It’s the lawsuit shaking up the tech world: Facebook is suing American domain name registrar Namecheap and its proxy service Whoisguard for allowing people to register domain names that “deceive people by pretending to be affiliated with Facebook apps.”
Fake domain names are often used in phishing attacks, and Brisbane intellectual property and domain name lawyer Sandy Zhang says the Facebook lawsuit is trying to shift the responsibility to domain name registrars to take an active policing role.
Sandy Zhang, Senior Associate with EAGLEGATE Lawyers, which handles matters of Patent law, Copyright law, Trade Marks, Domain names and general Cyber law, says the lawsuit has shone a light on the whole issue of how web domain names are administered.
Facebook claims Whoisguard registered 45 domain names — including instagrambusinesshelp.com, facebo0k-login.com, and whatsappdownload.site — that infringe on Facebook’s trademarks.
Faked domain names are frequently used to trick users into thinking a site is connected to a legitimate company. According to The Verge, Facebook filed a similar lawsuit last October against domain registrar OnlineNIC and its proxy service ID Shield for registering nearly two dozen domain names, including www-facebook-login.com and hackingfacebook.net, some of which were being used for malicious activity.
Sandy Zhang says that, by agreement, domain names are administered by a number of bodies around the world, with ICANN being the peak body and country code top-level domains like .au being administered by local bodies such as the .au Domain Administration (auDA).
“The administering authority generally licences the right to create new domain names to approved registrars. Registrars can then either directly “sell” (more accurately, licence) domain names to the general public or to wholesalers, or both. Typically, the service just involves allowing a registrant to check if a particular domain name is taken, and if it’s not taken, then allowing the registration for a fee.
“The domain name registration policies are mandated by the relevant domain authority. These policies will generally include things like good faith use and proper entitlement to use the domain name registered, but it has never been a registrar’s function or responsibility to actively police the registration or use of domain names under its management.
“Instead, registrars generally respond to complaints regarding a domain name being used in contravention of the policies that apply, and adopt a dispute resolution policy like the UDRP (Uniform Dispute Resolution Policy), which allows civil disputes between two persons over a domain name to be resolved,” he says.
Sandy says because of the way domain names work, there has long been a practice of people registering domain names similar to or appearing to be connected with famous brands. They do so for two key reasons. The less nefarious is cybersquatting – the person simply sits on the domain name and hopes to sell it back to the brand at a significant mark-up. The other, more sinister reason is phishing. This is where a person attempts to impersonate a legitimate company in order to steal personal information, including passwords and credit card details.
Complicating the matter and potentially assisting cybersquatters and phishing operators is the existence of domain privacy services. Registration of a domain name requires publication of the registrant’s details on a publicly searchable register. Domain privacy services will register the domain names on the real registrant’s behalf, so that public information does not show the actual owner.
“Many registrars offer this service as part of the domain registration package. In Australia for .au domains, this practice is prohibited due to an auDA policy, but for most other domain names including .com domains, the practice is allowed and widespread.”
He says what’s interesting about the recent Facebook lawsuit against Namecheap is that it tries to shift the responsibility to domain name registrars to take an active policing role.
“Facebook does have a point in these circumstances – there simply cannot be a legitimate purpose behind registering a domain name like facebo0k-login.com. However, not all cases are necessarily so straightforward. You need to remember that registering a domain name does not mean having a website. Many of the domain names in the lawsuit may not have any website attached. Without any web content, it can be difficult to tell if a domain name like instagrambusinesshelp.com is in fact legitimate.
Even assuming that these domain names are not legitimate, to what extent does a domain name registrar have to monitor its registrations, particularly if it gets thousands of registrations per day at prices of between $1-50 per year?
“It’s not possible for the registrar to conduct a full trade mark / legalities check for every little-known company that decides to register a domain name. If Facebook gets an exception because it is so well-known, then where do you draw the line? How well-known would you have to be?” he says.
Sandy thinks Facebook is fighting an uphill battle.
“I can see what it’s trying to say – Namecheap knows people register fraudulent / phishing domain names, it doesn’t actively police such registrations, and it continues offering domain privacy as part of its registration package, which can almost look like it encourages or at least doesn’t care about its domains being used for phishing.
“However, as an intermediary, domain name registrars are in a similar boat to search engines or ISPs, and their legal obligations will likely reflect this. It is impossible in practice for a domain name registrar to actively police its registrations; instead, as far as legal obligations go, it will probably only be required to properly and efficiently respond to complaints regarding domain names being used for fraudulent / phishing / other illegal purposes, including trade mark infringement,” he says.
Sandy says Namecheap’s policy of not revealing the domain name privacy client behind the actual domain registrations unless legally required to do so (and not just requested by a complainant) is also likely to be perfectly valid.
“Its clients have paid to have the information withheld, and the service is entirely legal. The only exposure tends to be where the evidence of illegal activity is so strong that continuing to withhold the information may amount to knowingly assisting the illegal activity.
“There have been a few cases in the USA relying on this type of argument against domain name privacy providers, but they have settled – I am not aware of a case that went to trial on this point. There was one case where a registrar, OnlineNIC, was sued by Verizon and lost, but that was a case where OnlineNIC itself engaged in cybersquatting,” he says.
Interestingly, in October last year Facebook announced a similar lawsuit against OnlineNIC, engaging the same attorney that won the case for Verizon. The lawsuit is still ongoing.
However, OnlineNIC has directly engaged in cybersquatting in the past, and it is known for being unresponsive to abuse reports and complaints. Assuming that the same circumstances exist in the Facebook lawsuit against OnlineNIC, that case may fall within the “knowingly assisting an illegal activity” category. Namecheap, on the other hand, is generally reputable and does regularly cancel registrations where it considers sufficient evidence of abuse has been provided.
The progress of these two lawsuits will no doubt be closely watched by the domain name industry.