Saturday, March 31, 2012

Point-Counterpoint: gTLDs Will NOT Become a Haven for Cybersquatters

Since first learning of the new gTLD program, I have been trying to determine a way for cybersquatting a gTLD to make sense. This is of course the first reaction of every commentator (check IPwatchdog’s coverage here for an example). ICANN comes back with mentions of steps to address this, but they generally ring hollow as descriptions of procedural steps that most do not trust the company to fairly or accurately enforce.

My take, from the beginning, has been that cybersquatting will not be a major issue in the new gTLD period.

1. The cost alone is prohibitive

ICANN requires a $185,000 application fee. This alone should deter almost any cybersquatter. Even at the height of the domain name speculation frenzy, I cannot recall transfers going for such high amounts. A cybersquatter would need to know that she could either generate this in sales through further registrations, or generate a lot of ad revenue.

The $185,000, however, is not the full cost. Operation of a gTLD will cost a minimum of $25,000 per year, although ICANN urges potential registrants to expect close to $100,000. For most, it will require a subcontractor to administer the domain. Cybersquatters tend to be opportunistic, looking for possible typos or search engine friendly variants that can be cheaply registered, monetized for a few months, and then cheaply dumped when the rights holder takes action.

2. The objection procedures are adequate

ICANN has developed some objection procedures (see my coverage here) to address potential cybersquatting (or other misuse). The legal rights objection follows basic trademark and UDRP theories for preventing potential cybersquatting dispute. The application period requires a background check into previous domain name registrations for evidence of cybersquatting. The registrations can only be pursued by individuals or companies in good standing.

On their own, these procedures might not be enough. Coupled with the high barriers to entry, I think they will generally prove adequate.

The biggest concerns with the objection procedures are the inherent and existing problems with UDRP proceedings. Reviews of cases have shown evidence of copying and pasting decisions (including in egregious examples the wrong domains!), the inherent bias in that the objector brings the proceeding, and therefore the fee, the inadequacy in number and training of the expert panelists, and the brevity of the proceedings. A company which has invested $185,000 plus could lose their entire application (and fee) over a proceeding where the entire filing needed to be less than 5,000 words or 20 pages.

3. History indicates this will not lead to a dramatic increase in cybersquatting

If nothing else, the gTLD period is highly unlikely to suddenly diverge from the history of adding top level domains and create an explosion of cybersquatting. Top level domains are added from time to time in the regular course of ICANN’s business, and each time there is potential cybersquatting issues. .xxx was recently heralded as the beginning of a long fight for legitimate interests to root out their porn cybersquatters. Instead, most pre-registered their domains and simply redirected them, otherwise the problems seem to mostly be between various companies fighting within the .xxx space. When Tuvalu was granted its own ccTLD of .TV, there was promise of a great new webspace for televisions websites. And yet today, .TV is almost unheard of.

Even if a cybersquatter is able to grab a .brand gTLD, it will still require users to actually type that address into their browser. All signs point to .com continuing as the default. Thus, cybersquatters will be forced to pay for advertising on top of the other fees to make a profit.

Next post, I will do a counter-point with the potential ways a cybersquatter COULD take advantage of a gTLD.

Tuesday, March 27, 2012

Behind the Headlines: Can Facebook Trademark "Book" in the User Agreement?

