The Growing Threat of Cybersquatting in the Banking and Finance Sector

The apparent cyber heist of $81 million from the Bangladesh central bank's U.S. account may cause some people to question the security of online banking. While the online theft prompted SWIFT -- a cooperative owned by 3,000 financial institutions around the world -- to make sure banks are following recommended security practices, the incident also could have ramifications for banking customers worldwide. Indeed, the Bangladesh online banking break-in comes just as the World Intellectual Property Organization (WIPO) identified the banking and finance industry as the second-most-popular sector to file cybersquatting complaints in 2015. Nine percent of all domain name disputes at WIPO last year were filed by bank and finance owners, second only to the fashion industry.

WIPO identified the following banking and finance entities as among the most active pursuers of cybersquatters: Banco Bradesco, Bank of Scotland, Bloomberg Finance, Comerica Bank, Intesa Sanpaolo, Lloyds, Saxo Bank and Sydbank.

At the Forum, the second most-active provider of domain name dispute services, the list of banks that filed domain name disputes in 2015 is more U.S.-centric, including complaints by American Express, Bank of America, Barclays, Discover Financial Services, OneWest Bank, Regions, TD Bank and Wells Fargo.

Using UDRP and URS to Fight Cybersquatters

While most of these cases were filed under the Uniform Domain Name Dispute Resolution Policy (UDRP), companies from the banking and financial services industries also are taking advantage of the new Uniform Rapid Suspension System (URS) to tackle registrations in the new generic top-level domains (gTLDs), such as .club, .guru, .services, .top, .wiki and .xyz. Morgan Stanley, Principal Financial Services and PayPal have all used the URS to their advantage.

In many cases, the domain name disputes initiated by banks involve phishing scams, that is, where the cybersquatter tries to trick a customer into providing his or her account information. For example:

  • In one Wells Fargo case, involving the domain name <welilsfargo.com>, the UDRP panelist found that the registrant of the domain name was "seeking to deceive Internet users by providing a web site containing a near identical copy of [Wells Fargo's] web site and seeking to fraudulently obtain personal information from Internet users through a phishing scam."
  • Similarly, in a UDRP case for <lloydsprivatecommercialfinance.com>, Lloyds Bank said that "[t]he disputed domain name is used to host a website appearing to offer financial services, but there is no proof there of any delivery of such services, nor any mention of any official authorization, as would be mandatory. The Respondent appears intent on making unjustified profits or defrauding consumers to reveal personal or proprietary information."

Phishing, Crimeware and Education

These banking-related cybersquatting cases are consistent with a general increase in phishing scams overall: The non-profit Anti-Phishing Working Group (APWG) reported that the financial services industry was the second-most-targeted industry sector in the fourth quarter of 2015 (behind only the retail/service sector). The APWG also notes that access to financial-based websites is the most common target for "crimeware" attacks, which it defines as "data-stealing malicious code designed specifically to be used to victimize financial institutions' customers and to co-opt those institutions' identities."

Although online banking is now commonplace, some customers continue to fall for some scams. Indeed, the Federal Trade Commission warns consumers that they should never click on links in email messages requesting financial information. And individual banks send similar messages. For example, Bank of America cautions its customers about the common "phony email ask[ing] you to go to a website that looks like a Bank of America site, but is actually a site the criminal has set up asking you to provide your personal account information."

Despite these warnings, phishing and crimeware attacks targeting the banking and finance sector are not likely to disappear anytime soon, as the reports from WIPO and the APWG make clear. While banks and financial service providers should continue to educate customers, tackling cybersquatters through the UDRP and URS remains an important -- and very effective -- way to ensure that online banking remains safe.

What is the Intellectual Property Constituency (IPC)?

As a longtime member of ICANN's Intellectual Property Constituency (IPC), I’m impressed by the important work that this group does on behalf of trademark owners worldwide (as I've written before). While some die-hard IPC members spend countless (and, often, thankless) hours working virtually and in-person (at ICANN's global meetings) for the constituency, I find it very educational and worthwhile to participate on an ad-hoc basis. Thanks to active email discussion lists and remote participation technology, the IPC offers numerous opportunities to get engaged with important issues affecting, primarily, the intersection of trademarks and domain names.

