|
The year 2017 turned out to be a record-setting year for domain name disputes, in two ways: The number of complaints filed as well as the total number of domain names in those complaints.
Specifically:
• The number of cases at the World Intellectual Property Organization (WIPO) crept up to 3,073 from 3,036 in 2016 (the previous record), a modest gain of just over 1 percent.
• Those cases included 6,370 domain names, up from 5,354 in 2016 (also a record-setting year), a spike of nearly 19 percent.
The 19 percent increase in the total number of disputed domain names is perhaps the most striking trend and is attributable to a number of large cases that included multiple domain names. As a result, the average number of domain names per case rose to 2.07 in 2017 from 1.76 in 2016. (See “Benefits and Challenges of Multiple Domain Names in a Single UDRP Complaint.”)
As always when I write about domain name dispute statistics, these numbers represent filings at WIPO, the only one of the five ICANN-accredited service providers under the Uniform Domain Name Dispute Resolution Policy (UDRP) that publishes real-time and detailed data. Therefore, the total number of UDRP filings and disputed domain names in 2017 was actually much higher (the Forum typically handles nearly as many cases as WIPO)—but, because WIPO is the largest UDRP provider, its statistics are indicative of trends in domain name disputes.
The record-setting year makes clear that domain name disputes are not going away and that the 18-year-old UDRP remains an important tool for trademark owners to fight cybersquatters. (See “How to Resolve a Domain Name Dispute.”)
The filings also show that cybersquatting is still a lucrative activity but also that the UDRP is a popular way to combat it.
As a result, comments from WIPO Director General Francis Gurry made in 2017, when reflecting on the previous record-setting year for domain name disputes in 2016, remains true today: “The continuing growth in cybersquatting cases worldwide shows the need for continued vigilance by trademark owners and consumers alike. This is even more important as a considerable number of these disputes involve incidents of online counterfeiting.”
While .com remains the most frequently disputed top-level domain (TLD) (followed by .net and .org), the new gTLDs are also partly responsible for an increase in UDRP complaints, with four new gTLDs among the top 10 appearing in disputes in 2017: .store, .site, .online, and .xyz. (See “.site Domain Names Eclipse .xyz in Dispute Proceedings.”)
An increase in phishing-related scams (where cybersquatters use domain names to impersonate others as part of an attempt to extract information from unsuspecting victims) also probably contributed to the larger number of domain name disputes. (See “Fighting Phishing with Domain Name Disputes.”)
Sponsored byRadix
Sponsored byVerisign
Sponsored byDNIB.com
Sponsored byVerisign
Sponsored byWhoisXML API
Sponsored byCSC
Sponsored byIPv4.Global
“An increase in phishing-related scams (where cybersquatters use domain names to impersonate others as part of an attempt to extract information from unsuspecting victims) also probably contributed to the larger number of domain name disputes.”
Doug, how many UDRP disputes involved names involved in phishing, by which you measured this “increase”?
If one is a mark owner, for example a bank, and there is a phishing scheme going on, the timeline of the UDRP makes it an inefficient and ill-informed mechanism for dealing with it. At a minimum using the most optimistic assumptions - default situation, 20 day response time, 14 day decision time, 10 day post-decision transfer time, and immediate formal compliance check with the dispute resolution provider - using a UDRP as a vehicle to address phishing is a 44 day response.
That’s a completely ridiculous time period to have a phishing site in operation, which is why the UDRP is typically not used to address the tremendous volume of phishing incidents by those who use the appropriate tools.
But it would be interesting to know the numbers you used, Doug.
My observation is anecdotal (based on closely following this area), but a search of WIPO decisions shows “phishing” in 361 decisions for 2017; 294 decisions for 2016; and 175 decisions for 2015. I’ve not read all of the decisions but believe this indicates an increase.
I agree the UDRP is not ideal for fighting phishing, given the timeline you describe, but that hasn’t stopped trademark owners from using it—including banks, to use the example you cited. For example, in a UDRP case filed by Comerica Bank for the domain name
, the decision says: “The disputed domain name… was used in a phishing scam involving a clone of the Complainant’s website with a fraudulent log-in screen.”
I’m sure Comerica would have loved a quicker remedy, such as the URS (but it does not apply to .com).
