Study on Evaluation of Practices for Combating Speculative and Abusive Domain Name Registrations

Study on evaluation of practices for combating speculative and abusive domain name registrations

Prepared by FASANO PAULOVICS Società tra Avvocati, written by Ivett Paulovics

Internal identification Contract number: LC-01360983 SMART number: 2019/0085

EUROPEAN COMMISSION Directorate-General for Communications Networks, Content and Technology Directorate E— Future Networks Unit E.3 — Next Generation Internet

Contact: [email protected]

European Commission B-1049 Brussels

EUROPEAN COMMISSION

Study on evaluation of practices for combating speculative and abusive domain name registrations

Directorate-General for Communications Networks, Content and Technology 2020

EUROPE DIRECT is a service to help you find answers to your questions about the European Union Freephone number (*): 00 800 6 7 8 9 10 11

(*) The information given is free, as are most calls (though some operators, phone boxes or hotels may charge you)

LEGAL NOTICE This document has been prepared for the European Commission however it reflects the views only of the authors, and the European Commission is not liable for any consequence stemming from the reuse of this publication. The Commission does not guarantee the accuracy of the data included in this study. More information on the European Union is available on the Internet (http://www.europa.eu).

PDF ISBN 978-92-76-20634-7 Doi: 10.2759/428574 KK-01-20-432-EN-N

Manuscript completed in May 2020

The European Commission is not liable for any consequence stemming from the reuse of this publication. Luxembourg: Publications Office of the European Union, 2020

The reuse policy of European Commission documents is implemented by the Commission Decision 2011/833/EU of 12 December 2011 on the reuse of Commission documents (OJ L 330, 14.12.2011, p. 39). Except otherwise noted, the reuse of this document is authorised under a Creative Commons Attribution 4.0 International (CC-BY 4.0) licence (https://creativecommons.org/licenses/by/4.0/). This means that reuse is allowed provided appropriate credit is given and any changes are indicated. For any use or reproduction of elements that are not owned by the European Union, permission may need to be sought directly from the respective rightholders.

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

DISCLAIMER

By the European Commission, Directorate-General of Communications Networks, Content & Technology.

The information and views set out in this publication are those of the author(s) and do not necessarily reflect the official opinion of the Commission. The Commission does not guarantee the accuracy of the data included in this study. Neither the Commission nor any person acting on the Commission’s behalf may be held responsible for the use which may be made of the information contained therein. Reproduction is authorised provided the source is acknowledged.

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

TABLE OF CONTENTS

1. EXECUTIVE SUMMARY ...... 4 1.1 The .eu Registry’s collaborations with other bodies ...... 5 1.2 Comparison of the .eu Registry with European market peers ...... 7 1.2.1 Registration procedure ...... 7 1.2.2 Alternative Dispute Resolution (ADR) mechanisms ...... 8 2. INTRODUCTION ...... 10 2.1 SMEs in the EU ...... 10 2.2 Domain Name System (DNS) ...... 10 2.3 The .eu Top-Level Domain (TLD) ...... 11 3. SCOPE OF THE STUDY, METHODOLOGY AND LIMITATIONS ...... 12 3.1 Scope of the Study ...... 12 3.2 Methodology ...... 12 3.3 Limits of the Study ...... 13 4. LEGAL FRAMEWORK ...... 15 5. DEFINITION OF ABUSE ...... 20 6. COLLABORATION BETWEEN EURID AND EUIPO ...... 22 6.1 About EUIPO ...... 22 6.2 Formalisation of the collaboration between EURid and EUIPO ...... 22 6.3 Activities carried out within the scope of the Letter of Collaboration signed in 2016 ...... 23 6.4 Activities carried out within the scope of the Letter of Agreement signed in 2019 ...... 24 6.4.1 Availability check ...... 24 6.4.2 Notification upon registration of a .eu domain name (alert) ...... 25 6.4.3 Roles and responsibilities of EURid and EUIPO and data exchange ...... 25 6.4.4 Awareness of rightsholders and usage of the functionalities made available under the Letter of Agreement signed in 2019 ...... 26 6.5 Future activities planned to be realised by EUIPO and EURid ...... 30 7. COLLABORATION BETWEEN EURID AND EUROPOL ...... 34 7.1 About Europol ...... 34 7.2 Formalisation of the collaboration between EURid and Europol ...... 34 8. OTHER COLLABORATIONS ESTABLISHED BY EURID ...... 36 9. DOMAIN NAME REGISTRATION PROCEDURE ...... 37 9.1 General overview of the .eu domain name ...... 37 9.2 The .eu domain name registration procedure ...... 38 9.3 Registration data accuracy and registrant identification requirements ...... 39 9.4 Registration data verification activities ...... 41 9.5 Predictive algorithms used to verify registration data and prevent abuse ...... 42 9.6 Stats on registration data verification activities ...... 43 9.7 Cross-checks with reference to IPR ...... 44 9.8 Other post-delegation measures put in place by EURid ...... 45 9.8.1 Content monitoring ...... 45 9.8.2 Whois lookup ...... 45 9.8.3 Information on how to claim a domain name ...... 46 9.8.4 Registrant data release ...... 46 9.8.5 Stakeholder feedback on the .eu registration procedure ...... 47 9.9 Other ccTLDs’ registration procedures ...... 48 9.9.1 .be ...... 48 9.8.2 .dk ...... 51 9.8.3 .hu ...... 53 9.8.4 .it ...... 54 9.8.5 .uk ...... 57 9.10 Comparison of the .eu registration procedure with the ccTLDs ...... 58

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

10. ALTERNATIVE DISPUTE RESOLUTION MECHANISM (ADR) ...... 60 10.1 International backdrop ...... 60 10.2 .eu ADR ...... 61 10.2.1 Overview of the .eu ADR ...... 61 10.2.2 Stats on the .eu ADR ...... 64 10.2.3 Additional information on .eu ADR providers ...... 72 10.2.3.1 CAC ...... 72 10.2.3.2 WIPO ...... 73 10.2.4 Stakeholder feedback on .eu ADR ...... 73 10.3 Other ccTLD’s ADR ...... 74 10.3.1 .be ADR ...... 74 10.3.2 .dk ADR ...... 77 10.3.2.1 .dk ADR before the Danish Complaints Board for Domain Names ...... 77 10.3.2.2 Procedure involving typosquatting cases before the .dk Registry ...... 80 10.3.3 .hu ADR ...... 81 10.3.3.1 Objection procedure prior to the delegation of the domain name before the Consulting Board ...... 82 10.3.3.2 Procedure after the delegation of the domain name before the Registration Decision-maker 83 10.3.4 .it ADR ...... 85 10.3.4.1 Re-assignment procedure ...... 86 10.3.4.2 Opposition procedure before the .it Registry ...... 89 10.3.5 .uk ADR ...... 90 10.4 Comparison of the .eu ADR mechanism with the ccTLDs ...... 93 11. CONCLUSIONS AND RECOMMENDATIONS ...... 95 11.1 Recommendations with reference to the collaborations between the .eu Registry and other bodies ...... 95 11.2 Recommendations with reference to the .eu registration procedure ...... 97 11.3 Recommendations with reference to the .eu ADR mechanism ...... 100 12. ACRONYMS, ABBREVIATIONS AND TERMS ...... 103 13. ACKNOWLEDGEMENTS ...... 105

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

1. EXECUTIVE SUMMARY

This study (Study) was commissioned by the European Commission to evaluate the practices aimed at preventing and fighting speculative and abusive .eu domain name registrations, in particular those related to the infringement of previously recognised rights. The Study assesses in particular:  The .eu Registry’s collaborations with the European Union Intellectual Property Office (EUIPO), Europol and other European Union agencies;  The .eu registration procedure;  The .eu Alternative Dispute Resolution (ADR) mechanism in place for the resolution of domain name disputes.

For the purpose of the Study, speculative and abusive registration is defined as a domain name registration identical or confusingly similar to a name in respect of which a right is recognised or established by national and/or Community law and where it: (a) has been registered by its holder with no right or legitimate interest associated with said name; or (b) has been registered or is being used in bad faith.1 Protected rights include, inter alia, registered national and community trade marks, geographical indications or designations of origin, and, insofar as they are protected under national law in the Member State where they are held: unregistered trade marks, trade names, business identifiers, company names, family names, and distinctive titles of protected literary and artistic works (all together intellectual property rights – IPR).2 According to Article 21 of Regulation (EC) No 874/2004, speculative and abusive registrations shall be subject of revocation, using the .eu ADR proceeding or a judicial procedure initiated by the rightsholders.

Internet is without doubt a facilitator for IPR infringement.3 4 The number of .eu domain name disputes filed with the .eu ADR providers5 represents the mere tip of the iceberg and does not reflect the full extent of the phenomenon of speculative and abusive registrations, including but not limited to cybersquatting6, in the .eu TLD. In some cases, businesses, especially small and medium enterprises (SMEs), do not take action due to the lack of awareness on the infringement and/or on the measures available for the enforcement of their IPR or for other reasons (e.g., they consider taking action complex, not affordable or inconvenient). Others reach amicable settlement agreements or simply acquire the abusive domain name from the registrant, one of the main outcomes cybersquatters seek. Some cases are brought before courts, especially when the rightsholders aspire to obtain damages. Finally, in cases where other types of abuses (fake registration data, impersonation, scam, malware distribution, phishing, copyright infringement, trade mark infringement within the website content, etc.) are connected to speculative and abusive registrations, domain names might be subject to investigation

1 This definition is in line with Article 21 of Regulation (EC) No 874/2004. Broader definitions of speculative and abusive registrations exist both in literature and practice. 2 Article 10(1) of Regulation (EC) No 874/2004 3 EUIPO 2019 Status Report on IPR Infringement: https://euipo.europa.eu/tunnel- web/secure/webdav/guest/document_library/observatory/documents/reports/2019_Status_Report_on_IPR_infringement/ 2019_Status_Report_on_IPR_infringement_en.pdf 4 EUIPO Research on Online Business Models Infringing Intellectual Property Rights – Phase 2: https://euipo.europa.eu/tunnel- web/secure/webdav/guest/document_library/observatory/documents/reports/Research_on_Online_Business_Models_Inf ringing_IP_Rights.pdf 5 Total number of ADR proceedings in 2017: 66, 2018: 71, 2019: 54 6 Cybersquatting is defined by the Internet Corporation for Assigned Names and Numbers (ICANN) as bad faith registration of another's trade mark in a domain name: https://www.icann.org/resources/pages/cybersquatting-2013-05- 03-en 4

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

and ex officio actions on behalf of the .eu Registry or European Union and national law enforcement authorities (Europol7, law enforcement or public prosecutors in Member States). Therefore, the phenomenon of speculative and abusive registrations shall be analysed within the broader context of online abuses.

“Prevention is better than cure” applies here too. The Study suggests that the .eu Registry make further efforts to adopt preventive measures purposed at avoiding abuse, and thus reduce the need to resort to curative measures on rightsholders’ part. The Study also suggests further improvements of the curative measures. For the sake of clarity, practices put in place before the domain name is delegated to the zone file (pre-delegation phase) amount to preventive measures. Curative measures offer remedy after some harm (the delegation) has already been done.

1.1 The .eu Registry’s collaborations with other bodies

In dealing with the collaboration between the .eu Registry and EUIPO, the Study focuses on two measures these bodies have devised. The measures are available to European Union trade mark (EUTM) holders under the letter of agreement signed by the .eu Registry and EUIPO in May 2019 and consist in:  Availability check: at the time of filing of an EUTM application, EUTM applicants can check if an equivalent .eu domain name is available and, if so, register it with the accredited registrars;  Alert: EUTM applicants and holders can opt-in to receive alerts as soon as a .eu domain name is registered that is identical to their EUTM (application). The Study regards the availability check as a useful preventive and awareness-raising measure at the same time, since it informs the EUTM applicant about the possibility of registering the corresponding .eu domain name when filing an EUTM application, thus enabling such rightsholder to take action before any speculative and abusive registration might occur. In case the corresponding .eu domain name is not available, the EUTM applicant can check if a third party has engaged in a speculative and abusive registration. In a broader context, its educative purpose is to encourage the rightsholders to adopt a holistic approach in protecting their IPR. The scope of the notification (alert) is that the EUTM holder is informed as soon as anybody registers an identical .eu TLD to its EUTM. Thus, this useful measure enables the EUTM holder to take appropriate action in a timely manner. Such alert is only sent to users who have expressly opted in and limited to cases where a domain name identical to the EUTM has been registered.8 From a general standpoint, technical adjustments are necessary to make the measures in question more effective, and further awareness is required to make their use more commonplace.

With reference to the collaboration between the .eu Registry and EUIPO, the Study recommends to:

7 https://www.europol.europa.eu/newsroom/news/30-506-internet-domain-names-shut-down-for-intellectual-property- infringement 8 Only small variants are considered such as the addition of hyphen(s) and/or numbers. 5

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

 Carry out further awareness-raising and knowledge-building activities on both sides in order to make rightsholders aware of the existing measures, and thus increase their use;  Evaluate whether legal constraints exist and determine how to overcome such legal constraints so as to extend the alert to all EUTM holders (or their representatives), without the need to opt in (automatic opt-in);  Evaluate the feasibility of extending the EUIPO service of the similarity report, available for EUTM applicants during the e-filing process and consisting in receiving information from EUIPO and/or national trade mark offices on earlier identical or similar trade marks, to identical or similar .eu domain names;  Include information on .eu domain names and the measures in question (i.e., availability check and alert) in the document provided by the EUIPO to the EUTM applicants as final receipt and official record of the EUTM applications. The same information could be included in EUIPO’s subsequent communication to the EUTM applicants upon successful registration of their EUTM application to reinforce the awareness as to the existence of such measures;  Further study, develop and carry out on both sides plans on future measures and common actions, such as:  the EUIPO becoming a .eu accredited registrar and integrating the .eu domain name registration with EUTM applications to offer a one-stop-shop solution to rightsholders;  developing and launching a search tool that enables users to verify the availability of their term both as EUTM and .eu domain name;  further awareness-raising and knowledge-building programmes with a view to making the intellectual property system more effective for SMEs by simplifying registration procedures.9 10

Concerning the collaboration between the .eu Registry and Europol, which is still at the outset and informal in essence, this is to be further strengthened and formal processes are to be set up for the parties to interact. The two bodies ought to carry out awareness- raising and knowledge-building activities jointly to inform the public and train cybersecurity experts and law enforcement officers on cybercrime threats, including intellectual property crimes committed through the Internet, and on the available measures to prevent and fight them.

National registered trade marks are protected under .eu to the same extent as EUTMs. However, no structured collaboration of the .eu Registry with Member States’ trade mark offices exists. Hence, it is necessary to take steps in setting up, possibly through a single point of contact (e.g., European Union Intellectual Property Network - EUIPN11), collaborations and measures to combat speculative and abusive registrations. The Study also recommends extending the .eu Registry’s collaboration in place with EUIPO to Member States’ trade mark offices by offering the measures of availability check and/or alert to their users as well.

9 EU SME Strategy for a sustainable and digital Europe: https://ec.europa.eu/info/sites/info/files/communication-sme- strategy-march-2020_en.pdf 10 EUIPO Strategic Plan 2025: https://euipo.europa.eu/tunnel- web/secure/webdav/guest/document_library/contentPdfs/about_euipo/strategic_plan/strategic-plan-2025_en.pdf 11 https://euipo.europa.eu/ohimportal/en/european-cooperation 6

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

already occurred. Therefore, the .eu Registry ought to study solutions for setting up collaborations with entities and agencies to carry out (directly or indirectly) checks in databases (e.g., the European Commission’s EU Geographical Indications register - eAmbrosia12) and, in case of identity (or similarity) with the .eu domain names, notifies (directly or indirectly) the rightsholders enabling them to take action; or takes action directly (ex officio). This would, in practice, mean extending the alert functionality to those IPR as well.

1.2 Comparison of the .eu Registry with European market peers

For the purpose of the Study, five European ccTLDs actively combating abusive and speculative domain name registrations were identified and compared with the .eu TLD:  .be: country code for Belgium;  .dk: country code for Denmark;  .hu: country code for Hungary;  .it: country code for Italy;  .uk: country code for the United Kingdom.

Both the registration procedures and the ADR mechanisms of such ccTLDs and the .eu were compared in order to identify good practices which could be implemented in the .eu TLD.

1.2.1 Registration procedure

Based on the comparison carried out and the feedback of the stakeholders, the Study retains that the .eu domain name registration procedure is quite a simple and straightforward process. However, considered that establishing preventive measures to avoid speculative and abusive registrations in the registration (and pre-delegation) phase is crucial, there is still room for improvement. Existing curative measures could be further boosted as well.

The Study recommends that the .eu Registry make the following improvements in the .eu registration procedure and in the measures put in place to prevent and curate speculative and abusive registrations:

 Requiring the registrars to carry out strict identification of the registrants’ identity, possibly through eID authentication, in order to enter correct and accurate registration data in the .eu registry (such as in .dk);  Providing for a publicly accessible list of the domain name registration requests before the delegation of domain names and allowing a sufficient time period (at least from 1 week to 10 days) to enable those holding previously established rights to submit objections to the .eu Registry or the ADR providers aimed at preventing the registration of speculative and abusive domain names (such as in .hu). Until the deadline to submit objections has elapsed, the requested domain names should not be delegated and thus used for websites, email or other services;  Carrying out (directly or through collaborations) cross-checks in official databases, especially those related to Member States’ national trade marks, geographical indications and designations of origin, trade names, business identifiers and company names, distinctive titles of protected literary and artistic

12 https://ec.europa.eu/info/food-farming-fisheries/food-safety-and-quality/certification/quality-labels/geographical- indications-register/ 7

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

works to identify matches between the .eu domain name requests and IPR (such as in .dk, .hu, .uk);  Expressly recommending in the Registration Policy and Terms and Conditions13 that .eu registrants carry out, directly or indirectly through professionals or experienced organizations, cross-checks before registration, aimed at reducing speculative and abusive registrations (such as in .hu, .uk);  Offering, directly or through the registrars, services allowing IPR holders to preventively block infringing domain name registrations (similar to services already existing on the gTLD market14);  Extending the use of predictive algorithms to prevent speculative and abusive registrations and not only malicious registrations (i.e., phishing, spamming, distribution of malware, Botnet command and control);  Improving and raising rightsholders’ awareness as to the already existing similarity search tool within the Whois lookup to carry out searches or receive a list with similar domain names that could potentially infringe their rights (such as in .be);  Making readily accessible information available to users on how to report different types of misuses (such as in .be, .dk, .uk).

