The co-founders of brand protection agency SILKA share their practices for winning UDRP domain name disputes and recovering domains. Elisa Cooper of GoDaddy Corporate Domains reports.
Cecilia Borgenstam and Klara Sigvardsson are partners and co-founders of SILKA, a boutique consulting company which specialises in brand protection online. SILKA’s team has filed and won more than 800 domain name disputes for its well-known global brand clients.
In the Q&A interview below, Borgenstam and Sigvardsson share their insights about how the UDRP process works, recent trends in domain name disputes, and domain recovery strategies.
Tell us about SILKA
SILKA is a consulting firm with 15 specialists and offices in Stockholm and New York City. We specialise in brand protection online – specifically, domain name disputes and website takedowns. Since we focus solely on this niche area, we can maintain a very high success rate and that is why our clients choose to work with us.
In addition to the UDRP, we also handle all national dispute processes. SILKA’s main competition is large law firms, and we win clients based on our stronger expertise in this narrow field, coupled with faster turn-around times because we are much smaller and more agile.
What is the UDRP and how does it work?
The Uniform Domain Name Dispute-Resolution Policy or “UDRP” is an administrative process that trademark owners can leverage when disputes arise regarding domain name usage. The UDRP rules dictate that trademark-based domain name disputes must be officially resolved before a registrar is compelled to cancel or transfer a domain name. Trademark owners file a complaint against the domain name holder with a specific domain name dispute provider.
Currently there are six domain name dispute providers and the World Intellectual Property Organization (WIPO) is the most popular.
The UDRP is an efficient administrative procedure which is decided based upon submitted paperwork. The advantage of using UDRP rather than a lawsuit to settle a dispute is that a UDRP is a quick and cost-effective way to recover a domain name. To win a UDRP dispute, the trademark owner must meet three criteria:
1. The disputed domain name must be identical or confusingly similar to a trademark that the complainant owns.
2. The complainant must substantiate that the respondent does not have legitimate rights to the domain. This can go beyond registered trademark rights at times, such as verifying that the respondent has not set up a business under the disputed name, and that they are not known by that name.
It is possible that the respondent has used a particular name for several years which has created their rights to the domain name. If the similarity is purely coincidental, for example, if someone registered the same company name 20 years ago, long before you registered your company and trademark, that is just coincidental and there is no UDRP case.
3. Thirdly, the complainant must show that the disputed domain name was registered in “bad faith” and that the registration is currently being used in bad faith. Bad faith means that there is clearly intent to deceive. This involves looking at the owner of the domain name, and then investigating how the website is being used, if there are misrepresentations regarding the trademark owner, and so forth.
Bad faith is a bit subjective and is sometimes not easy to spot. Trademark owners can easily pinpoint it when companies try to sell the disputed domains to them for financial gain, but there are other components as well.
Anyone can buy and sell a domain name to a company that has the trademark, but for a UDRP it is necessary to show that the company bought the domain solely for the purpose of selling it to the IP owner.
To show bad faith, it is also helpful to investigate the history of the disputed owner to show patterns of illicit behaviour or habitual fraud. This can entail looking at the company’s website and logo to see if they are imitating the legitimate business. These additional items are important to round out the totality of the UDRP case.
When should companies use UDRP for recovering a domain?
Before going the UDRP route, the company should determine whether the disputed domain is actually causing any damage to the business, to weigh whether or not it is worth the time and money to take action against it. Even if a domain name is identical or confusingly similar to your brand, is it negatively impacting the daily business or corporate reputation?
The UDRP is also a good option when you want to ensure that the specific URL will never be used in a harmful way again. Shutting down only the website is a quicker remedy than a UDRP, but the upside of the UDRP is that the complainant will ultimately gain ownership and hence full control of the domain name. We often undertake both these actions—UDRP and website shutdowns—in parallel.
A UDRP has a much more predictable outcome than trying to only shut down the website connected to the domain name. A UDRP has its set criteria, while webhosts set their own rules towards their clients and then choose whether they want to enforce them.
Also, if the UDRP panel rules in your favour, the respondent must cancel or transfer the domain name. In effect, this makes an example out of the person or company which was using the domain name inappropriately and shows that the trademark owner will not tolerate abusive domain name registrations.
A good example of when clients usually want ownership of the domain (rather than just having it cancelled) is when it has been involved in a scam or phishing. Lately, a lot of domain names are being used for distributing fraudulent emails in phishing scams, and taking over ownership and ultimate control of these domains is usually an urgent matter for any company.
Who determines which party wins the UDRP dispute?
There are several UDRP dispute resolution providers, where WIPO and The Forum are the most used ones. They have a network of trademark lawyers who act as panellists in UDRP disputes. The standard is to have a one-person panel determining the decision in a UDRP case.
However, for UDRP matters which have more complex elements, the complainant or respondent may request a 3-person panel for which they will pay an additional fee. Either party can request the appointment of a panellist from a certain jurisdiction, which is usually the jurisdiction where the requester is located.
How has GDPR impacted the UDRP process?
Before GDPR, filing large-scale UDRP complaints was more straightforward than today since it was easier to connect the abusive domain name registrations to their respective owners. There was more transparency which made it easy for anyone to connect several domain names to the same owner and hence consolidate them all into only one UDRP proceeding.
Some specialist firms like ours use various tools to still be able to connect them based on other information, such as similarity of name servers, registration date, choice of registrar, webhost, website content, etc., but without access to these tools, GDPR mostly prohibits that now through its data privacy protections.
Also, assessing the merits of a case now requires more experience and more technical tools than before. Consulting companies like SILKA can still accomplish this kind of work because we know how to use other information to connect them to one owner.
Explain reverse domain name hijacking and what brands can do to avoid this
Reverse domain name hijacking is when a trademark owner, typically a well-known one, tries to obtain a domain name through a UDRP even though there really was no bad faith on the current owner’s part. Essentially, in this case, the trademark owner becomes the bad actor. Some trademark owners are under the impression that just because they have a registered trademark, they're entitled to the corresponding domain name. Reverse domain name hijacking occurs when a UDRP complaint is not well-founded and the argument supported by the filer or the trademark owner has been made in bad faith.
A company may know that they are very unlikely to succeed under the UDRP, but they really want the domain and this might be their last resort so they try to recover the domain name even though they cannot substantiate their claim. This is when a respondent can argue the case for “reverse domain name hijacking”.
These are rare and companies should be very careful not to appear to be bullying the owner of the domain name. If the trademark owner goes too far and loses the UDRP case, that decision will be cited against them in future cases, potentially weakening their position in future UDRP claims. Companies should consult an expert before filing a UDRP to assess whether their case is suitable for UDRP or not and to ensure that it would not constitute reverse domain name hijacking.
Do you see other trends and issues impacting the UDRP right now?
There is a rise in domain names being used for malicious activity. This increased during the pandemic, probably because most people working from home did not have the same secure IT environment that they would normally have had in the office, and people in general were also shopping online more than before thereby making them more vulnerable to scams. A much larger portion of the UDRPs that we file now involve fraud than before the pandemic. We see an increased volume of phishing emails, fraudulent job offers, and other schemes from bad actors for collecting personal data.
Aside from the UDRP what other options exist to recover domains?
As a first step, companies can send a cease-and-desist letter, but we would recommend doing that only if you are certain that you have a case for a UDRP in case the letter does not have any effect. Otherwise, the letter becomes an empty threat. If you don't have a suitable case for UDRP, you can potentially file a lawsuit in local court. Another option is for the company to try to purchase the domain name outright.
What are the keys to domain recovery via UDRP?
The number one key to domain recovery is to ensure that you can prove bad faith. Don’t just make the assumption that because you have a trademark and are a large company, everyone should know who you are and you will have the right to this domain name.
You will need to prove that the owner of the domain name had your specific company and trademark in mind when they registered their domain. The bad faith criteria must be addressed in depth for any UDRP case.
What domain recovery trends do you see taking shape in 2022?
As mentioned before, there was an increase in email phishing activity and fraudulent activity during the pandemic. However, even though people are gradually going back into the office, we don’t see this illicit activity really decreasing. In fact, on the phishing side, it’s quite the opposite—the numbers are still going up.
In previous years, we were seeing more fake websites of various kinds, selling counterfeit products or trying to steal web traffic by directing the domain name to a website with pay-per-click links. Now the fraud is more malicious and sophisticated. It is not as simple as just looking at the unauthorized website to see the extent of the activity—it has gone behind the scenes more.
Bad actors are now doing more than just putting up a fake website imitating a legitimate company. Nefarious hackers are distributing emails impersonating the targeted company, tricking employees, vendors and customers into revealing personal and company data under false pretences.
We frequently see hackers register a domain name very similar to the domain name that a company would be using for its own email addresses. They will make only a slight change such as exchanging the letter “l” for the number “1” and send emails signed by the CFO or some other authority figure asking the recipient to pay an invoice or to provide sensitive information. SILKA is often brought in after the company has already paid several fake invoices and then realized that their legitimate vendor never received any funds.
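The lookalike sender domains described above, where one character such as the letter “l” is swapped for the digit “1”, can be flagged before an invoice is paid. The following Python is an added example, not part of the interview or SILKA's tooling; the domains, the small confusable table and the function names are constructed for illustration, and the check compares the whole domain after the “@”.

```python
from typing import Iterable, Optional, Tuple

# Illustrative subset of visually confusable substitutions (assumption,
# not a complete homoglyph list): lookalike form -> canonical form.
CONFUSABLES = {"1": "l", "0": "o", "5": "s", "rn": "m", "vv": "w"}

def skeleton(domain: str) -> str:
    """Fold confusable characters so lookalikes collapse to one form."""
    d = domain.lower().rstrip(".")
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, catching typo-style registrations."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(address: str,
                    trusted: Iterable[str]) -> Tuple[str, Optional[str]]:
    """Return (verdict, trusted domain being imitated or None)."""
    trusted = [t.lower() for t in trusted]
    domain = address.rsplit("@", 1)[-1].lower().rstrip(".")
    if domain in trusted:
        return ("trusted", domain)
    for good in trusted:
        # Same skeleton but different spelling: confusable-character swap.
        if skeleton(domain) == skeleton(good):
            return ("lookalike-confusable", good)
        # One insertion, deletion or substitution away from a trusted name.
        if edit_distance(domain, good) <= 1:
            return ("lookalike-edit", good)
    return ("unknown", None)

# Constructed sample senders; globalparts.example stands in for a real vendor.
TRUSTED = ["globalparts.example"]
SAMPLES = [
    "cfo@globalparts.example",
    "cfo@g1obalparts.example",
    "cfo@globalpart.example",
    "billing@othervendor.example",
]

if __name__ == "__main__":
    for sender in SAMPLES:
        print(sender, "->", classify_sender(sender, TRUSTED))
```

A verdict other than "trusted" on a message that asks for payment or sensitive information is a reason to confirm the request through a contact channel already on file.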
Elisa Cooper is head of marketing at GoDaddy Corporate Domains. She can be contacted at: firstname.lastname@example.org