
News: Domain name ldw.com awarded to complainant at WIPO


Kate

Don't scream reverse hijacking, this is a stolen domain name.

On December 5, 2016, the Complainant discovered that its website using the Disputed Domain Name was not available. Humphrey investigated and discovered that the Disputed Domain Name had been transferred, without his knowledge or consent, to the Respondent.

Upon investigation Humphrey discovered that the Disputed Domain Name had been transferred from the Complainant’s registrar, Network Solutions, to another registrar, GoDaddy, on approximately June 9, 2015, and that the email address for the Disputed Domain Name had been changed to a similar but different email address that was not associated with the Complainant or Humphrey, and that the mailing address for the Disputed Domain Name had been changed to an address that was not associated with the Complainant or Humphrey.
...

http://www.wipo.int/amc/en/domains/search/text.jsp?case=D2017-0430
 
From the link:
Despite the transfer of the Disputed Domain Name from one registrar to another and from the Complainant to the Respondent, the “name servers” for the Disputed Domain Name were not changed until December 5, 2016. As a result, the Complainant’s website using the Disputed Domain Name remained active and, to the Complainant’s knowledge, unaffected. Only when the name servers were changed on December 5, 2016, did Complainant learn that the Disputed Domain Name had been transferred to the Respondent.

It was stolen in 2015, and set so nobody would notice the theft at the time :-0

It's good the UDRP worked this time, but that this all hinged on bad faith registration the domain matching a very clear trademark rather than just the fact that the domain was outright stolen makes it seem to me that ICANN needs to expand the UDRP beyond trademark issues, while maintaining protections so that UDRP can't be used to steal domains via reverse hijacking.
 
So, anyone buying LLL .com domains once they end up in China? :-D
 
It was stolen in 2015, and set so nobody would notice the theft at the time :-0
Because the name servers were purposefully left unchanged for months... Few entities are monitoring their domain names, they will react only when they notice the domain has stopped working.

It's good the UDRP worked this time, but that this all hinged on bad faith registration the domain matching a very clear trademark rather than just the fact that the domain was outright stolen makes it seem to me that ICANN needs to expand the UDRP beyond trademark issues, while maintaining protections so that UDRP can't be used to steal domains via reverse hijacking.
UDRP is designed to settle clear-cut TM issues. It's sometimes used to recover stolen domains but that does not always work. The key here is the lack of reply from respondent = loss by default.

A domain theft is much more complicated because you have to research domain history, the chain of ownership must be traced and documented, international investigations may be required, subpoenas filed at various places etc. Imagine if the domain has been transferred and 'laundered' multiple times. UDRP is only an arbitration procedure and not designed to handle complicated cases. The filing costs would then have to increase significantly. Panelists don't want to perform difficult work for a limited fee.

http://www.wipo.int/amc/en/domains/fees/

In a case like this, the panelist is actually stretching the scope of UDRP.
 
Kate:

"lack of reply from respondent = loss by default."

This is not correct, technically. The Complainant must still prove their 3 points regardless. Quite often, even with no response, the panel has decided on behalf of the Respondent if the 3 points weren't made.

Lack of response applies to in rem filings at the Federal court in Virginia.

PS I am not a lawyer :P
 
It's good the UDRP worked this time, but that this all hinged on bad faith registration the domain matching a very clear trademark rather than just the fact that the domain was outright stolen makes it seem to me that ICANN needs to expand the UDRP beyond trademark issues, while maintaining protections so that UDRP can't be used to steal domains via reverse hijacking.

That has problems of its own, since it will get into some very thorny issues, as Kate mentions above - the relevant evidence is most usually in the hands of people who aren't part of the proceeding and can't be compelled to produce it. You'd be surprised how many people let a domain name expire and then think it was stolen. While it might be possible to craft a reasonable policy around domain thefts, I'd prefer that was a standalone thing rather than an expansion of the UDRP, which is already poorly-understood enough.
 
Kate:

"lack of reply from respondent = loss by default."

This is not correct, technically. The Complainant must still prove their 3 points regardless. Quite often, even with no response, the panel has decided on behalf of the Respondent if the 3 points weren't made.

Lack of response applies to in rem filings at the Federal court in Virginia.

PS I am not a lawyer :P

The judgement seemed to be full and independently considered findings by the panelist, not merely a finding for the plaintiff by default that assumes all of the plaintiff's claims are true.

Also not a lawyer :-D
A domain theft is much more complicated because you have to research domain history, the chain of ownership must be traced and documented, international investigations may be required, subpoenas filed at various places etc. Imagine if the domain has been transferred and 'laundered' multiple times. UDRP is only an arbitration procedure and not designed to handle complicated cases. The filing costs would then have to increase significantly. Panelists don't want to perform difficult work for a limited fee.

A big part of that problem would seem to be a lack of clear title for domains, instead the control of an email account is presumed to be ownership. Proxy protections seem to add to that. And having been a victim from both sides of the proxy issue (domain stolen because a hacker likely looked through high value domain WHOIS records looking for publicly listed emails to hack vs. that same hacker hiding behind the WHOISGUARD once having stolen the domain) I can see advantages and disadvantages to proxies from my own perspective. It seems to be that there should be more regulation of proxies, though, and I'm not sure what that would look like to meet the needs of privacy, but also not shield criminals on a routine basis, as happens now. It should not have to take $20,0000 to get a clearly stolen domain back. But, given that the domain community lives off of the liquidity of domains (even as they need them to be secure to actually keep their assets) I'm not picturing any big changes happening soon.
 
Proxy protections seem to add to that.

....which is why I generally advise not using them. If you have privacy concerns, forming a corporation in, say, DE or some other states is not a tremendous expense.

But, yes, lack of a "title" system for domain registrations is the cause of a lot of problems.
 
Maybe a simple solution would be for the domain industry to require 2 factor authentication for any and all transfers by making the phone number of all WHOIS registrants hidden from public view so domain owners would feel comfortable putting their mobile numbers in as domain phone contact.
Bonus: My phone would stop ringing off the hook from web site designers, logo designers, seo experts etc. etc.
 
....which is why I generally advise not using them. If you have privacy concerns, forming a corporation in, say, DE or some other states is not a tremendous expense.

But, yes, lack of a "title" system for domain registrations is the cause of a lot of problems.

I was wondering about that. If a domain is sold with WHOISGUARD to a new owner who also has WHOISGUARD, then there would be no clear transfer of title in the ICANN record.

So, what about phone and email contact details? Is there a good compromise on that lets you put up contact info that shows clear title, but also doesn't expose an email account as an obvious target for hackers to compromise?

I note that some domains have an email at the domain as the contact info. That seems like a problem if the domain is stolen, as access to that email account as "proof" of ownership would go with the stolen domain, and the thief could email all they wanted to and from the domain as the domain "owner."

As to a DE corporation, it looks like I'd have to also register the corporation in CA, and pay an $800 annual franchise fee to CA, in addition to Delaware's fees and for a registered agent. But, I'm completely ignorant on the ins and outs of corporations, so I'm not sure if I'm understanding the issues right... But if I'm reading it right that's a pretty high fee to pay annually for privacy unless you need a corporation for other purposes.
 
There are ccTLDs that offer partial or full whois privacy, .ca is just an example.
The registry demands full and accurate identification, but there is no reason why the data should be exposed to the whole world, including spammers and thieves.
The current whois model in gTLDs is broken (NB: ICANN does not regulate ccTLDs).

In spite of ICANN-mandated reminders, whois records are often inaccurate. And if the E-mail address is no longer current, then you don't get the reminder anyway.
I agree that incorporating is the way to go, for privacy and tax benefits.

In practice, domain theft seems to always take place through hijacking of the E-mail account or phishing.
So the best way to keep your domains safe is to keep your E-mail safe.
Also, it is good practice to use an E-mail address for your registrar account, that is different than that shown in the whois record.

The thing is, there is a lack of awareness among end users, that domain names are valuable assets that can be stolen. More generally, few people have good computer hygiene and understanding about online security. Hacking is the disease of the 21st century.
 
There are ccTLDs that offer partial or full whois privacy, .ca is just an example.
The registry demands full and accurate identification, but there is no reason why the data should be exposed to the whole world, including spammers and thieves.

Interesting. I suppose it is only the "free speech" aspect of domains and internet communications that doesn't make me stand up and shout that we need exactly that for all domain registrations right this minute. I don't object to a government registry of car ownership in the least. But there does seem to be a different nature to the two. Even so, it is sure as heck a lot easier to get back a stolen car if you can physically locate it. You don't have to go to a $4,000 trademark panel and argue that the stolen car is a bad faith use of your mark :)
 
Monopolies are typically slow to change, adapt and innovate and very rarely, if ever, have their customers' best interests at heart!
 
Monopolies are typically slow to change, adapt and innovate and very rarely, if ever, have their customers' best interests at heart!

I expect that many registrars make handy profits off of domain thieves, not just from registration fees, but even from complying with subpoenas by people trying to get the domains back. And since the registrar is rarely sued directly, they get to charge for complying with subpoenas. One registrar I saw charges $150 an hour *and* $.50 a page for copies, which seems to be more than a bit of a mark up.

Now it could well be that thieves cost registrars more than they bring in. I don't really know. But there definitely seems room for a registrar to use ICANN rules to avoid all sorts of culpability - "we were just reasonably relying on industry standards of care" or some such. IANAL, though.
 
Also, it is good practice to use an E-mail address for your registrar account, that is different than that shown in the whois record.
A good recommendation. For active domainers I can't see a downside to that. For me, my special domain registration seemed secure because I didn't use it for anything else, so little chance of phishing or man in the middle hacks. But on the other side, I didn't immediately know the account had been hacked because I didn't use the account for anything else.

So, I'd add that automatic account alerts to your everyday email are important to add to a special domain controlling email.
 
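Added example, not part of any post in this thread and not any registrar's tooling: a check that compares two saved registration snapshots and alerts on the pattern described in the WIPO decision, where registrar, contact email and mailing address changed while the name servers stayed the same. The snapshot field names, the threshold and all sample values except the two registrar names are constructed for illustration.

```python
from difflib import SequenceMatcher

# Fields whose change means control of the registration moved, whatever DNS does.
CONTROL_FIELDS = ("registrar", "registrant_email", "registrant_address")

def similarity(a, b):
    """Ratio in [0, 1]; values near 1 mean the strings are almost identical."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()

def diff_snapshots(old, new, lookalike_threshold=0.85):
    """Compare two registration snapshots; return (severity, message) alerts."""
    alerts = []
    for field in CONTROL_FIELDS:
        if old.get(field) != new.get(field):
            alerts.append(("high", f"{field} changed: "
                           f"{old.get(field)!r} -> {new.get(field)!r}"))
    old_mail = old.get("registrant_email", "")
    new_mail = new.get("registrant_email", "")
    if old_mail != new_mail and similarity(old_mail, new_mail) >= lookalike_threshold:
        # A "similar but different" address is easy to miss in a manual review.
        alerts.append(("critical", "new registrant email is a near-lookalike of the old one"))
    ns_same = set(old.get("name_servers", [])) == set(new.get("name_servers", []))
    if alerts and ns_same:
        # The site keeps resolving, so an outage will never reveal the change.
        alerts.append(("critical", "control fields changed but name servers did not"))
    elif not ns_same:
        alerts.append(("high", "name servers changed"))
    return alerts

# Constructed snapshots modelled on the case: only the registrar names are from the page.
OLD_SNAPSHOT = {
    "registrar": "Network Solutions",
    "registrant_email": "admin@example.com",
    "registrant_address": "1 Example St, Springfield",
    "name_servers": ["ns1.example.net", "ns2.example.net"],
}
NEW_SNAPSHOT = {
    "registrar": "GoDaddy",
    "registrant_email": "admln@example.com",   # one character differs
    "registrant_address": "99 Sample Rd, Elsewhere",
    "name_servers": ["ns2.example.net", "ns1.example.net"],  # same set, so no outage
}

if __name__ == "__main__":
    for severity, message in diff_snapshots(OLD_SNAPSHOT, NEW_SNAPSHOT):
        print(f"[{severity}] {message}")
```

Run it on a schedule against stored WHOIS or RDAP output and send the alerts to a mailbox other than the registrant contact address, since that address is one of the things being watched.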