ICANN & UDRP Update Mike Rodenbaugh

1. ICANN & UDRPUpdateMike Rodenbaugh Practicing Law Institute Advanced Seminar on Trademark Law July 16, 2008

2. Mike Rodenbaugh Formerly Yahoo!’s primary attorney in charge of trademark enforcement and defense. In 2007, Mike started his own firm assisting trademark owners with prosecution, enforcement, licensing and dispute resolution. 2

3. What is ICANN? Internet Corporation for Assigned Names & Numbers

4. ICANN mission statement • To coordinate, overall, the global Internet's system of unique identifiers, and to ensure stable and secure operation of the Internet's unique identifier systems. In particular, ICANN coordinates: • Allocation and assignment of the three sets of unique identifiers for the Internet: • Domain names (forming a system called the DNS) • Internet protocol (IP) addresses and autonomous system (AS) numbers • Protocol port and parameter numbers • Operation and evolution of the DNS root name server system • Policy development reasonably and appropriately related to these technical functions 4

5. ICANN Org Chart

6. Issues Important to Businesses • New Top-Level Domains (TLDs), including Internationalized Domain Names (IDNs) • WHOIS information • IP Rights Protection Mechanisms • Domain Tasting • Phishing & Malware • Registrar Accreditation Agreement • “GNSO Reform”

7. IDNs and new TLDs are coming! • العربية简体中文繁體中文Ελληνικάहिन्दी日本語한국어فارسیРусскийייִדישதமிழ் • .web, .blog, .sex … anywhere from 100 to 60 million other new TLD extensions

8. New Top Level Domains: Projected Implementation Timeline • gTLD Consensus Policy Approved – Q2 2008 • Draft RFP Posted – est. Q3 2008 • Final RFP Approved – est. Q4 2008 • First Round Implementation: Communications & RFP launch • Applications Accepted – est. early Q2 2009 • Successful TLD Applications Approved – est. Q3 2009 8

9. Recommendation 2Strings must not be confusingly similar to an existing top-level domain or a Reserved Name. • Rationale: A confusingly similar string could cause technical or consumer confusion. • Implementation Considerations: • A string that resembles another string is not necessarily confusingly similar. • Staff is exploring various options for implementation of this recommendation, including: • The application of an algorithm that provides guidance on which TLD strings are considered to be confusingly similar • Providing a capability for formal objection to be filed to an application by a third party on the grounds that the proposed gTLD is confusingly similar to an existing TLD. 9

10. Recommendation 3Strings must not infringe the existing legal rights of others that are recognized or enforceable under generally accepted and internationally recognized principles of law. • Examples of sources of legal rights include: • The Paris Convention for the Protection of Industrial Property (in particular trademark rights) • The Universal Declaration of Human Rights (UDHR) • The International Covenant on Civil and Political Rights (ICCPR) (in particular freedom of expression rights) 10

11. Recommendation 3 (Cont’d) • Procedure: A party holding rights that it believes would be harmed may file an objection to a proposed gTLD. • Key criterion: Legal rights must be recognized or enforceable under generally accepted and internationally recognized principles of law. 11

12. Recommendation 12Dispute resolution and challenge processes must be established prior to the start of the process. • It is important that all aspects of the application process be known before applications for new gTLDs are prepared and submitted. • Dispute resolution and challenge are intended to address two types of situations: • The filing of an objection against an application on certain specific grounds developed from the GNSO’s recommendations • When two or more applicants are vying for the same or confusingly similar new gTLD (“contention resolution”). 12

13. Recommendation 12 (Cont’d) Specific grounds from the GNSO recommendations: • Confusingly similar strings (Recommendation 2) • Legal rights of others (Recommendation 3) • Morality & public order (Recommendation 6) • Community opposition (Recommendation 20) The procedures, standing and criteria for assessment need to be developed, and ICANN Staff has begun this process in consultation with outside counsel and other experts. Session 3 13

14. IP Rights Protection Mechanisms • Cybersquatting and Phishing is too quick and easy, and remedies are too expensive and slow • Policy Development is needed to fix this • Potential options: • Standardized Sunrise Registration Process • Faster and cheaper pre-UDRP process, with rapid DNS suspension upon default • Rapid DNS suspension upon evidence of phishing or malware (to be tested in dotAsia?)

