Don't scream reverse hijacking, this is a stolen domain name.
http://www.wipo.int/amc/en/domains/search/text.jsp?case=D2017-0430
http://www.wipo.int/amc/en/domains/search/text.jsp?case=D2017-0430
news Domain name ldw.com awarded to complainant at Wipo
- Thread starter Kate
- Start date
The views expressed on this page by users and staff are their own, not those of NamePros.
Gerard Hughes
Established Member
- Impact
- 18
From the link:
It was stolen in 2015, and set so nobody would notice the theft at the time :-0
It's good the UDRP worked this time, but that this all hinged on bad faith registration the domain matching a very clear trademark rather than just the fact that the domain was outright stolen makes it seem to me that ICANN needs to expand the UDRP beyond trademark issues, while maintaining protections so that UDRP can't be used to steal domains via reverse hijacking.
It was stolen in 2015, and set so nobody would notice the theft at the time :-0
It's good the UDRP worked this time, but that this all hinged on bad faith registration the domain matching a very clear trademark rather than just the fact that the domain was outright stolen makes it seem to me that ICANN needs to expand the UDRP beyond trademark issues, while maintaining protections so that UDRP can't be used to steal domains via reverse hijacking.
Because the name servers were purposefully left unchanged for months... Few entities are monitoring their domain names, they will react only when they notice the domain has stopped working
UDRP is designed to settle clear-cut TM issues. It's sometimes used to recover stolen domains but that does not always work. The key here is the lack of reply from respondent = loss by default.
A domain theft is much more complicated because you have to research domain history, the chain of ownership must be traced and documented, international investigations may be required, subpoenas filed at various places etc. Imagine if the domain has been transferred and 'laundered' multiple times. UDRP is only an arbitration procedure and not designed to handle complicated cases. The filing costs would then have to increase significantly. Panelists don't want to perform difficult work for a limited fee.
http://www.wipo.int/amc/en/domains/fees/
In a case like this, the panelist is actually stretching the scope of UDRP.
- Impact
- 9,825
Kate:
"lack of reply from respondent = loss by default."
This is not correct, technically. The Complainant must still prove their 3 points regardless. Quite often, even with no response, the panel has decided on behalf of the Respondent if the 3 points weren't made.
Lack of response applies to in rem filings at the Federal court in Virginia.
PS I am not a lawyer :P
"lack of reply from respondent = loss by default."
This is not correct, technically. The Complainant must still prove their 3 points regardless. Quite often, even with no response, the panel has decided on behalf of the Respondent if the 3 points weren't made.
Lack of response applies to in rem filings at the Federal court in Virginia.
PS I am not a lawyer :P
- Impact
- 18,354
That has problems of its own, since it will get into some very thorny issues, as Kate mentions above - the relevant evidence is most usually in the hands of people who aren't part of the proceeding and can't be compelled to produce it. You'd be surprised how many people let a domain name expire and then think it was stolen. While it might be possible to craft a reasonably policy around domain thefts, I'd prefer that was a standalone thing rather than an expansion of the UDRP, which is already poorly-understood enough.
Gerard Hughes
Established Member
- Impact
- 18
The judgement seemed to be full and independently considered findings by the panelist, not merely a finding for the plaintiff by default that assumes all of the plaintiff's claims are true.
Also not a lawyer
A big part of that problem would seem to be a lack of clear title for domains, instead the control of an email account is presumed to be ownership. Proxy protections seem to add to that. And having been a victim from both sides of the proxy issue (domain stolen because a hacker likely looked through high value domain WHOIS records looking for publicly listed emails to hack vs. that same hacker hiding behind the WHOISGUARD once having stolen the domain) I can see advantages and disadvantages to proxies from my own perspective. It seems to be that there should be more regulation of proxies, though, and I'm not sure what that would look like to meet the needs of privacy, but also not shield criminals on a routine basis, as happens now. It should not have to take $20,0000 to get a clearly stolen domain back. But, given that the domain community lives off of the liquidity of domains (even as they need them to be secure to actually keep their assets) I'm not picturing any big changes happening soon.
Last edited:
- Impact
- 18,354
....which is why I generally advise not using them. If you have privacy concerns, forming a corporation in, say, DE or some other states is not a tremendous expense.
But, yes, lack of a "title" system for domain registrations is the cause of a lot of problems.
Maybe a simple solution would be for the domain industry to require 2 factor authentication for any and all transfers by making the phone number of all Who is registrants hidden from public view so domain owners would feel comfortable putting their mobile numbers in as domain phone contact.
Bonus: My phone would stop ringing off the hook from web site designers, logo designers, seo experts etc. etc.
Bonus: My phone would stop ringing off the hook from web site designers, logo designers, seo experts etc. etc.
Gerard Hughes
Established Member
- Impact
- 18
I was wondering about that. If a domain is sold with WHOISGUARD to a new owner who also has WHOISGUARD, then would be no clear transfer of title in the ICANN record.
So, what about phone and email contact details? Is there a good compromise on that let's you put up contact info that shows clear title, but also doesn't expose an email account as an obvious target for hackers to compromise?
