The domain name <xn--ea-gpa2a.com> is confusingly similar to the trademark IKEA.
The domain name <xn--oogle-wmc.com> is confusingly similar to the trademark GOOGLE.
And the domain name <xn--nke-jua.com> is confusingly similar to the trademark NIKE.
That's what panels found in decisions under the Uniform Domain Name Dispute Policy (UDRP), even though the domain names, at first glance, might appear to have little or no connection to the trademarks at issue. These "internationalized domain names" (IDNs) are simply "formed using characters from different scripts."
What is Punycode?
In each case, the disputed domain names contained something called "punycode" -- a technology that uses characters from the ASCII character set (largely based on the Latin alphabet, which is used in the English language) to represent letters used in some other languages.
So, the three domain names listed above appear like this when translated from punycode to their corresponding characters:
<xn--ea-gpa2a.com> = <ıĸea.com>
<xn--oogle-wmc.com> = <ɢoogle.com>
<xn--nke-jua.com> = <nıke.com>
While punycodes can serve a useful function by allowing IDNs that contain characters appropriate for certain audiences, they can also be used for malicious purposes, such as "deceptive [domain names] used for phishing-style attacks" or other "malicious" endeavors, as Symantec has explained.
So, naturally, domain names with punycode have been used by cybersquatters, including the three examples above.
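As an added illustration (not part of the original article), the following Python example decodes the three punycode domain names above and compares the decoded names against the trademarks after folding look-alike characters. The function names are hypothetical, and the look-alike table is constructed to cover only the characters in these three examples.

```python
import unicodedata

# Constructed look-alike table covering only the characters in the three
# examples above (assumption; a full check would use Unicode confusables data).
CONFUSABLES = {"\u0131": "i", "\u0138": "k", "\u0262": "g"}  # ı, ĸ, ɢ


def to_unicode(domain):
    """Decode every xn-- label of a domain name to its Unicode form."""
    labels = []
    for label in domain.split("."):
        if label.lower().startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)


def skeleton(label):
    """Fold a label for comparison: drop accents, map look-alikes, lowercase."""
    folded = []
    for ch in unicodedata.normalize("NFKD", label):
        if not unicodedata.combining(ch):
            folded.append(CONFUSABLES.get(ch, ch))
    return "".join(folded).lower()


def check_domain(domain, marks):
    """Return (decoded domain, mark it imitates or None)."""
    decoded = to_unicode(domain)
    name = decoded.split(".")[0]
    if name.isascii():
        return decoded, None  # plain ASCII label: not an IDN look-alike
    for mark in marks:
        if skeleton(name) == mark.lower():
            return decoded, mark
    return decoded, None


if __name__ == "__main__":
    marks = ["IKEA", "GOOGLE", "NIKE"]  # trademarks named in the article
    for d in ["xn--ea-gpa2a.com", "xn--oogle-wmc.com", "xn--nke-jua.com"]:
        print(d, *check_domain(d, marks))
```

The same check can be run over newly registered domain names or over link targets in inbound mail, with the brand list replaced by the marks being monitored.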
Panels Consider Punycode Translations
In domain name dispute decisions, panels have typically examined the translated version of a domain name containing punycode (not the punycode itself) when analyzing the first factor of the UDRP: whether the domain name is identical or confusingly similar to a complainant's trademark.
In the Nike case, the panel observed that previous decisions "have treated Punycode iterations of domain names in an identical manner with their IDN [internationalized domain name] counterparts." As a result, the panel compared the trademark NIKE to the domain name <nıke.com> (and not to the domain name <xn--nke-jua.com>).
The earliest reference to punycode in a UDRP decision appears to have occurred in 2007, in a dispute over the domain name <têtu.com>. In that case, the panel wrote that "the <têtu.com> domain name is one and the same with its Punycode translation, <xn--ttu-fma.com>, for purposes of this proceeding."
And in the IKEA case, the panel said that differences between the domain name <ıĸea.com> and the trademark IKEA were "almost imperceptible, and the use of Punycode to create a domain name indistinguishable from a well-known trademark manifestly does not prevent a finding of identity or confusing similarity between the two."
While the WIPO Overview of UDRP decisions doesn't specifically refer to punycode by name, it does note that "the use of non-Latin internationalized or accented characters" can be considered nothing more than a typo in certain cases.
Punycode Abuses
As noted above, cybersquatters can readily abuse domain names containing punycode, by confusing consumers into believing that a domain name is associated with a trademark owner. Although consumers might be unlikely to type one of these IDNs, it's easy to see how someone could be tricked into clicking a link that appears to be something that it's not.
For example, in the Google case noted above, the UDRP panel found that the registrant of the domain name <ɢoogle.com> had acted in bad faith because Google demonstrated that "Respondent’s conduct online has been nefarious through screenshots of the resolving website which purportedly displays an attempt to download malware... as well as recognition Respondent has received online for its actions in spamming online."
And in one documented sophisticated phishing attack, a domain name using punycode was employed as part of a scam to direct Microsoft users to "a fake Office 365 login page to obtain the user's Office 365 account ID and password."
Trademark owners should be aware of how these internationalized domain names can be abused -- and be prepared to take appropriate action, including under the UDRP.