16. TM Office Comes to CA. - 2008 16

17. Domain Name Remedies Uniform Dispute Resolution Policy (UDRP) Arbitration procedure mandated by ICANN via domain name registration agreement Rapid Time Scale – No Monetary Damages Anti-cybersquatter Consumer Protection Act (ACPA) – 15 USC 1125(d) in personam in rem TM Office Comes to CA. - 2008 17

18. UDRP Elements Domain Name is identical or confusingly similar to a trademark in which Complainant has rights Respondent has no legitimate rights in the Domain Name bona fide use or preparation to use prior to notice of a dispute Domain Name was registered and used in bad faith demonstrated specific intent TM Office Comes to CA. - 2008 18

19. Recent UDRP Cases of Note Reseller makes bona fide offering and thus legitimate use? NASCARtours.com – Respondent prevails because he offers ‘only tours of NASCAR events’ and provides prominent disclaimer GE-Merlin.com – Complainant prevails because of likely initial interest confusion, despite sale only of Merlins, and prominent disclaimers TM Office Comes to CA. - 2008 19

20. Recent UDRP Cases of Note TM Office Comes to CA. - 2008 20 MySpace.co.uk (Nominet) – Complainant prevails though domain registered six years before MySpace existed, but was used only for PPC ad site TheEconomist.com – Respondent prevails as he swears he had never heard of the magazine when he registered the domain, and showed a picture of “Alan Greenspan – The Economist of the Century” at site

21. UDRP Related Issues of Note Each UDRP Provider implements its own procedural rules Naming Respondents If “privacy service” is listed as the registrant, registrar will change the owner when a UDRP complaint is filed –requiring an amendment to the Complaint. Supplemental Filings TM Office Comes to CA. - 2008 21

22. UDRP Practice Pointers Always request transfer; never cancel Treat the Complaint like a motion for summary judgment Follow up to make sure the name is transferred and that it doesn’t resolve to the old website The registrar is responsible for transferring the domain name TM Office Comes to CA. - 2008 22

23. ACPA Cases of Note Vulcan Golf et al. vs. Google et al. (USDC N.D. IL,; Case No. 07-Civ-3371) Class action against registrants, parking companies, and advertisers Motion to dismiss denied in part (RICO and some state claims dismissed; federal TM claims remain) Dell and Yahoo! et al v. BelgiumDomains et al (USDC S.D. FL; Case No. 07-Civ-22674) Civil case for cybersquatting, counterfeiting, TM infringement Federal seizure raid conducted with US Marshals Pre-judgment asset freeze (+1 million domain names and millions of dollars) 23

24. ACPA Cases of Note Vulcan Golf et al. vs. Google et al. (USDC N.D. IL,; Case No. 07-Civ-3371) Class action against registrants, parking companies, and advertisers Motion to dismiss denied in part (RICO and some state claims dismissed; federal TM claims remain) Dell and Yahoo! et al v. BelgiumDomains et al. (USDC S.D. FL; Case No. 07-Civ-22674) Civil case for cybersquatting, counterfeiting, TM infringement Federal seizure raid conducted with US Marshals Pre-judgment asset freeze (+1 million domain names and millions of dollars) 24

25. Domain Name “Tasting” Register and “taste” name for 5 days Measure traffic & revenue via PPC ads Return 98% of domains for full refund Keep and pay for profitable domain names Monetize domain names via PPC ads, popups, redirection Get paid by Google or Yahoo! Wait for C&D, UDRP or ACPA complaint 25

26. Domain Name Kiting Repetitive Tasting Registrars and registrants taste (monetize) domain names in bulk and delete them Then, using an automated process, they automatically re-register them... again and again. Often through affiliated entities, in effort to evade detection TM Office Comes to CA. - 2008 26

27. Source: Verisign’s .com registry report, Apr. 2007

29. ISP Use of Non-registered Domains TM Office Comes to CA. - 2008 29

30. Policy and Legislative Developments Coalition Against Domain Name Abuse (CADNA) Internet Commerce Association (ICA) ICANN Registries (not VeriSign) – deterring tasting / kiting ICANN – “taxing” tasting / kiting through registration fees ICANN – studying “front-running” TM Office Comes to CA. - 2008 30

31. Next Steps: Policy Development Process – Potential Options Eliminate Add-Grace Period – require full payment before activation of a domain name Eliminate AGP, with exceptions for ‘legitimate uses’ No refund for ICANN portion of registration fee “Excess Delete Fee” – no refund if deletes in any given month exceed 10% of new registrations

32. Front-running Aka Domain Name Spying Registrar obtains information that a domain name is of interest to a consumer They monitor the WHOIS queries Then the Registrar “registers” the domain name if the consumer doesn’t immediately register it This prevents the consumer from registering the domain name at another registrar Also prevents cybersquatters from registering TM Office Comes to CA. - 2008 32

33. WHOIS Registrant for JOE6PK.COM Joseph Q. Paquette 1787 St. Paul St. Denver, Colorado 80206 United States Administrative Contact: Joseph Q. Paquette joe@joe6pk.com 1787 St. Paul St. Denver, Colorado 80206 1-303-245-4567 Technical Contact: Domains R Us info@domainsRus.com 123 Main St Los Angeles, CA 85000 1-480-555-1000 United States Whois is a publicly-accessible database containing contact information of website owners. ICANN contracts require collection and public access to Whois data.

