The Internet Commerce Association (ICA) has posted a position paper and analysis of S. 2661, introduced on 2/25/08 in the US Senate. While we are firmly opposed to phishing and other criminal activities that may utilize domain names we are very concerned about the provisions of the proposal that appear to provide trademark owners with a means to avoid both UDRP and ACPA actions and alternatively bring private claims against domain names with a lower burden of proof and the potential for far higher monetary damages, without even requiring an allegation that the DN was in any way being utilized in a phishing scheme.

The proposal also contains a provision regarding access to WHOIS information that will likely generate major heartburn for free speech and privacy advocates.

We are carefully reviewing the legislation with an eye toward supporting and perfecting those provisions that fill existing gaps in anti-phishing law while striking or amending those provisions that provide an end run around UDRP and ACPA. If trademark owners believe that existing procedures do not give them adequate recourse against truly infringing websites they should make their case to ICANN and the Judiciary Committees, and not seek to establish a parallel and biased enforcement system nestled within the Federal Trade Commission Act.

— Philip S, Corwin, Counsel, Internet Commerce Association

The position paper follows:

Snowe Bill Threatens Domain Name Registrants with “Infringement” Enforcement That is More Expansive and Punitive Than the UDRP or Trademark Law

On February 25, 2008 U.S. Senator Olympia Snowe introduced S. 2661, the “Anti-Phishing Consumer Protection Act of 2008” (APCPA). The bill was also cosponsored by Senators Bill Nelson (D-FL) and Ted Stevens (R-AK). It has been referred to the Senate Committee on Commerce, Science and Transportation. No hearings have yet been scheduled on this proposal.

Initial ICA Position

Internet Commerce Association strongly supports efforts to thwart trademark infringement, criminal phishing schemes, and the furnishing of inaccurate WHOIS database information. S. 2661, however, contains provisions that are largely unrelated to these objectives and that radically and unnecessarily expand the rights of trademark owners to essentially provide them with monopoly rights on registered trademarks to the detriment of millions of individuals and businesses engaged in lawful and legitimate Internet commerce. Moreover, the proposal goes far beyond protecting trademarks to covering brand names and business names that might otherwise not be entitled to trademark protection. Such an expansion flies in the face of established trademark law, poses significant risks to Internet commerce, and would be burdensome on our justice system. ICA believes that the legislation can be perfected to eliminate these risks without hindering its ability to achieve the goal of preventing phishing and other fraudulent schemes that plague Internet commerce.

ICA is firmly opposed to the criminal activity of financial data phishing and will carefully review the portions of this legislation relevant to eradicating that activity with a view toward supporting those provisions that fill essential gaps in existing law.

However, ICA is also firmly opposed to the establishment of a parallel domain name infringement enforcement scheme that is more expansive and more onerous than the existing, highly effective remedies available to trademark owners through ICANN’s UDRP process and U.S. trademark law. Trademark owners already prevail in 85% of all UDRP complaints and nearly 100% of all ACPA cases. Yet some apparently now wish to establish a new regime for contesting allegedly “infringing” domains that is tilted even more in their favor by denying basic due process and substantive protections to domain name registrants—and that provides the possibility that they can use their power and influence to sway public officials to expend taxpayer dollars in defense of private intellectual property rights.

The overbroad and unnecessary trademark-like provisions of this bill are a recipe for massive reverse domain name hijacking by large corporations and are therefore a direct threat to the more than $10 billion in asset value created by the entrepreneurial ranks of professional domain name investors and developers, and to the beneficial goods, services, and information provided to consumers through their websites. ICA will work with the bill’s sponsors and other members of the Senate Commerce Committee with an eye toward eliminating or narrowing these unnecessary and duplicative provisions and assuring that any final legislation is focused solely on the criminal financial fraud of true phishing schemes.

