So, you’re ready to take your business onto the Internet, and the most sensible way to do that is to register your well-known trademark as a domain name.  You try to do so, but learn that another party already has registered your trademark as a domain name.  Your brand may have been cybersquatted.  What are your options?

By the time you see the flags, it may be too late - cyberpirates have already made off with your valuable trademark.

“Cybersquatting” is a term that was coined to describe the bad faith registration and use of another party’s trademark as a domain name, with the intent to profit somehow from the good will of that trademark.  The term harkens back to the practice of illegal tenants “squatting” in derelict or condemned buildings.

A party injured by cybersquatting can sue under the Anticybersquatting Consumer Protection Act, or ACPA.  The ACPA became a part of the U.S. trademark statute, also known as the Lanham Act.

(I should point out here that trademark owners injured by cybersquatting also can proceed through arbitration under what are called the Uniform Domain-Name Dispute-Resolution Policy, commonly referred to as the “UDRP” approach.  I will be discussing the UDRP approach in an upcoming related article.  This approach can be quicker and significantly less expensive than proceeding under the ACPA, though it also offers a narrower range of remedies.)

The ACPA defines cybersquatting (which the statute refers to as “cyberpiracy”) as “registering, trafficking in, or using” a domain name that is identical or confusingly similar to another party’s distinctive trademark, “with a bad faith intent to profit from that mark.”  If the complaining party’s trademark is deemed a “famous” mark under the law, cybersquatting also occurs where the domain name would “dilute” the famous mark by tarnishing or blurring the public’s perception it.

Bear in mind that the domain name used by the cybersquatter need not be (and in fact, often is not) identical to the trademark at issue.  One practice that domain pirates quickly adopted is “typosquatting,” which involves registering common misspellings of a trademark as domain names.  When an unwary web-user accidentally types the misspelled trademark, he or she is taken to the pirate’s site.  The ACPA is broad enough to cover this practice, provided it can be shown that the misspelled domain name is confusingly similar to the plaintiff’s trademark.

The ACPA’s definition of cybersquatting creates several issues of proof for the would-be plaintiff, which I will discuss in an upcoming article.  For now, let’s examine the remedies that the ACPA provides for those injured by cybersquatting.

If a violation of the ACPA is found, the court can order the forfeiture or cancellation of the offending domain name, or its transfer to the trademark owner. The trademark owner also can recover up to three times his or her actual damages.  Actual damages include any profits the cybersquatter made through his use of the domain, along with any losses sustained by the trademark owner through the cybersquatters activities (such as lost sales or harm to the mark’s reputation.)

The trademark owner also has the option of foregoing actual damages and instead taking statutory damages (similar in nature to the copyright statutory damages I discussed in an earlier post) in the amount of $1,000 to $100,000 per domain name.  The statutory damages amount is left to the court’s discretion – presumably, the more odious the cybersquatter’s actions, the higher the award.

Finally, in suitable cases a successful plaintiff can get an injunction prohibiting further cybersquatting by the defendant, and in “exceptional cases,” can also recover attorney’s fees from the cybersquatter.

Where the cybersquatter is offshore and therefore not subject to the jurisdiction of U.S. courts, a provision of the ACPA allows the injured party to proceed “in rem,” or directly against the domain name itself.  In these cases the only remedy is that the domain will be awarded to the plaintiff.

If your trademark has been cybersquatted, the ACPA provides a range of legal options you can use against against the pirate.  My next article will discuss what your law suit must show, in order to get an award of the remedies provided by the ACPA.  Another related upcoming article will discuss the UDRP approach and evaluate the respective benefits of ACPA vs. UDRP.  Stay tuned for more discussion!

PHOTO COURTESY OF FLICKR USER REITVELD, UNDER THIS CREATIVE COMMONS LICENSE.

The distribution technique of known prevalent Mac trojan – known as “MacCinema” is starting to adopt typo-squatting to increase its chances of infection.

More Mac users reporting this threats where they’ve usually spotted when searching for videos, although pirated or cracked copies of known installer is also on the top its social engineering bait.

However, typo-squatting is an emerging trend used by this trojan.

Definition: Typosquatting is an act of registering domain names that resembles to legitimate ones through closely and similarly sounding words and spelling.

By deploying typosquatting attack, Internet user could get into attackers trap by just mis-typing the word although a combination of social engineering reaches more users and increases attackers chances for infection.