1.2.2 Alternative Dispute Resolution (ADR) mechanisms

The Study finds that the .eu ADR works as intended. However, based on the analysis of the ccTLD’s ADR mechanisms and stakeholder feedback, there is still room for improvement.

The Study recommends the following improvements to make the .eu ADR simpler, more accessible and affordable for SMEs:

 Making available (an) online dispute management portal(s) to enable parties to handle the entirety of the .eu disputes online (currently not all .eu ADR providers make it available) (such as in .dk, .hu, .uk);  Shortening the deadlines of the .eu ADR procedure in order to render it swifter (e.g., by including the possibility of requesting the change of the language used within the procedure within the .eu domain dispute itself; shortening the response period; shortening the decision period) (in line with the Uniform Domain Name Dispute Resolution Procedure - UDRP);  Reducing filing fees for initiating a .eu ADR procedure on a permanent and not merely temporary basis, especially for SMEs in order to keep the procedure affordable for rightsholders;  Introducing a ‘loser pays’ mechanism as a deterrent against speculative and abusive registrations and enabling the prevailing party to recover its filing costs incurred for initiating the .eu ADR procedure (as is the case in .be, .hu);  Including a mediation phase within the .eu ADR procedure (such as in .dk, .uk);  Providing for an appeal mechanism within the .eu ADR procedure (such as in .be, .uk);

13 https://eurid.eu/en/about-us/document-repository/ 14 Currently on the gTLD market there are several domain blocking services exist such as Donut’s Domain Protected Marks List (DPML), Trademark Clearinghouse’s (TMCH) TREx, Uniregistry’s Uni EPS, ICM Registry’s AdultBlock, .club Registry’s .club Trademark Sentry. Most of them are based on trade marks entered in the TMCH repository; .club Trademark Sentry is based on US trade mark registrations. 8

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

 Providing for expedited (fast-track) procedures such as the suspension of domain names by the Registry in clear typosquatting cases15 (such as in .dk) or procedures similar to Uniform Rapid Suspension system - URS16;  Providing for preliminary procedures available before the dispute over the domain name is initiated. For example, such preliminary procedure might consist of the possibility of raising an objection with the .eu Registry or the ADR provider(s) against a domain name registration request in the pre-delegation phase (such as in .hu) or filing an opposition with the .eu Registry against a domain name registration (post-delegation) in order to obtain the lock of the domain name (such in .it).

15 Typosquatting is a form of cybersquatting which relies on mistakes such as typos made by the Internet users when inputting a website address into a web browser. The typosquatted domain name consist of a common, obvious, or intentional misspelling of a trade mark (e.g., adjacent keyboard letters, substitution of similar-appearing characters, inversion of letters and numbers, the addition or interspersion of other terms or numbers). 16 URS is a rights protection mechanism launched by ICANN in 2013 with the introduction of the new gTLDs. URS is a low cost and quick proceeding for rightsholders experiencing clear-cut cases of trade mark infringement caused by domain name registrations. URS results in the temporary take down (suspension) of the domain name until the expiry of the same. At the end of the registration period the domain name is cancelled by the registry operator. 9

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

2. INTRODUCTION

2.1 SMEs in the EU

Europe’s 25 million SMEs are the backbone of the European Union (EU) economy. SMEs are indeed crucial in allowing the EU to transition towards a sustainable and digital economy. They employ around 100 million people, account for more than half of Europe’s gross domestic product (GDP) and add value to every sector of the economy. In addition, SMEs bring innovative solutions to global challenges such as climate change, resource efficiency and social cohesion, and expand innovation’s reach throughout Europe’s regions. They are essential to Europe’s competitiveness and prosperity, economic and technological primacy, and resilience to external shocks. As such, they represent a core element in carrying out the EU’s industrial strategy.17

The recent Communication of the European Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of Regions on the SME Strategy for a sustainable and digital Europe highlights that SMEs incur difficulty in developing intellectual property strategies to protect their investments in research and development (R&D) and raise growth capital. Only 9% of SMEs protect their intellectual property, as they are unaware of EU and national intellectual property initiatives or fear the complexity and expense of acquiring and enforcing them.

The Internet has provided European SMEs with previously unthinkable access to markets and consumers throughout the world. However, the risk of falling victim to online intellectual property infringement and other types of cybercrimes (e.g., phishing, spamming, distribution of malware, Botnet command and control, etc.) has also increased exponentially.18 19 20

2.2 Domain Name System (DNS)

The Domain Name System (DNS) is a hierarchical and decentralised naming system for computers, services, or other resources connected to the Internet or a private network. It associates various information with domain names assigned to each of the participating entities. Most prominently, it translates more readily memorised domain names to the numerical Internet Protocol addresses (IP addresses) needed for locating and identifying computer services and devices with the underlying network protocols. By providing a worldwide, distributed directory service, the DNS has been an essential component of the functionality of the Internet since 1985.

The DNS exists to foster a healthy, functional and trustworthy Internet, but it is not immune to abuse. The .eu domain is no exception.

17 EU SME Strategy for a sustainable and digital Europe: https://ec.europa.eu/info/sites/info/files/communication-sme- strategy-march-2020_en.pdf 18 EUIPO – Europol 2017 Situation Report on Counterfeiting and Piracy in the European Union: https://www.europol.europa.eu/publications-documents/2017-situation-report-counterfeiting-and-piracy-in-european- union 19 EUIPO – Europol Intellectual Property Crime Threat Assessment Report 2019: https://euipo.europa.eu/tunnel- web/secure/webdav/guest/document_library/observatory/documents/reports/2019_IP_Crime_Threat_Assessment_Repo rt/2019_IP_Crime_Threat_Assessment_Report.pdf 20 Europol Internet Organized Crime Threat Assessment Report 2019: https://www.europol.europa.eu/iocta-report 10

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

At global level, cybersquatting cases continue growing year in and year out.21 The World Intellectual Property Organization (WIPO) reported 7% increase in domain name disputes in 2019 compared to the previous year. Such increase reflects the proliferation of websites used for counterfeit sales, fraud, phishing, and other forms of online abuses. This proves vigilance is required on an ongoing basis on the part of rightsholders around the world. Fraud and phishing or sale of counterfeit goods pose the most obvious threats, but all forms of cybersquatting affect consumers as well.

2.3 The .eu Top-Level Domain (TLD)

The .eu is the country code Top-Level Domain (TLD) for the European Union. It is one of the largest European TLDs with over 3.6 million registrations on a market of over 72 million domain names under management.22 23 End-users of the .eu TLD include individuals, businesses from different industry sectors24 and other entities, as well as EU institutions, agencies and bodies.

The European Commission is responsible for the .eu TLD. The .eu registry operator (the .eu Registry or EURid) is entrusted by the Commission with organising, administering and managing the .eu TLD, including maintenance of the corresponding databases and the associated public query services, registration of domain names, operation of the registry of domain names, operation of the registry TLD name servers and dissemination of TLD zone files.25

Furthermore, the .eu Registry is required to adopt policies and implement measures against speculative and abusive registration of domain names, as this is fundamental to maintain a high level of trust in the .eu TLD.26

The European Commission promotes and assesses the cooperation between the .eu Registry, EUIPO and other EU agencies (e.g., Europol), with a view to combating the speculative and abusive registrations of domain names, including cybersquatting, and establishing simple administrative procedures, in particular for SMEs.27 28

21 Number of cases filed with the World Intellectual Property Organization (WIPO) in 2019: 3693 https://www.wipo.int/pressroom/en/articles/2020/article_0005.html; 2018: 3447 https://www.wipo.int/pressroom/en/articles/2019/article_0003.html; 2017: 3074 https://www.wipo.int/pressroom/en/articles/2018/article_0001.html; 2016: 3036 https://www.wipo.int/pressroom/en/articles/2017/article_0003.html 22 The Council of European National Top-Level Domain Registries’ (CENTR) stats as of Q4 2020: https://stats.centr.org/stats/global 23 EURid’s stats as of 31 March 2020: https://eurid.eu/media/filer_public/83/87/8387d2d7-1e16-4b30-ada4- 6fa0e813df4f/quarterly_report_q12020.pdf 24 EURid’s .eu website categorization: https://eurid.eu/en/news/eu-website-categorization/ 25 Article 2 of Regulation (EC) No 733/2002 26 Article 5 of Regulation (EC) No 733/2002 and Article 11 of Regulation (EU) 2019/517 27 Recital 7 of Regulation (EU) 2019/517 28 Article 16(2) of Regulation (EU) 2019/517 11

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

3. SCOPE OF THE STUDY, METHODOLOGY AND LIMITATIONS

3.1 Scope of the Study

The Study aims to assess the .eu Registry’s practices in tackling speculative and abusive registrations under the .eu TLD and to inform policy-makers on effective policies in fighting such registrations.29

First, the Study shall evaluate the ongoing cooperation among EURid, EUIPO and other European Union agencies in this field (specifically Europol), and whether and how their ongoing cooperation could be improved. The Study further investigates the cooperation with other EU agencies in this field and/or whether any ought to be established.

Secondly, the Study shall assess the .eu registration procedure and other administrative procedures of the .eu Registry with a view to finding whether a simplification is needed to facilitate the registration of domain names and to avoid speculative and abusive registrations, in particular with regards to SMEs. In order to do so, the Study compares the .eu Registry’s procedures with the those of identified European registry operators (.be, .dk, .hu, .it, .uk).

Then the Study also compares and assesses the ADR mechanisms available under .eu and the above-mentioned ccTLDs.

Based on the outcome of the assessment, the Study shall identify the areas where the .eu Registry’s practices need to be improved and where the collaboration with EUIPO, Europol and other EU agencies is to be strengthened or further developed and which practices ought to be enhanced or introduced to contribute to reducing speculative and abusive domain name registrations under the .eu TLD and to maintain a secure, transparent and trustworthy .eu online environment.

3.2 Methodology

The methodology used consisted in an extensive literary review of relevant industry reports and gathering and analysing of data, information and documents from multiple stakeholders.

The following stakeholders were interviewed through in-person meetings, videoconferences, phone calls or surveys: the .eu Registry – EURid, EUIPO, Europol, ccTLD Registries (DNS Belgium for .be, DK Hostmaster for .dk, Council of Hungarian Internet Providers – ISZT for .hu, Institute of Informatics and Telematics of the National Council of Researches – Registro .it for .it, Nominet for .uk), European ccTLD Registries’ associations (Council of European Top-Level Registries – CENTR), registrars (Register .it, Safebrands, IP Twins, Com Laude - Valideus), rightsholders’ associations and networks (European Brands Association – AIM, Organization for an International Geographical Indications Network – oriGIn, European IPR Helpdesk), practitioners with expertise in intellectual property law and domain names and domain name Panellists in gTLD and ccTLD disputes, companies specialised in brand protection (Safebrands, IP Twins), associations of representatives of rightsholders (European Communities Trade Mark Association – ECTA, Marques), ADR providers (Czech Arbitration Court – CAC for .eu, World Intellectual Property Office – WIPO for .eu, Belgian Centre for Arbitration and

29 Article 16 of Regulation (EU) 2019/517 12

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

Mediation – CEPANI for .be, the Danish Complaints Board for Domain Names for .dk, Infomediátor for .hu, MFSD for .it and Nominet for .uk, SME associations (SMEunited).

Furthermore, walk-through tests were carried out in order to test the measures put in place by EURid and other bodies (e.g. EUIPO).

The market analysis and comparison used both qualitative and quantitative methods to identify differences and similarities using equivalent concepts and to understand and outline the best practices and possible shortcomings of the .eu procedures, such as to enable the authors of the Study to provide the Commission with specific recommendations towards achieving the intended outcome. This includes assessing administrative procedures that would allow SMEs to effectively combat speculative and abusive registrations under the .eu TLD and recommending possible supplementary measures.

All data and information collected were analysed and compared and constitute the basis for the Study’s findings.

3.3 Limits of the Study

The limits of the Study consist in a shortage of available data on certain aspects.

SMEs With regard to SMEs registering .eu domain names, little data was available, since EURid collects data on the number of registrations and recently carried out a study on the use of the .eu domains by the registrants (and on their industries of reference)30, but no further breakdown is available. Furthermore, the SMEs offered few substantive responses. This might depend on a lack of awareness as to intellectual property rights and their enforcement on the SMEs’ part. This reinforces the Study’s finding that further knowledge- building activities ought to be carried out on the subject matters and all stakeholders should work in such direction. However, to some extent, the SMEs’ position was traced by analysing the responses received from the practitioners, the rightsholders’ and their representatives’ associations (i.e., ECTA, Marques), further to the responses received from SMEunited.

Extent of the phenomenon of speculative and abusive registrations in the .eu TLD No data is available on the overall number of speculative and abusive registrations in the .eu TLD. Such data is not collected by EURid. As mentioned above, the .eu ADR procedures exclusively specify the number of cases in which the rightsholders took action by initiating the same. In some cases, no such action is taken. This might be due to the SMEs’ lack of awareness of IPR and their enforcement. Some speculative and abusive registrations might also be connected to other types of abuses, specifically cybercrimes. The .eu Registry is proactive in detecting cybercriminal activities and inaccuracy in the registration data by employing predictive algorithms. Where such abuses are detected, EURid or LEAs take action. In this sense, the speculative and abusive registrations could be part of the broader definition of abusive registrations. Since January 2018, over 60.000 malicious .eu domain names were taken down by EURid.31 32

Collaboration between the .eu Registry and EUIPO

30 https://eurid.eu/en/news/eu-website-categorization/ 31 https://eurid.eu/en/news/1st-ai-suspension-system-for-ds/ 32 https://www.domainpulse.com/2020/02/07/60000-eu-registrations-correctly-identified-as-malicious-by-apews/ 13

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

The availability check and alert functionalities were made available to EUTM holders in May 2019, a year ago. Both parties are still carrying out technical improvements to such functionalities. The feasibility of EUIPO and EURid’s future plans and their potential benefit to SMEs (such as EUIPO becoming a .eu accredited registrar and incorporating the registration of the .eu domain name within the EUTM registration procedure in order to offer a one-stop-shop solution to applicants) could hardly be assessed by the Study due to the ongoing discussions between the parties and to several unknown factors (e.g., at this time different options are being studied by EUIPO itself and, due to financial and legal issues, it is still unclear which solution could be adopted; no information on EUIPO’s technical readiness and ability to perform such activities has been disclosed; EURid’s interest in accrediting EUIPO as registrar is also unknown).

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

4. LEGAL FRAMEWORK

The .eu TLD is regulated by:  Regulation (EC) No 733/2002 of the European Parliament and of the Council33, implementing the .eu ccTLD  Commission Regulation (EC) No 874/200434, laying down public policy rules concerning the implementation and functions of such TLD, amended by Commission Regulation (EU) No 2015/51635

Since the adoption of those regulations, the political and legislative context in the EU, the online environment and the market have changed considerably. Therefore, on 19 March 2019 Regulation (EU) 2019/517 of the European Parliament and the Council on the implementation and functioning of the .eu top-level domain name and amending and repealing Regulation (EC) No 733/2002 and repealing Commission Regulation (EC) No 874/200436 was adopted. The new Regulation was published in the Official Journal of the EU on 29 March 2019 and entered into force on 18 April 2019. As established under Article 22, it will be effective starting from 13 October 2022, repealing the current Regulations, except for Article 20 (eligibility criteria), which is effective as of 19 October 2019.

The purpose of the .eu TLD is to help enhancing the EU identity and promote EU values online through good management, values such as multilingualism, respect for users’ privacy and security and respect for human rights, as well as specific EU priorities.37

The European Registry for Internet Domains (EURid), is a private, independent, non-profit organisation existing under Belgian law. EURid has been designated by the Commission as the .eu Registry since 21 May 2003.38 For that purpose, the Commission entered into a service concession contract with EURid. The current service concession contract of EURid with the Commission has been extended until 12 October 2022.

The .eu Registry must observe the rules, policies and procedures laid down in the cited Regulations and the contract with the Commission. Its main obligations under Article 2 of Regulation (EC) No 733/2002 are to: (a) organise, administer and manage the .eu TLD in the general interest and on the basis of principles of quality, efficiency, reliability and accessibility; (b) register domain names in the .eu TLD through any accredited .eu registrar requested by any eligible party39 on the basis of the ‘first-come-first-served’ principle; (c) impose fees directly related to costs incurred; (d) implement the extra-judicial settlement of conflicts policy based on recovery of costs and a procedure to resolve promptly disputes between domain name holders regarding rights relating to names including intellectual property rights as well as disputes in relation to individual decisions by the .eu Registry;

33 https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A32002R0733 34 https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A32004R0874 35 https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A32015R0516 36 https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A32019R0517#ntr3-L_2019091EN.01002501-E0003 37 https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A32019R0517 38 https://eurid.eu/en/about-us/ 39 Article 4(2)(b) of Regulation (EC) No 733/2002 as amended by Article 20 of Regulation (EU) 2019/517 15

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

(e) adopt procedures for, and carry out, accreditation of .eu registrars, providing domain name registration services to registrants via contract with the .eu Registry; (f) ensure the integrity of the databases of domain names.

Pursuant to Article 10 of Regulation (EU) 2019/517, the Registry is required to: (a) promote the .eu TLD across the Union and in third countries; (b) comply with the rules, policies and procedures laid down in this Regulation, with the contract referred to in Article 8(4), and, in particular, with Union data protection law; (c) organise, administer and manage the .eu TLD in the general public interest and ensure in all aspects of the administration and management of the .eu TLD, high quality, transparency, security, stability, predictability, reliability, accessibility, efficiency, non-discrimination, fair conditions of competition and consumer protection; (d) enter into an appropriate contract providing for the delegation of the .eu TLD code, subject to the prior consent of the Commission; (e) perform the registration of domain names in the .eu TLD where requested by any eligible party referred to in Article 3; (f) ensure, without prejudice to any court proceedings, and subject to adequate procedural guarantees for the parties concerned, the possibility for Registrars and registrants to resolve any contractual dispute with the Registry by means of ADR; (g) ensure the availability and integrity of the databases of domain names; (h) at its own expense and with the consent of the Commission, enter into an agreement with a reputable trustee or other escrow agent established within the territory of the Union designating the Commission as the beneficiary of the escrow agreement, and submit an up-to-date electronic copy of the content of the .eu TLD database to the respective trustee or escrow agent on a daily basis; (i) implement the lists referred to in Article 6(3); (j) promote the objectives of the Union in the field of internet governance, inter alia by participating in international forums; (k) publish the principles and procedures on the functioning of the .eu TLD laid down on the basis of Article 11 in all of the official languages of the Union institutions; (l) at its own expense, undertake an audit by an independent body at least every two years to certify its compliance with this Regulation and send the outcome of such audits to the Commission; (m) participate, where requested by the Commission, in the work of the .eu Multistakeholder Advisory Group and cooperate with the Commission to improve the functioning and management of the .eu TLD.