For example, at the recent ICANN meeting in Marrakech, Morocco, the Generic Names Supporting Organization Council (a part of ICANN's policy development entity) approved a working group to review all rights protection mechanisms in the generic top-level domains (gTLDs), an area that is of obvious importance to IPC members, who will certainly contribute greatly to its work.

Still, despite all of the IPC's significance, I often find that many people are simply unaware of what this constituency is -- or, at least, what it does and who drives it. Fortunately, the IPC recently published an updated "one-pager" (well, it's really a 2-page PDF document) about itself, which provides some great introductory information.

Among other things, the document makes clear that the IPC is "primarily focused on trademark, copyright and related intellectual property rights, and their effect on and interaction with the domain name system (DNS)."

The IPC's "key" issues, as described in the document, are as follows:

  • WHOIS/registration directory services, including WHOIS accuracy, availability of WHOIS information, translation and transliteration of WHOIS information, privacy and proxy services, and advancements in “next generation” registration directory services.
  • Reviews of ICANN’s New gTLD Program including competition, consumer trust and consumer choice, and planning for subsequent rounds.
  • Reviews of rights protection mechanisms (RPMs) for the New gTLD Program and for “legacy” gTLDs, including the Uniform Rapid Suspension System (URS), the Trademark Clearinghouse (TMCH), and the Uniform Domain-Name Dispute-Resolution Policy (UDRP).
  • Internet governance, including the IANA Stewardship Transition and the associated process to enhance ICANN accountability.
  • Issues related to geographical indications and other geographic terms.
  • Abuses and concerns related to the New gTLD Program, both overall and with specific registries and new gTLDs.
  • Strong, consistent enforcement of ICANN’s contracts with registries and registrars, especially new provisions regarding the protection of intellectual property rights.

I recommend the IPC one-pager for anyone interested in learning more about these issues, including those who might want to join the constituency and further contribute to the protection of intellectual property on the Internet.

Beware of YouTube's 'Community Guidelines'

As an attorney who spends every day helping clients protect themselves online, imagine my surprise when I received an email from YouTube with the subject line, "Your video has been removed from YouTube." And the email was intended for me, not for one of my clients. Amazingly, the video that YouTube removed was one I created -- about how to protect yourself online! It was a recording of a webinar I had recently presented, titled "Domain Name Disputes: What Happened in 2015 (and How to Protect Yourself in 2016 and Beyond)." The video had been published on YouTube for several days before I included a link to it on my GigaLaw blog. Within a few hours, YouTube removed it.

Why? Good question.

What the 'Community Guidelines' Forbid

YouTube's email simply said:

The YouTube community flagged one or more of your videos as inappropriate. After reviewing the content, we’ve determined that the videos violate our Community Guidelines.

Naturally, I "Googled" "youtube community guidelines" (since YouTube's email perplexingly did not contain a link to them), which led me to a page warning users, "Don't cross the line." The page identifies the following types of taboo videos:

  • Nudity or sexual content
  • Harmful or dangerous content
  • Violent or graphic content
  • Copyright
  • Hateful content
  • Threats
  • Spam, misleading metadata, and scams

Of course, these categories are just shorthand for more complete descriptions. Reading the headings alone isn't very informative. For example, most videos are protected by copyright law -- the question is whether the user who posts the video has appropriate rights to do so.

In any event, it was impossible even to imagine which of these categories might have been implicated in the decision to remove my video. After all, I (and my co-presenter) created all of the content in the video, which consisted solely of PowerPoint slides and our narration. No music, no movie clips, no photographs. Certainly no nudity (though there is one slide that discusses the impact of adult-related domain names -- .adult, .porn, .sex and .sexy -- on trademark owners). Nothing that could possibly be considered harmful, dangerous, hateful (I've served as a member of the ADL Anti-Cyberhate Working Group) or threatening. And nothing related to spam, scams or the like. After all, these are the issues I counsel my clients to avoid.

My Successful Appeal to YouTube

So, embarrassed that my webinar video had been taken down so soon after I informed my blog readers that it had been posted, I immediately (within 17 minutes) responded to YouTube, via their "appeal" process, which essentially consisted of a short form. I had room for perhaps a sentence or two -- nothing that would allow for much explanation or legal argument.

And then, about 15 hours later, I received another email from YouTube:

After further review, we've determined that your video doesn't violate our Community Guidelines. Your video has been reinstated and your account is in good standing.