34. WHOIS info is vital Shows ownership information for domains Includes complete contact information Available to any Internet user Used by businesses to verify customers Used by IP and law enforcement to protect brands and prevent consumer fraud Provides accountability

35. What happens to Whois under the Operational Point of Contact (OPoC) Proposal? • Registrant for JOE6PK.COM • Joseph Q. Paquette • 1787 St. Paul St. • Denver, Colorado 80206 • United States • Administrative Contact: • Joseph Q. Paquette joe@joe6pk.com • 1787 St. Paul St. • Denver, Colorado 80206 • 1-303-245-4567 • Technical Contact: • Domains R Us • info@domainsRus.com • 123 Main St • Los Angeles, CA 85000 • 1-480-555-1000 • United States OPoC could be anyone: • Corporate IT department • Domain portfolio manager • Registrant • Registrar • Third parties and proxy services 5 Operational Point of Contact

36. Phishing Attacks Multiply • Number of incidents and of targeted brands continues to rise • Sophistication and efficiency of attacks continues to rise – esp. “fast flux” abuses • Social networks frequently targeted, enabling spear phishing • Phone phishing now common • IDNs becoming more widespread

37. Fast-Flux for Phishing Increasing More Players? More “how-to” kits seen on flux and fraud DNS networks High volume of lures for fast-flux incidents – personalized & tracking More Targets Attacks against traditional targets continue relentlessly “Little Guys” hit hard with fast-flux on first ever phish Overwhelming infrastructure and personnel Losses occurring quickly – major cash-outs in short amount of time More Sophistication! Routine blocking of monitoring efforts Better DNS set-ups (self-defined, and use of ccTLD nameservers) Finding and using the worst registrars to handle mitigation CrimeDNS = High availability DNS systems for hire SSAC Report (SAC 025); GNSO Issues Report GNSO Working Group now underway

38. SSAC: possible mitigation steps Authenticate contacts before permitting changes to name server configurations. Implement measures to prevent automated (scripted) changes to name server configurations. Set a minimum allowed TTL (e.g., 30 minutes) that is long enough to thwart the double flux element of fast flux hosting. Implement or expand abuse monitoring systems to report excessive DNS configuration changes. Publish and enforce a Universal Terms of Service agreement that prohibits the use of a registered domain and hosting services (DNS, web, mail) to abet illegal or objectionable activities (as enumerated in the agreement) and include provisions for suspension of domain names that are demonstrated to be involved in fast flux hosting.

39. Malware proliferation Change in emphasis - now Crimeware Organized crime with specialists creating sophisticated attacks Open up computers to become zombies Install keyloggers and scan for user/pass Capturing and using address books Direct targets for sophisticated social engineering Going after “whales” - people with high-value assets

40. Registrar Risks • There are several risky registrars with access to the TLD registry zones • Hiding identities/locations • No or SLOW response to abuse issues • Registrar in-a-box – no one is actually there • Handing out access to criminals posing as “resellers” • No rules or requirements from ICANN on reseller accreditation • Shields financial transaction from registration process • No accountability

41. Process Flow: Registry Suspension of Phish Domains

42. Registrar Accreditation Agreement (RAA) • Review of RAA which has been in force since May 2001, as a result of RegisterFly fiasco in early 2007 • Six specific amendments are proposed, as a result of consultations between ICANN Staff and the Registrars’ Constituency • include terms under which a registrar can be sold and continue to retain its ICANN accreditation • address the responsibilities of a parent owner/manager when one or more of a "family" of registrars fails to comply with ICANN requirements • require registrars to escrow contact information for customers who register domain names using Whois privacy and Whois proxy services • augment the responsibilities placed on registrars with regard to their relationships with resellers • require operator skills training and testing for all ICANN-accredited Registrars • include additional, graduated contract enforcement tools

43. Inter-registrar Transfer Policy • Policy Development Process to clarify four points of the RAA re denial of transfer request • Denial for non-payment • Denial for lock status • Denial for 60 days of initial registration period • Denial for 60 days after previous transfer • Second PDP about to begin • Require registrant email address in WHOIS? • Require electronic authentication of email? • Allow ‘partial bulk transfers’?

44. GNSO “Reform” • All of ICANN’s SO’s must undergo a review every three years, per bylaws • There is sentiment that GNSO does not work as effectively as it should • Subcommittee of ICANN Board Governance Committee has made a proposal, subsequent and different than two other expert reviews • Proposal would cut Business interests (BC, IPC and ISCPC) from 1/3 voting power, to 1/5

45. Help!! • Please join the Business Constituency! • 1500 euro/year for large enterprises • 500 euro/year for small enterprises • Active mailing list & regular teleconferences • Influencing ICANN policy development on behalf of all businesses • www.bizconst.org • mike@rodenbaugh.com