Speculative and abusive registration is defined by Article 21 of Commission Regulation (EC) No 874/2004 as a domain name identical or confusingly similar to a name in respect of which a right is recognised or established by national and/or Community law, such as the rights mentioned in Article 10(1) (prior rights), and where it: (a) has been registered by its holder without rights or legitimate interest in the name; or (b) has been registered or is being used in bad faith.

As mentioned above, the .eu Regulations provide that the .eu Registry ought to adopt policies and implement measures to avoid speculative and abusive registration of domain names.40

40 Article 5 of Regulation (EC) No 733/2002 and Article 11 of Regulation (EU) 2019/517 16

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

The .eu TLD was placed in the Internet root zone on 2 May 2005 and launched on 7 December 2005. In order to avoid speculative and abusive registrations and safeguard prior rights, holders of prior rights and public bodies could benefit from a specific period of time (“sunrise period”) during which the registration (referred to as phased registration) of their domain names was exclusively reserved for such holders of prior rights and public bodies. The 4-month sunrise period, broken into two phases from 7 December 2005 to 6 February 2006 and from 7 February 2006 to 6 April 2006, was therefore put in place before the general registration availability date (“landrush”) as of 7 April 2006.

Whereas under the above-mentioned Article 21 a speculative and abusive registration shall be subject to revocation, using an appropriate extra-judicial or judicial procedure, under Article 20 the .eu Registry may revoke a domain name at its own initiative and without submitting the dispute to any extrajudicial settlement of conflicts where the domain holder breaches the terms of registration under Article 3, including the material inaccuracy in the registration data and/or in the registrant’s statement that the domain name registration has been made in good faith and does not infringe third-party rights.

Moreover, Regulation (EC) No 874/2004 provided that any verification by the Registry as to the validity of registration applications should take place subsequently to the registration at the initiative of the Registry or pursuant to a dispute for the registration of the domain name in question.41

Over the years, ‘in order to expand the security and abuse checks around .eu domain names’, it has become necessary to ensure that the verification by the .eu Registry of the validity of the registration applications takes place prior and not only subsequently to the registration at the initiative of the .eu Registry or pursuant to a dispute for the registration of the domain name in question.42 Therefore, Regulation (EC) No 874/2004 was amended accordingly by Commission Regulation (EU) 2015/516.43

In recital (17), Regulation (EU) 2019/517 provides that the alternative dispute resolution (ADR) procedures to be adopted should comply with Directive 2013/11/EU of the European Parliament and of the Council and take into account the international best practices in this area and in particular the relevant recommendations of the World Intellectual Property Organization (WIPO), to ensure that speculative and abusive registrations are avoided as far as possible. Those ADR procedures should respect uniform procedural rules that are in line with those set out in the Internet Corporation for Assigned Names and Numbers’ (ICANN) Uniform Domain Name Dispute Resolution Policy (UDRP).

In recital (18) the Regulation provides that the policy on the abusive registration of .eu domain names should provide for verification by the .eu Registry of the data that it receives, specifically data concerning the identity of registrants, as well as revocation and blocking from future registration of domain names considered by a final decision of a Member State court to be defamatory, racist or otherwise contrary to the law of the Member State.

Pursuant to recital (20) the .eu Registry should adopt clear policies aiming to ensure the timely identification of abusive registrations of domain names and, where necessary, should cooperate with competent authorities and other public bodies relevant to

41 Article 3(3) of Regulation (EC) No 874/2004 42 Recital (2) of Commission Regulation (EU) 2015/516 43 https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A32015R0516 17

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

cybersecurity and information security which are specifically involved in the fight against such registrations, such as national computer emergency response teams (CERTs).

Under Article 4(3) the .eu Registry may revoke a domain name at its own initiative, without submitting the dispute to an ADR or judicial procedure, on the following grounds: (a) there are outstanding unpaid debts owed to the Registry; (b) the non-fulfilment by the domain name holder of the eligibility criteria pursuant to Article 3; (c) the breach by the domain name holder of the requirements for registration requests laid down on the basis of points (b) and (c) of Article 11.

Article 4(4) provides that a domain name may also be revoked, and where necessary subsequently transferred to another party, following an appropriate ADR or judicial procedure, in accordance with the principles and procedures on the functioning of the .eu TLD laid down pursuant to Article 11, where that name is identical or confusingly similar to a name in respect of which a right is established by Union or national law, and where it: (a) has been registered by its holder without rights or legitimate interest in the name; or (b) has been registered or is being used in bad faith.

The principles and procedures on the functioning of the .eu TLD are contained in Article 11, which provides that the contract, concluded between the Commission and the .eu Registry to be designated by 12 October 2021, shall include the principles and procedures concerning the functioning of the .eu TLD, in compliance with the Regulation, as exemplified by the following: “(b) requirements and procedures for registration requests, a policy on the verification of registration criteria, a policy on the verification of registrants' data, and a policy on the speculative registration of domain names; (c) a policy on abusive registration of domain names and a policy on the timely identification of domain names that have been registered and used in bad faith, referred to in Article 4”.

Pursuant to Article 9 of the Draft Implementing Regulation44 dated 26 February 2020, published on the Commission’s website for public comment until 26 March 2020: 1. The .eu Registry shall have policies and procedures in place to actively mitigate speculative and abusive domain names registrations in the .eu TLD in compliance with paragraphs (b), (c), (e) of Article 11 of Regulation (EU) 2019/517. In doing so, it shall cooperate with the European Union Intellectual Property Office and other Union agencies 2. The .eu Registry shall take into consideration at least the intellectual property rights covered in Commission Statement 2005/295/EC4, including copyright, trade marks, and geographical indications provided in Union or national law, and, in as far as they are protected under national law in the Member States where they are held: unregistered trade marks, trade names, business identifiers, company names, family names, and distinctive titles of protected literary and artistic works 3. To mitigate speculative and abusive domain names registrations, the .eu Registry shall have in place policies and procedures ensuring the accuracy of registration data, in particular data identifying registrants. The .eu Registry shall ensure that the registrars manage the registrations in line with the principles of security and accuracy of the data and in accordance with Union law

44 https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/7568263-Contract-between-the-European- Commission-and-the-eu-top-level-domain-Registry 18

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

4. The .eu Registry shall have in place policies and procedures for registration requests and for the verification of registration criteria and of registrants’ data, which shall ensure that any verification of the information takes place prior to the registration or subsequently, at the initiative of the .eu Registry or as a result of a dispute related to the registration of the domain name in question.

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

5. DEFINITION OF ABUSE

Considered the legal framework described above and the purpose of the Study, different terms must be distinguished.

According to Article 21 of Commission Regulation (EC) No 874/2004 the term speculative and abusive registration is related to prior rights identified by Article 10(1).45

The term of abuse, introduced by Commission Regulation (EU) 2015/516, is broader and is linked to the registrant’s breach of the registration terms contained in Article 3 of Commission Regulation (EC) No 874/2004, including but not limited to material inaccuracy in the registration data as well as bad faith registration and infringement of third-party rights.

The current Regulations will be repealed with effect from 13 October 2022.

Regulation (EU) 2019/517 does not contain the definition of the term speculative and abusive registration, but makes references to speculative and abusive registrations in recitals (7) and (17) and in Article 16, abusive registrations in recitals (18) and (20) and in Article 11(c) and speculative registration in Article 11(b). However, in the light of Article 14(1)(d), the registrations unsupported by rights or legitimate interests and the registrations used in bad faith are to be considered abusive registrations of domain names.

In a broader context, within the Internet community, certain abusive activities are referred to as DNS abuse.46 According to a recent framework developed by registries and registrars to counter abuse, such activities comprise cybercrime activities such as malware, botnets, phishing, pharming, and spam (when this latter serves as a delivery mechanism for the other forms of DNS abuse) and certain website content activity, namely distribution of child sexual abuse materials, illegal distribution of opioids, human trafficking and material with specific, credible incitements to violence.47 Although generally the framework was welcomed by the domain name industry as a positive step48, some observed that the definition of DNS abuse was excessively narrow and advocated revisiting it and including, among others, trade mark infringement at the DNS level (within the string) and copyright infringement at the website content level49.

Thus, on the domain market the term of ‘abuse’ is currently used in different contexts with different meanings starting from cybercrime to trade mark and copyright infringement, causing confusion in the interpretation of such term on several occasions.

In the opinion of the authors of the Study, Regulation (EU) 2019/517 (as well as the Draft Implementing Regulation) traces the path of a holistic approach towards defining abuse

45 Article 21(1) A registered domain name shall be subject to revocation, using an appropriate extra-judicial or judicial procedure, where that name is identical or confusingly similar to a name in respect of which a right is recognised or established by national and/or Community law, such as the rights mentioned in Article 10(1), and where it: (a) has been registered by its holder without rights or legitimate interest in the name; or (b) has been registered or is being used in bad faith. 46 https://gac.icann.org/activity/dns-abuse-mitigation 47 http://dnsabuseframework.org/media/files/2019-12-06_Abuse%20Framework.pdf 48 http://www.circleid.com/posts/20191017_domain_registries_and_registrars_release_joint_document_on_dns/ 49 https://www.worldtrademarkreview.com/anti-counterfeiting/registry-and-registrar-dns-abuse-framework-positive-step- falls-short 20

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

and, hence, including the speculative and abusive registrations within the broader term of abuse. However, for clarity and legal certainty, clearly defining each is advisable.

Although the focus of the Study is on the assessment of practices combating speculative and abusive .eu registrations as provided for under Article 21 of Regulation (EC) 874/2004, measures relating to other types of DNS abuses are also evaluated, since clear overlap or at least interconnection between the two phenomena exists, as also mentioned above.

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

6. COLLABORATION BETWEEN EURID AND EUIPO

6.1 About EUIPO

EUIPO (formerly known as the Office for Harmonization in the Internal Market – OHIM) is an agency of the European Union set up in 1994 and based in Alicante (Spain).50 EUIPO is responsible for the registration of the European Union trade mark (EUTM) and the registered Community design (RCD), two unitary IPR valid across the Member States of the EU.

Every year, it registers an average of 135.000 EUTMs and close to 100.000 RCDs. In 2019 nearly 135.000 EUTMs and 89.000 RCDs were registered. Approximately 15% of the EUTMs are submitted directly by the applicants and 85% through their representatives.

The work of EUIPO extends beyond registration to cover the harmonisation of registration practices for trade marks and designs and the development of common intellectual property management tools. This work is carried out in tandem with the national and regional intellectual property offices throughout the EU, user associations and other institutional partners, with the objective of offering the trade mark and design system users a similar registration experience, be it at national or at EU level.

Since June 2012, the European Observatory on Infringements of Intellectual Property Rights (Observatory) was entrusted to the EUIPO. The Observatory brings public and private stakeholders together in the fight against piracy and counterfeiting. Through the Observatory, EUIPO is able to actively participate in various areas of IPR other than trade marks and designs. Among others, the Observatory has carried out a comparative case study on alternative resolution systems for domain name disputes published in February 2019.51 At the time of drafting of this Study the Observatory is carrying out a study on the phenomenon of cybersquatting which is expected to be published in the summer of 2020. Therefore, the findings of such study could not be considered by the present Study.

Moreover, the EUIPO’s Strategic Plan 2025 envisages initiatives including enhanced cooperation with company name administrators as well as with domain name registrars and the .eu Registry in order to combat cybersquatting and other forms of speculative and abusive registrations of domain names. According to EUIPO this could take the form of establishing a one-stop-shop for registering business identifiers, including domain names, in conjunction with any other measure resulting from the evaluation and review by the Commission of the functioning of the .eu and the EUIPO’s collaboration with the .eu Registry in that regard.52

6.2 Formalisation of the collaboration between EURid and EUIPO

As mentioned above, the Commission promotes the collaboration between the .eu Registry and EUIPO with a view to combating the speculative and abusive registrations of

50 https://euipo.europa.eu/ohimportal/en/about-euipo 51 https://euipo.europa.eu/tunnel- web/secure/webdav/guest/document_library/observatory/documents/reports/2019_Comparative_case_study_on_alternat ive_resolution_systems/Comparative_case_study_on_alternative_resolution_systems_for_domain_name_disputes.pdf 52 https://euipo.europa.eu/tunnel- web/secure/webdav/guest/document_library/contentPdfs/about_euipo/strategic_plan/strategic-plan-2025_en.pdf 22

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

domain names, including cybersquatting, and providing simple administrative procedures, in particular for SMEs.53

The collaboration between EURid and EUIPO was formalised on 23 June 2016 for the first time by signing a letter of collaboration (Letter of Collaboration). This collaboration was forged as a means to combat fraudulent activity following evidence that third parties systematically browsed EUIPO’s database seeking new EUTM applications and made speculative and abusive .eu domain name registrations for the same terms. Following the signature of the collaboration letter, a workplan was defined and agreed upon by the two parties in order to implement the necessary changes in the system and with the aim of raising awareness and reducing cybersquatting. On 20 May 2019 the collaboration was extended by signing collaboration agreement (Collaboration Agreement).

The timeline below provides a high-level progression overview of the collaboration between EURid and EUIPO, specifying the main milestones.

6.3 Activities carried out within the scope of the Letter of Collaboration signed in 2016

In signing the Letter of Collaboration, a number of actions were identified, to be undertaken based on strategic areas. During the early collaboration stages focus was placed on information exchange, including attendance at each other’s events. The .eu Registry attended EUIPO’s European Intellectual Property Prosecutors Network event in March 2016 and EUIPO participated in .eu Registry’s cybersecurity conference organised during the first semester of 2017. Meanwhile, more established mutual promotion areas were investigated as a means of generating awareness amongst users of the link between domain names and trade marks. Such areas are described in details below.

Antifraud For information purposes alone, EURid forwards suspicious invoices it receives to EUIPO. This activity was intensively carried out in 2016 when EURid forwarded 22 scam invoices to EUIPO.

Alternative Dispute Resolution

53 Recital (7) of the Regulation (EU) No. 2019/517 23

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

During 2016 the Boards of Appeal54 of EUIPO took part in a meeting with the Czech Arbitration Court – Arbitration Centre for Internet Disputes (CAC), dispute resolution service provider for .eu, to learn more about CAC’s processes. Potential synergies were also discussed, such as the possibility for the Boards of Appeal to inform parties (through the Boards of Appeal mediation service) of the option for the .eu Registry to block a domain name during a dispute or mediation. However, such possibility was eventually discarded, as it was considered a threat to EUIPO mediators’ impartiality or neutrality.

Awareness-raising and promotion Starting from 2016, mutual promotion between the two bodies was also put in place. EUIPO added a link to EURid’s website in the ‘More links’ section in TMview, an online multilingual consultation tool, managed by EUIPO, allowing trade mark searches to be carried out free of charge.55 Furthermore, EUIPO placed banners in the last step of the EUTM e-filing application with a link to the .eu availability search tool, informing the users that “once your trade mark has been formally accepted it will be published in our online register and trade mark details will be publicly available. Don’t forget to protect the domain name for your trade mark in the EU before someone else does. Check availability at .eu”. Likewise, the .eu Registry included a link to EUIPO’s website within its Whois search: “Have you considered protecting your .eu or .ею domain name by registering it as a European trademark? Check the availability of the European trademark in TMView”.

6.4 Activities carried out within the scope of the Letter of Agreement signed in 2019

In addition to the functionalities put in place under the Letter of Collaboration signed in 2016 and under the Letter of Agreement signed in 2019, in May 2019 two new functionalities were made available to EUTM holders: (a) availability check of the corresponding domain name upon filing a new EUTM; (b) notification upon registration of a domain name (alert)

6.4.1 Availability check

The functionality added to the receipt page of EUIPO’s online trade mark filing tool (TMefiling), consists in directly informing the users as to the availability their trade mark as a .eu domain name as soon as they complete their EUTM e-filing, so they can choose to immediately register the domain name before their EUTM application is published.

Although the Study considers such measure as a useful preventive and awareness-raising measure, its operation is still in the early stages.

A walk-through test carried out independently by the authors of the Study on 22 December 2019 in a real-world environment (production area) showed that such service was not available upon e-filing of an EUTM application. The text ‘Other things to consider’ with the link to .eu availability search tool was displayed.

54 The Boards of Appeal are responsible for deciding on appeals against first instance decisions taken by EUIPO concerning EUTMs and RCDs. The decisions of the Boards may in turn trigger legal action before the General Court, the rulings which are subject to a right to appeal to the Court of Justice of the European Union (EU) on matters of law. The Boards of Appeal are independent and, in deciding a case, are not bound by any instructions. 55 https://www.tmdn.org/tmview/welcome 24

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

According to the parties the issue encountered was fixed and EURid introduced changes to the automated provisioning and deployment system to enhance the monitoring actions on third-party interfaces, including the EUIPO interface.

The second independent walk-through test carried out on 31 March 2020 showed the availability check functionality working properly. However, the link to EURid’s availability search tool was not correctly resolving.

6.4.2 Notification upon registration of a .eu domain name (alert)

Additionally, EUIPO users also have the option to set an alert in the TMefiling receipt page, as well as in the ‘Alerts’ section of the user area (User Area) and EUIPO’s online database (eSearch), to be informed when a .eu domain name identical to their trade mark is registered.

Receiving notification means that the EUTM holders are informed as soon as anybody registers an identical .eu TLD to their EUTM. Such alert is only received by users who have expressly opted in and only if a domain name identical to the EUTM is registered.56

The following type of alerts are sent to the users:  First alert received upon configuration when a .eu domain name already exists  First alert received upon configuration when no identical .eu domain name exists  Alerts received when an identical .eu domain name is registered (following the initial alert)

Several walk-through tests carried out by the authors of the Study in the real-world environment (production area) showed that the alert functionality put in place by EURid and EUIPO works, but with some critical faults. In particular, the alert cannot be configured effectively at the outcome of the e-filing process. It has to be configured in the ‘Alerts’ section of the User Area, hence, separately from the EUTM application process. This additional step makes the functionality less efficient, because the EUTM holders expect simple and usable services. Consequently, the parties must make further technical improvements.

