Cybersquatting - Not Just for Brands


On January 29, the Coalition Against Domain Name Abuse (CADNA), which FairWinds helped found and runs, hosted a policy forum here in Washington, D.C.  The forum focused on emerging challenges for the Internet community in 2010, specifically the future of ICANN under the Affirmation of Commitments (AOC) and potential reform to the Anti-Cybersquatting Consumer Protection Act.  Attendees heard from two panels regarding these issues, which featured brand owners, online policy experts and Congressional staff members.  The keynote address was given by Senator Stephen Urquhart (R-UT 29th District), the Chairman of the Utah State Senate Transportation and Public Utilities and Technology Committee.  Urquhart recently introduced the E-Commerce Integrity Act to the Utah state legislature. This bill is designed to make the state of Utah more business-friendly by creating greater deterrents to prevent cybersquatting: firstly, the bill raises the damages that can be levied on a cybersquatter, and secondly, it holds affiliates of domain name registrants liable if it is found that they benefit from cybersquatting behavior.

In addition to Sen. Urquhart, representatives of Jay Rockefeller (D-WV), Chairman of the Senate Commerce, Science, and Transportation Committee, and Patrick Leahy (D-VT), Chairman of the Senate Judiciary Committee, spoke on the panels.  Cybersquatting is an issue that hits close to home for the Senators they work for: PatrickLeahy.com and JohnDRockefeller.com both point to pay-per-click (PPC) sites.  (JayRockefeller.com, however, does lead to the Senator’s Web site.) SteveUrquhart.com also leads to a PPC site.
 
When discussing the problem of cybersquatting, much of the attention often gets focused on businesses and infringements on brands and trademarks.  However, individuals like politicians and celebrities are also frequently the victims of squatting and other malicious conduct online. It’s great to know that Senator Urquhart and Congressional staff members understand this issue, and we’re happy to have them involved in efforts to create a safe, stable and flourishing Internet.

 

FINRA Offers Guidance on Blogs and Social Networking Web Sites


With hundreds of social media Web sites, business and personal communication are rapidly changing to real-time. Social media is now front and center in organizations, and discussions are taking place not only among the security team but also within marketing, sales, human resources and even at executive levels.

Firms in the financial services sector in the US have asked the Financial Industry Regulatory Authority (FINRA), a private corporation that acts as a self-regulatory organization (SRO) and the successor to the National Association of Securities Dealers (NASD), how rules governing communications with the public apply to social media sites that are sponsored by a firm or its registered representatives. FINRA responded in January 2010 with a Regulatory Notice to provide guidance to firms on blogs and social networking web sites in financial services.

For financial services firms, social media brings Legal and Compliance (L&C) plus Corporate Communications into the discussion to refocus attention on information security and risk management concerning customer contact, recommendation of investment products, liability and reputational risks.

The Regulatory Notice 10-06 addresses adopting policies and procedures on how firms and their registered representatives could use social media sites for legitimate business purposes and in a manner that ensures investor protection. The notice describes the challenges for a firm’s compliance program; providing personnel with routine access to approved communications and templates; record keeping of communications, complaints and orders related to a broker-dealer’s business made through social media sites; suitability requirements of product recommendation (NASD Rule 2310); and how firms must monitor interactive electronic forums on static (LinkedIn) versus non-static sites (Facebook, Twitter). L&C need to be copied in on communications between non-research and research departments, personnel need to be restricted in establishing accounts, disciplinary action must be enforced if policy is violated, and disclaimers need to appear. In addition, the "entanglement" and "adoption" theories with respect to third-party content posted on sites established by the firm or its personnel must be considered and dealt with in an appropriate manner.

Social media sites pose new requirements and costs for supervisory systems, technology investments and social competency across a matrix of departments. FINRA’s regulatory notice is important guidance for financial institutions and we might see other federal regulators produce similar responses going forward.

Lead Generation from Domain Names


At the heart of online marketing is the goal of attracting visitors to Web sites and engaging with them in ways that deliver lasting and memorable impressions.  There are a variety of elements that go into an effective online marketing campaign, including search engine marketing but also radio, print, outdoor, and TV offline to drive impressions online.  Often, companies direct a small portion of their efforts and budgets to domain names and search engine strategies like search engine optimization (SEO).  
 