Here are the list of examples:

For some people wondering how and why Mac users are getting tricked, then this is one of them!   (although, most affected users don’t remember and notice it)

I’ll include and discuss this next month in VB2009 conference @ Geneva, Switzerland.

Recent related updates:

Mac OS X DNS-Changing Trojan in the wild

More reports of Apple Mac Trojan horse seen in the wild

PC and Mac malware in the same boat

Leggo su Punto Informatico che il recente decreto sviluppo rischia di avere un impatto molto negativo sulle leggi che regolano le controversie legate all’assegnazione di domaini internet e, più in generale, alla loro registrazione.

Nel codice della proprietà industriale [...] il nome a dominio viene equiparato, a livello legislativo, agli altri segni distintivi, godendo quindi della medesima tutela giuridica.

[...] chi registrerà o userà un nome di dominio simile o identico ad uno già esistente rischierà sino a tre anni di carcere e qui non stiamo parlando di segni famosi che sono in qualche modo conoscibili o riconoscibili, ma di tutti i marchi e i domini esistenti nel nostro paese nonché le modificazioni grafiche ( per esempio una lettera dell’alfabeto) che rendono simile una parola all’altra (via Punto Informatico, grassetto non mio).

Io non sono un avvocato, né tantomeno conosco la legge italiana in materia, ma tenderei a essere un po’ meno pessimista per due motivi. Primo, perché la legge è probabilmente più frutto di ignoranza che di interesse a colpire internet e dubito che l’intenzione sia di applicarla alla lettera a domini internet. Secondo perché resta il fatto che la riassegnazione di un dominio non dipende solo dalla somiglianza tipografica con il marchio ma anche da come questa somiglianza viene utilizzata. Ad esempio:

• Se il dominio punta a un sito web che vende prodotti simili a quelli dell’azienda proprietaria del marchio, molto probabilmente ci troviamo di fronte a sfruttamente indebito.
• Se il sito è tappezzato di annunci tipo Google Ad Sense, probabilmente, siamo di fronte a typosquatting.
• D’altro canto, se il dominio punta a un sito web che non ha niente a che vedere con il marchio originale,  o che non trae beneficio economico dalla somiglianza dei due nomi, ci sono buone probabilità che il sito sia legittimo.

Poiché la buona fede continuerà a giocare un ruolo fondamentale, le aziende, laddove possibile, continueranno ad accordarsi con i possessori dei domini incriminati, piuttosto che entrare in lunghe cause legali dall’esito spesso incerto. Senza contare che molti registry (fra cui il NIC per i domini .it) offrono un servizio di risoluzione delle controversie molto più economico e veloce di quanto può esserlo un tribunale.

Nel caso qualcuno fosse interessato: PhD studentships at Oxford Brookes University.

Vi segnalo, in particolare, il tema sulle digital identity, che mi vedrà, iin parte, coinvolto. Per informazioni l’email la trovate qui.

Digital Identity
Supervisors: Prof David Duce, Dr Faye Mitchell

In the digital age, the question of what constitutes “identity” becomes ever more complex, and the threat of identity theft continues to alarm. There is a growing literature on the problems of identity management and issues such as trustworthiness and privacy. In the past, solutions based on central authorities have been explored, but the difficulty of reconciling them with a networked world which is completely decentralised by its very nature has led to only partial adoption of these solutions. A practical line of development is by federating heterogeneous identity management frameworks. But there are much deeper research questions that should be addressed: what is a digital identity for Internet users, companies and for other institutions; is a digital identity unique in the Internet or is it only meaningful within a certain scope, such as a geographical locality or a limited time window; how does identity interact with privacy and how is trust defined among identities.

A proposito, ho scritto un post sul blog di Nominet a proposito di un picco di registrazioni di nomi di domini “.uk” che sfruttano la morte del cantante. Ve lo riporto integralmente.

Nike, Inc. recently succeeded in a cybersquatting action to recover the domain name www.nikeshop.com. The panel found that Nike had strong trademark rights in the NIKE mark based on its federal trademark registrations. The panel went on to find that the respondent had produced no evidence that it had any legitimate rights to the mark NIKE or NIKESHOP. Finally, the panel found bad faith when the respondent used the the domain name to display a website with links to goods and services that compete with Nike’s. Thus, the panel transferred the domain name to Nike.