6.4.3 Roles and responsibilities of EURid and EUIPO and data exchange

The roles and responsibilities in providing the availability check and the notification service (alert) to those users who opted in and the related data exchange can be briefly described as follows.

Availability check EUTM applicants are informed about the availability of an identical .eu domain name at the end of the TMefiling process on the receipt page. The match is based on the Whois database of EURid.

Alert The alert for the registration of an identical .eu domain name can be set by the EUTM holders (applicants) at the outcome of the TMefiling process on the receipt page or at any time from the User Area or through eSearch when logged in. EUIPO has provided EURid with an up-to-date list of EUTM applications on a daily basis through the EUIPO-download service (EUIPO-Download service) since February 2016. The EUIPO-Download service

56 Only small variants are considered, such as the addition of hyphen(s) and/or numbers. 25

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

consists of an initial database in XML format that can be downloaded from EUIPO’s FTP server and integrated in the user’s internal systems. It contains all EUTMs, RCDs and International Registrations (IRs) data, entered into the EUIPO internal database. Each new .eu domain name registration is checked by the .eu Registry by using its own algorithm against the above-mentioned list, and if a match occurs, EUIPO is informed. Such notification contains the identification of the EUTM and the domain name matching the trade mark. This notification is sent to EUIPO via a REST API. Once the information is received from EURid EUIPO created an alert (only in the cases of opt ins) and the latter is sent through the EUIPO alert system. Alerts are received by the users in their User Area. EUIPO has no direct access to the database containing the relevant data on .eu domain registrations.

6.4.4 Awareness of rightsholders and usage of the functionalities made available under the Letter of Agreement signed in 2019

EUIPO provided the following stats on the usage of the functionalities made available to EUTM holders:

Number of clicks to EURid through EUIPO website 160 143 140 134 134 124 117 111 120 110 105 100 80 60 40 20 0 May-19 Jun-19 Jul-19 Aug-19 Sep-19 Oct-19 Nov-19 Dec-19

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

EURid provided the following stats on matches found:

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

Number of matches found by EURid 5000 4758 4500 3973 4000 3500 3234 3000 2500 2300 2206 2023 2000 1500 1000 500 0 Aug-19 Sep-19 Oct-19 Nov-19 Dec-19 Jan-20

The huge gap between the number of matches found and the number of alerts sent out seems to justify recommending that whether legal constraints exist be assessed and how to overcome such legal constraints be studied for the purpose of sending alerts not only to EUTM holders who have opted in (or their representatives), but to all EUTM holders (or their representatives) without the need to opt in (automatic opt-in) in order to raise the awareness level on such tools and increase their use.

For the purpose of the Study, rightsholders’ associations, practitioners, brand protection companies, associations of rightsholder representatives and SME associations were interviewed. Whereas the vast majority replied that they were aware of the availability check and/or alert functionalities, only a small part stated that they used them. Those who used the tools in question considered them effective. However, some of those who made use of the alert functionality stated that they had never received any alert. Nearly half of the respondents said that information on such tools is not readily accessible and further awareness is needed on existing and future tools. ECTA suggested the following improvements to the existing measures: - Disclosing information on the domain name holder to the EUTM applicant when an availability search shows that the domain name is already registered; - Receiving alerts also when domain names similar to the EUTM are registered; - Receiving alerts without having to opt in; - Carrying out more promotional and informative activities on the existing tools through social media campaigns or articles, conferences, webinars or events; - Taking steps towards increasing awareness on the EUTM applicants’ part as to the possibility of using existing measures during the EUTM e-filing process. Marques suggested further and regularly promoting the existing tools in order to raise awareness. Professionals, representing the EUTM holders should be especially targeted and made aware. oriGIn suggested extending the functionalities available to EUTM holders to geographical indications and designations of origin.

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

AIM suggested raising awareness with the existing right holders and through law firms handling EU trade marks, although its members questioned whether the measures put in place were sufficient or even relevant. Individual practitioners also suggested raising awareness by emphasising the availability of the existing tools and by carrying out more intense promotional activities relating to the services provided. The IPR Helpdesk replied it was not aware of tools stemming from the collaboration between EURid and EUIPO.

Stats on stakeholder responses

Awareness of EURid - EUIPO collaboration

26%

74%

Yes No

Use of availability check / alert

19%

81%

Yes No

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

Effectiveness of availability check / alert

19%

79%

Yes Dont't use No

Readily available information on measures

47% 53%

Yes No

6.5 Future activities planned to be realised by EUIPO and EURid

The workplan 2020-2022 on the collaboration between EURid and EUIPO lists a number of activities to be carried out within a two-year period.

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

The activities entail improving the services already on offer and launching new activities. Possible new services are briefly described below.

Integration of .eu domain names registrations with EUTM applications As a possible step forward towards avoiding domain name-related abuse in protecting EUTM applicants, the potential integration of .eu domain name registration within the trade mark application process is being explored by EUIPO and EURid. Several implementation scenarios are being looked into with the aim of delivering to EUTM applicants the most attractive offer whilst at the same time complying with legal constraints. A possible option is to allow users to apply for a trade mark with EUIPO alongside a .eu domain name in a straightforward manner for an attractive price (possibly free of charge). According to EUIPO this would aim to boost .eu applications, reduce cybersquatting and, for an enticing price, support SMEs in developing their online presence. Before any steps are taken to put such an initiative in place, EUIPO will seek the Commission’s input and support in paving the way towards making it a reality.

EURid pointing to EUIPO services for trade mark availability check EUIPO presently informs users at the outcome of the e-filing process as to whether or not their EUTM is available as a .eu domain. Likewise, EURid could offer a similar service, informing users as to the availability of their .eu domain name as a EUTM. According to EUIPO this would support users in protecting their IPR portfolio and raising awareness on trade mark protection.

Joint study on application behaviour As a possible additional means to better tackle the fraudulent usage of registrations or registrations made in bad faith, the two entities decided to prepare a common study on what is registered first, domain names or trade marks. The level of detail of the study will

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

depend on data availability and accessibility. Investigating trade mark applications at national level or domain names other than .eu is not provided for.

Extension of identical search to similar search EUIPO states that at after an online EUTM application has been filed, applicants are currently advised as to the availability of their trade mark as a .eu domain name. They can also set up alerts (either at the end of e-filing or through their User Area or via EUIPO’s eSearch application when logged in) to receive notification when a .eu domain name matching their trade mark is registered. The results returned to the users are those based on an almost exact match in EURid’s database, with only slight variations (such as hyphens and numbers). The intention of the parties is to extend this match to similar .eu domain names, thus opening up more suggestions to the user at the end of e-filing of which similar .eu domain names are available and providing more comprehensive alerts and a better service to the end user. However, upon drafting the Study, which similarities might be considered for such similarity search has yet to be defined.

Feasibility study on pre-filing searches Considering the clear link between trade marks and domain names, a feasibility study will be launched on the creation of a search tool that would inform users of the availability of the term they searched for as a trade mark and domain name.

SME Programme Under its Strategic Plan 2025 the EUIPO will launch a SME programme (SME Programme). The SME Programme provides for a number of initiatives with the vision to empower SMEs within the EU and beyond to protect and enforce their competitive advantage through IPR.

Following initial discussions with EURid, a first set of collaborative activities within the SME Programme have been identified, namely in the areas of events, guidance to SMEs, sharing of information with SMEs, and mutual promotion or publicity. It is expected that such collaboration will result in the multiplying the audience of the SME Programmes through messages set to spread awareness of the .eu domain name and the importance of brand protection considering trade marks, domain name and other forms of IPR.

In a first phase, efforts will be placed on the following, but not limited to, initiatives: ● SME chatbot: containing different categorised bots based on business themes and information useful for SMEs, starting with intellectual property matters and terminology encountered in the start-up ecosystem. Collaboration under the workplan would see the .eu Registry feed the chatbot with relevant content in the area of domain names; ● Discovery guides: support and guidance for SMEs through their journeys, helping them to identify the steps to take, the information to look for and where they can go to find solutions to the challenges they are facing. The importance of domain names will be incorporated into the discovery guides being brought to the forefront and with links to relevant information provided to SMEs; ● Webinars: content aimed either directly at SMEs or their multipliers to highlight and promote the underlying messages of the programme and addressing specific subjects. Joint webinars will be organised to highlight the links between domain name and trade mark protection and the importance of brand protection.

In addition, beyond the 2019 Letter of Collaboration and the workplan being discussed with EURid, EUIPO has embarked on a number of additional initiatives related to domain names. Further to carrying out the Comparative case study on alternative resolution

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

systems for domain name disputes mentioned earlier, EUIPO proposed to EURid that it be accredited as .eu registrar. This could also serve as a back-up solution to the integration of .eu domain names in TMefiling.

In December 2019, the EUIPO hosted an interactive webinar “Let them know you exist! Domain names and trade marks as business builders”, providing practical tips and guidance from a domain name registrar on the steps to be followed by SMEs when registering a domain name or filing a trade mark.

The Study retains that such future actions, where accomplished by EUIPO and EURid, might have a positive impact on rightsholders, in particular on SMEs, and might contribute to decreasing speculative and abusive .eu registrations and recommends that the parties continue collaborating in studying, developing and implementing such actions.

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

7. COLLABORATION BETWEEN EURID AND EUROPOL

7.1 About Europol

The European Union Agency for Law Enforcement Cooperation, better known under the name Europol, formerly the European Police Office and Europol Drugs Unit, is the law enforcement agency of the European Union formed on 1 October 1998 to handle criminal intelligence and combat serious international organised crime and terrorism through cooperation between competent authorities of EU Member States.57 Europol is seated in The Hague, Netherlands.

Europol is mandated by the EU to assist Member States in fighting international crime, such as illicit drugs, trafficking in human beings, intellectual property crime, cybercrime, euro counterfeiting and terrorism, by serving as a centre for law enforcement cooperation, expertise and criminal intelligence.

Among other operations, Europol has recently shut down 30.506 domain names for IPR infringement.58

7.2 Formalisation of the collaboration between EURid and Europol

On 20 December 2016 EURid and Europol signed a Memorandum of Understanding.

According to EURid the collaboration with Europol has no specific procedures or interfaces in place. It aims at sharing relevant knowledge with each other on a regular basis, by attending each other’s conferences and seminars, as well as mutually improving efficiency in fighting abuse in the online space by exchanging best practices. Interactions occur between individual members. The parties are working on formalising processes. For instance, EURid is currently sending the same suspicious domains list it shares with the Belgian CERT to Europol’s Cyber Intelligence common mailbox.

Europol reported that the parties have worked together especially on botnet take downs (operation Avalanche) and intellectual property-crime related investigations since 2016. Workshops and panels on DNS abuse were also organised together59.

In November 2019, the two bodies decided to step up their cooperation and started a pilot project whereby EURid would share lists of suspicious domains identified by its Abuse Prevention and Early Warning System (APEWS), which carries out an assessment of possibly malicious domains before their effective delegation. The list is also fed by EURid’s post delegation checks which analyse the .eu zone for possible abusive domain names. Europol states that the list of suspicious domains which will be shared by EURid does not include personal data, yet it will provide Europol with useful information when investigating different types of cybercrimes in which domains are used such as botnets, malware distribution, as well as intellectual property-related crimes. When EURid will need to share personal data (name of domain registrants, IP addresses etc.) the information will

57 https://www.europol.europa.eu/about-europol 58 https://www.europol.europa.eu/newsroom/news/30-506-internet-domain-names-shut-down-for-intellectual-property- infringement 59 https://www.europol.europa.eu/newsroom/news/europol-enhances-cybercrime-and-internet-security-cooperation- signing-mou-eurid; https://eurid.eu/en/news/eu-europol-cybercrime-workshop/

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

be channelled via the cybercrime unit of the Belgian Federal Police. The parties are still working on formalising this process.

The generic, initial and informal collaboration between EURid and Europol is to be further strengthened by structuring such collaboration and providing for formal processes for the parties to interact.

The stats on the awareness of such collaboration of the stakeholders (less than one third) justifies the recommendation that the parties shall jointly organise further awareness- raising programmes.

Awareness of EURid - Europol collaboration

28%

72%

Yes No

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

8. OTHER COLLABORATIONS ESTABLISHED BY EURID

Further to its collaboration with EUIPO and Europol, EURid collaborates with international and European authorities, institutions and law enforcement agencies to prevent online illegal activities, such as Belgian Customs (against counterfeit websites), Belgian Prosecutors and law enforcement agencies (against cybercrime), Association for Safe Online Pharmacy (ASOP) (against rogue pharmacies), International AntiCounterfeiting Coalition (IACC)60, eCommerce Foundation (against fake e-shops), Anti-Phishing Working Group (APWG) (against phishing), Belgian Computer Emergency Response Team (CERT).

No structured collaboration with Member States’ trade mark and copyright offices exists. EURid stated that it is currently discussing with the Benelux Intellectual Property Office to set up a formal collaboration and extend the EUIPO notification (alert) system.

Considered that the .eu Regulations provide protection for national registered marks to the same extent as for EUTMs, it is recommended that EURid set up collaborations with national trade mark and copyright offices. Such collaborations could be set up through EUIPO’s European Union Intellectual Property Network (EUIPN) (formerly known as European Trade Mark and Design Network)61 or any other suitable network of the Member States’ intellectual property offices that can provide EURid with a single point of contact. The extension of EURid’s collaboration in place with EUIPO to Member States’ trade mark offices by offering the measures of availability check and/or alert to their users as well should be evaluated. Stakeholders, especially ECTA, have also suggested that the .eu Registry should collaborate with national trade mark offices.

Concerning the geographical indications or designations of origin, it is recommended that the .eu Registry carries out checks in the EU Geographical Indications register of the European Commission, eAmbrosia62. Whether any collaboration could be set up in order to extend the measures available to EUTM holders to the beneficiaries of the geographical indications or designations of origin is an aspect worth investigating. oriGIn has also suggested such extension.

With reference to trade names, business identifiers and company names, studying whether any collaboration with any European Union network of business registries could be set up is recommended.

60 https://eurid.eu/en/news/eurid-and-iacc-team-up-to-fight-cybercrime/ 61 https://www.tmdn.org/ 62 https://ec.europa.eu/info/food-farming-fisheries/food-safety-and-quality/certification/quality-labels/geographical- indications-register/ 36

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

9. DOMAIN NAME REGISTRATION PROCEDURE

This section will analyse the registration procedure of .eu domain names and compare it with the procedure of the identified ccTLDs with a view to finding whether a simplification is aimed at facilitating the registration of domain names is opportune, also to avoid speculative and abusive registrations, in particular with regards to SMEs.

9.1 General overview of the .eu domain name

Rules and regulations The regulatory framework of the .eu domain name is represented by the Regulations mentioned in section 4 of the Study. The .eu domain name is also regulated by the .eu Registry’s terms and conditions (Terms and Conditions)63 and the registration policy (Registration Policy)64.

Number of registrations According to EURid’s Q1 2020 Progress Report, issued on 5 May 2020, the total number of the registrations amounted to 3.623.050 at the end of Q1 202065. The registrations in such period increased from the end of Q4 2019 when they amounted to 3.606.31166. In Q1 2020 190.011 new registrations were made. The average renewal rate during Q1 2020 was 80,7%. The top country for growth in the quarter was Portugal with 64,4%, followed by Norway with 8,1% and Latvia with 6,5%.

Mission EURid has stated that its mission is to create a trusted .eu space for the end-users in a sustainable way through operational excellence, all the while offering outstanding quality of service to its accredited registrars. Thus, in these past few years the focus has been put on quality instead of quantity.

Eligibility criteria The eligibility criteria for .eu domain name registration were recently amended by Regulation (EU) 2019/517. As of 19 October 2019, the registration of .eu domain names can be requested by any of the following: ● An EU citizen, independently of the place of residence; ● A natural person who is not an EU citizen and who is a resident of a Member State; ● An undertaking that is established in the EU; ● An organisation that is established in the EU, without prejudice to the application of national law. Further to .eu (Latin script) and .ею (Cyrillic script), since 14 November 2019 it is possible to register domain names under .ευ (Greek script).

Reserved and blocked names Pursuant to Article 5(2) of Regulation (EC) No 733/2002 and Article 9 of Commission Regulation (EC) No 874/2004, several domain names are reserved to the EU institutions and bodies or the Member States (broadly-recognised names with regard to geographical and/or geopolitical concepts affecting Member States’ political or territorial organisation).

63 https://eurid.eu/d/7556497/Terms_and_Conditions_EN.pdf 64 https://eurid.eu/d/7568041/Registration_Policy_EN.pdf 65 https://eurid.eu/media/filer_public/83/87/8387d2d7-1e16-4b30-ada4-6fa0e813df4f/quarterly_report_q12020.pdf 66 https://eurid.eu/media/filer_public/28/8c/288c7ed6-01ee-48f8-b6d8-1f118acf4a23/q4_2019.pdf 37

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

Their list is published on EURid’s website.67 Moreover, a list of the blocked names is also published on EURid’s website.68

Obligation to ensure correctness of the registration data EURid shall ensure the correctness of the data that it receives and holds from registrar. In this regard, EURid carries out verifications.

European Commission’s bi-annual report The report from the Commission to the European Parliament and Council on the implementation, functioning and effectiveness of the .eu Top-Level Domain from April 2017 to April 2019, dated 19 February 2020, has found that the .eu domain continues functioning in an effective way, facilitating access to the Digital Single Market in a secure and trustworthy way and allowing Europeans to display their European identity online.69

9.2 The .eu domain name registration procedure

Registrars Domain names can only be registered with the .eu Registry through a registrar accredited by the .eu Registry. Filing a request for domain name registration directly with the .eu Registry is not allowed. Therefore, the accredited registrars, via contract with EURid70, provide domain name registration services to the registrants. At the end of 2019, 715 registrars were accredited.71

Registration procedure The registration procedure in a nutshell is as follows: 1. EURid accredits registrars; 2. Accredited registrars offer registration services to end users; 3. End users choose a registrar and check, directly or through the registrar, the availability of the requested domain name; 4. End users register the requested domain names on a “first come, first-served” basis and accept the Terms and Conditions at the registration via the registrar and the registrar technically registers the domain name with the .eu Registry.

Length of registration procedure The domain name is registered in real time and the confirmation of the registration is immediate.