Doug, you are considered an expert in this field. Perhaps there is a difference in academic perspectives, but my understanding is that when one makes a quantitative statement, then the expert is assumed to be basing the quantitative statement on actual data. Saying something has "increased due to X" based on a "hunch" or "closely following this area" is not a proper quantitative basis for what you said. We used to live in a world where one could expect authorities to state facts reasonably based on data, and not to propose hunches, guesses, or flat-out misinformation as "facts". Of course, especially for those of us in the US, it is quite obvious that "opinion stated as fact" is good enough as "fact" for many. Following that up with one anecdote and a keyword count of the word "phishing" is not a proper basis to assess how many times, in any of the years you mentioned. For example, the word "phishing" appears in all of the following UDRP decisions: D2017-1233 Complaint denied D2017-0167 Complaint denied D2016-2347 Complaint denied D2016-1506 Complaint denied D2016-1350 Complaint denied So, yes indeed, there are lawyers who will approach all problems as nails if the only tool they have is a hammer. But it is beyond clear that: 1. Simply because there are people who use this remarkably slow and inefficient tool to play whack-a-mole with phishing, does not make it an advisable course for anyone with a serious security interest in phishing takedowns. 2. The keyword "phishing" within the text of a UDRP decision is not a reliable indicator or mechanism of counting how many times the UDRP was employed to take down a phishing site. Quite obviously, I have "anecdotally" provided five cases to your one, in which the word "phishing" appears in the text of a UDRP decision in which the complaint was denied. So if we go by "who has more anecdotes" as a substitute for a quantitative basis for a quantitative statement, does five beat one? Pretty obviously the text of UDRP decisions include the text of allegations made therein, whether they were actually present or not (or whether the word 'phishing' appeared for other reasons such as a catalog of generally abusive behaviors whether present in the case or not). And now someone is going to run off and say "Berryhill supports phishing". No, I don't. What I do support is intellectual honesty. You do not know how many times the UDRP was used in 2017 to take down phishing sites. You do not know how many times the UDRP was used in 2016 to take down phishing sites. You have no quantitative basis for stating "An increase in phishing-related scams (where cybersquatters use domain names to impersonate others as part of an attempt to extract information from unsuspecting victims) also probably contributed to the larger number of domain name disputes." You have further made it clear in your follow-up that this was just something you believe. I have a lot of respect for you Doug, and it is only out of respect that I would suggest - as with your "hunch" about new gTLDs which you had to backtrack from previously - that you take your platform as an expert seriously, and that when you make a factual statement of some kind that you have a factual basis for it. We see enough non-factual argument in policy areas of all kinds. If you want to propose a testable hypothesis, then you can use a word like "maybe" instead of "probably". Words like "probably" and "increase" have meanings. Your statement, based on a hunch, might even be quantitatively correct. But "guessing right" is not a substitute for having a factual basis for a statement proposed as a fact. That's all.
Finally, in order to make a quantitative statement about the incidence of anything, you have to normalize the data to the size of the sample. For example, if domain name registrations increased by, say, 10%, and abuse increased by 5%, then the incidence of abuse DECREASED. Yes, the raw number is an increase, but this is like saying "there are more congenitally blind people in the US today than there were in 1800" as a basis for concluding that preventive efforts to combat congenital blindness are a failure. This is pointed out every year, and then ignored every following year when the same half-baked statistics and assumptions are trotted out. Now, sure, in a world where a talk show host is taken as an authority on vaccinating children against disease, these sorts of numbers sound meaningful. But I would put it to you, Doug, and we will have the same January conversation next year, as we do every year, that the "increase in UDRP cases" is most likely due to the "increase in domain registrations". The last time we crunched those numbers, we found that the simple increase in domain registrations proportionally exceeded the increase in domain disputes. Since you are an expert, Doug, and I will tell you I haven't crunched this years' numbers, would you care to guess what is "probable" in those terms - i.e. Do you believe, without looking, that UDRP cases increased by a greater proportion than domain name registrations in 2017? Yes or no? Because if it turns out that domain registrations subject to the UDRP increased by a greater proportion than UDRP cases, then the increase in UDRP cases is "probably" a consequence of there being more domain names. Period. It's just hard to believe this has to be explained on an annual basis.
I just noticed that the domain name got stripped from my previous comment. The domain name used in a phishing scam against Comerica Bank is the (ironic) typo conmerica.com. Here’s the UDRP decision: http://www.wipo.int/amc/en/domains/search/text.jsp?case=D2017-1686
So now I made a typo of my own (which inadvertently confirms the problem)! The subject line in my previous post should have been, of course, “Comerica phishing case” (not “Comercia”).
A third record broken in 2017 is that the 35 findings of abuse of process (reverse domain hi-jacking) in cases initiated in 2017 at WIPO exceeded the number of instances of abuse of the policy than any other year in the history of the UDRP.
As a proportion of WIPO UDRP cases, this works out to around 1%.
If we take UDRP cases as a measure of domain abuse, it becomes clear that the incidence of domain abuse is proportionally lower than the incidence of abuse of the process designed to remedy domain abuse. Perhaps someone will come up with a better metric and some actual data, so it may or may not be reasonable to believe that as many as 1 out of every 100 of domain name registrations are abusive. But if the process itself does turn out to have a greater incidence of abuse than the system which it is intended to regulate, I would suggest there is a problem there.