Search engine strategies like SEO function best when paired with strong keyword domain names. It’s well known that Google and Bing reward developed keyword domains that have “search love”—in other words, Google and Bing give higher ranks to domain names that contain terms consistent with the search terms entered by Internet users—and for this reason a brand can achieve a higher page rank using keyword domain names. Try a search for “meals” in Google sometime and you’re likely to find Nestlé in the first position with their meals.com site. However, if you Google “sauce,” you won’t see a Unilever brand on page one of Google’s search results. Yet, Unilever owns sauce.com and points it to the Ragú Web site. Why does Meals.com rank so highly while Sauce.com does not? Domain names that are set up as simple redirects will not be indexed separately by search engines.  This is why meals.com is on page one for “meals” while sauce.com is not on page one for “sauce” – Nestlé built a standalone site on meals.com while Ragú pointed sauce.com to another site.  For a brand owner to take full advantage of a keyword domain name’s ability to capture both direct (type-in) and search traffic, the domain name must be utilized as a standalone site. Keyword domains that are properly developed will capture organic traffic on a recurring basis at nearly no cost.
 
There are other ways to drive up traffic numbers by adjusting domain name strategy. By reviewing and making small adjustments to its domain name portfolio, Verizon was able to generate 24 million unique visitors to its Web sites in a 12-month period.  That increase in traffic was achieved without any additional search engine marketing tactics; Verizon simply redirected carefully selected names it owned and recovered valuable domain names that receive type-in traffic and pointed them to branded content, and ultimately drove millions of consumers to its sites – without the incremental costs associated with paid search clicks. An updated case study on the effects of Verizon’s domain name strategy will be coming soon.
 
In many instances, businesses do not set aside a portion of their marketing budgets to maximize the benefits from very active domain management because they are not aware of the benefits it can provide in terms of lead generation and cost savings.
 
However, consider how domain name typos are one area where companies often lose valuable traffic – if Internet users mistype the domain of a company’s Web site into the address bar, they can be led to sites containing Pay-Per-Click ads, malware, or in some cases, even to the Web site of the company’s competitor.  It is often surprising how much traffic businesses are losing to typos—we recently uncovered 47 million initial impressions one company was losing annually due to typos of its name.  Imagine a scenario where the top typos for a brand receive 5 million (about 1/10 of the prior example) unique visitors per year.  Considering the fact that on average, businesses are willing to pay approximately $2.00 per impression, unregistered typo domains cost the company in question $10 million per year, or more than $833,000 per month in lost marketing benefit.
 
When you look at the hard numbers, it becomes obvious that search engine tactics alone cannot generate the maximum number of online leads.  Instead, SEO, SEM and domain strategies must be combined to optimize results.

 

When the Secret’s Out


TechCrunch recently picked up MacRumors’ report on Apple’s assumed possession of the domain name islate.com. MacRumors found that the whois information for the domain name lists “DNStination, Inc.”, a profile often used by corporate registrar MarkMonitor to “mask” domain ownership on behalf of their clients. The article also points out that MarkMonitor is the corporate registrar that Apple is known to work with.
 
What TechCrunch didn’t include is that MarkMonitor held the name on behalf of a client as far back as October 2006.  Before that time, it was held by Eurobox Ltd.  While we can’t confirm it, chances are the domain was acquired from Eurobox.

The TechCrunch reporter decided to do a little sleuthing and found other iSlate related domains that are registered by MarkMonitor and therefore likely linked to Apple.

So here’s a lesson for brands—no matter what “masked” Whois information a registrar sets up in the Whois profile of a domain you have purchased or registered, if yours is a corporate-only registrar, it’s too easy for the press, the public, competitors and others to guess what’s going on.

If the goal is to avoid media coverage and tipping off the masses, what’s the best way for a brand to go? Definitely use a corporate registrar like MarkMonitor for your registrations.  Registering domains for big companies is their business and they know it well.  However, if you have a new brand in mind and want to keep the press, competitors, and squatters off the trail, make it more anonymous – register through a consumer retail registrar like Network Solutions or GoDaddy and use their privacy service.

Maybe based on this recent article the registrars that service the domain registration needs of brand owners will offer a “super secret” anonymous registration and go outside their own registrar to make registrations.  I think it would be a valuable service.

Personalized Phishing


I hope everyone had a wonderful holiday! After time spent worrying about things such as finalizing plans and buying Christmas presents, it’s always good to finally get the chance to slow down and enjoy time with family. It was my baby girl’s first Christmas, so it was definitely a special one.

It doesn’t take long for things to pick up speed after the lull of Christmas Eve and Christmas Day. Many people probably spent the weekend after Christmas returning gifts or taking advantage of some post-holiday sales. Plenty more probably went online in search of deals, hopefully dodging spammers and phishers looking to get a cut of holiday spending.

I have noticed a concerning trend with the spam and phishing emails that make their way into my inbox. Almost every time I have received a scam bank email from spammers/phishers, they have been posing as a local bank that I could feasibly use or the bank at which I am a customer.  In other words, I have never received a phishing email from a bank in another country. 

This makes me wonder about two things.  First, do Internet users in other countries experience the same patterns or do they also receive emails about banks in the U.S.?  Second, I have to wonder how much phishers actually know about the people on their email lists.  Some of the information contained in the emails is alarmingly specific – if the phisher actually knows where I bank, or at least enough about my habits or location to make a very accurate guess, then what else could they know about me?