Cost of registration The cost of the .eu domain registration varies from registrar to registrar. Accredited registrars set their own prices for registrations and related services. The registration fee that a registrar pays to EURid is Euro 4. Registrars subscribing to the “Reduction Scheme” pay a fee of Euro 1,75 per annum. The Reduction Scheme is an initiative that EURid started over six years ago to support new .eu registrations. At the

67 https://eurid.eu/media/filer_public/5f/a4/5fa47d77-9857-49c5-a698- 104ce71bc4e3/2018_reserveddomainleaflet_final.pdf; https://eurid.eu/media/filer_public/fe/7c/fe7c35a8-73a5-44a6- 8d11-531f3f960ad0/1654_2005_en_0.pdf; https://eurid.eu/media/filer_public/9a/51/9a51a8be-ba92-4c5c-a489- 873ef7183a1d/560_2009_en.pdf; https://eurid.eu/media/filer_public/99/cf/99cf38ca-47fd-4377-b36a- 3cb857bb8f07/560_2009_corr.pdf; https://eurid.eu/d/3913/List%20of%20Reserved%20Names.%20Merged.pdf 68 https://eurid.eu/en/register-a-eu-domain/rules-for-eu-domains/list-blocked-names/ 69 https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52020DC0063 70 https://eurid.eu/d/7583416/Registrar_agreement_en.pdf 71 https://eurid.eu/en/find-a-registrar/ 38

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

beginning of each year all .eu accredited registrars are offered the possibility of subscribing ad-hoc Terms and Conditions to benefit from a special new registration fee. This initiative is open to any .eu accredited registrar (contrary to the gTLD and certain ccTLD environments where registries have the possibility of negotiating individual deals with registrars). The Reduction Scheme has been refined over the years based on registrar feedback.

Tips how to choose a domain name EURid provides some simple tips how to choose a domain name, but does not provide any legal disclaimer on IPR or other rights, nor suggestions how to avoid the infringement of third parties’ rights.72 EURid has reported that it is currently evaluating to offer domain name suggestion services provided by most of the registrars. Such feature would have to take into account language aspects and other elements.

Domain name registration blocking services No domain name registration blocking service is provided for trade mark holders.73

9.3 Registration data accuracy and registrant identification requirements

The .eu Registry shall ensure both the security and stability of the .eu TLD and the correctness of the data that it receives - and holds - from the registrar. These two concepts are closely linked, since the maintenance of an accurate registry database may have an indirectly positive impact, as it is unlikely that actors with bad intentions would register a domain name using correct personal information.74

According to the Terms and Conditions, the registrant has the following obligations: ● To keep its contact information accurate, complete, and up-to-date, both with the registrar with which the registrant has entered into an agreement and with the .eu Registry (via the registrar); ● Any email address communicated to the .eu Registry shall be a functioning e-mail address; ● To use the domain name in such a way that does not violate any third-party rights, applicable laws, or regulations, including discrimination on the basis of race, language, sex, religion, or political view; ● Not to use the domain name in bad faith or for any unlawful purpose.

Upon registering a .eu domain name the registrant represents and warrants that, further to meeting the eligibility criteria, all information provided to the .eu Registry during the domain name registration process is true, complete, and accurate. The registrant is under obligation to keep such information complete and accurate at all times throughout the term of registration.

72 https://eurid.eu/en/register-a-eu-domain/ 73 Currently on the gTLD market there are several domain blocking services exist such as Donut’s Domain Protected Marks List (DPML), Trademark Clearinghouse’s (TMCH) TREx, Uniregistry’s Uni EPS, ICM Registry’s AdultBlock, .club Registry’s .club Trademark Sentry. Such services for a fee enable IPR holders to prevent third parties’ registration of domain names identical or variants of their IPR. Most of those services are based on trade marks or geographical indications or designation of origins entered in the TMCH repository; .club Trademark Sentry is based on US trade mark registrations. 74 Council of European Top-Level Registries (CENTR) – Domain name registries and online content: https://www.centr.org/library/library/centr-document/domain-name-registries-and-online-content.html 39

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

In order to register a .eu domain the following information is to be provided by the registrant to the registrar: ● The full name of the registrant. Where no undertaking or organisation name is specified, the individual requesting registration of the domain name will be considered the registrant; if the name of the undertaking or organisation is specified, then the undertaking or organisation is considered the registrant; ● The full address of the registrant; ● Indication of country of citizenship for European Union citizens not residing in a European Union Member State; ● The registrant’s e-mail address (or that of its representative); ● The telephone number by which the registrant (or its representative) can be contacted; ● The requested domain name; ● The language for ADR proceedings, i.e., the language of the registration agreement between registrant and registrar in accordance with the Rules.

Pursuant to the provisions of the registrar agreement (Registrar Agreement) (Article 4.1), the registrar shall ensure and document that each registrant for whom it registers a domain name has accepted the rules in effect at the time the registration is carried out and complies with all requirements set forth in all Regulations and rules applicable to the .eu, Registration Policy, Terms and Conditions, the Whois policy, the ADR rules and the ADR supplemental rules (jointly, Rules), including but not limited to the confirmation by the registrant that, to its knowledge, the request for domain name registration is made in good faith, does not infringe the rights of any third party and will not be used for unlawful purposes.

Upon registering a domain name, the registrant obtains a limited, transferable, renewable, exclusive right to use the domain name.

The .eu Registry shall block the domain name, where it is informed that an ADR procedure or legal proceedings are pending, until such proceedings are terminated and the .eu Registry has been notified of the relevant decision; in this case the domain name cannot be transferred to a new registrant and/or to another accredited registrar, and the registrant cannot change its contact information with respect to the blocked domain name.

The .eu Registry shall revoke any domain name following a decision to that effect of a panel in an ADR procedure or court order.

The .eu Registry may revoke the registration of a domain name on its own initiative and without submitting the dispute to any non-judicial settlement of conflict procedures, on the grounds of non-fulfilment by the registrant of the eligibility criteria or breach of the Rules by the registrant (e.g., inaccuracy of the registration data).

Since EURid enters into the same accreditation agreement with all registrars, the identification requirements are the same for all registrars. However, the way they apply any identification mechanism at their end is discretionary. By contract, the registrars shall provide EURid with accurate and up to date registration data.

As to the question of whether EURid could require the registrars to perform a stricter identification of the registrants (e.g., through eID authentication in accordance with the eIDAS Regulation75 or other), EURid replied that it might require its registrars to apply

75 https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv%3AOJ.L_.2014.257.01.0073.01.ENG 40

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

stricter identification of the registrant, but that might be detrimental to its business as EURid would be the only ccTLD asking for it. However, considered that maintaining accurate databases of domain names and registration data is essential to ensure the security, stability and resilience of the domain name system and to identify IPR infringers, adopting policies setting stricter registrant identification requirements is considered adequate to prevent inaccurate registration data.

All documentation received by EURid is expected to be genuine and correct. According to EURid, to date no failproof ways to identify forgery or fraud of the identity documents exist, as EURid cannot act as a notary. EURid reported that in 2020 it will work on identifying an external person or organisation to carry out document verification and validation.

9.4 Registration data verification activities

To comply with its obligation of guaranteeing the security and stability of the .eu TLD and the correctness of the data, EURid carries out verifications. Thus, such verifications are related to the necessity of maintaining data accuracy and preventing illegal activities which could pose cyberthreats. Registrants with bad intentions likely use inaccurate data to hide their identity. Accurate registration data can help law enforcement authorities to actually identify the domain holders responsible for illegal activities and go after them via appropriate channel.

EURid performs different verifications of the registration data in relation to all newly registered domain names or already registered domain names for which the contact data has been updated.

EURid employs an automated process to check if in the registration data mentions a valid physical address to which a letter could be delivered. The checks are made against official postal address databases from 240 countries around the world by a single partner with which EURid has a contract until the end of its mandate in 2022. The address validation checks take place on a daily basis.

In case the registrant is a company, EURid may check the company data against KBO (Belgian Companies Register) or EU national databases to verify if the company is validly registered. EURid has the possibility of carrying out such cross-check.

EURid also checks newly registered domain names against the Domain Generation Algorithm (DGA) archive, a repository of domain names generated by algorithms. These domains are used in botnets and other DNS abuses in most cases.

If any issue arise from the above verification, EURid carries out a Whois accuracy procedure which consists in the following steps: ● An email notification is sent to the registrant requiring to provide (within 14 calendar days) documentary evidence that the registration data is accurate; ● If no satisfactory response is received in due time, the .eu Registry may suspend the domain name; ● In some cases, where potentially malicious activity is related to the domain name (e.g., domain name is part of a known malware campaign), EURid may shorten that reply period to 3 calendar days or even shorter, depending on the severity of the abuse and the potential impact on consumers. This fast track procedure is exceptional and requires approval from EURid’s Managing Director for notifications less than 3 days. 41

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

9.5 Predictive algorithms used to verify registration data and prevent abuse

EURid does not check all newly registered domain names manually before they are delegated. The Abuse Prevention and Early Warning System (APEWS), developed by EURid in collaboration with the University of Leuven, checks all newly registered domains in an automated way and uses machine-learning algorithms. The general goal of such system is to reduce the amount of cybercriminal operations by detecting and preventing malicious domains upon registration.

APEWS is an innovative and award-winning methodology based on evaluating patterns of domain name registrations. It predicts whether a domain name may potentially be used for malicious activities such as spamming, phishing, malware distribution, Botnet command and control. The current focus of such system is only on such kind of abuses.

The legal basis for EURid developing and using such system is Article 3(3) as amended by Commission Regulation (EU) 2015/516, according to which the verification on EURid’s part of the validity of the registration applications takes place prior and not only subsequently to registration at the initiative of EURid or pursuant to a dispute for the registration of the domain name in question.

Without attempting to detail the technical and technological features of the system analysed in scientific publications76 77 78 79, the system can be summarised as follows. APEWS uses the registrant data (domain name, registration time, registrant’s contact information, registrar, nameserver information, IP address geolocation data) as part of its detection strategy combined with clustering to make similarity-based predictions, as well as traditional machine-learning techniques to perform reputation-based classification (public blacklists of malicious domains). First, parts of the 3.6 million .eu domain names were matched against blacklists of reputation providers, containing lists of domain names associated with Internet-based attacks.80 Every detail of the matching domain names was then used to train the predictive model. This resulted in a comprehensive scoring model. Every newly registered domain name is scored by APEWS on these predictive indicators. If the score is too low and, thus, the domain name is identified as potentially linked to abuse, its delegation in the .eu zone file is delayed and its status in the web-based Whois shows ‘Server Hold’. The domain name is registered. However, any service linked to it (such as a website, email or any other service) will not function until EURid’s verification procedure is completed. Moreover, post-delegation APEWS looks into the domain names registered in the last 24 hours and does the necessary check to detect suspicious activities.

The APEWS workflow describes the process in details.

In 75% of the cases where the system flagged a domain name, the prediction was confirmed by third-party abuse indicators. Since its deployment in January 2018, over 60.000 malicious .eu domain name registrations were correctly identified.81 82

76 https://eurid.eu/media/filer_public/ca/a6/caa62c34-741f-45f1-bbe1-4f5a87f5fd60/official_paper_4_-_premadoma.pdf 77 https://eurid.eu/media/filer_public/34/3f/343f309f-4720-4745-b950-bc8879990998/prediction3.pdf 78 https://eurid.eu/d/4214398/accepted-SAC2019.pdf 79 https://eurid.eu/media/filer_public/9e/d1/9ed12346-562d-423d-a3a4-bcf89a59f9b4/eutldecosystem.pdf 80 Spamhaus DBL, SURBL, Google Safe Browsing 81 https://eurid.eu/en/news/1st-ai-suspension-system-for-ds/ 42

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

Cybercriminals have also exploited the current health emergency caused by the outbreak of COVID-19 to perpetrate scams and victimise Internet users. Indeed, a significant rise of new domain registrations associated with the pandemic has been encountered under all TLD extensions.83 The .eu TLD has also been affected by such phenomenon.84 In response to such emergency situation EURid, in agreement with the European Commission, has adopted measures in order to prevent bad faith registration of domain names relating to the pandemic.85 EURid has amended its APEWS system, by performing additional checks on the registration data of both existing registrations and newly- registered domain names that contain keywords such as covid, virus, maschera, mascara, mask, vaccine, vacuna, etc. For suspicious domain names detected by APEWS, EURid carries out a Whois accuracy procedure, requiring the registrants to validate their data and to submit a statement confirming that their domain name was registered in ‘good faith’ within 7 calendar days. These measures are valid until the end of Q2 2020 with the possibility of continuation, subject to quarterly reviews by EURid and the European Commission.86

The Study acknowledges that APEWS is a very useful and innovative AI-driven proactive suspension system for malicious domain names, but it is worth mentioning that it is intended to prevent cybercriminal operations (malware, phishing, spam, Botnet command and control), and it is not used to prevent (directly) speculative and abusive registrations defined under Article 21 of Regulation (EC) No 874/2004.

To the question as to whether a domain name registration infringing a third party’s prior rights but registered by a registrant with true and correct registration data and not used (or intended to be used) for malicious purposes, could be detected by APEWS, EURid replied that the APEWS system learns on an ongoing basis from all cases. It depends on what it is fed with. Currently, EURid has lists that covers spam, malware and phishing. In the future other sources might be added. However, the case mentioned will not show up on any of those lists and therefore, will not be discovered by the system. According to EURid, rightsholders might use other measures to learn about possible abuses (Whois lookup, EUIPO’s availability check and alert) and it will be up to them to take action (e.g., .eu ADR).

At this moment no data is available to understand how many of the malicious domain names detected so far by APEWS qualify as speculative and abusive registrations as well.

Therefore, no predictive algorithm is currently used to prevent speculative and abusive registrations as defined under Article 21 of Regulation (EC) No 874/2004.

Moreover, EURid employs other technologies to reduce potential fraudulent domain name usage (e.g., Domain Name System Security Extensions - DNSSEC, Registry Lock, etc.).87

9.6 Stats on registration data verification activities

For 2019 EURid provided the following stats regarding Whois accuracy procedure:

82 https://www.domainpulse.com/2020/02/07/60000-eu-registrations-correctly-identified-as-malicious-by-apews/ 83 https://www.cyberthreatcoalition.org/covid-19-cyber-threat-updates-blog/2020-04-14-weekly-threat-advisory 84 https://eurid.eu/en/news/has-covid-19-affected-eu-registrations/ 85 https://eurid.eu/en/news/doteu-covid19-measures/ 86 https://eurid.eu/en/news/doteu-covid19-measures/ 87 https://trust.eurid.eu/en/ 43

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

Legal actions on domain names in 2019

14000 13137

12000

10000

8000 6337 6000 4729

4000

2021 2000

0 0 SUSPENDED WITHDRAWN REINSTATED MAKE SEIZED (total) AVAILABLE (Prosecutor)

Where: “SUSPENDED” means that EURid suspended the domain name because its holder did not validate its registration data or did not respond at all. Suspension means that the holder still has the domain and it is shown in the Whois. “WITHDRAWN” means that EURid had first suspended the domain name because its holder did not validate its registration data or did not respond at all and subsequently withdrew it because the holder failed to provide the data after EURid the domain name. “REINSTATED” means that EURid had first suspended the domain name because its holder did not validate its registration data or did not respond at all, but consequently has reinstated the domain name because the holder provided data after EURid had suspended it. “SEIZED” relates to domain names that were seized by means of an official request from a prosecutor. The domain name is transferred to the prosecutor.

9.7 Cross-checks with reference to IPR

Concerning cross-checks with reference to trade marks or other IPR at the moment of the registration, EURid provided information about its collaboration with EUIPO described in details in section 6 of the Study. According to such collaboration, EURid downloads EUTM applications’ list on daily basis. Such list is compared with the .eu domain name registration database and, if identical matches are found, notification is meant to be sent through EUIPO’s alert system to EUIPO users who opted in.

No other trade mark database is consulted regarding national trade marks, since no collaboration with national trade mark and copyright offices is in place. EURid stated that it is currently discussing with the Benelux Intellectual Property Office to set up a collaboration and extend the EUIPO notification (alert) system.

No database is consulted and no collaboration exists regarding geographical indications or designations of origin, or distinctive titles of protected literary and artistic works. 44

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

9.8 Other post-delegation measures put in place by EURid

9.8.1 Content monitoring

EURid runs daily manual content checks on domain names 24 hours after the registration, as well as 53 days after the registration (to give some time to registrants to set up a web site), looking for keywords such as brands, bank names, drug names. The checks are based on past experience with brands subject to abuse or originate from daily de visu checks. The daily checks may reveal a specific brand subject to abuse on a specific day, thus adding to a growing list. For practical reasons, not all brands or trade marks are added to such list, as it would contain millions of brands. Such list is limited to the ones spotted on a daily basis. EURid also crawls the above-mentioned domain names and collects the main page of the website to which the domain name resolves (if it exists). Then, the page content is analysed, looking for webshops.

During the assessment carried out for the Study, EURid provided examples of recently registered domain names possibly linked to abuses that include well-known bank names or typos of bank names and famous fashion or sport brands for which in-depth research had been carried out to understand possible patterns enabling EURid to detect further cases. The identification of keywords corresponding to well-known trade marks or typos of well-known trade mark is random and based on EURid’s knowledge, not related to any cross-checks in trade mark databases. If the .eu Registry retains a domain name suspicious, it initiates a Whois accuracy procedure which can result in the suspension and withdrawal of the domain name. Additionally, EURid might report suspicious domain names to the competent authorities, such as Europol and CERT.

These regular checks are also run ad-hoc whenever needed on specific lists of suspicious delegated domain names.

At present content monitoring is still in the research phase with a mix of manual and automated procedures. To date, on a daily basis EURid detects 10-20 dubious domain names and the legal department of EURid initiates the Whois accuracy procedure on such domain names. If the identity is proven by the registrant but the data is suspicious, the results of EURid’s scans are shared with relevant parties who can take further actions (e.g., Europol, sectorial representative such as ASOP). The long-term objective of EURid is to introduce an automated procedure.

However, classifying websites as suspicious remains challenging. The final assessment as to whether the domain name is abusive falls outside EURid’s mandate and shall be made by the competent authorities.

9.8.2 Whois lookup

Within the Whois search, EURid implemented the functionality of searching for possibly similar registered domain names, based on visual resemblance and using a similarity score. Such functionality enables .eu domain name holders to check if possibly infringing domain names are registered. Within the similarity score zero means that no visual difference exists in practice between the original domain name and the one with that score in one of the possible ways it could be written (capitals or lowercase). For example, ikea (Latin) and ικέα (Greek) may look quite different, but if it is written in capitals IKEA (Latin)

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

and ΙΚΈΑ(Greek), then the difference is much smaller, explaining the low score88. The holder of a .eu domain name (for example, ikea.eu) may request and receive from EURid the full list of registered domain names that share striking similarities with its domain name.