For more cybersquatting news and information, see Cybersquatting.com

A UDRP panel recently found that the domain name www.emanufacturing.com had been cybersquatted. The action had been brought by E Manufacturing Co., which established that it had common law rights in the E MANUFACTURING mark, thought it did not have a federal trademark registration. The panel went on to find that the domain name at issue was confusingly similar to the E MANUFACTURING mark, and that the respondent had demonstrated bad faith where the respondent sold the domain name to E Manufacturing Co. for over $1,000 (far more than its out-of-pocket expenses).

For more cybersquatting news and information, see Cybersquatting.com

A cybersquatting panel recently denied a cybersquatting claim to recover the domain name www.cleanenergyquotes.com brought by SBNet, Inc.  The panel found that SBNet had not made a basic showing of common law rights in the CLEANENERGYQUOTES.COM where it failed to show sufficient secondary meaning related to this descriptive mark.  In the absence of demonstrating rights in the trademark, SBNet’s cybersquatting claim failed on its face.  Additionally, the panel found that the domain name was not used in bad faith when it was used for an an internet based solar energy comparison shopping service.  Thus, the panel found that no cybersquatting had occurred.

For more news and information about cybersquatting, see Cybersquatting.com

Lacoste S.A. recently succeeded in a cybersquatting claim to recover the domain name www.lacosteshop.com. The cybersquatting panel found that Lacoste had numerous trademark registrations to support its rights in the LACOSTE trademark. Moreover, the panel found that the domain name was confusingly similar to the LACOSTE mark. Finally, the cybersquatting panel found that the domain had been registered in bad faith where it intentionally sought to attract Internet users to the website by creating a strong possibility of confusion with the LACOSTE mark and offering links to third-party websites.

For more cybersquatting news and information, see Cybersquatting.com

Acclaimed golfer Tiger Woods recently succeeded in a cybersquatting action to recover the domain name www.tigerwoodslifestyle.com. The panel found that Tiger Woods had a registered trademark for the TIGER WOODS mark, filed with the U.S. Patent and Trademark office, and that the registrant had no rights to the TIGER WOODS mark. Moreover, the panel found that the registrant had used the domain name in bad faith, where the registrant offered to sell the domain name to TIGER WOODS immediately after registering it. Accordingly, the panel found that the domain name had been cybersquatted and ordered it transferred.

For more cybersquatting news, see Cybersquatting.com

Con colpevole ritardo, riemergo da un po’ di viaggi in giro per l’Europa. Sono stato ad Atene, alla Web Science Conference, dove ho presentato un poster su typosquatting. Poi sono volato a Milano, al Security Summit 2009, a cui sono seguiti un paio di giorni “back home”. Una settimana in Inghilterra e ora di nuovo in Italia, per un po’ di meritate (spero ) vacanze.

So che non c’è niente di peggio di un report arrivato fuori tempo massimo, tuttavia, vi prometto che nei prossimi giorni posterò qualche nota e commento su queste due conferenze che mi hanno molto positivamente colpito.

Oggi, cominciamo dal mio paper, che un po’ di “self-advertising” non guasta mai

• Typosquatting is the practice of registering a domain name with the intent to confuse it with the name of a trademark or a famous domain name (trademark infringement on domain names).
• The neighbourhood N_d(x) of a domain name x is the set of all domain names in the registry whose distance d() from x is lower than a threshold th_d and we denote its cardinality as |N(x)|.
• A distance function d() is a transformation in the space of domain names.

Ad esempio, googgle.co.uk e goog1e.co.uk fanno parte del neighbourhood di google.co.uk. Abbiamo effettuato un po’ di esperimenti sul registro ‘.uk’ e i risultati sono abbastanza interessanti.

Infine, qualche considerazione sugli effetti che una pratica come quella del typosquatting potrebbe avere sul concetto di identità digitale:

• Social networks and Web 2.0 applications rely on a loose concept of digital identities based on simple identifiers
  • Which are the risks associated to typo-squatting in these scenarios?
  • How would they benefit from a cluster-based analysis?
• We should move towards a concept of digital identity associated to a cluster in some identifier space
• The cluster comprises a primary identifier and secondary identifiers that are mapped to it

Se questo argomento vi incuriosisce, lasciatemi pure un commento o scrivetemi una mail. Oppure date un’occhiata al full paper o al poster (entrambi scaricabili gratuitamente dal sito della conferenza).

