Safenames Ltd - Domain name policing and enforcement
In May 2021, a fraudster was jailed for four years after he was found faking COVID-19 text messages purporting to be from the NHS, banks and other commercial organisations. As part of the scam, he set up bogus websites impersonating the ‘gov.uk’ domain, requesting victims’ personal financial information to verify their identity and entitlement to receive the vaccine.
Unfortunately, this illustrates a situation that is all too common in today’s digital world.
As domain names continue to grow in importance, they draw the attention of those that seek to take unfair advantage of these valuable assets.
According to the Cyber Security Breaches Survey 2021, phishing remains the most common threat experienced by businesses and charities in the United Kingdom. Yet because domain names are frequently overlooked as part of many security solutions, they are often targeted by cyber criminals, who use them to carry out phishing attacks.
Now more than ever, there is a need for legal departments to become more involved in the security of their company’s domain portfolio.
The role of legal in domain management
The concept of ‘domain management from a legal perspective’ puts legal teams at the heart of a company’s domain management strategy. It is also an approach that seeks to strengthen a brand’s legal position online by adopting a range of preventative and reactive measures.
Legal teams understand the inherent risks that come with managing a company’s valuable intellectual property. In fact, the key elements of managing a trademark portfolio are somewhat similar to those of managing a domain portfolio. As a result, legal teams are in the best position to establish a registration and enforcement strategy.
Creating an optimal domain portfolio
One of the problems in an expansive domain space is how to tackle growing numbers of infringements. Companies cannot be expected to register every possible variation of their brand across numerous domain extensions. Legal teams, therefore, need to collaborate with wider business groups such as marketing and IT to create the best registration strategy.
The first step is to determine which domain names should fall into the company’s portfolio. At a minimum, a good portfolio should include the following:
- corporate name domains – domain names remain a key identifier of a company’s mission and values, and are a primary point of contact with consumers;
- brand-related domains – branded domains should be registered to avoid damage or confusion as to the source of goods and services, through the sale of counterfeit or competing products;
- marketing campaigns – domain names are registered on a first-come, first-served basis, so having product or campaign-related domains within a portfolio early on can remove the strain, and often expense, of having to acquire them in the days leading up to an important launch; and
- brand presence – this would mainly include ccTLDs where a brand has a strong presence in that jurisdiction.
Once a company has identified which domain names require protection, the legal team need to create clear internal guidelines on how they should be registered, who they should be registered to and what should be done if the domain is already registered to a third party.
In most cases, a defensive strategy will be less expensive and more efficient than an aggressive enforcement approach.
Pre-emptive measures would include the use of the following:
- Sunrise registration periods – a pre-registration period in which trademark holders are given an early opportunity to register domain names identical to the textual elements of their trademarks. Legal teams should be cognisant of emerging domain extensions that may create an association with their brands (eg, ‘.app’ or ‘.store’).
- Blocking services – some domain registries also provide blocking services, which allow rights holders to block identical and confusingly similar terms across their TLD portfolio. Legal teams should carefully analyse the specific domain spaces where these blocking mechanisms exist and weigh up the costs and possible reputational damage if these were to be used abusively.
- Defensive registrations – an important consideration for legal teams is how recoverable a domain name is within a particular jurisdiction. ccTLDs such as Russia (‘.ru’) and Germany (‘.de’), which lack administrative procedures like the UDRP, create a barrier to recovering domain names that fall into the wrong hands. Even where these ccTLDs do not fall within the registration strategy, perhaps due to a lack of presence in those markets, it will still be prudent to register these domain names defensively to block others from claiming them.
Despite best efforts, cyber criminals will always find creative ways to hijack a company’s brand identity through the registration of confusingly similar domain names. This is where the legal team can really shine. Armed with expert knowledge and foresight, legal teams can develop an enforcement strategy to react quickly to any new threats.
Still, it will be virtually impossible for a company to act on every case of abuse; those that try end up playing an infinite game of whack-a-mole.
As part of a company’s enforcement strategy, legal teams will need to establish criteria or a priority system to determine which domains to recover and the appropriate methods to do so.
For example, the UDRP continues to be an efficient and inexpensive method of enforcement. It also applies to most ccTLDs, which either adopt or provide an alternative mechanism built on the principles found in the UDRP. When a domain falls into one of the protection categories set out above, legal teams should be sure to take swift action.
If a domain does not form part of a company’s portfolio plan or defensive registration strategy, a company may still want to act to stop the abuse. But how can legal teams avoid a situation in which domain recovery leads to an inflated domain portfolio?
Suspension, retention and monitoring
In a previous article, we discussed the importance of domain and website takedowns as an effective solution to online threats. In addition, the URS is another mechanism employed by legal teams to address the worst cases of abuse across new gTLDs, but without the burden of maintaining a list of obscure variations of the company’s brand name. But that is not to say that inactive domains cannot still form part of an effective enforcement strategy.
One of the most effective tools in tackling online infringement is education. Legal teams should use recovered domains to educate consumers, distributors and affiliates through the use of landing pages. A recovered domain could provide guidance to victims of fraud, trusted sources of information or even act as a deterrent for other would-be infringers. Domain names used in this way can have a far wider impact on the fight against cybercrime than simply redirecting them to the brand’s official website. Legal teams will need to periodically review the domain portfolio and decide the appropriate time to phase out and drop domains once they have fulfilled their purpose.
Legal teams also need to be vigilant to the ever-changing domain landscape and ensure they are up to date with specific registration policies. For example, Australia (‘.au’) and Canada (‘.ca’) have eligibility rules that require domain applicants to have a local presence or some other connection to that jurisdiction. If the domain owner fails to maintain that presence throughout the term of its registration, it is no longer eligible to hold that domain. In a jurisdiction where an infringer has used their local presence to secure a domain, legal teams may prefer to monitor the situation and report breaches of registry policies rather than going through the time and expense of legal action.
In conclusion, domain names serve many different purposes; they can help enhance marketing efforts or increase brand identity. Nevertheless, their inherent strengths should not overshadow the weaknesses that come from having a poor domain management strategy.
When a company looks at domain management through the lens of a knowledgeable and proactive legal team, it will be in a better position to mitigate and resolve instances of brand abuse.