Moreover, the ‘Tools’ functionality within the Whois search enables users having a complaint or issue with a registered domain name to file such complaint: ● Inaccurate registrant data: anybody spotting wrong data may inform EURid with the aim of bringing further investigation; ● Dispute registration is meant to inform those who think their rights have been infringed and explain possible solution to them; ● The ‘Request an authorisation code’ feature was introduced to help the registrant of the domain name to transfer his or her domain name from the current registrar. Normally the registrar shall execute such request, but in case there is any kind of conflict between the registrant and his or her registrar, the registrant may request a transfer code directly from EURid to avoid that he or she (or rather the domain name) is held hostage by the registrar. EURid monitors the release of authorisation codes on a regular basis to detect possible macro issues at the registrar level.

9.8.3 Information on how to claim a domain name

On the website of EURid general information is provided on how to contact the domain name holder and on the .eu ADR.89 90

9.8.4 Registrant data release

Personal data available in the publicly accessible Whois has been reduced in the following ways91:

Information displayed for legal entities holding a domain name is limited to: ● Company ● City ● Region ● Country ● Email address ● Language

Information displayed for individuals holding a domain name is limited to: ● Email address ● Language

Third parties with legitimate interests may request the disclosure of the personal data of a .eu domain name holder by submitting the personal data disclosure form.92

The request form should mention:

88 https://whois.eurid.eu/en/search/?domain=ikea.eu 89 https://eurid.eu/en/other-infomation/faq/i-wish-to-register-a-eu/#someone-registered-a-domain-name-that-i-want-or- that-i-have-a-better-claim-to-than-its-current-holder-what-do-i-do 90 https://eurid.eu/en/register-a-eu-domain/domain-name-disputes/ 91 https://eurid.eu/en/register-a-eu-domain/gdpr/ 92 https://eurid.eu/en/about-us/document-repository/ 46

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

● The domain name for which the request is completed ● The legitimate interest regarding the disclosure of personal data ● How the requested data is intended to be used.

The request form for disclosure of personal data is to be sent to EURid by email or fax.

The form is reviewed by EURid and, if data is disclosed, it usually takes a couple of days, up to a maximum of 30 days.

EURid provides information on how to contact the domain name holder and on the ADR procedure.93

9.8.5 Stakeholder feedback on the .eu registration procedure

Stakeholders find the .eu registration procedure straightforward.

Rightsholders and rightsholders associations However, practitioners, rightsholders and associations of rightsholders (ECTA) pointed out that stricter identification of registrants is needed in order to avoid speculative and abusive domain registrations. They provided several suggestions as to how that can be achieved: by requiring documentation such as official ID number, full copy of ID with dual factor authentication, official identification. Some stated that privacy shields for registrants should be avoided. Others suggested that registrants who freely provided official identification should be given a financial discount. Besides clear identification, other measures could also be deemed useful, namely publication of a domain name application with a corresponding opposition term, a prior official search for earlier identical marks of which the outcome could be used to refuse the application for a domain name and sanctions in case of false or inaccurate information. AIM suggested the following:  Adopting a pre-registration identity check with proper documentation  Requiring proof of the right to register well-known trade marks as domain names  Making available a functional and legally accessible Whois database,  Introducing an opposition procedure which would provide right holders with a mechanism to prevent speculative and abusive registrations.

Registrars A registrar (Com Laude – Valideus) has retained that stricter identification of registrants is required in order to avoid speculative and abusive domain registrations and suggested that registrars should be subject to ‘Know Your Client’ regulations. The same registrar has also suggested to further developing the APEWS tool of the .eu Registry by taking into account matching EUTMs. Upon receiving a domain name registration request, only one registrar, IP Twins, carries out cross-checks in business registries and/or trade marks registries as well. Another registrar (Registro .it) carries out the verification of on the correctness and consistency of the VAT Code or fiscal code provided by the registrant when requiring a domain name by using its own tool.

Registrants SMEunited has kept the .eu registration procedure simple and stated that EURid is carrying out its activities more proactively than other registries. It also asserted that the

93 https://eurid.eu/en/register-a-eu-domain/domain-name-disputes/ 47

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

possibility of requiring further documentation or information from the registrant is at the registrar’s discretion.

9.9 Other ccTLDs’ registration procedures

9.9.1 .be

Rules and regulations The Electronic Communications Act of 13 June 2005 set a basic regulatory framework for the .be TLD. The registration terms and conditions (Registration Terms and Conditions) provides for the rules and policy of .be domain name registration.94

Number of registrations According to Nominet’s stats on ccTLDs, .be is one of the largest European ccTLDs with total registration amounting to 1.619.630.95 The annual report 2018 of .be Registry (DNS Belgium96) provides some more detailed insights97.

Further to .be, DNS Belgium is responsible for managing .brussels and .vlaanderen.

Eligibility criteria No eligibility criteria are provided for registering a .be domain name.

Registrars and registration costs The .be Registry does not act as registrar, the registration is carried out through the accredited registrars98. The registration cost (wholesale fee) is Euro 4 (new registration, transfer, renewal).

Registrant obligations Upon registration of .be domain name the registrant represents and warrants that: ● All statements (in which the contact data of the registrant are explicitly included) made during the registration process and the term of the registration are complete and accurate; ● Registering the domain name will not infringe or otherwise violate third-party rights; ● The domain name is not registered for an unlawful purpose; ● The domain name is not used in breach of any applicable laws or regulations, such as a name that helps to discriminate on the basis of race, language, sex, religion or political views; ● The domain name is not contrary to public policy or morality (e.g., obscene or offensive names) ● The domain name is not registered with contact data aimed at shielding the identity of the actual owner.

The registrant must have a working e-mail address, which is inserted in the database of DNS Belgium. DNS Belgium and the registrant must use this e-mail address for official

94 https://assets.dnsbelgium.be/attachment/Enduser_Terms_and_Conditions_en_v6.1_1.pdf 95 https://media.nominet.uk/wp-content/uploads/2019/12/The-Online-World-2019.pdf 96 https://www.dnsbelgium.be/en 97 https://www.dnsbelgium.be/en/annual-report-2018 98 https://www.dnsbelgium.be/en/register-your-domain-name/find-registrar 48

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

communications. If the e-mail address is not kept up-to-date, the registrant is in breach of these terms and conditions and DNS Belgium may terminate the registration.

Registration data verification activities of the .be Registry As regards the quality control of the Whois database and the domain name system, DNS Belgium may perform checks regarding the accuracy of the data, either on its own initiative, or following a complaint from a third party or the government. Registrants shall be required to cooperate actively in such checks and must share the necessary documents in support of the correctness of the data. If DNS Belgium has serious doubts about the accuracy of the registrant’s contact data, it may suspend the domain name concerned (disable it) and then initiate an infringement procedure pursuant to Article 3.d of the Registration Terms and Conditions.

DNS Belgium conducts a daily manual screening of the registrant data for all new registrations. This is a quick check to spot any obvious anomalies (keystroke entries, fraudulent entries, major errors). If obvious inaccuracies in such details are detected, DNS Belgium initiates the revocation procedure. The registrant has 14 days to correct the wrong or incomplete contact data. If he or she fails to rectify, the domain name is deleted.

Besides the manual check, there is a complaint form available to report problematic registrant data99 and DNS Belgium deploys several techniques to do their own research as well. The .be Registry has a set of parameters that are used to (automatically) evaluate registrant contact data: validity of Belgian postal codes, validity of telephone number format (e164).

To assist the registrars, the .be Registry has a specific procedure (RFU or request for update) that can be activated to correct of errors in registrant contact data. It is basically a normal update but also allows modifying data fields relating to registrant contact info that are otherwise locked.

DNS Belgium does not use any predictive algorithm delegation to combat speculative and abusive registrations.

The .be Registry is subscribed to numerous anti-abuse feeds such as Netcraft, Google Safebrowsing, Abuse.ch. It monitors for malware, phishing and C&C botnets.

DNS Belgium also uses an in-house developed algorithmic model to detect fake webshops.

Content monitoring DNS Belgium does not perform content monitoring, as it is not competent to carry out legal assessments. DNS Belgium will only block/revoke/take down a domain name if the complaint is properly documented with a valid court order proving the breach of the invoked (intellectual property) rights.

Similarity report for IPR holders To protect brand names, company names against phishing, typosquatting etc. existing .be registrants can check if domain names are registered that harm their rights. Therefore, variants may be requested to a trade mark or another name may be looked up. DNS Belgium shows the results based on similarity (e.g., for dnsbelgium: dnsbeglium, upsbelgium, dns-belgium, dnsbélgium). Upon receiving the request, DNS Belgium sends

99 https://www.dnsbelgium.be/en/contact 49

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

the registrant an email with a list of domain names that shows similarities with a certain domain name, and mentions the link to the registration data of those domain names.

Disclosure of registrant data Third parties with legitimate interest may request the disclosure of the registration data through a form made available by the .be Registry100.

Abuse reporting DNS Belgium publishes information on how to report web misuse101.

Collaborations DNS Belgium collaborates with EUIPO by contributing to the work of the ‘Cooperation with Intermediaries expert group’ of the Observatory. Furthermore, DNS Belgium has a Notice & Action charter signed with FPS Economy (Federal Public Service of Belgium).102 The .be Registry has also created a matrix for LEAs that providing an overview of the assistance that DNS Belgium can offer and what type of documentation is necessary for specific request like suspension of domain names.

Stats on registration data verification activities of the .be Registry

Number of revoked domain names 7000

6000 5733

5000

4000 3464 3295 2917 3000

2000 1003 1000

0 2019 2018 2017 2016 2015

100 https://assets.dnsbelgium.be/attachment/Whois_disclosure_request%20all%20TLDs%20ENG_1.pdf 101 https://www.dnsbelgium.be/en/internet-security/reporting-web-misuse 102 https://www.dnsbelgium.be/en/news/end-fraudulent-websites 50

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

Number of complaints received for data inaccuracy 600 521 500 383 400 334 334 300

200

100

0 2016 2017 2018 2019

9.8.2 .dk

Rules and regulations The .dk domain name is regulated by the Domain Act of 2014 and two administrative orders related to the act. The Act on network and information security for domain name systems entered into force in 2018. From 1 July 2020, a new administrative order will come into force. The administrative order is issued by the Danish Business Authority. The Terms and Conditions (version 10) is effective since 1 March 2019.

Number of registrations The total number of the .dk registrations is 1.313.108.

The .dk Registry, registrars and registration costs The .dk TLD is administered by DK Hostmaster. DK Hostmaster comes from a sole registry tradition, and even if registrars103 have always been able to sell .dk domain names and are increasingly authorised to manage domain names on behalf of registrants, DK Hostmaster still maintains a direct relation with a registrant. Partly to protect the registrant’s consumer rights and also to uphold accountability and data accuracy measures towards them. Costs of the registration typically depend on the registrar. A 1- year registration with DK Hostmaster costs DKK 50 (Euro 6,7).

Eligibility criteria No eligibility criteria for the registration of .dk domain names.

Registrant identification requirements Pursuant to the Domain Act, DK Hostmaster have to ensure an accurate, updated and public Whois database. The registrant must provide accurate contact information. As part of DK Hostmaster’s control that the registrant’s contact information is accurate, the registrant must observe the control measures specified by DK Hostmaster, including those on electronic identification. Danish domain registrants are required to identify themselves using NemID, a login solution used by Danish banks, government websites and other private companies. Foreign registrants are subject to a risk assessment, which will determine whether they receive a request to provide proof of identity before registration - high risk - or up to 30 days after

103 https://selvbetjening.dk-hostmaster.dk/registrar_list 51

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

registration - low risk (no-risk customers are not required to provide proof)104. Where a high risk of inaccurate registrant data exists, delegation must await the approval of requested documentation. If the domain holder cannot or will not provide proof of his or her identity, the domain name is suspended and subsequently deleted.

Registration data accuracy verifications of the .dk Registry As part of the registration process DK Hostmaster cross-checks the registrant data of Danish residents with national databases: ● Danish Civil Registration System (CPR) ● Central Business Register (CVR)

Data and ID checks are carried out for each domain name registration request. DK Hostmaster began adopt strict ID-checking in November 2017. As a result, no fake webshops exist anymore in the .dk zone.

DK Hostmaster uses algorithms in the automated risk assessment on registrant data, which are part of any registration from an applicant outside Denmark. Some of these algorithms are designed to respond to registration characteristics associated with domain name registrations linked to fake webshops, e.g., illogical data combinations, how quickly a domain name is re-registered and the registrar. This will change as time goes on and other characteristics might become more relevant. The reasoning behind the algorithms is that online criminals tend to use inaccurate registrant data, but, in any case, DK Hostmaster only looks at data and patterns relating to the registration of a domain name. DK Hostmaster does not monitor the content of websites, since this does not fall under its mandate as registry and can be done better and in compliance with due process safeguards implemented by LEAs.

Take down in typosquatting cases DK Hostmaster’s procedure concerning typosquatting cases is described in details in Section 10.3.2.2.

Abuse reporting Information is readily accessible on how to lodge a complaint105.

Collaborations The .dk Registry collaborates with different police authorities, consumer protection agencies and the national information security authority.

Stats on .dk

Total number of revoked domain names due to inaccurate registration data: approximately 7.000

Total number of revoked domain names (fake webshops): approximately 3075

Number of domain names revoked upon complaint of third party (content related abuse) 2019: 9, 2 of them due to a request sent by LEAs 2018: 10

104 https://www.dk-hostmaster.dk/sites/default/files/2017-12/Procedure for kontrol af kontaktoplysninger og id for reg med bopael udenfor DK_EN.pdf 105 https://www.dk-hostmaster.dk/en/how-complain-about-website-content 52

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

9.8.3 .hu

Rules and registrations The registration of .hu domain names is regulated by the registration rules and procedures (Registration Rules and Procedures)106 enacted by the Council of Hungarian Internet Service Providers (.hu Registry or ISZT)107 exercising its right of self-regulation provided in Paragraph 15./A. of Act CVIII of 2001.

Number of registrations According to Nominet’s statistics on ccTLDs the number of the .hu domain name registrations amounts to a total of 758.005.108 Most recent ISZT data as at 1 March 2020 shows 769.136 .hu registered domains.109

Eligibility criteria The eligibility criteria for the registration of a .hu domain name is as follows: ● any citizen of the European Union, of a Council of Europe, an EEA or EFTA country, or of a neighbouring country of Hungary, or a natural person having an ID card, passport or driving licence issued by one of these countries; ● any natural person holding a permit for domiciliation in Hungary; ● any legal entity o established by virtue of law; o entered in the records of or registered with an authority or court, or o filing its respective application with the competent authority or court and commencing its operations in accordance with the law prior to such entry or registration; ● in the territory of the European Union, of a Council of Europe, EEA or EFTA country or a neighbouring country of Hungary; ● furthermore, the beneficiary of a trade mark registered with the Hungarian Intellectual Property Office or granted protection rights in Hungary.

Registrars and registration costs The Registry does not act as registrar. Registration is carried out through accredited registrars.110 ISZT charges the registrar the fees determined in the franchise contract.111 The registration fee is approximately Euro 4 for a 2 year-term, the annual renewal fee is approximately Euro 0,9. The registrars are free to determine their own fees.

Registrant obligations The registrant is liable for the correctness of data provided to the registrar. The registrar is liable for maintaining the data within the .hu domain name registration database in accordance with the data supplied by the registrant. In case of inaccuracies, the domain name may be subject to revocation. Article 2.2.1 of .hu Registration Rules and Procedures provides that although the domain name registrant is free to select the name of the domain to be delegated within the framework of law and the Rules and Procedures, at the same time the domain name registrant shall act with utmost care in selecting the domain name so as to ensure that the

106 http://www.domain.hu/domain/English/szabalyzat/szabalyzat.html 107 http://www.domain.hu/domain/English/ 108 https://media.nominet.uk/wp-content/uploads/2019/12/The-Online-World-2019.pdf 109 http://www.nic.hu/English/statisztika/ 110 http://www.domain.hu/domain/English/ 111 http://www.domain.hu/domain/szabalyzat/franchise.html 53

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

domain name application - as well as the manner in which it is used - shall not violate the rights of other persons or entities (e.g., exclusive rights to names, privacy rights, post- mortem rights, intellectual property rights, etc.). Such article expressly requires the domain name registrant to check the commercial register or the trade mark databases. Links to the Hungarian Intellectual Property Office’s trade mark database, as well as to the EUIPO, are provided to the registrants.

Verification activities of the .hu Registry According to .hu Registration Rules and Procedures, ISZT may carry out a registration data check prior to delegation. In practice, the .hu Registry checks every new request and may ask for a letter of consent or justification for the use of some names. After 1 July 2020, when new Rules and Procedures will enter into force, the .hu Registry will significantly decrease such checks. Currently, the .hu Registry carries out cross-checks in the company registers (Hungarian and European), in the European Commission’s VAT Information Exchange System (VIES), EUIPO, Hungarian Intellectual Property Office, WIPO, Courts of Hungary for Non-Governmental Organizations (NGOs).

Delayed delegation – publication of domain name registration requests The Hungarian domain name registration procedure provides for delayed delegation of all domain names, meaning that upon submitting a domain name registration request, the application is published at the .hu Registry website’s announcements section.112 During the announcement period the domain name applicant is granted the conditional right of using the domain name, meaning that the domain name is entered in the zone file, but remains undelegated to the applicant. Any third party who has a legal interest to state that the delegation of a domain name to a particular applicant infringes the rules may file an objection requesting the Consulting Board113 of the ADR provider (Infomediátor114) to hear the dispute. The objection procedure is described in detail in Section 10.3.3.1.

Content monitoring The .hu registry does not carry out content monitoring. The technical requirements only refer to legal compliance or technical suitability of the DNS.

Registration data disclosure The registration data is released to third parties who are able to prove they have a legally relevant interest.

Collaborations The .hu Registry collaborates with the National Media and Infocommunications Authority (NMHH).