Good news, of course. Though, in the maddening interim, I had replaced the video link in the blog post with a new copy of my webinar video, this time hosted on Vimeo instead of YouTube. (There are plenty of arguments out there about which service is better, but I won't digress.) I had become impatient and did not want the entire business day to pass with the video offline.

Although I was happy that YouTube had restored the video, I remained perplexed. Why was it taken down in the first place? Why wasn't I given an opportunity to respond to any complaints before it was taken down (as is common in copyright-related situations under the Digital Millennium Copyright Act)? And why was it reinstated?

So, I asked YouTube. Via email. Twice. But, of course, no answer.

YouTube's lack of a response is frustrating, but understandable. After all, Google reported last year that it receives 2.2 million takedown requests every day.

Lessons About Online Publishing

While, in a sense, all's well that ends well, the experience has certainly left me frustrated -- and more empathetic to website publishers who have to deal with issues like this all of the time.

So, what did I learn? At least three important lessons:

  • Using a free service (such as YouTube) often means that customer service will be lacking, or absent. While I was frustrated that YouTube's decision seemed arbitrary, I had few grounds for complaint, and certainly no real person to whom I could complain.
  • Always have a backup plan. Fortunately, YouTube quickly (and rightly) restored my video, but not before I reposted it with Vimeo. While I was able to do so as soon as possible, there was some true "downtime" where users couldn't view the video. With better planning, I could have replaced the video even more quickly.

[Webinar Replay] Domain Name Disputes: What Happened in 2015 (and How to Protect Yourself in 2016 and Beyond)

Click above for a replay of the GigaLaw webinar, "Domain Name Disputes: What Happened in 2015 (and How to Protect Yourself in 2016 and Beyond)." The webinar was presented live on February 17, 2016. In this webinar, Doug Isenberg of GigaLaw and Troy Fuhriman of MarkMonitor provide an overview of domain name disputes in 2015, including important trends and new developments. The arrival of hundreds of new top-level domains (such as .xyz, .club and .email) has created new opportunities for cybersquatters, as trademark owners face new threats online. Learn how the Uniform Domain Name Dispute Resolution Policy (UDRP) and the new Uniform Rapid Suspension System (URS) can help trademark owners protect their brands on the Internet.

Playing time is approximately one hour.

Is the URS Dying?

The much-maligned Uniform Rapid Suspension System (URS) is not only failing to catch on -- it's actually starting to fade. Once envisioned as a popular rights-protection mechanism for trademark owners under the new generic top-level domain names (gTLDs), the URS instead is seldom used. In fact, despite the growth in new gTLD registrations, the URS is in decline.

As the chart above clearly shows, the number of URS complaints filed at the Forum (formerly the National Arbitration Forum) -- the most popular URS service provider -- dropped 13% last year, from 242 complaints in 2014 to 211 complaints in 2015. (The total number of disputed domain names in those URS complaints effectively remained unchanged, from 258 to 257.)

At the Asian Domain Name Dispute Resolution Centre, the story is even more dramatic, with only 7 URS complaints decided in 2015 -- a 59% dip from the 17 URS determinations in 2014.

And, when you consider that the total number of domain names registered under the new gTLDs actually increased 200% from the end of 2014 to the end of 2015, the decline in URS activity is especially significant. Said another way: In 2014, one in every 14,326 new gTLD registrations was subject to a URS complaint, but in 2015 the ratio dropped to only one in 51,378.

While it might be tempting to think that the paltry number of URS complaints being filed is an indication that cybersquatting is becoming less rampant, the overall number of domain name disputes tells a different story, given the 4.5% spike in cases at WIPO and a 23.9% increase in the total number of disputed domain names at the Forum last year.

So, why is the URS so unpopular?

As I've written before, the reasons are many:

  • The URS is still a relatively new dispute policy and, therefore, is not nearly as well-known as the Uniform Domain Name Dispute Resolution Policy (UDRP). (Indeed, WIPO -- the largest provider of all domain name dispute services -- does not accept URS cases.)
  • The URS only allows a trademark owner to temporarily suspend a domain name (whereas the UDRP allows a trademark owner to obtain a transfer of the domain name) and, therefore, is often a less attractive option.
  • The URS has a high burden of proof, which, combined with the strict word limit and lack of much precedent, can make it challenging for a trademark owner to prevail. (Indeed, the URS itself makes clear that it is "not intended for use in any proceedings with open questions of fact, but only clear cases of trademark abuse.")
  • Despite the increase in the number of new gTLD registrations, new gTLDs in general are not popular with the public overall -- so trademark owners may consider cybersquatting in the new gTLDs a threat not always worth pursuing.