Recently, there has been a series of headlines proclaiming that Facebook is attempting to trademark the word “book” by placing it in the Statement of Rights and Responsibilities (pretty much the Terms of Service). The exact language reads as follows:
“You will not use our copyrights or trademarks (including Facebook, the Facebook and F Logos, FB, Face, Poke, Book and Wall), or any confusingly similar marks, except as expressly permitted by our Brand Usage Guidelines or with our prior written permission.”
As pointed out by Wired and the other sources covering this, there really is no way to use Facebook without accepting these terms. Therefore, the articles posit, Facebook must be gaining control over the word book! Wired even quotes a University of Minnesota Law Professor stating that trademark rights are about use, not registration.
While this is all true, the actual way this functions is much more complex. True, trademark rights are built around use. Facebook controls some of this, by using the same logos and phrases they become associated with the product, and thus trademarks. However, obviously letting a company gain trademark rights simply through use is self-serving. The other piece is that a trademark gains strength through secondary meaning, or when the public at large begins to associate the mark with the company.
Thus, as some of the articles hint at, by making users agree that “book” is a trademark of Facebook, it does strengthen Facebook’s rights. Trademark disputes almost always contain evidence of “fame” which literally means how famous or well known a mark is. This can be demonstrated through sales, advertising, and often simply market research consumer surveys. Theoretically, Facebook could argue in the future, everyone who uses our site (in other words almost everyone who has internet access) agrees that book is our trademark.
The problem, however, is that it is unlikely that a term buried in the agreement will make much of an impression on consumers. You could probably ask 100 consumers what Facebook protects in their Rights and Responsibilities, and it is likely that none of them will be very accurate. Simply placing this language in the Terms is not going to get Facebook a trademark.
The real strength is slightly more sinister. When news outlets, including Wired and NBC, ZDnet, and Entertainment Weekly cover it, more and more people become aware of it. In fact, even non-Facebook users are probably aware of this, simply from reading the headline. Worse still, it could be possible for many readers to see the headline “Facebook making trademark claim on word ‘book’” (direct quote from Entertainment Weekly). Now, if we go back to that hypothetical survey of the general public, when asked what Facebook’s trademark terms are, users may say “Oh, book!” thinking back on these articles. Evidence which Facebook could then assert against others, and which may have some weight.
And that, my friends, is the true genius behind this move. Facebook knows that people watch its legal terms for evidence of privacy abuses or other sliminess, and also that the traditional arguments for a trademark of the term “book” are incredibly difficult. Instead, Facebook has taken advantage of this, and used it to their advantage.

Saturday, March 24, 2012

NYC to Register .NYC gTLD

New York City has formally stepped forward and announced their intention to register a .nyc gTLD with ICANN. (Read articles here and here.) Although the official confirmation is welcome, this cannot be called a complete surprise.

New York has wisely decided to use an existing registry operator to administer the domain. This is also a predictable step. The costs, both financial and technical, with administering a gTLD are considerable. In fact, I would fathom that there is no way New York could muster the technical strength during the application period without sub contracting to an existing registry operator.

New York City has also given some guidance on what they plan to do with their gTLD, stating that businesses and users will have to show “a substantial and lawful connection” with the city or (according to an unquoted article) a “nexus” to the city.

Obviously, the difficulty then becomes how to define such a connection. Lawful seems clearly designed as an excuse to root out cybersquatters (and I suppose operators of unlawful, but New York City based businesses. We will have to wait for, but what is “substantial?” Does it mean a physical address? Within the five boroughs?  What if I am just outside the city limits? Also, isn’t requiring a physical address counter-intuitive to an internet based initiative? If I want to have, am I forced to surrender it when I have children and move to the suburbs?

The second issue is even more interesting (at least to me): under what scheme will these rights be handled? A web address is almost a property right, a location over which the owner has the right to exclude others from. Will New York City use existing real property law? Will registry operator Neustar get to decide? Will New York City set up an administrative code to decide?

The obvious answer is to simply let current law, including WIPO and UDRP procedures, control. The danger with this path is that it does not clearly provide authorization for domain name seizures.

This announcement is not all doom and gloom, however. Imagine if the city undertook an initiative to give resident’s virtual addresses corresponding to their physical address. I could have an email address that was the same as my mailing address, reducing reliance on the slower and more costly physical mail systems. There are some interesting possibilities. Will advertising be equally expensive on as it is at the real location?

Wednesday, March 21, 2012

What Happens to Companies that Get Hacked?

As our world continues to grow more connected and more of our services move online, a host of new problems have developed. One such problem is hacking, or compromising otherwise secure networks. Interestingly, hacking can take several forms. It may have a criminal elements, such as attempting to gain access to financial records, or hacking to disrupt essential computer systems. It may be designed to embarrass and humiliate, such as hacking social networks for private photos or to send inappropriate messages from a user's account. It may also be used as a form of guerrilla protest, or an attempt to vandalise.

Hacking now receives significant media coverage, as mainstream networks have covered the "lulzsec" and "anon" activities. Even the Sony PlayStation Network scandal was well publicized, even though it was contained within the PS3 network. The coverage drops, however, once the system has been restored, but what actually happens to the users who are hacked?

