Webinar: ICANN enforcement and Uber’s anti-counterfeiting efforts

The methods for identifying and abating brand-related domain abuse have shifted radically, but with a surge in COVID-19-related domain name registrations, what can brands do?

In association with  Appdetex, WIPR yesterday, June 18, outlined the hike in pandemic-related domain names and the difficulties associated with using Whois post-General Data Protection Regulation (GDPR).

At the end of March this year, approximately 22,000 domains registered contained the strings ‘COVID’, ‘COVID-19’, or ‘Coronavirus’.

Faisal Shah, CEO and co-founder of Appdetex, added that Whois research service Domain Tools had launched a threat list which reports that, as of June 16, more than 175,000 COVID-related domains had been registered. This includes references to N95 masks, drug treatments and vaccines.

“Many of these COVID names … contain the names of brands in the string. It’s a little concerning,” he said.

A toothless system

However, for those looking to use Whois system to identify bad actors, it’s not an easy process.

“No matter the crisis, the changes to the Whois system based on the introduction of GDPR has made the task of investigating these issues more difficult,” said Alex Deacon, founder of Cole Valley Consulting.

The utility of the Whois system diminished after GDPR came into force, he added, and the “valuable resource essentially disappeared”.

“Bad actors know the accountability mechanisms for the Domain Name System via the Whois system has changed in their favour,” said Deacon. “They’re taking advantage of it.”

Prior to May 25, 2018, when GDPR came into force, the Internet Corporation for Assigned Names and Numbers (ICANN) created a temporary specification for registration data, allowing for the broad redaction of data in the Whois system.

It then introduced an expedited policy development process, to evaluate the temporary specification and ensure Whois was GDPR compliant. Phase 1 replaced the temporary specification, making it permanent. Phase 2, which Deacon said is wrapping up now, was to define a system for access and disclosure of non-public data.

GDPR is an untested law but one which also carries the risk of fines and so registrars and registrants have taken a “very conservative approach” to minimise the risk to their bottom line, he said.

Deacon claimed: “The fear of risk and liability has resulted in a policy that, in my opinion, is much worse than even the temporary specification. It also falls well short of the communities’ needs.”

He believes that there’s really no guarantee that IP interests and the interests of security professionals will get the required information disclosed, even if they have a legitimate interest, a proper legal basis and a fully compliant request.

“The way the policy is evolving, it’s clear that even where there is systemic abuse of this process, where there may be registrars or registries who decide they won’t ever respond to [a request for redacted information], ICANN compliance won't have the teeth. Actually they’re not even willing to override any of the decisions made by the registrar or registry,” Deacon concluded.

Susan Kawaguchi, policy advocate and enforcement strategist at Appdetex, outlined her experience of responses to requests for redacted Whois data, explaining that without Whois, it’s very difficult to contact a registrant.

“It appears that registrants are appearing to block those communications,” said Kawaguchi. While some registrants do not have forms to request emails, they are not standardised, making it difficult in enforcing effectively against large numbers of domain names.

“Registrars often complicate things, by including or sending a message to the registrant that they have no responsibility to respond. It’s true, but it would be in their best interests,” she added.

Uber’s efforts

Uber has seen some domain-related abuse but not a huge spike amid the pandemic, said Raphael Gutierrez, director of IP at the company.

He cited a series of cases Uber has tackled recently, including the launch of a food delivery service, launched by a strip club in Portland, called Boober Eats.

The Boober Eats reportedly used a font that was identical with Uber’s own font in its old branding, and also used a similar fork logo.

It was a clear case of infringement, said Gutierrez, but added that Uber had to be careful how “it was going to approach somebody who showed this entrepreneurial spirit and was keeping people employed during the COVID-19 shutdown”.

“We wanted to make it very clear we were objecting to the name and not service in general,” he said. The owner of Boober Eats agreed to remove all uses of the name.

Uber also faces infringement in app stores—a few years ago, Uber launched a lite version of its drive app, but bad actors subsequently published fake lite versions of other apps. Gutierrez said that he sees “infringers pivoting every time brand owners do”.

On social media, the distribution of referral codes is a problem for Uber. Initially, Uber submitted the takedowns in house, but the numbers got too big.

“This was the first time we approached a brand protection company like Apptedex. We weren’t able to keep up with volume,” said Gutierrez, adding that it wanted a company to submit takedowns and have a portal to track enforcement efforts.

Finally, while counterfeiting wasn’t originally a problem for Uber, the introduction of a pilot programme providing lighted signs to Uber drivers in certain markets also introduced counterfeits to the market.

“Bad actors could potentially purchase the signage and pose as legitimate drivers,” said Gutierrez. Taking a multi-pronged approach, Uber asked Apptedex to implement its marketplace module to scour the marketplace platforms.

After noticing counterfeit Lyft signs on platforms, Gutierrez reached out to the company’s counsel. In partnership, the companies sent a detailed letter to the online marketplaces, explaining to them why there should be no Uber or Lyft signage on their platforms.

Gutierrez added: “As any brand holder or outside counsel knows, it can be a game of whack-a-mole with any online enforcement.”

Listen to the full webinar, “Domain Name Abuse: Coping with COVID-19, ICANN and GDPR”,  here. You’ll also find out about best practice for the now-distributed teams fighting abuse and the implications of Whois developments on brand protection.

For more information on opportunities to participate in a webinar, contact Sarah Gooding on sgooding@newtonmedia.co.uk.

To listen to LSIPR's and WIPR's back catalogue, visit our  BrightTALK channel.