Facebook has announced it is taking legal action against American domain name registrar Namecheap and Whoisguard for allowing people to register domain names that “deceive people by pretending to be affiliated with Facebook apps.”
According to Sandy Zhang, Senior Associate with Brisbane Intellectual Property and Privacy law firm EAGLEGATE Lawyers, fake domain names are often used in phishing attacks, and the Facebook lawsuit has “shone a light on the whole issue of how web domain names are administered”.
Zhang says faked domain names are frequently used to trick users into thinking a site is connected to a legitimate company.
“According to The Verge, Facebook filed a similar lawsuit last October against domain registrar OnlineNIC and its proxy service ID Shield for registering nearly two dozen domain names, including www-facebook-login.com and hackingfacebook.net, some of which were being used for malicious activity,” says Zhang.
“What’s interesting about the recent Facebook lawsuit against Namecheap is that it tries to shift the responsibility to domain name registrars to take an active policing role.
“Facebook does have a point in these circumstances – there simply cannot be a legitimate purpose behind registering a domain name like facebo0k-login.com. However, not all cases are necessarily so straightforward.
“You need to remember that registering a domain name does not mean having a website. Many of the domain names in the lawsuit may not have any website attached. Without any web content, it can be difficult to tell if a domain name like instagrambusinesshelp.com is in fact legitimate.
“Even assuming that these domain names are not legitimate, to what extent does a domain name registrar have to monitor its registrations, particularly if it gets thousands of registrations per day at prices of between $1-50 per year?
“It’s not possible for the registrar to conduct a full trade mark / legalities check for every little-known company that decides to register a domain name. If Facebook gets an exception because it is so well-known, then where do you draw the line? How well-known would you have to be?”
Zhang says that, by agreement, domain names are administered by a number of bodies around the world, with ICANN being the peak body and country code top-level domains like .au being administered by local bodies such as the .au Domain Administration (auDA).
“The administering authority generally licenses the right to create new domain names to approved registrars. Registrars can then either directly ‘sell’ (more accurately, license) domain names to the general public or to wholesalers, or both. Typically, the service just involves allowing a registrant to check if a particular domain name is taken, and if it’s not taken, then allowing the registration for a fee,” he says.
“The domain name registration policies are mandated by the relevant domain authority. These policies will generally include things like good faith use and proper entitlement to use the domain name registered, but it has never been a registrar’s function or responsibility to actively police the registration or use of domain names under its management.
“Instead, registrars generally respond to complaints regarding a domain name being used in contravention of the policies that apply, and adopt a dispute resolution policy like the UDRP (Uniform Dispute Resolution Policy), which allows civil disputes between two persons over a domain name to be resolved.”
According to Zhang, because of the way domain names work, there has long been a practice of people registering domain names similar to or appearing to be connected with famous brands.
“They do so for two key reasons. The less nefarious is cybersquatting – the person simply sits on the domain name and hopes to sell it back to the brand at a significant mark-up. The other, more sinister reason is phishing. This is where a person attempts to impersonate a legitimate company in order to steal personal information, including passwords and credit card details,” he says.
“Complicating the matter and potentially assisting cybersquatters and phishing operators is the existence of domain privacy services. Registration of a domain name requires publication of the registrant’s details on a publicly searchable register. Domain privacy services will register the domain names on the real registrant’s behalf, so that public information does not show the actual owner.
“Many registrars offer this service as part of the domain registration package. In Australia for .au domains, this practice is prohibited due to an auDA policy, but for most other domain names including .com domains, the practice is allowed and widespread.”