Still, the URS is a good option for trademark owners under certain circumstances, but if the current trend is any indication, the UDRP will remain the preferred domain name dispute policy.

Is the DMCA an Effective Way to Take Down Infringing Content?

As promised at an end-of-the-year (2015) announcement, the U.S. Copyright Office has now launched a comment submission process about the "safe harbor provisions" of the Digital Millennium Copyright Act (DMCA). The DMCA is often used by copyright owners to get infringing content -- images, text, videos, music, even software -- removed from problematic websites.

Section 512 of the DMCA, commonly referred to as the "safe harbor" or "take-down" provision of the law, provides an incentive for "service providers" such as website hosting companies and online publishers (including those who accept user-generated content) to remove infringing content posted by their customers under certain circumstances, including a proper notice from the copyright owner.

Since the arrival of the DMCA in 1998, website operators can avoid liability for their customers' infringing activities if, among other things, they appoint an agent to receive notices and "expeditiously... remove, or disable access to, the material that is claimed to be infringing."

Through the years, Section 512 of the DMCA has been both praised and criticized by just about everybody -- copyright owners, website operators, publishers, bloggers and more.

There's no doubt that Section 512 is frequently invoked by copyright owners. For example, Google has reported that it receives 2.2 million take-down notices every day.

But also, a controversy over music in a personal video on YouTube has been litigated for years, with the U.S. Court of Appeals for the Ninth Circuit ruling last year that copyright owners must consider the "fair use" doctrine before submitting a take-down notice.

A lot has changed since the DMCA was enacted 18 years ago. Indeed, in a Federal Register notice about the comments, the Copyright Office said:

Today, copyright owners send takedown notices requesting service providers to remove and disable access to hundreds of millions of instances of alleged infringement each year. The number of removal requests sent to service providers has increased dramatically since the enactment of section 512....

While Congress clearly understood that it would be essential to address online infringement as the internet continued to grow, it was likely difficult to anticipate the online world as we now know it...

As a result, website operators can become overwhelmed with take-down notices while copyright owners of all sizes often find the process unpredictable and frustrating.

So, the Copyright Office wants to know (among many other things):

  • Are the section 512 safe harbors working as Congress intended?
  • How effective is section 512’s notice-and-takedown process for addressing online infringement?
  • Does the notice-and-takedown process sufficiently address the reappearance of infringing material previously removed by a service provider in response to a notice?
  • How effective is the counternotification process for addressing false and mistaken assertions of infringement?

The Copyright Office is accepting comments on these and other questions until March 21, 2016. The answers it receives could shape the future of fighting infringement on the Internet.

However, unless and until anything changes, copyright owners and website publishers will continue to rely on the DMCA's notice and take-down provisions as a popular method for coping with infringing content online.

When Companies Merge, Cybersquatters Emerge

Big corporate mergers sometimes create big domain name headaches. Aside from increasing the burden and expense of managing a potentially extra-large portfolio of domain name registrations, a prominent merger can alert cybersquatters about new opportunities. This is especially true when the merger is -- as is usually the case -- announced before completion and when the deal is quite large.

For example, the recently announced $15.4 billion deal between Newell Rubbermaid and Jarden will, as The Wall Street Journal reported, combine such high-profile brands as Sharpie markers and Baby Jogger strollers with Rawlings baseball gloves and Mr. Coffee machines. And the $16.5 billion deal between Johnson Controls and Tyco will bring together prominent brands from the automotive and HVAC industries with security and fire-suppression products.

Big corporate mergers are nothing new, of course. But companies are wise to consider important domain name issues as a part of the process.