9.8.4 .it

Rules and regulations The .it domain name registration is regulated by the rules of registration (Rules of Registration)115 and by the technical guidelines (Technical Guidelines)116 of the Institute of

112 http://www.domain.hu/domain/English/meghirdetes.html 113 http://www.domain.hu/domain/tt/ 114 https://infomediator.hu/ 115 https://www.nic.it/sites/default/files/archivio/docs/Regulation_assignation_v7.1.pdf 116 https://www.nic.it/sites/default/files/documenti/2019/Synchronous_Technical_Guidelines_v2.5.pdf 54

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

Informatics and Telematics of the Italian National Research Council (.it Registry or Registro .it).117

Number of registrations According to Nominet’s statistics on ccTLDs the number of.it domain name registrations amounts to a total of 3.221.809.118 The most recent Registro.it data as at 29 February 2020 shows 3.258.918 .it registered domains.119

Eligibility criteria The registration of .it domain names is restricted to adults with citizenship, residence or commercial headquarters in the countries of the European Economic Area (EEA), in the State of the Vatican, in the Republic of San Marino and the Swiss Confederation (point 6 Article 1.2.3 of Rules of Registration).

Reserved domain names Reserved domain names are only assigned to specific categories: ● Domain names registered under the organisational and geographical structure, corresponding to local authorities120; ● Domain names corresponding to Italy (in different languages); ● Unsponsored gTLDs (uTLD) and sponsored gTLDs (sTLD) for certain sectors or categories.

Registrars and registrations The Registry does not act as registrar. Registration is carried out through accredited registrars. Currently, 1142 .it registrars operate.121 Fees for the .it registrars to be paid to the .it Registry after each domain name amount to Euro 4 plus VAT for registration and EUR 3.3 plus VAT for maintenance.

Registration procedure The registration procedure is as follows. The registrar executes the technical command to create the domain name on behalf of the registrant or for their own account. The registrar is tasked with notifying the registrant of the registration of the domain name and the ‘Authinfo’ code associated with it. A domain name is assigned to the registrant only after the applicant has provided his or her data, accepted the conditions and responsibilities established for the registration of an .it domain name. According to the Technical Guidelines the .it Registry requests signed template from the registrant only in case reserved domain names are registered or following a re-assignation procedure as described in Section 10.3.4.1.

Obligations to ensure the correctness of the registration data Registro .it ensures, also by means of suitable software tools, the reliability and quality of the data contained in the domain name database, in compliance with national and European Union law provisions that require exact and updated data. The registrant is liable for the correctness of data provided to the registrar. The registrar is liable for maintaining the data within the .it domain name registration database in

117 https://www.nic.it/en 118 https://media.nominet.uk/wp-content/uploads/2019/12/The-Online-World-2019.pdf 119 https://stats.nic.it/domain/growth 120 https://www.nic.it/sites/default/files/docs/comuni_list.html 121 https://www.nic.it/en/registrar/list 55

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

accordance with the data supplied by the registrant. In case of inaccuracies, the domain name can be subject to revocation.

Registration data verification activities of the .it Registry The .it Registry, using machine-learning algorithms, carries out syntactic and semantical controls on specific fields of the registrant contacts (taxpayer code, nationality code, registrants type). In case Registro .it finds obvious false and/or inconsistent registration data with reference to the domain name, revokes the domain name itself of its own accord or on a third-party request, providing notice to the registrar and the registrant. The revoked domain name will be signalled as ‘inactive/revoked’ and will remain in this status for 30 days. After this period has elapsed, it will be permanently deleted from the domain name database and thus be put in ‘pendingDelete/pendingDelete’ and later in ‘deleted’ status. In the event that a domain name is also subject to a challenge (and therefore also associated with a ‘challenged’ status), the domain name will then move from ‘inactive/revoked’ to ‘inactive/toBeReassigned’. In 2019 the .it Registry carried out 2556 verification procedures and only 30 domain names passed the test and continue being delegated.122

Content monitoring The .it registry does not carry out content monitoring.

Registrant data disclosure The registration data is disclosed to third parties who are able to prove they have a relevant legal interest through a formal procedure123. The request must clearly mention and justify the reason for the disclosure (e.g., initiation of legal proceedings). The .it Registry verifies the request within 10 working days and notifies the registrant who has 10 working days to raise an opposition with his or her reasons against the disclosure of the data. Afterwards, the Registry evaluates the opposition (if any) and releases the registration data or denies the disclosure.

Opposition procedure The opposition procedure, aimed at locking a domain name, before initiating an .it ADR procedure (re-assignation) is described in detail in Section 10.3.4.2.

Collaborations The .it Registry collaborates with the Italian Registry of Companies, the Italian Governmental Agency for Medicines (Agenzia Italiana del Farmaco - AIFA) and the Ministry of Economic Development (MISE).

Tips for SMEs Registro .it makes available tips and tutorials to SMEs regarding their digital presence, such as: Digital Kit124, What a digital world125, Digitals by chance126, Digital tips127, Italian stories128.

122 https://www.nic.it/sites/default/files/documenti/2020/ITQUARTER_3_2019.pdf 123 Article 5.2 of the Rules of Registration. 124 https://www.nic.it/en/promote-your-it/digital-kit 125 https://www.nic.it/en/promote-your-it/what-digital-world 126 https://www.nic.it/en/promote-your-it/digitals-chance-series 127 https://www.nic.it/en/promote-your-it/idee-digitali 128 https://www.nic.it/en/promote-your-it/italian-stories 56

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

9.8.5 .uk

Rules and regulations The registration of .uk domain names is governed by the rules of registrations (Rules of Registration)129 and the terms and conditions (Terms and Conditions of Domain Name Registration)130.

Number of registrations .uk is the second largest ccTLD in Europe with 13.270.812 registrations131. More statistics can be found at the .uk domain name registry’s website132.

The .uk Registry, registrars and registration costs The .uk domain name registry has been operated by Nominet since 1996133. The Registry does not act as registrar. Registration is carried out through accredited registrars.134 Registrars pay £3.90 per annum (members) or £80.00 per annum (non-members) to Nominet of domain registration and renewal.135 Registrars are free to determine their own fees.

Registration procedure The registration procedure can be summarised as follows:  Registrants register through registrars  Registrars submit registration applications via EPP or Web Domain Manager through Nominet’s web based online services portal. Among the suggestions of Nominet on choosing the right .uk domain name, registrants are expressly recommended to conduct researches in order to avoid infringing third-party rights.136 In particularly, links to UK and US trade mark databases are provided.

Verification activities of the .uk Registry Improving and maintaining the quality of the data on the register for .uk domain names is a key objective for Nominet137. The registrant shall provide correct registration data upon registration and respond quickly to any request from Nominet to confirm or correct the information on the register. Registrars must submit complete and accurate data in their interactions with Nominet. Registrars must ensure that a reasonable, minimum proportion of the data they submit to us can be validated by the .uk Registry. All registrars must be satisfied that the e-mail address for the registrant is a reliable means by which to contact the registrant. Nominet may validate any registrant data submitted to it. Where Nominet determines that data submitted cannot be validated, registrars will be required to take steps to resolve the issue. Consequently, the registrant might be asked to provide corrected data or the registrar may confirm that the data is reliable based on its own knowledge or information from a trustworthy third-party source; or the registrar may obtain documentary evidence that the data is reliable, such as a utility bill or similar document. Nominet monitors registrars’ compliance with its own processes through its data quality audits.

129 https://media.nominet.uk/wp-content/uploads/2018/05/22141819/dotUK-Rules-of-Registration.pdf 130 https://media.nominet.uk/wp-content/uploads/2018/05/22141655/Ts-and-Cs-of-Domain-Name-Registration.pdf 131 https://media.nominet.uk/wp-content/uploads/2019/12/The-Online-World-2019.pdf 132 https://www.nominet.uk/news/reports-statistics/ 133 https://www.nominet.uk/uk-domains/policies/ 134 https://registrars.nominet.uk/uk-namespace/registrar-agreement/list-of-registrars/ 135 https://registrars.nominet.uk/uk-namespace/managing-account/payments/fee-schedule/ 136 https://www.theukdomain.uk/get-online/how-to-choose-a-domain-name/ 137 https://media.nominet.uk/wp-content/uploads/2018/09/13094001/Data-Quality-Policy.pdf 57

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

Through its post-registration data validation Nominet checks data against the UK Electoral Roll, Royal Mail Postal Service, Companies House, and the Charity Commission as appropriate.

Nominet also uses predictive algorithms to identify domain names that are highly likely to be used for phishing.138 The registrants of identified domains are asked to verify their identities. However, there is no delayed delegation is provided under .uk.

Content monitoring Nominet does not monitor content and cannot asses criminality. The .uk Registry suspends domains if UK law enforcement agencies certify that they are involved in criminal activity. In 2018, Nominet suspended 28.937 domains for criminal activity by collaborating with UK law enforcement agencies. Most of these were from the City of London Police’s Intellectual Property Crime Unit (28.606).139

Abuse reporting Nominet provides readily accessible information on how to submit complaints.140

Collaborations Nominet collaborates with the following UK law enforcement agencies: • Counter Terrorism Internet Referral Unit (CTIRU) • Financial Conduct Authority (FCA) • National Crime Agency (NCA) • Metropolitan Police – Fraud and Linked Crime Online (FALCON) • Medicines and Healthcare Products Regulatory Agency (MHRA) • Trading Standards • National Fraud Intelligence Bureau (NFIB) • Police Intellectual Property Crime Unit (PIPCU) • Ministry of Defence Police • Department for Environment, Food and Rural Affairs (DEFRA) – Veterinary Medicines Directorate.

9.10 Comparison of the .eu registration procedure with the ccTLDs

The following chart summarises the good practices of the ccTLDs and the comparison with the .eu TLD during and after the registration:

Preventive measures

Good practices .EU .BE .DK .HU .IT .UK (preventive measures) Strict registrant ✕ ✕ ✓ ✕ ✕ ✕ identification requirements before domain name delegation Delegation ✓ ✕ ✓ ✓ ✕ ✕ delayed with respect to the request for domain name

138 https://www.nominet.uk/domain-watch-ing-for-phishers/ 139 https://www.nominet.uk/over-28000-domains-suspended-as-law-enforcement-and-industry-keep-uk-safe/ 140 https://www.nominet.uk/complaints/ 58

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

registration Cross-checks ✓ ✕ ✓ ✓ ✕ ✓ carried out by the ccTLD Registry in official databases (trade mark registries, business registries, etc.) Obligation of or ✕ ✕ ✕ ✓ ✕ ✓ recommendatio ns to registrants to carry out cross-checks in databases before registration Services for ✕ ✕ ✕ ✕ ✕ ✕ IPR holders to preventively block domain name registrations Use of ✓ ✕ ✕ ✕ ✕ ✓ predictive algorithms by the ccTLD Registry

Curative measures

Good .EU .BE .DK .HU .IT .UK practices (curative measures) Check on ✓ ✓ ✓ ✓ ✓ ✓ the registration data upon or after domain name delegation Services for ✓ ✓ ✕ ✕ ✕ ✕ IPR holders to search domain names similar to their domain names or trade marks Collaboratio ✓ ✓ ✓ ✓ ✓ ✓ ns with other entities Availability ✕ ✓ ✓ ✕ ✕ ✓ of readily accessible information for users on reporting abuses

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

10. ALTERNATIVE DISPUTE RESOLUTION MECHANISM (ADR)

Since the Internet has a global reach and the resolution of cross-border domain disputes through court proceedings is costly and time-consuming, alternative dispute resolution (ADR) mechanisms to resolve such disputes are internationally recognised as effective curative measures against speculative and abusive domain name registrations.

After a brief overview of the international context, this Section will analyse the ADR for the resolution of .eu domain name disputes (.eu ADR) and compare it with the ADR procedures referable to a number of selected ccTLDs (.be, .dk, .hu, .it, .uk) with a view to identify good practices which might assist EU policy-makers in improving the existing domain name resolution policy and procedure for the .eu domain name.

10.1 International backdrop

In the late 1990s, in response to the commercialisation of the Internet and subsequent widespread phenomenon of abusive registrations by third parties who had intentionally registered domain names confusingly similar to trade marks in bad faith for profit (cybersquatting), ICANN, through a formal policy development process, adopted the UDRP as consensus policy, implemented on 24 October 1999.141 In developing UDRP international best practices, ccTLDs’ experience regarding intellectual property issues raised by domain names were especially taken into account. UDRP is a “quick, efficient, cost-effective” and “uniform administrative dispute-resolution procedure” that required domain name holders “to submit to the administrative procedure only in respect of allegations that they are involved in cybersquatting, which was universally condemned… as an indefensible activity that should be suppressed”.142 The UDRP applies to all gTLDs and some ccTLDs.143 Several European ccTLDs adopted domain name dispute resolution policies similar to the UDRP, adapting this latter to their national legal environment and, thus, such policies can be considered UDRP-variants (inter alia, .ch, .es, .fr, .ie, .nl, .se, etc.). The UDRP is incorporated by reference into all gTLD registration agreements. Therefore, the domain name holder is required to submit to a mandatory administrative procedure in the event that a third party (complainant) states that: (i) the domain name is identical or confusingly similar to a trade mark or service mark in which the complainant has rights; and (ii) the domain name holder has no rights or legitimate interests in respect of the domain name; and (iii) the domain name has been registered and is being used in bad faith. The mandatory administrative procedure is without prejudice to recourse to competent courts. UDRP is conducted before one of the domain dispute resolution service providers144, approved by ICANN in accordance with the Rules for UDRP145, and the provider’s Supplemental Rules. Over the years, the UDRP has proven an efficient remedy against bad faith, abusive registration of domain names infringing trade mark rights.

141 https://www.icann.org/resources/pages/policy-2012-02-25-en 142 WIPO Final Report “The Management of Internet Names and Addresses: Intellectual Property Issues”, 30 April 1999: https://www.wipo.int/amc/en/processes/process1/report/finalreport.html 143 Currently: .ag, .ai, .as, .bm, .bs, .bz, .cc, .cd, .co, .cy, .dj, .ec, .fj, .fm, .gd, .gt, .ki, .la, .lc, .md, .me, .mw, .nr, .nu, .pa, .pk, .pn, .pr, .pw, .ro, .sc, .sl, .so, .tj, .tt, .tv, .ug, .ve, .vg, and .ws 144 https://www.icann.org/resources/pages/providers-6d-2012-02-25-en 145 https://www.icann.org/resources/pages/udrp-rules-2015-03-11-en 60

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

WIPO, the main dispute resolution service provider for UDRP, has administered over 42,500 disputes since 1999, encompassing over 78.500 domain names.146 Over the course of 20 years the UDRP developed considerable case law that rendered the procedure highly transparent and the outcome predictable. The consensus views of UDRP panels are often referenced in ccTLD ADR procedures as well.

Starting from 2005 a development process was initiated by ICANN in order to introduce into the domain name space new gTLDs to allow more innovation, choice and change to the Internet’s addressing system. The new gTLD program was launched in 2011 and the application for new gTLDs began in January 2012. First, new gTLDs were delegated in October 2013 and over 1.300 new extensions became available147. By introducing the new gTLDs, ICANN implemented a number of new rights protection mechanisms, among which the Uniform Rapid Suspension System (URS). The URS is a trade mark-related rights protection mechanism, implemented to supplement the existing UDRP. URS is a lower-cost, faster path to relief for rightsholders experiencing clear-cut cases of trade mark infringement caused by domain name registrations. URS is not intended to replace the UDRP, but to complement it. The URS and UDRP have separate procedures with distinct timelines and remedies. The UDRP is designed to result in the cancellation or transfer of the domain name, whereas the URS results in the suspension of a domain name for the balance of the registration period. Right holders might resort to either or both procedures. Neither procedure is prioritised over the other. URS applies to all new gTLDs, some of the “legacy gTLDs” (.asia, .biz, .cat, .info, .jobs, .mobi, .museum, .org, .pro, .tel, .travel, .xxx) and some ccTLDs (.pw). URS is conducted by the ICANN-approved dispute resolution service providers pursuant to the URS Procedure, URS Rules and the provider’s Supplemental Rules148.

10.2 .eu ADR

10.2.1 Overview of the .eu ADR

Rules and regulations The .eu ADR is foreseen by Article 22(1)(a) of Commission Regulation (EC) No 874/2004149 and Regulation (EU) 2019/517 as a curative measure against speculative and abusive registrations150. The .eu ADR is governed by the ADR rules (.eu ADR Rules).151 Such rules were inspired by the UDRP152.

Claim requirements Pursuant to Article 21 of Commission Regulation (EC) No 874/2004 and under the .eu ADR Rules, complainants must prove that the disputed .eu domain name is identical or confusingly similar to the name or names in respect of which a right or rights are recognised or established by national and/or European Union law, such as the rights mentioned in Article 10(1) of the cited Regulation and as specified and described in accordance with Paragraph B1(b)(9) of the .eu ADR Rules, and either the disputed

146 https://www.wipo.int/pressroom/en/articles/2019/article_0003.html 147 https://newgtlds.icann.org/en/program-status/delegated-strings 148 https://www.icann.org/resources/pages/urs-2014-01-09-en 149 Article 22 Alternative dispute resolution (ADR) procedure 1. An ADR procedure may be initiated by any party where: (a) the registration is speculative or abusive within the meaning of Article 21; or (b) a decision taken by the Registry conflicts with this Regulation or with Regulation (EC) No 733/2002. 150 Article 21 of Commission Regulation (EC) No 874/2004 151 https://eurid.eu/d/7770495/EN_ADR_English_rules.pdf 152 Recital (17) of Commission Regulation (EC) 874/2004 and recital (17) of Regulation (EU) No 2019/517. 61

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

domain name has been registered by its holder without the right or legitimate interest to do so or the disputed domain name should be considered as having been registered or used in bad faith.

Rights protected The protected rights include registered national and European Union trade marks, geographical indications or designations of origin, and, insofar as they are protected under national law in the Member State where they are held: unregistered trade marks, trade names, business identifiers, company names, family names, and distinctive titles of protected literary and artistic works.

Remedies The remedies available are the transfer or revocation of the disputed domain name. If a complainant requests the transfer of the disputed domain name, the complainant must provide evidence to satisfy the general eligibility criteria for the registration set out in Article 4(2)(b) of Regulation (EC) No 733/2002 (as amended by the new Regulation).