At the heart of many phishing schemes is the pursuit of information: personal and financial details that phishers can exploit.  A great deal of scam protection involves safeguarding this valuable information. One reason that phishers and other spammers know so much about the people on their lists is because some of their data comes by way of hackers who break into the systems of legitimate organizations and harvest the information that each of us knowingly provided to that organization.

So if phishers already know enough about us to engage in fairly sophisticated targeting and actually reach us, shouldn’t we be more concerned about how easily these phishers can maneuver their way into getting our information?

Bad Intent on Goodwill.com?


Since our report a week ago on the hostess.com decision, a claim under the Anti-Cybersquatting Consumer Protection Act (ACPA) has been filed in the Federal District Court for the Eastern District of Virginia by Goodwill Industries International, Inc. against Cyber2Media, Inc., the owner of the domain goodwill.com. 
 
As with the word "hostess," the word "goodwill" is arguably a descriptive term.  However, this case is very different from the hostess.com example because the defendant uses goodwill.com to forward visitors to a pay-per-click Web site featuring links to the plaintiff’s site and to other charitable organizations. By using the domain name this way, the defendant appears to be attempting to profit off of Goodwill’s fame as a charitable organization.  By registering goodwill.com and hosting links to charitable organizations, the defendant is likely hoping to take advantage of confused visitors to the site who will assume that the links are approved by Goodwill Industries International. This sort of proof of intent was the missing element in the hostess.com case and seems here to be strong evidence of lack of legitimate use of the domain and the defendant’s registration of the domain in bad faith.

In an interesting side note, the domain savechildren.com was recently ordered to be transferred to the owner of the well-known Save The Children trademark in a UDRP decision which did not make any mention of the potentially descriptive nature of the phrase "save children." In that case, however, the respondent did not file a response and the domain resolved to a pay-per-click Web site featuring links to complainant's competitors and other unrelated products and services.

Hostess Shown the Door


Imagine that you’re one of the top-selling producers of snack cakes under a very famous 90-year-old brand. Next, imagine that someone has registered a domain that is identical to your brand and that this someone happens to be a domain investor who owns thousands of names and has been on the losing end of two prior UDRP decisions. Finally, add to the mix the fact that this someone demanded tens of thousands of dollars to obtain the domain. Sounds like the setup for a pretty simple UDRP win, doesn’t it? That may be what Hostess Brands, Inc. thought. Unfortunately, a WIPO Panelist disagreed and recently denied a UDRP complaint against the <hostess.com> domain. Hostess Brands, Inc. f/k/a Interstate Bakeries Corporation v. Domain Capital, WIPO Case No. D2009-1357.

This decision is a study in the limits of enforcement against a generic term and how important the surrounding facts can be in such disputes.

Having found that the domain is identical to the famous HOSTESS trademark under section 4(a)(i) of the UDRP and that Respondent had no right or legitimate interest in the name under section 4(a)(ii), the Panel’s inquiry turned on the question of the Respondent’s bad faith under section 4(a)(iii).

The Complainant claimed that the Respondent had set up a placeholder Web site under the domain but pulled it down soon after receiving an adverse UDRP decision in another dispute. Unfortunately, the Complainant had apparently not put proof of this placeholder site into evidence and the Panel found that “there is no allegation that Respondent has ever used the Domain Name in connection with the goods and services covered by Complainant’s trademarks.”

Further, the Complainant asserted that, in response to its offer of $5,000 to buy the domain name, the Respondent sought payment of $20,000. However, Respondent denied, in a sworn statement, that any such offer and counteroffer were ever made. Recognizing that there is no discovery permitted under the UDRP and that a different result might be obtained in a court, the Panel accepted Respondent’s statement but tacitly warned that “if Respondent, in the future, would attempt to extract a significant sum from Complainant for purchase of this Domain Name identical to Complainant’s HOSTESS trademark, these circumstances may provide support for application of the Policy’s paragraph 4(b), indicating bad faith”.

Also working against the Complainant was the fact that the domain was solely composed of the common word “hostess,” which is subject to substantial third-party use, both generically and as a trademark. A Google search yielded many millions of results apart from those referring to Complainant. Further, the Respondent cited at least 22 third-party registered U.S. trademarks that incorporate the word “hostess,” including 7 for that word standing alone.

In the end, the Panel declined to find that Respondent acted in bad faith saying that “[a]lthough the Domain Name is identical to Complainant’s well-known trademark, Respondent is correct when it emphasizes that ‘hostess’ is also a common word subject to substantial third-party use. Without any further evidence of specifically targeting Complainant and its trademarks, or use of the Domain Name in a manner that supports a finding of seeking to profit from Complainant’s mark, this Panel cannot, on the balance of the probabilities, adopt the inferences which Complainant urges.”