Many well-known companies have failed to register domain names that contain obvious trademark combinations created by a merger. In many cases, the companies resorted to filing complaints under the Uniform Domain Name Dispute Resolution Policy (UDRP) to obtain control of those domain names:

  • Before Chevron and Texaco announced that their merged company would be known as "ChevronTexaco," a cybersquatter registered the domain names <chevrontexaco.info> and <chevrontexaco.org>. In finding that the registrant acted in bad faith, the UDRP panel wrote: "Despite Respondent’s protestations that it had no idea that Complainant was going to choose the name CHEVRONTEXACO for its merged company, Respondent admits that it was fully aware that both marks were registered trademarks of the Complainant. Further, proof submitted by Respondent shows that he closely monitored and was fully aware of the merger activities of the Complainant, and of the likelihood that CHEVRONTEXACO would be used as Complainant’s name and mark."
  • On the same date that information leaked about a merger between Thermo Electron and Fisher Scientific, a cybersquatter registered the domain names <thermofisherscientific.com> and <fisherthermo.com>. In their UDRP complaint, the companies argued that the registrant of the domain names was "opportunistically engaged in bad faith registration," and the panel agreed -- calling the timing of registration "a compelling indication of bad faith."
  • Not all merger-related domain name issues involve well-known global corporations. In 2005, according to a UDRP decision, the Nordic media "widely reported" that a company in Finland known as Orion Corporation "planned to demerge into two separate companies, one of which would be Oriola-KD Corporation" -- which promptly encouraged one cybersquatter to register the domain name <oriola-kd.com>. The UDRP panel said the domain name registration was nothing more than "an opportunist act by an alert entrepreneur with a view to making a profit."

These same issues arise not only during corporate mergers but also when information about highly anticipated products is leaked. For example, a cybersquatter registered the domain name <amazonfirephone.us> only "days after publication of an article on the tech website BGR under the headline, 'Insider reveals launch timing and specs for mysterious Amazon smartphone,' and the same day on which Complainant filed applications to register the trademark AMAZON FIRE with the USPTO [U.S. Patent and Trademark Office]." (Disclosure: I represented Amazon.) The dispute panel called this "opportunistic bad faith."

While all of these disputes ultimately resulted in transfers of the relevant domain names to their trademark owners, the legal proceedings created expenses and delays.

Of course, it's impossible to anticipate every possible trademark combination, typo and top-level domain name that will lead to a dispute; so, it's impossible to avoid every potential cybersquatting problem created by a merger or new product. Fortunately, when those problems inevitably arise, trademark owners can use the UDRP and other dispute policies to reclaim their domain names.

WIPO Domain Name Dispute Filings Rise 4.5% in 2015

The number of domain name complaints climbed by 4.5 percent in 2015, reaching the third-highest level since the launch of the Uniform Domain Name Dispute Resolution Policy (UDRP) in 1999. Although the total number of disputed domain names in those complaints actually dropped -- by more than 22 percent -- the decrease was largely due to one unusually large case in 2014 (a single eBay dispute with 1,152 domain names) that skewed the numbers. As a result, the average number of domain names per complaint decreased to 1.58 from 2.13.

These statistics are from the World Intellectual Property Organization (WIPO), the largest of the four ICANN-accredited domain name dispute providers. (As I've noted before, the other providers -- the Forum, the Czech Arbitration Court and the Asian Domain Name Dispute Resolution Centre -- don't provide the same type or frequency of filing data.)

The increase in the number of complaints filed at WIPO is consistent with current trends, as both WIPO and the Forum reported a steady or slight increase in filings the previous year. The total number of domain name disputes at WIPO has been rising (though not consistently) since 2003.

Importantly, the WIPO statistics do not include filings under the Uniform Rapid Suspension System (URS), which applies to the new top-level domains. (That's because WIPO is not a URS service provider.) Perhaps some trademark owners selected the URS over the UDRP, a factor that actually may have kept the number of UDRP filings from increasing even more than 4.5 percent.

Here are a few other data points from domain name dispute filings at WIPO last year:

  • The number of .com domain names dropped significantly, from 3,341 the previous year to 2,732. Still, .com remains by far the most popular TLD in a domain name dispute. (With 262 disputed domain names, .net placed a distant second.)
  • At 62 disputed domain names, .xyz represented the new gTLD that appeared most often in a UDRP complaint. (The .xyz domain became popular because of an early free-registration program, and Google's new parent company, Alphabet, brought attention to it by registering abc.xyz.)
  • Other popular new gTLDs that were subjected to UDRP complaints included .club (24 domain names), .email (20), .website (15), .online (15), .pub (13), .moscow (11) and .paris (10).

