By Steve Levy
Just two weeks ago I wrote about a decision in which a cybersecurity firm lost the <equifax-credit.com> domain name that it was using to conduct simulated phishing exercises for its corporate clients to test their susceptibility to online attacks. To show how nuanced the issue of arguably well-intentioned use is, and how subtle differences in conduct can lead to very different outcomes under the UDRP, this week I’d like to mention a different case in which the cybersecurity firm actually got to keep the domain name <optic2000.ad> under slightly different circumstances. Each case turns on how the Respondents used the disputed domain names and how those uses shaped the panel’s view of their intentions.
In the <optic2000.ad> decision (the country code for Andorra using a policy very similar to the UDRP), the Respondent was a cybersecurity company that had registered a domain name closely matching the Complainant’s trademark. What set this case apart was the Respondent’s operational use of the domain. The firm registered the domain name to prevent malicious third parties from themselves registering the domain and to conduct controlled observation of any traffic directed to the domain. The panel noted that the Respondent offered to unconditionally transfer the domain name to the Complainant at no cost but no response was received. This created a factual scenario in which the Respondent appeared to be acting as a good Samaritan, even if the chosen domain name overlapped with the Complainant’s mark. The panel examined whether the Respondent’s services targeted the Complainant or attempted to trade on its reputation for commercial gain and ultimately found that the evidence did not support a finding of bad faith registration.
As mentioned in my last entry, the situation in the <equifax-credit.com> unfolded very differently where the Respondent cybersecurity firm, though certainly not a traditional cybersquatter, resolved the domain name to a site that mimicked the Complainant’s branding and used it as part of its for-profit services of testing client vulnerabilities thus commercially exploiting the value of the Equifax mark without the Complainant’s permission.
Taken together, these decisions show how the UDRP hinges more on factual nuance than on sophisticated legal argument. Two cybersecurity firms, two disputed domains, and two very different uses led to opposite outcomes. The contrast underscores how the existence or absence of commercial activity and exploitive intent can affect a case when a Respondent claims legitimate interests in a contested domain name.