Relevant provisions of ICA’s member Code of Conduct include:

• Protection of Intellectual Property Rights: A registrant shall follow accepted trademark law and respect the brands and trademarks of others. Members will not intentionally and in bad faith register and use a domain name that is identical or confusingly similar to a trademark or service mark. Registrants shall respond promptly to legitimate disputes relating to alleged infringement of intellectual property rights.
• Strict Adherence to Internet Fraud Laws: Members of ICA are committed to adhering to all applicable laws that seek to curb and control Internet fraud and abuse. Cybersquatting, the practice of registering and reserving an Internet domain name for the purpose of reselling it to the rightful owner at an inflated price, is condemned; as are practices such as phishing, which is the process of attempting to obtain the personal information of unsuspecting Internet users for illicit purposes.
• Access to Accurate WHOIS Data: A registrant will provide accurate domain name ownership and contact information to the WHOIS database in a timely manner so that domain name ownership is transparent. While a registrant may use a proxy service or other accepted means of privacy protection, a registrant should provide a timely response to any inquiry passed on via such proxy or related service or received directly when such service has complied with a lawful request for contact information.

While ICA is clearly committed to best practices and lawful conduct by domain name registrants, we are very concerned that this proposal would establish a separate and parallel system of trademark-related enforcement vis-à-vis domain names that is less balanced, broader and more punitive than existing ICANN arbitration procedures and relevant provisions of U.S. trademark law. For example, it appears that geo-domains, which are not subject to trademark restrictions, could be implicated under the proposal’s reference to “government offices”, and that generic domain names that do not violate trademark law could also be placed at jeopardy. In addition, there is no “bad faith” registration requirement for finding liability as there is under both the UDRP and ACPA. And the statutory damages available under the proposal are far in excess of those provided by trademark law.

This legislation was endorsed at introduction by the Coalition for Domain Name Abuse (CADNA), an organization of major brand owners that has consistently exaggerated the extent and negative effects of “cybersquatting” and has advocated a hyper-expansive view of the rights of trademark owners vis-à-vis domain name registrants. If enacted this bill would allow trademark and brand owners to encourage state and federal officials to bring what are in essence trademark infringement suits on their behalf without any need to allege, much less prove, that the targeted domain names were in any way involved with criminal phishing activities. It would also allow trademark owners to abandon use of the UDRP process and the ACPA since alleged “cybersquatting” could be targeted with lawsuits brought under this proposed law, with a lower burden of proof and the coercive power of far more substantial monetary penalties.

Further, the proposal unfairly targets domain name registrants for a widespread Internet practice—if its aim is to halt the advertising monetization of brand names and typographical variations thereof when consumers engage in direct Internet navigation or in web searches it utterly fails in that endeavor, as this activity is also engaged in systematically by search engines, web browsers, and ISPs. In fact, Verizon, a CADNA member, now serves up unrelated ads to its broadband ISP subscribers when they type in typo variations of trademarked names that correspond to unregistered websites.

Summary of the Legislation

Notwithstanding its title, the proposed legislation goes far beyond targeting “phishing”—the criminal misuse of e-mail and websites to falsely solicit financial information for fraudulent purposes—an activity that is already illegal and subject to enforcement under a variety of state and federal laws. It also establishes a parallel trademark-like infringement enforcement system that goes far beyond the provisions of ICANN’s Uniform Dispute Resolution Policy (UDRP) arbitration procedures as well as the U.S. Anti-Cybersquatting Protection Act (ACPA).

The proposed law would make it illegal for any person to use a website in violation of the anti-dilution provisions of U.S. Trademark law to solicit any information facilitating the purchase of goods and services by use of false or fraudulent pretenses or “misleading representations” that the solicitation was being made by or on behalf of a government office, nonprofit organization, business, or other entity.

It would also make it unlawful for any person to use a domain name in connection with the display of a webpage or an advertisement on a webpage if—

• The domain name was identical or confusingly similar to the name or brand name of a government office, nonprofit organization, business or other entity.
• The person had actual or implied knowledge that the domain name would likely mislead a computer user about any material fact regarding the webpage or advertisement.