The 3M Company recently succeeded in a cybersquatting action to recover the domain name www.3mpromotional.com. The cybersquatting panel found that the 3M Company had strong trademark rights in the 3M mark. Moreover, the panel found that the domain name was confusingly similar to the 3M mark because 3M comprised the dominant portion of the domain name. Finally, the panel found that the domain name had been used in bad faith because the registrant had tried to sell the domain name for $9,995, which far exceeded the registration costs.

For more cybersquatting news and information, see Cybersquatting.com.

Hard Rock Cafe International, Inc. recently succeeded in recovering several cybersquatted domain names, including: www.hardrockcafelasvegas.net, www.hardrockcasinobiloxi.net, www.hardrockcasinotampa.net, and www.hardrockhotelandcasino.org.  The panel found that all of these domain names had been cybersquqatted where they contained the complainant’s HARD ROCK trademark.  Moreover, the panel found that the respondent used the confusion caused by the similarity of the HARD ROCK mark and the disputed domain names to divert users from the complainant’s website to the respondent’s gambling website.  Thus the panel ordered the transfer of the cybersquatted domains.

For more news and information on cybersquatting, see Cybersquatting.com

A UDRP recently denied a cybersquatting claim to recover the domain name www.scalar.com. Scalar Decisions Inc. had brought the cybersquatting action against the Scalar Consulting Group, LLC. The panel denied the claim because: a) the respondent established that it was commonly referred to by the name “scalar” and had used the trademark SCALAR: and b) the petitioner did not establish a bad faith registration of the domain name when it had been registered before the petitioner had come into existence. Accordingly, the UDRP panel denied the cybersquatting claim.

For more cybersquatting news and information see Cybersquatting.com

A UDRP panel recently ordered the transfer of the domain name www.americangirlbrand.com to American Girl, LLC. The panel found that the acclaimed doll maker had long-standing and established rights int he AMERICAN GIRL trademark. The panel further found that the domain name registrant had no legitimate rights in the mark, and that the domain name was confusingly similar to the AMERICAN GIRL trademark. Finally, the panel found that the registrant had used the domain name in bad faith by engaging in the unauthorized sale of American Girl’s products by diverting Internet users to a competitive website

For more cybersequatting news and information see Cybersquatting.com

Non si fanno i soldi con i blog (Wittgenstein)

…di una disarmante semplicità! Fare soldi con un blog vuol dire tappezzarlo di annunci pubblicitari. Che, a meno di pochi casi di successo (l’articolo di NewsWeek cita TechCrunch, tanto per dire) vuol dire tappezzare le proprie pagine di AdSense.

E allora, tanto vale darsi a del sano domain parking o, se vi piace il brivido, a un po’ di typosquatting. Così, almeno, non dovete perdere tempo a inventare belle frasi per attirare i vostri lettori…

Just a warning to prevent getting shocked.

Just a tip, try not to misspell www.facebook.com

It appears that a transposition of two of the initial four letters redirects  to a site that might not be appropriate for many situations. I suppose the site would in fact be appropriate for only a very limited set of situations none of which are likely to occur in a public place.

Welcome to this, the first of a deluge of news-infused blog-bombs to hit your security information hungry brain in 2009.

And Happy New Year.

As the world’s most excellent and generous security site, I4S continued to deliver security news and features daily over the Christmas and New Year period. Today I thought it might be useful to point out some important stories you may have missed while this newsletter was on hiatus.

First up is Alan Hyder’s exclusive and hugely insightful interview with Norbain CEO Alun John. It’s important reading. We’re not usually ones to boast, but respected IP video commentator John Honovich has described it as “the best security executive interview I have ever seen”. He adds his own thoughts on his site, which is also well worth spending some time on.

SMT Online editor Brian Sims also contributed some hefty features over the holiday period, including a two part series on the UK’s nuclear security capabilities. Here’s the first one. And here is where you’ll find the second. Brian also gave us his Editor’s View on the ongoing Damian Green affair.

Our latest Bench Test came courtesy of Basson Trade CCTV: our experts looked at their BVHQ camera.

That most festive of all security features, Songs About Security, didn’t take a break over the festive period. Both the Flaming Lips and The Who got a look in as part of the security music video phenomenon that has absolutely everyone talking.

Lastly, a couple of headlines for your delectation – we’ve got the concept of ‘typosquatting‘, and there’s also IP through the eyes of FMs. Hmm.

Hope your year has started well. Let’s stay in touch.

Then, go on and do the right thing. Visit www.ifsec.co.uk, and www.info4security.com. They pay me!

