On October 28, 2019, Facebook filed a lawsuitagainst domain name registrar OnlineNic and its affiliated WHOISprivacy service, Domain ID Shield, in connection with the registration of domainnames that Facebook alleges are intentionally designed to mislead and confuseend users into believing that they are interacting with Facebook, given the useof various Facebook trademarks in the domain names. More specifically, the lawsuit raises claimsof cybersquatting under the United States Anti-cybersquatting ConsumerProtection Act (ACPA), trademark infringement, false designation of origin, andtrademark dilution. Among the 20 domainnames specifically mentioned in the lawsuit are facebook-pass.com,facebook-pw.com, www-facebook-login.com, www-facebook-pages.com,iiinstagram.com, login -lnstargram.com, and m-facebook-login.com.
In the complaint, filed in the US District Court for theNorthern District of California, Facebook says it took legal action becauseOnlineNIC has not been responsive to its reports of abuse regarding the variousdomain names registered through OnlineNic and Domain ID Shield that makeunauthorized use of Facebook’s trademarks. It also notes in the lawsuit thatwhen Facebook requested that OnlineNic disclose the underlying registrant datafor the domain names (shielded by Domain ID Shield), OnlineNic did not providethis information. Facebook states thatit proactively reports instances of abuse with domain name registrars and theirprivacy/proxy services, and often works with them to take down maliciousdomains but some registrars, like OnlineNic, do not investigate or even respondto abuse reports, despite ICANNrequirements mandating that they do so. The lawsuit further notes that OnlineNic has ahistory of harboring cybersquatting and other forms of domain abuse, citingInternet security group statistics identifying OnlineNic as the managingregistrar for domains reported for abuse in approximately 40,000 instances, andidentifying OnlineNic as one of the top 20 domain name registrars used forabusive domain name registrations.
OnlineNic has been the subject of several previous lawsuitsby major brand owners. For example, thedomain name registrar was ordered to pay $33.15 million dollars in damages toVerizon Wireless in 2008 for registering over 660 domain names that wereconfusingly similar to the VERIZON mark (pursuant to a default judgment). Yahoo! Inc. and Microsoft Corporation havealso previously sued OnlineNic on similar grounds, and the registrar and itsprivacy service affiliate have been the respondents in multiple administrativecomplaints filed under the Uniform Domain-Name Dispute-Resolution Policy (UDRP).
Facebook publicly stated that they “don't want people to bedeceived, so [they] track and take action against suspicious and misleadingdomains, including those registered using privacy/proxy services that allowowners to hide their identity.” The lawsuit comes at a time when changes toglobal privacy regulations has made it more difficult to identify and takeenforcement action against bad actors online. When the European Union General Data Protection Regulation (GDPR) wentinto effect in May 2018, ICANN implemented globalchanges to its domain name registration data processing rules thatapplied nearly-global redactions to most domain name registrationinformation. Historically, thisinformation has been available to law enforcement authorities, cybersecurityprofessionals, and brand protection agents and facilitated relatively rapidinvestigation and response to online abuse. Now, the vast majority of thisinformation is not publicly available, and legitimate users of the data must goto each individual registrar with ad hoc requests for the data. In many cases,registrars refuse to disclose the data without a court order or simply fail torespond to requests at all – a problem that ICANN itself refuses to address aspart of its contractual compliance program and remains unresponsive to the communitiesrequest to move forward with the privacy and proxy policy implementation. Accordingly, while a few registrars areworking in good faith to provide such data to legitimate third-parties forlegitimate purposes, the vast majority have proven uncooperative.
OnlineNic represents just one of many such registrars, andFacebook’s lawsuit is a natural product of the post-GDPR environment that hasseverely restricted the self-help tools available to those who work to mitigateabuse in the DNS. Hopefully, the lawsuitspurs other registrars to take more seriously their obligation to providereasonable access to non-public domain registration data for legitimateconsumer protection related purposes. Inaddition, it very starkly illustrates the need for a unified system foraccessing non-public domain registration data for these legitimatepurposes. Although the ICANN communityis developingsuch a system, its progress has been slow and recent estimatessuggest that no such system would likely be implemented until at least 2021.
We would encourage other brand owners tocarefully document instances of registrar recalcitrance in disclosingregistrant data for brand enforcement or other consumer protection efforts orin otherwise adequately responding to well-founded reports of domain nameabuse. This material should also besubmitted to the ICANN Compliancedepartment where a registrar has not met its basic obligation to appropriatelyreview and respond to reports of abuse and provide reasonable access tonon-public registration data for a legitimate purpose. Where these problems have been consistentlyand pervasively inhibiting your enforcement program, or where particularregistrars have been especially uncooperative, additional legal action akin toFacebook’s lawsuit might be warranted. Ultimately, it is consumers and Internet users who suffer most in theface of unmitigated phishing, fraud, counterfeiting, and other cybercrime.