I note that some domains have the have an email at the domain as the contact info. That seems like a problem if the domain is stolen, as access to that email account as "proof" of ownership would go with the stolen domain, and the thief could email all they wanted to and from the domain as the domain "owner. "
As to a DE corporation, it looks like I'd have to also register the corporation in CA, and pay an $800 annual franchise fee to CA, in addition to Delaware's fees and for a registered agent. But, I'm completely ignorant on the ins and outs of corporations, so I'm not sure if I'm understanding the issues right... But if I'm reading it right hat's a pretty high fee to pay annually for privacy unless you need a corporation for other purposes.
Last edited:
There are ccTLDs that offer partial or full whois privacy, .ca is just an example.
The registry demands full and accurate identification, but there is no reason why the data should be exposed to the whole world, including spammers and thieves.
The current whois model in gTLDs is broken (NB: Icann does not regulate ccTLDs).
In spite of Icann-mandated reminders, whois records are often inaccurate. And if the E-mail address is no longer current, then you don't get the reminder anyway.
I agree that incorporating is the way to go, for privacy and tax benefits.
In practice, domain theft seems to always take place through hijacking of the E-mail account or phishing.
So the best way to keep your domains safe is to keep your E-mail safe.
Also, it is good practice to use an E-mail address for your registrar account, that is different than that shown in the whois record.
The thing is, there is a lack of awareness among end users, that domain names are valuable assets that can be stolen. More generally, few people have good computer hygiene and understanding about online security. Hacking is the disease of the 21st century.
The registry demands full and accurate identification, but there is no reason why the data should be exposed to the whole world, including spammers and thieves.
The current whois model in gTLDs is broken (NB: Icann does not regulate ccTLDs).
In spite of Icann-mandated reminders, whois records are often inaccurate. And if the E-mail address is no longer current, then you don't get the reminder anyway.
I agree that incorporating is the way to go, for privacy and tax benefits.
In practice, domain theft seems to always take place through hijacking of the E-mail account or phishing.
So the best way to keep your domains safe is to keep your E-mail safe.
Also, it is good practice to use an E-mail address for your registrar account, that is different than that shown in the whois record.
The thing is, there is a lack of awareness among end users, that domain names are valuable assets that can be stolen. More generally, few people have good computer hygiene and understanding about online security. Hacking is the disease of the 21st century.
Gerard Hughes
Established Member
- Impact
- 18
Interesting. I suppose it is only the "free speech" aspect of domains and internet communications that doesn't make me stand up and shout that we need exactly that for all domain registrations right this minute. I don't object to a government registry of car ownership in the least. But there does seem to be a different nature to the two. Even so, it is sure as heck a lot easier to get back a stolen car if you can physically locate it. You don't have to go to a $4,000 trademark panel and argue that the stolen car is a bad faith use of your mark
Last edited:
Gerard Hughes
Established Member
- Impact
- 18
I expect that many registrars make handy profits off of domain thieves, not just from registration fees, but even from complying with subpoenas by people trying to get the domains back. And since the registrar is rarely sued directly, they get to charge for complying with subpoenas. One registrar I saw charges $150 an hour *and* $.50 a page for copies, which seems to be more than a bit of a mark up.
Now it could well be that thieves cost registrars more than they bring in. I don't really know. But there definitely seems room for a registrar to use ICANN rules to avoid all sorts of culpability - "we were just reasonably relying on industry standards of care" or some such. IANAL, though.
Gerard Hughes
Established Member
- Impact
- 18
A good recommendation. For active domainers I can't see a downside to that. For me, my special domain registration seemed secure because I didn't use it for anything else, so little chance of phishing or man in the middle hacks. But on the other side, I didn't immediately know the account had been hacked because I didn't use the account for anything else.
So, I'd add that automatic account alerts to your everyday email are important to add to a special domain controlling email.
Similar threads
New posts ➔
-
Uizl.com for sale
- 3 posters
- tricksroad
-
The USA Political Thread- 442 posters
- Cannuck
-
PianoApartments.com 1288$- Post by yasserarafa
Polls of interest ➔
-
What are your strengths as an investor?- 181 voters
- 26 replies
-
What's your domain portfolio size?
- 450 voters
- 134 replies
-
How do you think a potential buyer first checks if your domain is for sale?- 469 voters
- 52 replies
Hot this week ➔
-
Reflections on Palindrome Domain Names- 15 comments
- 75 points
-
Celebrating my 100th Post- 14 replies
- 23 points
-
The kong.ai UDRP decision deserves scrutiny- 8 comments
- 3 points
-
What Founders Are Actually Launching On in 2026- 7 comments
- 23 points
-
Is domains a your full time business ?- 7 replies
- 7 posters
Hot this month ➔
-
Most Domains Don't Sell Because...
- 59 comments
- 64 points
-
WTB: LWord.com, LLWord.com, LLLWord.com, budget is $10-$3000 per domain.
- 48 replies
- 1 point
-
Seeking Premium One-Word Domains ( .IO / .AI / .ORG) — Wholesale Only
- 48 replies
- 42 posters
-
How do you spot domain trends BEFORE they explode? (like claw keyword did)- 44 replies
- 5 points
