DoH and DoT encrypt DNS queries between client and resolver. Implementation at the application layer (eg, by the browser) could be leading to the concentration of DNS resolution with a small number of large DNS providers. Web browser Firefox recently enabled DoH by default for US users, sending all DNS requests to Cloudflare. If that trend continues, passive DNS collection might be undermined.
Subdomains can also be detected using Certificate Transparency (CT). SSL/TLS certificates are issued to domain holders by Certificate Authorities (CAs), typically to encrypt communication between browsers and sites. CT increases accountability by requiring CAs to submit certificates to public logs, including any subdomains covered by certificates. Bad actors often obtain certificates to add credibility to sites, and CT logs can be searched for brand-abusive subdomains, but only those for which bad actors have obtained certificates. A popular CT search tool is https://crt.sh.
Advanced search engine operators (aka Google dorking) can be used. Using the ‘inurl’ operator, one can reveal URLs incorporating a brand and thus abusive subdomains. The limitations of this approach are, firstly, the results are not limited to subdomains but cover the full URL, thus many false positives may be generated. Secondly, the results are limited to those indexed by Google.
Domain permutation engines such as DNStwist generate commonly abused domain variations. Although largely limited to the parent level, they can be used for finding brand abusive domains spanning the dots into subdomain levels, e.g. ‘mi.cro.soft.tld’.
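The brand placements described in this article (the brand as a subdomain label, the brand buried among generic labels, and the brand spanning the dots) can be checked mechanically over hostnames returned by a CT or passive DNS search. The Python below is an added example, not code from the author or from any tool named above; the suffix list, category names and sample hostnames are constructed assumptions.

```python
"""Triage hostnames from CT or passive DNS results for brand use below the parent."""
from collections import namedtuple

Finding = namedtuple("Finding", "hostname category parent_domain")

# Assumption: a small constructed set of multi-label suffixes. A production
# monitor would load the full Public Suffix List instead.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.cn", "co.nz", "iwi.nz"}


def split_host(hostname):
    """Split a hostname into (subdomain labels, parent label, suffix)."""
    labels = hostname.lower().rstrip(".").split(".")
    if labels[0] == "*":  # certificates may cover wildcard names
        labels = labels[1:]
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    if len(labels) <= suffix_len:
        raise ValueError(f"no registrable parent in {hostname!r}")
    suffix = ".".join(labels[-suffix_len:])
    return labels[:-suffix_len - 1], labels[-suffix_len - 1], suffix


def classify(hostname, brand, own_parents):
    """Say where (if anywhere) the brand string sits in the hostname."""
    brand = brand.lower()
    subs, parent, suffix = split_host(hostname)
    parent_domain = f"{parent}.{suffix}"
    if parent_domain in own_parents:
        category = "own"  # the brand owner's own parent domain
    elif brand in parent:
        category = "brand-in-parent"  # covered by zone-file monitoring
    elif any(brand in label for label in subs):
        category = "brand-in-subdomain"  # e.g. microsoft.shop.tld
    elif brand in parent + suffix.replace(".", ""):
        category = "spans-parent-tld-dot"  # e.g. mr.green
    elif brand in "".join(subs) + parent:
        category = "spans-subdomain-dot"  # e.g. mi.cro.soft.tld
    else:
        # Typosquats such as micr0soft.tld need a permutation engine,
        # not a substring check, so they are not matched here.
        category = "no-match"
    return Finding(hostname, category, parent_domain)


def triage(hostnames, brand, own_parents):
    """Return the findings that need human review, in input order."""
    findings = (classify(h, brand, own_parents) for h in hostnames)
    return [f for f in findings if f.category not in ("own", "no-match")]


# Constructed sample input, using the fictitious hostnames from the article.
SAMPLE_HOSTS = [
    "shop.microsoft.com",
    "microsoft.shop.tld",
    "login.secure.microsoft.account.tld",
    "mi.cro.soft.tld",
    "micr0soft.tld",
    "*.microsoft.example.co.uk",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_HOSTS, "microsoft", {"microsoft.com"}):
        print(f"{finding.category:22} parent={finding.parent_domain:16} {finding.hostname}")
```

Reporting the true parent alongside each hit matters because that parent, not the brand-bearing label, identifies the registrant, registrar and name servers to approach.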
Enforcement against subdomains
Legal remedies available to address infringing subdomains are limited relative to those available at the parent level. By ‘infringing subdomain’ I mean one that itself takes advantage of a brand and is used in an abusive way, or one that does not itself take advantage of the brand, eg, a generic subdomain, but which is used in a brand-abusive way.
Intermediaries having technical control over the subdomain or content could be engaged, including the registry, registrar, hosting provider and DNS provider. However, they often have less incentive to act against subdomains than for parents.
Registrars are obliged under clause 3.18.1 of the ICANN Registrar Accreditation Agreement (RAA) to take ‘reasonable and prompt steps to investigate and respond appropriately’ to abuse reports. Under Specification 11 of the ICANN Registry Agreement (RA), registries must require registrars to prohibit IP infringement in their registrant registration agreements. Unlike the RAA, the RA doesn’t appear to expressly oblige registries to investigate and respond to abuse reports, other than those from law enforcement, governmental and quasi-governmental agencies.
Nevertheless, under privity rules, brands lack contractual leverage with registrars and registries as non-parties to the RAA or RA. Third-party beneficiary claims are not viable as clauses 7.5 and 7.8 of the RAA and RA respectively exclude it; such a claim brought against registrar Tucows by a spam victim failed in the US Court of Appeals, Ninth Circuit. These provisions also only apply to ICANN accredited registrars for gTLDs, not ccTLDs.
Given widely divergent interpretations of these provisions in the ICANN community, ICANN Contractual Compliance won’t direct a registry or registrar to suspend IP abusive domains. Registries and registrars often take the view that they should not be arbiters of illegality and simply refer the aggrieved brand holder to the site operator or host, which is often ineffective (see below), or arbitral policies such as the UDRP. Some registries and registrars do however assist.
For infringing subdomains, the registry or registrar could suspend (not delete) the parent by placing it on 'serverHold' or 'clientHold' status respectively. This is a blunt, potentially disproportionate tool suspending the entire parent and all subdomains. As there may be non-infringing content elsewhere, registries and registrars are often understandably reluctant to do so, especially where they don’t control the authoritative name server or host and can’t take the targeted approach of suspending only the subdomain or content. See, for example, the case of ‘mooo.com’, a legitimate subdomain registry mistakenly seized by US authorities in an anti-counterfeiting operation, inadvertently terminating 84,000 innocent sites hosted on subdomains. This is exploited by bad actors by including innocuous content and subdomains elsewhere under a parent. Additionally, legitimate domains often have vulnerabilities allowing bad actors to hijack subdomains. This happened to Microsoft recently due to misconfigured or forgotten subdomains, leading to advertisements for Indonesian casinos on subdomains under ‘microsoft.com’. Suspending the entire parent in those circumstances is obviously problematic.
Recently, a large group of prominent registries and registrars committed to a DNS Abuse Framework, which is to be welcomed. The framework doesn’t include IP infringement in its conception of abuse, and specifically raises the proportionality issue in relation to subdomains. As Brian J Winterfeldt observes, proportionality is not a concern where the domain is not being put to any use other than the infringing use.
Where third party name servers are used, they are often not ICANN contracted parties with abuse investigation obligations for the specific parent. They have even less incentive to suspend subdomains, despite often being the only party able to in a targeted, proportionate way. Even if they do assist by deleting the subdomain’s DNS records, the name servers can be changed and the subdomain reinstated quickly by the registrant, without parent suspension.
If a privacy service is listed as registrant in the parent’s WHOIS (a ‘proxy’ service), a rights holder might sue the service, and possibly an associated registrar, for abusive subdomains. Clause 3.7.7.3 of the RAA requires registration agreements to incorporate provisions requiring the listed registrant to disclose details of any licensee of the domain, failing which, they accept liability for harm. Facebook argued this in recently suing registrar Namecheap for infringing customer domains. Namecheap raised the no third-party beneficiary defence and the Tucows precedent.
Do DNS intermediaries - registries, registrars and DNS providers - have any incentive to suspend subdomains to avoid contributory liability? For parents, this was decided in favour of registrars in the US in 1999 in Lockheed Martin v NSI, and US cases continue to be decided accordingly. Contributory liability for subdomains seems even more unlikely under US law, where a registry or registrar is further removed and especially where not also the DNS provider or hosting provider.
In Petronas v GoDaddy a US District Court ruled that the registrar’s web forwarding service, under which domains redirect to other URLs, was not actionable against the registrar. Although this type of forwarding is performed at the hosting server level (discounting CNAME DNS records), it is analogous to a name server maintaining subdomains.
Interestingly, the US Anti Cybersquatting Consumer Protection Act (ACPA) has been found inapplicable to subdomains given the definition of ‘domain name’ requiring registration by a registrar. So brand owners enjoy relatively less protection in the US in relation to subdomains compared to parents. An ACPA claim against an intermediary for subdomains would thus not be possible, and even if the ACPA did apply, it includes a safe harbour for registries and registrars.
Under EU law the question of DNS intermediary liability is not harmonised. A small number of national cases have found registrar liability or suspension-on-notification obligations, but it’s rare, fact specific, and disparate national laws apply. A German court concluded that a registrar is secondarily liable for failing to take action once notified of ‘blatant’ infringement. A French Appeals Court ruled that registrars have an obligation to act diligently once notified. Sebastian Schwemer cites a number of European cases rejecting liability.
Under EU law, proportionality is a well-established principle, codified in the IP Enforcement Directive. EU DNS intermediaries and courts may thus be particularly wary of the subdomain proportionality concern. The Council of European National Top-Level Domain Registries (CENTR) recognises the proportionality issue, mentioning subdomains, in relation to take-downs. SIDN, the Dutch ccTLD registry, exhorts registrars to consider proportionality when considering take-downs.
Forward-looking arguments are made to shoehorn DNS intermediaries into ISP safe harbour provisions, but it’s largely accepted that they don’t apply to DNS intermediaries, which thus have less incentive for take-downs. See the excellent articles by Schwemer and Truyens & Van Eecke. The EU Commission is however considering DNS intermediaries in coming revisions to the EU ISP safe harbours, with its Digital Services Act. ICANN has raised concerns.
The hosting provider can be engaged for content take-down, and registrars routinely direct brand holders to the host. However, where content is not obviously infringing, the hosting provider has no incentive to assist. An example is a subdomain consisting of a brand, used for purposes of traffic diversion, where the site content is non-infringing. If the host assists, a game of whac-a-mole can ensue, as the bad actor shifts hosts while retaining the parent and subdomain. If the host sits behind a reverse proxy like Cloudflare, it may be near impossible to establish the host’s identity.
Alternative dispute resolution / arbitral policies
If intermediary actions aren’t fruitful, for parents one would typically look to alternative dispute resolution (ADR) policies like the UDRP (‘policy’). However, almost none apply to subdomains.
It is long-established that the UDRP does not apply to subdomains, given the policy’s references to the domain being registered with a registrar, thus it will not assist where the parent is not confusingly similar to the trade mark. One would be left with court litigation for abusive use of a subdomain like ‘microsoft.shop.tld’. There are however a few interesting exceptions and near-exceptions discussed below.
The Second WIPO Internet Domain Name Process, considering the policy soon after adoption, specifically addressed subdomains. At paragraph 294, it recognised the difficulties that inapplicability to subdomains raises. It appeared to accept the policy’s applicability to subdomains if incorporated into agreements between parent registrants and subdomain users, but recognised the enforceability and proportionality difficulties discussed above. The process concluded that registrants of parents corresponding to country codes (eg, ‘jp.com’) acting as private subdomain registries should take steps to render the UDRP applicable and implement its decisions.
Some private country-code subdomain registries have heeded this call. CentralNic operates many (eg, ‘.uk.com’) and has a custom Dispute Resolution Policy similar to the UDRP, albeit different in significant ways as Doug Isenberg reports. The ‘.co.com’ subdomain registry adopted the UDRP.
In the only UDRP decision I’m aware of to substantively consider the possibility of the policy applying to subdomains, the panelist in EFG Bank European Financial Group SA v Domain Consults rejected the policy’s application on the basis that the subdomains were not registered with a registrar under a registration agreement incorporating the policy. However, per the panelist:
“Although there may be no reason in principle why the UDRP could not apply...to a sub-domain name registered with a regist[rar] via a registration agreement that incorporates the UDRP..., it would seem to be incumbent on a complainant...either to show evidence of such UDRP applicability, or failing that, the consent of the registrant…it might also be necessary to confirm that the registrar could implement any panel decision...”
Interestingly, a few new gTLDs expressly and contractually subject all subdomains to the UDRP, intentionally or unintentionally. See clause 2.10 of the ‘.rugby’ registry policy document, clause 10 for ‘.icu’, clause 4.11 for ‘.tickets’ and clause 5.3 for ‘.art’. There may well be others. Some variant of the following is prescribed:
“A registrant may not... sell, license or lease subdomains... For the avoidance of doubt, all policies herein apply in full force to any sub-domains howsoever created.”
As these policy documents expressly subject parents to the UDRP, they would appear to do likewise to subdomains. If these documents are in turn incorporated by reference into registration agreements for parents, as the registry policy mandates and as at least some registrars do, then the parent registrant would appear to expressly bind their subdomains contractually to the UDRP. It then becomes arguable that the UDRP applies to any subdomains created and used by that registrant itself, and possibly to any licensed to third parties as an implied or express term. Unlike in EFG, here the parent registrant (and possibly its licensees) has explicitly and contractually subjected its subdomains to the UDRP.
Pursuing this argument would not be without significant difficulties. Even though the registrant has expressly agreed that the UDRP applies to subdomains, the policy itself does not anticipate application to true subdomains not registered with a registrar, and in respect of which a registrar may play no part if not the DNS provider. A panel’s subject matter jurisdiction then is problematic. Consider also the policy’s remedies – cancellation or transfer; only the former is applicable to true subdomains, not both. Depending on whether the registrar is also the DNS provider, decisions may not be enforceable in a targeted way (ie, cancelling only the subdomain versus the entire parent). True subdomains are distinguished from those under subdomain registry services, where the registry itself often acts as a combined registry/registrar or where the subdomain is registered via a third party registrar; in either case the registry or registrar is able to implement decisions.
One counter would be to argue for a non-standard, broad interpretation of ‘registered’, so as to stretch it to cover the entry of DNS records for subdomains. This would only assist where the parent’s registrar also maintains the name servers, given the policy’s references to registration with a registrar. Another would be to raise the suggestion in EFG that consent to the UDRP’s applicability would suffice. The panelist specifically raised the issue of enforceability, implying that if the decision was implementable then application to the subdomain may be appropriate. If consent will suffice there, then why not express prior agreement à la ‘.rugby’ etc, where the registrar is also the DNS provider and able to implement the decision by cancelling the subdomain, including permanently?
A reply would be to argue that even if the registrar is the DNS provider and able to cancel the subdomain, it would be prohibited from preventing name server substitutions. Registrars are required to impose a lock on the domain once a complaint is filed, preventing transfer. The definition of ‘lock’ in the UDRP Rules precludes one affecting ‘resolution of the domain’. So a recalcitrant registrant could change the name servers upon receipt of a complaint to a party not contracted to ICANN, rendering any subdomain decision unenforceable. This is ultimately a persuasive practical argument against application of the UDRP to true subdomains (not necessarily those of subdomain registries), even where there has been express agreement to the policy’s application.
An interesting question is whether the UDRP would assist where the offending domain has the brand or confusingly similar term ‘spanning the dots’ across the parent and subdomain levels, eg, ‘micro.soft.tld’. The first element of the UDRP requires the complainant to establish standing by proving that the domain is identical or confusingly similar to its trade mark. It is well-established that spanning the dot between the TLD and the parent can satisfy the first element, e.g. MR GREEN trademark v ‘mr.green’ domain. What about spanning the next dot? If the parent alone is confusingly similar to the brand there is no difficulty, but what about cases such as ‘micro.soft.tld’ where the parent, ‘soft’, is not, but the combination of parent and subdomain is, and where the combination has been used (and ‘registered’ in the stretched sense) in bad faith? There are, as far as I can tell, no UDRP decisions considering the issue.
Again the problem of subdomains not being registered with a registrar arises and may well be prohibitive. Naturally, the subdomain can be considered for the second (rights or legitimate interests) and third (bad faith) elements of the UDRP, but the problem is significant at the first. Can it be argued that the subdomain somehow imputes confusing similarity onto the parent? Panels have in the past considered elements beyond the domain itself, specifically website content, in order to confirm confusing similarity under the first element. See for example the case of VF Corporation v Vogt Debra. The trademark was EASTPAK and the domain ‘bagpakonline.com’, in which the trademark is not easily recognised. The panellist looked to the domain’s website, which included the EASTPAK mark, and found confusing similarity under the first element. The same occurred with CLASH OF CLANS v ‘clashbot.org’ and GOLDEN GOOSE DELUXE BRAND v ‘goldenoutlet2017.com’. The WIPO Overview of WIPO Panel Views on Selected UDRP Questions 3.0 seems to recognise the practice of considering the broader case context and websites, at paragraphs 1.7 and 1.15. Depending on the circumstances, there may likewise be room to argue that the subdomain should be considered in assessing confusing similarity of the parent.
Where the subdomain and parent combination has blatantly been created and used in bad faith, and where some part of the trademark is recognisable in the parent, the inclination of the panel may be to come to the complainant’s aid by allowing this kind of imputed confusing similarity. Nevertheless, the foregoing ‘registered with registrar’ problem may be insurmountable. If that is the case, it does leave a disparity in the protection afforded to brand owners based merely on dot placement that does leave one with a sense of injustice in blatant cases; dot spanning between parent and TLD is actionable, not necessarily so at the next dot.
What about wildcarding subdomains, discussed above? There has apparently only been one UDRP decision considering the issue. In PwC Business Trust v Ultimate Search the panel accepted that the presence of wildcard DNS records, which resulted in subdomains identical to the complainant’s trademark resolving to the respondent’s website, was not evidence of bad faith. This makes sense where there is no evidence of the respondent intentionally defining specific, non-wildcard subdomains targeting the brand. The problem however is that in the presence of a wildcard DNS record, it would be very difficult to establish whether resolving subdomains are the result of the wildcard or another, specific, intentional DNS record targeting the brand, without access to the zone file for the domain which is almost always only accessible to the registrant and DNS provider.
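The evidentiary gap described above can be seen from the outside by comparing a suspect subdomain's answer with the answers for random sibling labels, which can only come from a wildcard. The Python below is an added example, not code from the article or from any decision it cites; the in-memory zones, addresses and function names are constructed, and `resolve` stands in for a real lookup against the parent's name servers. It also covers the wildcard MX case discussed earlier.

```python
"""Probe whether a resolving subdomain can be told apart from a wildcard answer."""
import secrets


def make_resolver(zone):
    """Build a lookup over a constructed zone, following DNS wildcard matching."""
    def resolve(name, rtype="A"):
        name = name.lower().rstrip(".")
        if name in zone:  # an existing name is never answered by a wildcard
            return frozenset(zone[name].get(rtype, ()))
        labels = name.split(".")
        for i in range(1, len(labels)):
            encloser = ".".join(labels[i:])
            if "*." + encloser in zone:
                return frozenset(zone["*." + encloser].get(rtype, ()))
            if encloser in zone:  # closest existing ancestor has no wildcard
                break
        return frozenset()
    return resolve


def wildcard_evidence(resolve, hostname, rtype="A", probes=3):
    """Classify what an outsider can infer about one resolving hostname."""
    target = resolve(hostname, rtype)
    if not target:
        return "no-answer"
    parent = hostname.split(".", 1)[1]
    # Random 16-hex-character siblings will not have been configured by
    # anyone, so any answer for them must be synthesised from a wildcard.
    wildcard_answers = set()
    for _ in range(probes):
        wildcard_answers |= resolve(f"{secrets.token_hex(8)}.{parent}", rtype)
    if not wildcard_answers:
        return "explicit-no-wildcard"
    if target <= wildcard_answers:
        # Either the wildcard answered, or an explicit record points at the
        # same destination. Without the zone file these look identical.
        return "indistinguishable-from-wildcard"
    return "explicit-differs-from-wildcard"


# Constructed zones using documentation address ranges.
WILDCARD = {"*.example.com": {"A": {"203.0.113.10"}}}
ZONES = {
    "wildcard only": WILDCARD,
    "explicit, other address": {**WILDCARD, "brand.example.com": {"A": {"198.51.100.7"}}},
    "explicit, same address": {**WILDCARD, "brand.example.com": {"A": {"203.0.113.10"}}},
    "explicit, no wildcard": {"brand.example.com": {"A": {"198.51.100.7"}}},
}
# The wildcard MX scenario: constructed mail host name.
MX_ZONE = {"*.bank.tld": {"MX": {"mail.collector.example"}}}

if __name__ == "__main__":
    for label, zone in ZONES.items():
        verdict = wildcard_evidence(make_resolver(zone), "brand.example.com")
        print(f"{label:24} -> {verdict}")
    print("wildcard MX              ->",
          wildcard_evidence(make_resolver(MX_ZONE), "acme.bank.tld", "MX"))
```

An `explicit-differs-from-wildcard` or `explicit-no-wildcard` result shows a deliberately configured record; `indistinguishable-from-wildcard` is inconclusive, including when an explicit record points at the same destination as the wildcard.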
In the only instance of which I’m aware in which a TLD specifically addresses subdomain infringement in a dispute resolution policy, the New Zealand Domain Name Commission has implemented an innovative mechanism in its ‘.nz’ Dispute Resolution Service (DRS). Adopted in 2014 when second level registrations were introduced, clauses 4.3 and 4.4 extend the policy to true subdomains, but only those at the third level where the parent is registered at the second level; where the parent is registered at the third level under one of the pre-existing ccSLDs (eg, ‘.co.nz’) the policy won’t apply to the fourth level subdomains. The subdomain provisions apply where the second level parent is a generic term, eg, ‘shop.nz’, the registrant has added a subdomain that is identical or similar to the complainant’s mark, eg, ‘microsoft.shop.nz’, and the subdomain is considered an ‘unfair registration’. The use of the term ‘registration’ here in relation to subdomains lends support to the stretched interpretation of ‘registered’ discussed above.
The approach taken to enforcement of subdomain decisions under the ‘.nz’ DRS neatly and fairly solves the enforcement problem discussed above in relation to the UDRP, in a graduated, proportional way. First, the complainant is required to ask the registrant to cease use of the subdomain; failing that, an Expert may grant an order requiring the registrant to delete the subdomain. If that order is not followed, the parent domain will be suspended and only reinstated once the expert’s order has been implemented.
Nineteen years since the Second WIPO Process, there doesn’t appear to be any reason to limit its call regarding subdomains to country-code parents; the same rationale would apply to generic parents. Additionally, subdomain abuse doesn’t just happen through subdomain registries; often it’s via true subdomains. ADR authorities could consider the viability of extending policies to subdomains, and the ‘.nz’ DRS approach appears attractive. If this approach is acceptable for third level subdomains and generic parents, then it may well be extensible to subdomains at all levels and not just for generic parents.
One concern would however stem from the fact that the parent is not transferred to the successful complainant, which could lead to repeat complaints being necessary where the same subdomain is adopted again after reinstatement of the parent. This could be addressed with additional provisions providing e.g. for lengthy or even permanent suspensions. Additionally, implementation of subdomain decisions would be administratively more burdensome on providers and may not necessarily be scalable.
As mentioned, the ACPA has specifically been found inapplicable to subdomains. However, interestingly, some US states have sought to address this need in specific scenarios. For instance, New York and Texas have laws making it illegal for ticket websites to use subdomains containing the name of a performer, venue, event, etc. California seems poised to adopt a similar law.
In GoForIt Entertainment LLC v DigiMedia.Com LP, the complainant sued for trademark infringement in circumstances where the defendant had implemented wildcard DNS records. Some browsers at the time automatically appended a TLD to queries entered by the user, and this practice resulted in users who queried the complainant’s GOFORIT trademark ending up at a subdomain consisting of the trademark on the defendant’s parent domain ‘com.org’, which served up pay-per-click ads. The court rejected the notion that this constituted use in commerce for purposes of trademark infringement and thus found that subdomain wildcarding, per se, is not actionable.
Are the registrants of parents who licence subdomains to third parties liable for the conduct of their licensees? As discussed, registrar-registrant registration agreements must impose liability on registrants for the harm of licensees where their identity is not disclosed. Interestingly though, clause 3.7.7.3 of the RAA only imposes this obligation for licensing use of a ‘Registered Name’, which is defined in the RAA as a domain about which data is maintained ‘in a Registry Database’. That prima facie excludes subdomains as their records are not registry maintained. Nevertheless, many registration agreements don’t exclude third-party beneficiaries, thus a third party beneficiary claim under a registration agreement for subdomain licensing might be possible, depending on contractual language.
Interestingly, the registrant agreement prescribed for ‘.ca’ domains by the Canadian Internet Registration Authority (CIRA) at article 4.1.8 specifically addresses the issue of subdomain licensing. The registrant of the parent agrees to be “wholly responsible for the use and operation” of any subdomain. The agreement does not appear to exclude third-party beneficiary claims. Thus, the parent registrant might be sued on this basis, and registry and registrar agreements should be checked for similar clauses.
As we’ve seen, bad actors increasingly have reason to adopt brand-abusive subdomains. DNS intermediaries largely have no liability and thus no legal incentive to assist (although some do assist). Detecting offending subdomains is not straightforward, but there are good providers who employ the indirect detection techniques discussed above who should be engaged by brands. The paucity of applicable ADR mechanisms is known to bad actors, who exploit this. ADR authorities could consider the viability of extending ADR policies to subdomains, possibly along the lines adopted by the ‘.nz’ DRS. Contractual language in DNS intermediary agreements aimed at curbing abuse by subdomain licensees could be adopted or clarified where appropriate.