Highlights Need for Domain Registration Data Access Improvements Now
On October 28, 2019, Facebook filed a lawsuit against domain name registrar OnlineNic and its affiliated WHOIS privacy service, Domain ID Shield, in connection with the registration of domain names that Facebook alleges are intentionally designed to mislead and confuse end users into believing that they are interacting with Facebook, given the use of various Facebook trademarks in the domain names. More specifically, the lawsuit raises claims of cybersquatting under the United States Anti-cybersquatting Consumer Protection Act (ACPA), trademark infringement, false designation of origin, and trademark dilution. Among the 20 domain names specifically mentioned in the lawsuit are facebook-pass.com, facebook-pw.com, www-facebook-login.com, www-facebook-pages.com, iiinstagram.com, login-lnstargram.com, and m-facebook-login.com.
In the complaint, filed in the US District Court for the Northern District of California, Facebook says it took legal action because OnlineNic has not been responsive to its reports of abuse regarding the various domain names registered through OnlineNic and Domain ID Shield that make unauthorized use of Facebook’s trademarks. It also notes in the lawsuit that when Facebook requested that OnlineNic disclose the underlying registrant data for the domain names (shielded by Domain ID Shield), OnlineNic did not provide this information. Facebook states that it proactively reports instances of abuse to domain name registrars and their privacy/proxy services, and often works with them to take down malicious domains, but some registrars, like OnlineNic, do not investigate or even respond to abuse reports, despite ICANN requirements mandating that they do so. The lawsuit further notes that OnlineNic has a history of harboring cybersquatting and other forms of domain abuse, citing Internet security group statistics identifying OnlineNic as the managing registrar for domains reported for abuse in approximately 40,000 instances, and identifying OnlineNic as one of the top 20 domain name registrars used for abusive domain name registrations.
OnlineNic has been the subject of several previous lawsuits by major brand owners. For example, pursuant to a default judgment, the domain name registrar was ordered to pay $33.15 million in damages to Verizon Wireless in 2008 for registering over 660 domain names that were confusingly similar to the VERIZON mark. Yahoo! Inc. and Microsoft Corporation have also previously sued OnlineNic on similar grounds, and the registrar and its privacy service affiliate have been the respondents in multiple administrative complaints filed under the Uniform Domain-Name Dispute-Resolution Policy (UDRP).
Facebook publicly stated that they “don't want people to be deceived, so [they] track and take action against suspicious and misleading domains, including those registered using privacy/proxy services that allow owners to hide their identity.” The lawsuit comes at a time when changes to global privacy regulations have made it more difficult to identify and take enforcement action against bad actors online. When the European Union General Data Protection Regulation (GDPR) went into effect in May 2018, ICANN implemented global changes to its domain name registration data processing rules that applied nearly global redactions to most domain name registration information. Historically, this information has been available to law enforcement authorities, cybersecurity professionals, and brand protection agents, and it facilitated relatively rapid investigation and response to online abuse. Now, the vast majority of this information is not publicly available, and legitimate users of the data must go to each individual registrar with ad hoc requests for the data. In many cases, registrars refuse to disclose the data without a court order or simply fail to respond to requests at all – a problem that ICANN itself refuses to address as part of its contractual compliance program, while also remaining unresponsive to the community’s request to move forward with the privacy and proxy policy implementation. Accordingly, while a few registrars are working in good faith to provide such data to legitimate third parties for legitimate purposes, the vast majority have proven uncooperative.
OnlineNic represents just one of many such registrars, and Facebook’s lawsuit is a natural product of the post-GDPR environment that has severely restricted the self-help tools available to those who work to mitigate abuse in the DNS. Hopefully, the lawsuit spurs other registrars to take more seriously their obligation to provide reasonable access to non-public domain registration data for legitimate consumer-protection-related purposes. In addition, it starkly illustrates the need for a unified system for accessing non-public domain registration data for these legitimate purposes. Although the ICANN community is developing such a system, its progress has been slow, and recent estimates suggest that no such system would likely be implemented until at least 2021.
We would encourage other brand owners to carefully document instances of registrar recalcitrance in disclosing registrant data for brand enforcement or other consumer protection efforts or in otherwise adequately responding to well-founded reports of domain name abuse. This material should also be submitted to the ICANN Compliance department where a registrar has not met its basic obligation to appropriately review and respond to reports of abuse and provide reasonable access to non-public registration data for a legitimate purpose. Where these problems have been consistently and pervasively inhibiting your enforcement program, or where particular registrars have been especially uncooperative, additional legal action akin to Facebook’s lawsuit might be warranted. Ultimately, it is consumers and Internet users who suffer most in the face of unmitigated phishing, fraud, counterfeiting, and other cybercrime.
For more information about this topic, please contact any of the following team members.
Brian J. Winterfeldt, firstname.lastname@example.org
Griffin M. Barnett, email@example.com
Francisco Cabrera, firstname.lastname@example.org