One possible remedy is an FTC case. According to the stipulated facts, on January 4, 2009, a brute force password guessing program was able to break into a Twitter users administrative account. Once accomplished, the hacker had access to every Twitter users profile, account settings, and both protected and public Tweets. This user, among other things, sent messages from Barack Obama's account offering free gasoline cards.

Disabling webcams doesn't have the same criminal panache as a good ol' fashioned ski mask.
On April 27, 2009, it happened again, when a hacker was able to break into a Twitter users personal email account (Twitter had a policy of not providing employees with work email accounts, and instead encouraged them to use a personal one). This time, the hacker went a reset the passwords of several users, and accessed private accounts.

The FTC challenged Twitter on two counts, the first that Twitter represented that it had taken reasonable security steps to protect information when it had in fact not, and that it represented to users that it would honor the privacy of a users settings.

The FTC entered into a consented order with Twitter to resolve the case (as expected). The settlement included several very specific steps Twitter must take to ensure compliance.

The first was to designate an employee or employees to be responsible for Twitter's information security plan.

The second was to identify reasonably foreseeable risks, both internal and external, that could create risk of intrusion. These risks included the areas of employee training and management, information systems including network and software design, and prevention, detection, and response to attacks. Twitter was also required to design and implement a plan to address these risks.

There also was a separate sub paragraph directing Twitter to maintain the privacy of user information, not just from outside sources but also internally. The FTC gave an outline of possible sources of verification and testing of the security and correctness of these implementations.

This agreement gave Twitter 60 days to implement the agreement, which was slated to last for 20 years.

There are a few takeaways from this case. First, you clearly do not want to FTC to have reason to issue such a complaint against your company. As a part of this agreement, Twitter does have some strict and onerous requirements. However, the order also makes it clear that Twitter had incredibly lax security policies. The cracked password was a short, all lowercase, dictionary word that was guessed by a brute force program, that simply guessed basic words, submitted them, and then tried again. The FTC noted also that Twitter did not have a policy of expiring passwords, of assessing password strength, or even of locking out users from repeatedly guessing.

Secondly, it appears that Twitter opened itself up to some liability in the realm of privacy. The FTC noted that Twitter repeatedly asserted that direct messages and protected tweets were private, when in fact every single Twitter employee had access to them. Although not explicitly stated, it does appear that if Twitter had disclosed that employees could access private user content, there would have not been a case.

Tuesday, March 20, 2012

gTLDs and Property Rights: Legal Rights Objection

With the opening of the top level domain space, ICANN and the Internet community face a potential wave of new infringers and cybersquatters. ICANN has openly discussed the possible issues, and has put forth a procedure for addressing them. The gTLD Applicant Handbook describes the “Legal Rights Objection” as the best remedy for a proposed gTLD that infringes an existing legal right.

ICANN contemplates several possible standards that are very similar to trademark law. The applied for string may not take “unfair advantage of the distinctive character or the reputation” of an established mark. A second impermissible use is one that “unjustifiably impairs the distinctive character or the reputation” of the existing mark or name. Finally, the proposed string must not “otherwise create[] an impermissible likelihood of confusion” between the applied for string and the existing mark.

The existing legal right is proposed to exist in either a registered or unregistered service mark. Despite using language generally consistent with trademark principles, there are other legal rights contemplated. For example, very specific language describes the possibility of an IGO organization’s name or acronym as an existing legal right which new gTLDs must stay clear of. Although generally an IGO should register for rights in the various locations that it operates, ICANN specifically calls them out. Perhaps this is ICANN’s attempt to recognize the completely international nature of the internet domain space.

Interestingly, ICANN describes separate standards for evaluating a legal rights objection based on trademark rights or an existing IGO. There are eight non-exclusive factors for evaluating an objection based on trademark rights.

The first is whether the applied-for gTLD is identical or similar to the legal rights objector’s mark. This can include in appearance, phonetic sound, or meaning.

The second is whether the objector’s acquisition and use of rights in the mark has been bona fide. This rule seems to be contemplating the possibility of a “reverse troll,” that is a case where the applicant is a bona fide user, and the objector is a holder of a trademark for reasons other than legitimate use. An interesting issue that may arise are situations where both the objector and the applicant lack bona fide rights to the particular mark.

