Domain name theft: Knowing where to turn

Acme Billing’s pursuit of its allegedly stolen domain names through the courts highlights the lack of legal mechanisms available to brand owners whose website names have been hijacked. TBO reports.

Online retailer Acme Billing claims to have filed “the first federal US lawsuit of its kind” for the alleged theft of its domain names, but it does not think the case will be the last. David Weslow, partner at law firm Wiley Rein and representing Acme Billing, said in October that the retailer is just the latest victim “in a growing number of domain name thefts”.

In August, an anonymous person in China hacked into 35 of the company’s domain names and transferred them from its account with internet domain registrar and web hosting company GoDaddy without its permission. Acme quickly retrieved 21 of them after it demonstrated sufficient evidence to GoDaddy that it owns the domains.

However, 14 remain out of Acme’s hands and form part of a lawsuit filed on October 21 at the US District Court for the Eastern District of Virginia. Acme alleged that the hacker acted in “bad faith” after it “knowingly and intentionally accessed Acme Billing’s domain name management ... without authorisation”.

The potential damaging consequences of hacking to the goodwill of a brand are similar to those of cybersquatting, says Brian Winterfeldt, partner at law firm Katten Muchin Rosenman.

“Domain theft has similar consequences to other bad acts against brand owners in the domain space, such as cybersquatting. It harms brand owners by allowing unauthorised third parties to unfairly trade on a brand’s goodwill by falsely associating themselves, and any goods or services they may offer in connection with the domain name, with the true brand owner,” he says.

“Domain theft occurs when the brand owner has registered the domain name but the third party steals the domain from the brand owner’s domain registrar account through computer hacking and places it in its own account.”

The 14 domain names at the centre of the Acme Billing dispute, which are used to sell goods such as handbags and watches and provide services including real estate and travel, have just three letters (such as aij.com) or four numbers (such as 7204.com).

A constant concern

Acme’s action perhaps gives the impression that domain name theft is a new problem for domain name owners, but it is in fact a constant concern for brands. While the more common practice of cybersquatting takes up a lot of a brand’s focus when protecting itself online, the threat of a domain being hacked into remains a serious worry.

Marina Lewis, attorney at Finnegan Henderson Farabow Garrett & Dunner, says of hacking: “If it does happen then it is a huge problem, because it involves essentially the brand and its online presence being hijacked by another party.

“If you’ve got a walmart.com or a mcdonalds.com and you find all of your internet traffic is being diverted to another source, it is a ‘hold everything’ moment—time to focus on the issue,” she says.

Going through the courts can take up a lot of resources for brand owners. The adoption of the Anticybersquatting Consumer Protection Act in 1999 provided support for US brand owners when protecting domain names incorporating their trademarks. In the same year the Uniform Domain-Name Dispute-Resolution Policy (UDRP), administered by ICANN, was established to tackle the problem of cybersquatting.

Hacked domains do not necessarily contain a trademark, meaning the conventional method of going through the UDRP is not easily open to Acme. It would be particularly tricky for Acme to retrieve the allegedly stolen domain names through the UDRP.

While lawyers and brand owners are forthcoming in their support for a mechanism such as the UDRP in cases of cybersquatting, there appears to be some confusion about how it can address the issue of domain name theft.

"Several states in the US have now determined that a right to a domain name is an intellectual property right."

Lewis notes that the UDRP has been unpredictable in its dealings with domain hacking. “Even in cases where there is a trademark right in a stolen domain, the UDRP has still been inconsistent,” she says.

“I’ve seen some panel decisions which state quite frankly ‘this is not a situation for the UDRP, it is an issue of theft or fraud—this is not about bona fide trademark rights or anything like that, and you guys need to go to law enforcement or a court’.

“I’ve seen other panels that come back with exactly the opposite opinion, saying there is nothing that shows evidence of bad faith or registration in use more clearly than stealing somebody’s domain name and then trying to sell it back to them. It is just clear-cut bad faith,” she adds.

Acme Billing’s pursuit of its allegedly stolen domain names through the courts highlights the lack of legal mechanisms available to brand owners. Lewis talks of a general dissatisfaction with the lack of clarity in the UDRP’s attitude towards domain name theft, although she expects the authorities to introduce new mechanisms to deal with the problem.

“We are going to see more resources made available to the victims of domain theft. More states in the US are recognising domain theft as the basis for civil action. There is an issue over whether this is a property right—the alleged conversion.

“You don’t ‘own’ a domain name. You can’t own it any more than you can own a phone number, but several states in the US have now determined that a right to a domain name is an intellectual property right.

“We’re going to see more resources and we’re going to see more avenues for recovery for brand owners,” she says.

Winterfeldt adds: “Given the increasing amount of computer crime in general, we would not be surprised to see a corresponding increase in domain name theft. Of course, as domain name registrars and brand owners become more aware of these kinds of attacks, we expect to see more robust security measures put in place to prevent them.

“Therefore, we hope that it will not become increasingly necessary to file lawsuits, but rather that better preventive measures will be developed to prevent the crime in the first place.”

Protective strategy

Brands register domain names for a variety of reasons, but ensuring that they remain protected requires a strategy. The indiscriminate registration of all suitable domain names is not necessarily the best plan for a particular brand.

“You just can’t go everywhere and register every possible domain name and every misspelling of it,” says Lewis. “It is a hard line to draw in taking the most preventive measures available, without completely blowing the budget. Brand owners are not in the business of owning thousands of these domain names—in terms of practicality domain theft does not come up that often.”

Protecting a brand, however, will need to take into account the potential damage caused by the theft of its domain name.

As Lewis and Winterfeldt note, the effect of domain theft on a brand is similar to that of cybersquatting and many brands have developed sophisticated policies to respond to bad faith registrations efficiently.

Many brands purchase domain names containing their trademarks through a defensive strategy to avoid cybersquatting, or sit on them until they find a purpose for them, such as a new service they may launch in the future. But without “consistent and current” security measures taken by brands, says Lewis, domain names can be hacked.

Winterfeldt notes that overall more can be done to protect brands online by regulatory bodies such as ICANN.

“Certainly government and other regulatory bodies with jurisdiction over the operability of the domain name system, such as ICANN, could do more to protect brands against domain name theft, as well as more common forms of IP infringement and the resulting harm to consumers, such as cybersquatting, abusive domain registry practices targeting brand owners, and so on,” he says.

Acme has gone through a district court in order to pursue this matter, but while it waits for a judgment the goodwill of its brand is being steadily harmed. Lewis and Winterfeldt believe domain name hacking will be addressed in time, just as the mechanisms to deal with cybersquatting have become more sophisticated since the creation of the UDRP in 1999. But meanwhile we must wait for such measures to come into place.