The main lessons of this decision are two-fold. First, when faced with a possibly generic or descriptive word, carefully examine and consider all of the surrounding circumstances – especially any use, or lack thereof, by the domain owner that refers to the brand owner. Second, be very careful to capture evidence while it is still available – especially changeable Web sites – and document all evidence in your case, by declaration if necessary.

Toys for Tots’ Domain Opportunity


Many of us in the U.S. are familiar with Toys for Tots, the charitable program that collects new toys every holiday season to distribute to children whose parents cannot afford to buy them gifts.  Run by the U.S. Marine Corps Reserve (USMCR) since 1947, Toys for Tots is one of the most popular and recognizable charities, especially during the holidays, not to mention one of the most heart-warming.
 
The domain name that Toys for Tots uses to host its Web site is toysfortots.org.  Last year, the site saw a significant spike in traffic during the holiday season, reaching a total of about 1 million unique visitors in December.  However, the site toysfortots.com also received a significant amount of traffic volume during that period.  About 5% of people are entering toysfortots.com instead of toysfortots.org.  Both sites are owned by the Marine Toys for Tots Foundation, but the latter, toysfortots.com, does not redirect to toysfortots.org.  In fact, the .COM domain does not resolve at all.
 
In a year, I estimate that well over 100,000 Internet users go to toysfortots.com in an effort to reach the charity’s Web site.  The domain name toys4tots.com (which unfortunately is currently owned by a third party and hosts pay-per-click ads) also receives substantial annual traffic, more than toys4tots.org. These figures reflect the fact that Internet users type .COM at the end of domain names more intuitively than other extensions, including .ORG.  The popularity of the Toys for Tots program, in addition to the high traffic volume toysfortots.org receives, makes it clear that the USMCR has a significant communicative power and ample ability to reach Internet users.  If this power were matched with the best practices that leading private sector marketers use, the USMCR could substantially increase the effectiveness of their programs.
 
Toys for Tots is a wonderful program that helps to make the holidays special for so many children.  With a bit of marketing strategy, the charity could expand to reach more donors and, in turn, provide gifts to even more children around the country.  

One-Third of all .COM Sites Are a Risk


McAfee, one of the leading manufacturers of anti-virus and security software, recently released a report titled “Mapping the Mal Web” that analyzes the relative risk of top-level domains (TLDs).  The TLD for Cameroon, .CM, ranked at the top of the world’s riskiest TLDs.  Alarmingly, .COM took second place on McAfee’s overall list.  According to the report, 32.2% of all .COM Web sites contain browser exploits like drive-by downloads of spyware, adware or malicious content; lead to phishing scams; or bombard users with excessive pop-ups.  Since .COM is the most popular TLD, 32.2% amounts to a total of 918,873 risky domains. 
 
In addition to overall risk, McAfee ranked TLDs by specific threat.  Romania’s TLD, .RO, had the highest portion of malicious downloads, while .INFO was ranked worst for spam, with 17.2% of its sites generating junk email.  On the other end of the scale, the governmental TLD .GOV is the safest generic TLD, while Japan’s .JP is the safest ccTLD. 

The popularity of .COM makes it an ideal target for bad actors because so many Internet users intuitively type in .COM at the end of domain names.  Since .CM is such a common typo of .COM, it is not surprising that it is the top choice among cybercriminals.  (We’ve written about threats posed by .CM before.)  According to the BBC, Hong Kong’s .HK ccTLD topped last year’s list of riskiest domains, but has since taken measures to become safer.  Specifically, the Hong Kong Internet Registration Corporation Ltd, which supervises domain registration for .hk Web sites, said that asking for proof of identity was one tactic that has led to a decline in suspicious applications.

Speed of Squatting: Tiger Woods Follow-Up


The news and rumors about Tiger Woods’s crash and the circumstances surrounding it continue to dominate the media.  However, each breaking story that develops about Woods’s alleged affairs and other activities is old news to one group: domain name squatters.  We were pretty surprised to see that key domains like TigerWoodsCrash.com were registered the same day as the accident.  But even more surprising was finding out that names like TigerWoodsAffair.com and TigerWoodsRachelUchitel.com were also registered that day, even before major news outlets were covering the possibility of an affair.  By the time we published our last blog post on this topic on November 30, six additional affair- or scandal-related domain names had been registered.  Since that day, only two more intuitive domains have been registered: TigerWoodsScandals.com on December 3 and TigerWoodsPrenup.com on December 7. 
 
Squatters know how to snatch up the key domain names related to breaking news topics fast.  If the Tiger Woods example is any indication, the most intuitive domain names are taken within the first 72 hours of the news breaking.  It seems like domain squatters could give the press a run for their money.