The third factor is a single lengthy sentence; “Whether and to what extent there is recognition in the relevant sector of the public of the sign corresponding to the gTLD, as the mark of the objector, of the applicant or of a third party.”  The “public recognition” may be a fame or secondary meaning analysis; however it is important to note that the “relevant sector” of the public must be considered. It is unclear if this is similar to a “channels of trade” determination or if there are other divisions. Could a trademark holder without a significant online presence be blocked from challenging an otherwise infringing gTLD string because the “relevant sector” includes only internet users?

The fourth factor considers the applicant’s intent in pursuing the registration. This is further defined by sub-factors. The first is whether the applicant had knowledge of, or “could not have been reasonably unaware of,” the objectors existing mark. The second is whether the applicant has previously engaged in registering or operating confusingly similar domain names. ICANN has clearly considered the possibility of various opportunistic possible registrations, including those that are fundamentally infringing or in bad faith. However, ICANN has also chosen to include a knowledge requirement.

ICANN has instructed dispute resolution providers to consider the extent the applicant has prior use with the mark, which can also be proven through “demonstrable preparation to use” the mark with goods or services “in a way that does not interfere with the legitimate exercise by the objector.” This factor would give weight to co-existing marks or previous settlement agreements. However, this could spell trouble for licensors who have given licensees permissions to use the licensor’s mark.

The sixth factor is to consider the applicant’s other intellectual property rights in the same sign or mark, and again, if those rights were acquired bona fide. This inquiry should extend to one question further, however, and also consider whether the use of the gTLD will be consistent with the applicant’s other intellectual property rights in the mark.

The seventh factor succinctly asks “to what extent the applicant has been commonly known by the sigh corresponding to the gTLD” and if the planned use of the gTLD will be consistent with this prior use.

The eighth and final factor asks if the applicant’s “intended use of the gTLD would create a likelihood of confusion with the objector’s mark as to the source, sponsorship, affiliation, or endorsement of the gTLD.” This has the potential to be a powerful tool for objectors who desire to block a similar gTLD registration. The applicant could have full rights to the mark, be using the mark in bona fide good faith, and could otherwise not be infringing in any way on the objector’s mark, but the objector could still make a strong case for the disallowance of the gTLD.

It is important to remember that the legal rights objection process has an important distinction from the string contention process. String contention (covered here) is designed to resolve disputes between competing interests where each party is attempting to register a gTLD. With the legal dispute process, an objector would be likely attempting to block a gTLD registration without filing their own or filing their own but under a different mark.

This perhaps may be the best evidence of ICANN’s good faith in opening the gTLD space for registration. While each new gTLD operator will provide significant financial compensation for ICANN, as well as furthering ICANN’s stated goals of access and openness, the legal rights objection could actually stop both of these from occurring. A strong objector could theoretically close down a variety of potential gTLDs if they already had a strong enough mark.

Sunday, March 18, 2012

Are Google Keywords Protectable?

Mary Kay, Inc., v. Amy L. Weber
601 F.Supp.2d 839

This case answers the age old question, “When is a touch of pink a touch too much?”

Mary Kay is a distributor and wholesaler of cosmetics. Mary Kay relies primarily on a network of independent sales representatives to sell the products to consumers. In Mary Kay parlance, they are Independent Beauty Consultants (“IBCs”) and the top one each year gets a special pink Cadillac as a reward (Fun fact: This is the only example of a custom color created by Cadillac). At the time Defendant Ms. Weber was involved, Mary Kay simply sold the products to the IBC, who then disbursed with them as she saw fit. Mary Kay had no influence over the price or methods, but did require each IBC to order at least $200 worth of product each month.

Ms. Weber appears to have done this for some time, but eventually stopped placing orders. To dispose of her leftovers, she began selling on eBay. Ms. Weber found a ready market, and began buying and selling Mary Kay products through eBay, eventually setting up her own eBay store, “marykay1stop.” When marykay1stop came to the attention of Mary Kay, legal letters were exchanged, culminating in a conversation with a paralegal at Mary Kay. As a result, Ms. Weber changed the name of her store to Touch of Pink and registered

Doubt Ms. Weber will be driving one of these anytime soon.
Ms. Weber asserted fair use as an affirmative defense. After a look at the relevant case law, the court found that using a trademarked name to attract search results is protected through fair use. The court noted, citing a law review article, that Internet search engines would be rendered useless if sellers were not allowed to include trademark names as search terms. Fairly describing a cosmetic as Mary Kay brand is an accurate description that enables users to find what they are looking for. This was held despite the fact that Ms. Weber had purchased 79 Google keywords relating to Mary Kay at a cost of $20,000 per month.