Che succede se qualcuno ti “ruba” l’account su Twitter? Nel momento in cui sto scrivendo, ad esempio, l’account “Microsoft” (http://twitter.com/microsoft) è vuoto e non appartiene all’azienda produttrice di Windows.

Uno “scherzo” come questo, nel campo dei domini internet, si chiama typosquatting (ne avevo già parlato da qualche parte): il nome (trademark) di un’azienda famosa (Microsoft, in questo caso) viene sfruttato per attirare traffico verso un sito o un servizio che con Microsoft non ha niente a che vedere. Il typosquatting non è legale e l’ICANN gestisce i casi dubbin tramite  attraverso l’UDRP.

Twitter è un giochino carino, a volte utile, ma non fondamentale per il funzionamento di Internet. E se un giorno diventasse importantissimo? Sarebbe corretto che l’account Microsoft non fosse assegnato a chi, normalmente, ne avrebbe diritto?

Un anno fa Steve Poland fa incetta di account Twitter con l’intento dichiarato di rivenderli quando avranno acquisito valore. Uultimamente, però, se li vede annullare uno a uno per essere restituiti ai “legittimi proprietari”. Io penso che la decisione sia stata corretta (Steve Poland è solo uno speculatore). In generale, però, Steve ha ragione quando si chiede

I’m just wondering, when does it end? My personal twitter account is STP — are you going to pull that from me when STP (motor oil company) or Stone Temple Pilots comes to you guys and claims trademark infringement? My initials are STP — as in, “Steven Thomas Poland.”

Stiamo parlando di identità digitale: FaceBook, MySpace, Second Life e qualsiasi applicazione Web 2.0 identifica i propri utenti tramite un nickname univoco. A lungo andare, si crea una relazione forte fra utente reale e suo alter ego digitale un po’ come capita già fra un’azienda e il suo marchio. Da qui nascono due problemi importanti e contrapposti:

1. Il problema della continuità, stabilità e persistenza del doppio virtuale dell’utente. La sicurezza, cioè, che un nickname o un account non venga cancellato, riassegnato e sospeso, magari perché inutilizzato per un certo periodo di tempo o perché richiesto da qualche entità terza che non ne abbia diritto.
2. Il problema del Yet Another Social Network, il rischio, cioè, che l’identità che è di un utente in un’applicazione (spesso, lo ripeto, consiste di un semplice nickname) sia assegnata (magari anche in modo legittimo) a un altro utente in un’altra applicazione (UPDATE: per l’appunto, qui si parla di Reverse User Name Hijacking)

Esistono delle proposte in questo senso (OpenID, ad esempio) ma, oltre a non essere soluzioni definitive, sono, per ora, gestite da compagnie private, che non è il massimo.

Io credo che il problema dell’identità digitale, con tutti i suoi risvolti tecnici e legali, non sia ancora stato compreso e affrontato adeguatamente e mi chiedo se sia necessario, nel prossimo futuro, iniziare una riflessione di ampio respiro su questo tema (di typosquatting, ad esempio, si parla da anni e ormai c’è anche una certa letteratura legale a riguardo. Ma il problema è ancora lungi dall’essere risolto).

Per ulteriori approfondimenti consiglio la lettura di Social Media User Names Becoming More Like Domain Names apparso su DomainNameNews qualche giorno fa.

O, taka literówka mi się zdarzyła, bo nie przełączyłem niemieckiego układu klawiatury (którym się posługuję) na polski:

GayetaPraca.pl wpisane z palca.

Ciekawie natomiast wygląda strona pod tą domeną.

Ciekawe kiedy na domenie pojawi się ban od Google. Wygląda na to, że jeszcze go nie ma, ale ale… Strona jest wykonana niezgodnie z polityką Google Adsense, czyli publikowania reklam na stronie. Nie ma żadnej treści… tylko wklejony kod Adsense.

Aha, warto jeszcze nadmienić, że nie kliknąłem w reklamę, aby przejść na GazetaPraca.pl. Wolałem wpisać ręcznie już poprawną wersję adresu. Nie daję zarabiać cybersquatterom. A tutaj to ewidentny przykład tego. GazetaPraca jest znakiem towarowym prawnie chronionym. A literówka jest próbą wykorzystania tej renomy. Z pewnością jeszcze nie raz wspomnę o cybersquattingu, tej ciemnej stronie domenowego biznesu