Although the limited popularity of most new gTLDs and their staggered launch dates probably mean it's too early to know what impact they'll ultimately have on the dispute system, it's clear that domain name disputes overall are on the rise.

In any event, the increase in UDRP complaints indicates that trademark owners must remain vigilant about protecting themselves online, because cybersquatting remains a problem.

'Adult' Domains Pose New Challenges for Trademark Owners

The launch of new adult-related top-level domains is reminiscent of the early days of cybersquatting, when domain name registrants created pornographic websites that contained trademarks owned by well-known brands. The new TLDs -- .adult, .porn, .sex and .sexy -- pose new threats for trademark owners online, especially for those who don't want their brands associated with the adult industry.

(To be clear, by "adult," I am referring here of course not to the definition of the word as "fully developed and mature" but instead to the definition as "dealing in or with explicitly sexual material.")

Already, cybersquatters using the new adult TLDs have begun to target trademark owners online -- and, in some cases, the trademark owners are fighting back.

For example, complaints under the Uniform Domain Name Dispute Resolution Policy (UDRP) and the Uniform Rapid Suspension System (URS) have been filed over the domain names <audi.sexy>, <citibank.porn>, <ibm.sexy>, <linkedin.sex> (disclosure: I represented the complainant), <marlboro.sexy> and <verizon.porn>. All of the reported decisions have been in favor of the trademark owners.

In one UDRP case, simply associating the .porn TLD itself with a well-known trademark -- even in the absence of a website using the domain name -- was sufficient for the panel to find bad faith (one of the three requirements in every UDRP proceeding). In that case, the panel wrote:

Complainant argues that Respondent’s use of Complainant’s CITIBANK mark in combination with the “.porn” gTLD tarnishes the CITIBANK mark through falsely implying that Complainant is somehow connected to the adult entertainment industry. The Panel agrees and finds that Respondent has demonstrated bad faith.

This conclusion is an unusual -- but increasingly popular -- reference to the relevance of the TLD in a domain name dispute. (See "When is the Top-Level Domain (TLD) Relevant in a Domain Name Dispute?")

Still, the <citibank.porn> decision is consistent with numerous other UDRP cases involving adult-themed websites, even before the arrival of the new TLDs. Indeed, nearly 2,000 WIPO and more than 700 Forum decisions contain the word "pornographic."

For example, in a 2005 decision involving the domain name <holidayinnmanassas.com>, one UDRP panel wrote that "[i]t is well established that using another’s well-known mark to attract Internet users to a pornographic website constitutes bad faith use of the domain name." (Disclosure: I represented the complainant.)

Another 2005 decision involved the domain name <gapclothing.info>, which was linked to websites "displaying pornography and other adult content as well as links to other sexually explicit sites." In that case, the panel found bad faith even though it was obvious that the content was not related to the owner of the GAP clothing trademark, due to the trademark doctrine of "initial interest confusion." The panel said:

The present case involves the deliberate diversion of Internet users who intend to access a website connected to the Complainant and the taking of unfair advantage of the Complainant’s goodwill. It is the case that internet users who visit the Respondent’s website would be unlikely to be confused into believing that it was the Complainant’s website. However, in the view of the Panel and in line with other decided cases under the Policy, the deliberate creation of “initial interest confusion” and the consequent diversion of internet traffic is sufficient to establish bad faith on the Respondent’s part.

Interestingly, the new adult TLDs are not the first adult TLDs. As domain name watchers and many trademark owners know, .xxx was launched in 2011 (five years after ICANN first rejected it). But, .xxx has never proven very popular, and only 36 UDRP disputes for .xxx domain names have been filed at WIPO and the Forum in the past 4+ years. All but one of the decisions resulted in a transfer to the trademark owner.

So, if .xxx is any indication, .adult, .porn, .sex and .sexy might not create too many problems for trademark owners online. On the other hand, the existence of five adult-themed TLDs instead of just one certainly offers more opportunities for cybersquatters.

In any event, the UDRP (which allows a disputed domain name to be transferred) and the URS (which allows a disputed domain name to be suspended) are effective legal tools for any company that finds its trademarks registered in the new adult TLDs. If past decisions offer any lessons for the future, trademark owners generally should be successful in fighting these cybersquatters.