The court did note that even if the fair use defense was available to the defendants, there was still a likelihood of confusion analysis. The court used the “digits of confusion” test, including the following seven factors, reviewed in turn.

1) The type of the mark allegedly infringed and 2) the similarity of the two marks: The court found these to be nearly identical.

3)The similarity of the products or services: Again, they are nearly identical.

4)The identity of the retail outlets and purchasers: Neither had retail outlets, but both sold to individuals interested in Mary Kay cosmetics. Although Mary Kay sells through IBCs, they also make products available directly through their website.

5)The identity of the advertising media used: Both use Internet based advertising, including Google.

6)The defendant’s intent: The court looked to the disclaimer stating that there was no relationship between the Weber site and Mary Kay. The court noted that it was hidden on the bottom of the About page, and furthermore that such disclaimers do not carry evidentiary weight if they are confusing or not prominently displayed. Overall, the court found this factor to weigh neither for nor against confusion.

7) Any evidence of actual confusion: There was evidence of at least one customer of Ms. Weber contacting Mary Kay customer service, as well as a market research survey conducted by Mark Kay. There were evidentiary issues which mostly discounted the survey, but overall the court found evidence weighing in favor of confusion.

Weighing these seven factors, the court found that there was a genuine issue of material fact as to confusion, and based on this, denied summary judgment for defendant Weber.

This case contained a careful analysis of Internet business principles. The court was able to draw distinctions between print and online advertising, and also thoughtfully understood the use of trade names as search engine identifiers. It appears that this was the last time this case was before a judge, so we unfortunately do not get to read the dramatic conclusion.

Thursday, March 15, 2012

Subpoenas Issued for Twitter Accounts

Apparently New York prosecutors are issuing subpoenas for the Twitter accounts of Occupy Wall Street protestors. Although this is generally outside the scope of this blog, it is interesting to note the new role of the Internet in legal proceedings. It appears that prosecutors are looking towards the tweets as evidence of knowledge of the illegality of the protestor's actions.

The protester mentions in the article that all of his tweets are public, and still posted. He suggests that this negates the need for a subpoena. However, courts have previously held that publicly available information  that tends to suggest the possible existence of private information is discoverable in civil cases.

Wednesday, March 14, 2012

gTLDs and Property Rights: String Confusion

ICANN's Applicant Guidebook (Jan. 2012 revision available here) lists several objections to proposed gTLD domain names. One such possible objection is string confusion. The string confusion objection is designed to prevent similar top level domains from registering, resulting in confusion. ICANN has established that “string confusion exists where a string so closely resembles another that it is likely to deceive or cause confusion” and that “it must be probable, not merely possible that confusion will arise in the mind of the average, reasonable Internet user.” ICANN's Applicant Guidebook, 3-18. ICANN further clarifies, “Mere association, in the sense that the string brings another string to mind, is insufficient to find a likelihood of confusion.” Id.

Despite using language similar to the likelihood of confusion standard from trademark law, the string confusion objection as contemplated by ICANN is designed to protect against a uniquely Internet issue. Computers can read any variation in domains as unique, but humans are more likely to confuse them if they share similarities in pronunciation or appearance. Therefore, while the website "www.lawschoolrulez.adobodobanana" is located at a completely distinct and separate address as "www.lawschoolrulez.adododobanana," most users (read: humans) would struggle mightily with even appreciating the distinctions.

ICANN further notes that “mere association” between two proposed strings, or a string which “brings another string to mind,” are both insufficient grounds for a string confusion objection. Applicant Guidebook, 3-18. Again, this is because a string confusion objection is not a trademark remedy. It is uniquely related to our own inability to perceive small variations in complicated, unfamiliar character strings.

In the far flung future, when our machine overlords download their history into their mechanical offspring, I hope they cite this article as evidence of our inferiority.