In determining whether the person had actual or implied knowledge of likely misleading effect the courts could look to a variety of factors, including the person’s “intent to divert consumers from the brand name or trademark owner’s online location…that could harm the goodwill…by creating a likelihood of confusion as to the source, sponsorship, affiliation, or endorsement of the website.” Another factor would be whether the person had offered to sell the domain name to any third party “without having used…the domain name in the bona fide offering of goods and services”, a provision that appears to be aimed directly at “parked” websites consisting solely of advertising links.

Again, despite the bill’s title, none of these trademark-related provisions contain any requirement that the domain name and website had actually been utilized to facilitate a criminal “phishing” scheme. They address essentially the same harms for which the UDRP and ACPA already provide remedies, but in a more expansive manner with the registrant at greater legal disadvantage and subject to harsher penalties.

Enforcement of the APCPA could be undertaken by—

• A state attorney general or any other official of a state
• The Federal Trade Commission (and any violation of the APCPA would be considered to be a violation of the Federal Trade Commission Act as an unfair and deceptive trade practice, and subject to its additional penalties and remedies)
• Federal banking and securities agencies, state insurance commissioners, and the Federal Communications Commission
• Interactive computer services (e.g., ISPs)
• Trademark owners

All of these parties could seek injunctions, enforcement, and recovery of actual monetary damages. In addition, interactive computer services and trademark owners could seek punitive damages for willful and knowing violations—the private right of action granted to these parties in a bill ostensibly aimed at criminal activity is highly questionable. In cases filed by the FTC, FCC, and state officials, cease and desist orders and injunctions could be obtained without any requirement to allege, much less prove, that the domain name registrant had actual or implied knowledge of likely misleading effect.

In actions brought by a state attorney general or other state official monetary damages could be sought in the amount of actual monetary losses or, in the alternative, statutory damages of $250 per violation up to a maximum of $2 million. However, a court could triple the statutory damages award, up to a maximum of $6 million, if it found that the defendant had willfully and knowingly violated the Act or if the unlawful activity included the use of a domain name in violation of the anti-dilution provisions of the Trademark Act. The court could also award attorney fees where a successful suit was brought by a state attorney general or other state official.

The proposal would also violate the legitimate privacy expectations of domain name registrants by requiring any U.S. based domain name registry or registrar offering proxy privacy protection services to cease blocking access to any information in the WHOIS database upon mere receipt of an e-mail or other written notice alleging that the use of a domain name was in violation of any provision of the Act. There is no requirement that the complainant provide any proof to back up the allegation or that it be made in good faith, and no penalties are provided to deter bad faith claims. The registrant is afforded no notice that such a complaint has been made or any opportunity to counter the allegation. Ironically, this provision could well be used by criminal elements to gain personal information that would assist the commission of identity thefts and other frauds, as the claimant could well submit it using a false identity, pseudonym, or even anonymously—in fact, such requests for the removal of privacy protection could even be generated automatically by bots. In addition to constituting a major threat to legitimate privacy and free speech expectations, this provision would place U.S.-based registrars at a considerable competitive disadvantage, as ICANN has just approved a procedure through which foreign-based domain name registrars may request national law exceptions to provide privacy shielding in excess of that required by the standard Registrar Accreditation Agreement and this option will certainly be utilized by registrars based within the European Union. In addition, ICANN is poised to begin approval of a slew of new generic Top Level Domain registries later this year and the ability to avoid APCPA compliance on this matter would provide newly authorized registries based in other nations with a significant competitive advantage over incumbent U.S.-based registries.

Finally, the bill would make it a crime for any person to knowingly, and with intent to defraud, use a website or domain name that falsely or deceptively represented itself as another’s business and use the website to get any other person to provide them with “any means of identification”. Violations would be subject to fines and imprisonment of up to five years.