Dispute-resolution provider(s) The .eu ADR is provided by independent dispute resolution providers. The Czech Arbitration Court (CAC) has been operating as dispute resolution provider for .eu domain names since 2006.153 The World Intellectual Property Organization (WIPO) has been providing the domain name dispute resolution service for .eu since June 2017.154

Length of the procedure The procedure lasts approximately 3 months. The procedure occurs as follows: ● The complaint is filed; ● The ADR provider notifies the .eu Registry and the .eu Registry blocks the disputed domain name – 5 days from receiving the complaint; ● Administrative review of the complaint - if non-compliant, 7 days are provided to rectify any deficiency; ● The administratively compliant complaint is notified to the domain-name holder – within 5 working days of receiving fees; ● Response period – 30 working days from receiving the complaint by the domain name holder; ● If a response is provided, administrative review of the response occurs: if non- compliant, 7 days to rectify any deficiency; ● If no response is provided, a notice of default is sent to the parties; ● Appointment of the Panel; ● The decision is issued within 1 month of receiving the response or after the time period for submitting the response has elapsed.

Lock of disputed domain name Pursuant to Paragraph B(1)(e) of the .eu ADR Rules, the domain name is locked by EURid during the .eu ADR. Such measure guarantees that neither changes in the ownership of the domain name (“cyberflight”), nor other changes with regard to the domain name occur during while the .eu ADR procedure is ongoing.

Registrant data disclosure

153 https://eu.adr.eu/index.php?lang=en 154 https://www.wipo.int/amc/en/domains/cctld/eu/index.html 62

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

The complainant may obtain registrant details prior to initiating an .eu ADR procedure through EURid’s Whois or a formal request for the data to be disclosed.155 Such data is disclosed within 30 days. To the extent that those details are not publicly available (e.g., in the case of a natural person), the ADR provider obtains the registration data from EURid upon receiving the complaint and subsequently relays such details to the complainant.

Implementation of decisions The .eu Registry implements the .eu ADR decision to transfer or revoke the disputed domain name after 30 calendar days, provided that the .eu Registry does not receive documentation from one of the parties regarding court proceedings.

Publication of decisions All .eu ADR decisions are published online on the websites of the ADR providers156 157.

Language of the procedure The language of proceeding is one of the EU official languages. Unless otherwise agreed by the Parties or otherwise specified in the registration agreement relating to the disputed domain name, the language of the registration agreement is the language of the .eu ADR. The information on the language of the registration agreement relating to the disputed domain name is publicly available in the Whois records. A request to change the language of the procedure is possible under paragraph A(3) of the .eu ADR Rules158.

Procedure costs The cost of the .eu ADR is Euro 1.300 as administrative fees for a dispute involving 1-5 domain names decided by a single-member panel and Euro 3.100 as administrative fees for a dispute involving 1-5 domain names decided by a three-member panel. Currently (and until 30 June 2020) EURid arranged to temporarily subsidise the administrative fees for each .eu domain name dispute filed with the ADR providers. Therefore, the filing fee for a domain dispute involving 1-5 domain names decided by a single-member panel is currently Euro 100. EURid pays to the ADR providers Euro 1.200 per each dispute initiated. The administrative fees are entirely borne by the complainant. No cost recovery available to the prevailing complainant in the .eu ADR.

Mediation The .eu ADR does not provide for mediation.

Fast-track proceeding The .eu ADR does not provide for any fast-track procedure.

Appeal procedure The .eu ADR does not provide for an appeal procedure.

Mandatory preliminary procedure

155 https://eurid.eu/en/about-us/document-repository/ 156 https://eu.adr.eu/adr/decisions/index.php 157 https://www.wipo.int/amc/en/domains/decisionsx/list.jsp?prefix=DEU&year=2017&seq_min=1&seq_max=199; https://www.wipo.int/amc/en/domains/decisionsx/list.jsp?prefix=DEU&year=2018&seq_min=1&seq_max=199; https://www.wipo.int/amc/en/domains/decisionsx/list.jsp?prefix=DEU&year=2019&seq_min=1&seq_max=199 158 Lacking an agreement between the Parties, the Panel may, at its sole discretion, having regard to the circumstances of the ADR Procedure, decide on the written request of a Complainant, filed before initiating a Complaint, that the language of the ADR Proceeding will be different than the language of the Registration Agreement for the disputed domain name. 63

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

No mandatory procedure is provided as mandatory before initiating a .eu ADR.

10.2.2 Stats on the .eu ADR

CAC

Number of proceedings 700

634

600

500

400

300

200 177

89 100 62 71 51 52 53 54 53 42 45 39 38 7 5 2 1 2 1 3 5 3 3 5 3 0 1 0 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019

.eu domain disputes language trials

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

Number of domain names involved in proceedings 60 50 50

39 38 40

0 2017 2018 2019

Outcome of proceedings 100 90 80 19 70 16 60 28 50 24 40 30 3 20 42 35 16 10 5 8 13 0 7 Total Decisions Accepted Rejected Terminated Pending

2017 2018 2019

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

Language of proceedings 30 25 25

20 19 17

9 10 8 8 5 4 5 3 3 3 3 3 3 2 1 1 1 1 1 1 1 1 0

2017 2018 2019

The categorization of the decisions provided by CAC is as follows:

Rights involved 30 28

20 18

15 11 12 10 9 10 8 8 6 5 4 4 4 5 2 2 3 3 3 00 0 0 0 0 001 0 0 1 0

2017 2018 2019

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

Rights to a protected name 40 37 35 30 24 25 20 18 15 10 4 4 5 3 2 10 1 0 1 0 Owner Licensee Earlier Other priority/better right(s)

2017 2018 2019

Identity or confusing similarity

20 18 18 16 15 14 12 12 10 10 8 7 8 6 6 4 3 4 2 2 2 1 1 1 11 1 2 0 0 0 0 0 0 0

2017 2018 2019

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

Legitimate rights or interests 9 8 8 7 6 6 5 5 4 3 3 3 2 2 2 2 1 1 1 1 0 00 0 0 0 0 0 Prior use of a Offer of goods Domain name Legitimate Bona fide Generic words Other corresponding and/or services holder has noncommercial intentions to name been or fair use of use the domain commonly the disputed name known by the domain name domain name

2017 2018 2019

Bad faith 16 15

14 12 12

10 8 8 7 7 6 6 6 6 5 5 5 4 4 4 4 4 3 3 3 3 3 2 2

0 Holding Non-use of the Blocking the Disrupting Creating the Pattern of Other domain name domain name owner of a professional likelihood of conduct for purposes protected activities of confusion of selling or name the holder of renting the prior right

2017 2018 2019

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

Procedure 35 32 30 25 19 20 20 16 15 9 10 7 4 2 3 2 5 001 0 00 0 0 0 0 0 0 0 0 0 100 1 0 0 0 0 0

2017 2018 2019

Decisions 35 29 30 25 22 20 15 15 10 7 6 4 5 3 2 2 1 0 0 000 0 0 0 0 0 0 0 Complaint Reverse Domain Domain Settlement Interim Other denied domain name name decision name transferred revoked hijacking

2017 2018 2019

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

Complainant's country 14 12 10 8 6 4 2 0 Italy Spain Malta China Latvia France Greece Poland Cyprus Turkey Austria Canada Estonia Finland Sweden Belgium Bulgaria Germany Denmark Switzerland Netherlands Luxembourg Great Britain Great United United States Saint and… Saint Kitts Czech Republic Czech

2017 2018 2019

Respondent's country 14 12 10 8 6 4 2 0 Italy Spain Latvia France Greece Poland Cyprus Ireland Austria Sweden Norway Belgium Bulgaria Portugal Hungary Gibraltar Germany Denmark Lithuania Afghanistan Netherlands Great Britain Great United United States Czech Republic Czech Slovak Republic Slovak

2017 2018 2019

WIPO

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

Number of proceedings

35 32

25 21 20

15 13

0 2017 2018 2019

Number of domain names involved in proceedings

40 37 35 30 24 25 20 16 15 10 5 0 2017 2018 2019

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

Outcome of proceedings 50

40 11 35

20 26

10 3 5 1 2 7 3 1 4 3 0 2 01 Transferred Revoked Denied Terminated Pending

2017 2018 2019

Language of proceedings 30 25 25

20 17

15 9 10

5 3 1 1 2 2 1 1 1 1 1 1 0 Dutch English German Spanish Czech Estonian German Slovak Danish

2017 2018 2019

10.2.3 Additional information on .eu ADR providers

10.2.3.1 CAC

The .eu ADR procedure is completely processed online through the online dispute management platform.159 This is particularly convenient for users.

Sufficient information (FAQ) on .eu ADR is published online for complainants, respondents and Panellists.160

159 https://eu.adr.eu/index.php?lang=en 72

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

Number of Panellists: 117. Panellists’ qualifications are published online.161

The Overview of Panel Views on Selected Questions of Alternative Dispute Resolution for .EU Domain Name. Disputes (second edition) is also published online.162 This is particularly useful in order to guarantee uniformity and predictability as to the outcome of .eu ADR proceedings.

CAC does not provide educational programs or awareness-raising for SMEs on a regular basis. Occasional lectures at seminars are held, and CAC participates in conferences and issues publications. CAC holds biannual meetings for its Panellists to share knowledge on the latest developments in domain disputes (.eu, UDRP, .cz and other ccTLDs).

10.2.3.2 WIPO

WIPO does not use an online filing portal. Disputes are primarily managed electronically through emails. Certain due process safeguards for case notification are in place such that formal notification of the case to the registrant is done by email, fax, and post.

Sufficient information on .eu ADR procedures, including model forms, is published online for the benefit of interested parties.163

Although a formal mediation is not codified in the .eu ADR Rules, parties are free to request a temporary suspension of their case to explore settlement options in accordance with the ADR Rules, paragraph A(4). WIPO also provides mediation services in intellectual property-related disputes.164

Number of Panellists: approximately 150. Panellists’ qualifications are published online.165

WIPO holds an annual two-day UDRP training workshop available to the public including a session on ccTLDs and promotes its ccTLD services through different webinars.

10.2.4 Stakeholder feedback on .eu ADR

Stakeholders find the .eu ADR an effective curative measure against speculative and abusive registrations.

Practitioners, right holders and rightsholder associations However, practitioners, rightsholders and associations of rightsholders (ECTA) retain that the procedure should be faster, as time is crucial in the fight against speculative and abusive registrations. They also suggested introducing mediation within the .eu ADR procedure a system where either the losing party has to pay costs or a cost-recovery system is provided in favour of the winning party. Finally, some have suggested that the scope of ADR proceedings should be extended to other types of abuse.

160https://eu.adr.eu/adr/faq/complainant.php;https://eu.adr.eu/adr/faq/respondent.php; https://eu.adr.eu/adr/faq/panelist.php 161 https://eu.adr.eu/adr/panelists/index.php 162 https://eu.adr.eu/html/en/handbook_final_for_publication.pdf 163 https://www.wipo.int/amc/en/domains/cctld/eu/index.html 164 https://www.wipo.int/amc/en/mediation/index.html 165 https://www.wipo.int/amc/en/domains/panel/panelists.jsp?code=euDRP 73

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

IP Twins suggested to move from the domain dispute procedures to arbitration. Recourse to arbitration would strengthen the powers of the third-party decision-maker, who would have the power, inter alia, to order the losing party to pay damages and to reimburse the costs of the arbitration procedure. The parties would benefit from the 1958 New York Convention on the Recognition and Enforcement of Arbitral Award. The arbitration procedure should be expedited. Although the costs would be slightly higher than a domain dispute procedure, the losing party should reimburse the costs. The arbitration procedure might only work on a prerequisite: the exact identification of the domain name holder by the registrar. In the absence of identification, the complaining party should be able to sue the registrar before the arbitral tribunal. Therefore, the registrars would be liable for the proper identification of the domain name holders. AIM also suggested introducing a loser-pays system.

Registrars A registrar (Com Laude – Valideus) suggested introducing a loser-pays system.

10.3 Other ccTLD’s ADR

10.3.1 .be ADR

Rules and regulations The .be ADR is foreseen by the Terms and Conditions for .be domain name registrations of the .be Registry (DNS Belgium).166

Claim requirements Pursuant to Article 10(b)(1) of the Terms and Conditions, a complainant must prove that the following: i) the registrant’s domain name is identical or confusingly similar to a trade mark, a trade name, a registered name or a company name, a geographical designation, a name of origin, a designation of source, a personal name or name of a geographical entity in which the complainant has rights; and ii) the registrant has no rights or legitimate interests in relation to the domain name; and iii) the registrant’s domain name has been registered or is being used in bad faith.

Remedies The remedies available under .be ADR are limited to requiring that the domain name registration be cancelled or the domain name be transferred to the complainant.

Dispute resolution provider(s) The .be ADR is provided by an independent dispute-resolution provider, the Belgian Centre for Arbitration and Mediation (CEPANI)167 in accordance with the Rules for .be Domain Name Dispute Resolution.168

Duration of the procedure The duration of the procedure is approximately 1.5-2 month. The procedure may be briefly outlined as follows: ● Filing the complaint - the complainant shall choose between the following two options:

166 https://assets.dnsbelgium.be/attachment/Enduser_Terms_and_Conditions_en_v6.1_1.pdf 167 https://www.cepani.be/be-domainname-whatis/ 168 https://www.arbitrationbelgium.com/.BE%20Rules/cepani_reg_nom_domaine_rules%20EN.pdf 74

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

o Offering the domain name holder the possibility of voluntarily proceeding with the execution of the relief sought; or o Not offering the domain name holder the possibility to voluntarily executing the requested measure; ● CEPANI notifies DNS Belgium and the .be Registry blocks the disputed domain name; ● Administrative review of the complaint – 7 calendar days of receiving the complaint: if non-compliant, 14 calendar days to rectify the detected shortcomings; ● Notification of the administratively compliant complaint to the domain name holder and: o if the complainant chose to offer the domain name holder the possibility of voluntarily carrying out the request, the domain name holder is notified of such offer and informed that if the requested measure is not executed within 7 calendar days, the procedure will continue and that if the Third- party Decider decides that the domain name is to be transferred or cancelled, the domain name holder will be required to pay the costs of the procedure; or o if the complainant chose not to offer the possibility to voluntarily proceed with implementing the requested measure, the procedure continues without any notice being provided to the domain name holder; ● If the requested measure is voluntarily executed by the domain name holder within 7 calendar days, the procedure comes to a close and CEPANI refunds the administrative fees to the complainant; ● Response period – 21 calendar days; ● Appointment of the Third-party Decider – 7 calendar days following the receipt of the Response or the lapse of the time period for the submission thereof ● Decision within 14 calendar days of the case being discussed (7 calendar days after the appointment of the Third-party Decider).

No online dispute management platform is provided for .be ADR. The complaint is to be submitted by e-mail and one original hard copy. The response is to be submitted by e- mail. The notification of the complaint to the domain-name holder is carried out by e-mail, and, if unsuccessful, it occurs via registered mail. The communications related to the procedure (e.g., establishment of the procedure and appointment of the third-party decider) are sent by e-mail. The notification of the third-party decider’s decision to the parties is carried out by registered mail.

Lock of disputed domain name Pursuant to Article 10 b) k) of the Terms and Conditions for .be domain name registrations, the domain name is locked (on hold) by the .be Registry during the ADR to prevent cyberflight or other changes in the disputed domain name.

Registrant data disclosure The registrant’s details may be obtained by the complainant prior to initiating a .be ADR through the .be Registry’s Whois or, if the registrant is a natural person, a reasoned request to DNS Belgium. Such request shall clearly mention and justify the reasons for such disclosure (e.g., initiation of legal proceedings), as well as the specific legal grounds as referred to in Article 6.1 of the General Data Protection Regulation (GDPR). DNS Belgium will evaluate the invoked lawfulness of the disclosure and take a decision as to whether or not communicate the requested data.

Implementation of decisions

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

If a Third-party Decider decides that the domain-name registration should be cancelled or transferred, DNS Belgium will implement the decision 14 days after having been informed of the Third-party Decider’s decision by CEPANI, unless the registrant has initiated the appeal procedure in due time. The time period for appeal is prescriptive. If the appeal procedure is initiated within that time period, DNS Belgium will not take further action (whilst leaving the domain name on hold) until the appeal procedure has ended or has been cancelled.

Publication of decisions All .be domain name dispute decisions are published online on the CEPANI website.

Language of the procedure The language of the procedure is English, French or Dutch. Unless otherwise agreed by the parties, the language of the procedure for the disputed domain name shall be the language mentioned in the Whois database of DNS Belgium. The Third-party Decider may conduct the procedure in a different language in exceptional cases.

Cost of the procedure The administrative fees of the .be ADR are Euro 1.750 plus VAT for a dispute involving 1- 5 domain names. The administrative fees are entirely paid by the complainant. If the Third-party Decider finds that the domain name registration needs to be cancelled or transferred, DNS Belgium shall reimburse the administrative fees to the complainant and reclaim the thus repaid costs from the registrant. Upon DNS Belgium’s first request, the registrant shall reimburse the repaid amounts. The registrant will have no recourse against DNS Belgium, CEPANI, the Third-party Decider or the complainant for the financial loss suffered. The potential financial loss for the registrant is the risk that the latter took for the speculative registration of domain names on which third parties have rights. The repayment provision specified in the previous section does not apply to the appeal procedure of the .be dispute resolution procedure. The administrative fees relating to the appeal procedure are payable by the party that initiated such procedure. Although the recovery rate of the .be ADR costs by DNS Belgium is around 25%-30%, the “loser pays” system is a deterrent for abusive registrations.

Mediation The .be ADR does not provide for mediation.

Fast-track procedure The .be ADR does not provide for any fast-track procedure.

Appeal proceeding The .be ADR provides for an appeal procedure. Each party has the right to lodge an appeal against the decision of a third-party decider within 15 calendar days of the decision being notified. The appeal is established by filing the request for appeal and the payment of the costs related to the appeal, failing which the appeal shall not be valid. Within 7 calendar days receiving the request for appeal and the costs for appeal, the request for appeal is notified to the other party. The party against whom the appeal is lodged has 14 calendar days from receiving the notification of the appeal to provide a response. A panel of three Third-party Deciders is appointed within 7 calendar days following the receipt of the response or the lapse of time period for the submission thereof. The appeal panel renders its decision within 30 calendar days of the file having been notified. The decisions of the appeal panel are not subject to further appeal. The administrative fees for the appeal procedure amount to Euro 4.050 plus VAT.

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

Mandatory preliminary procedure No mandatory procedure is provided as a condition for initiating a .be ADR.

Stats on the .be ADR

Number of proceedings 70 68 68

62 60 60 60

56 2017 2018 2019

Number of Third-party Deciders: 46

10.3.2 .dk ADR

10.3.2.1 .dk ADR before the Danish Complaints Board for Domain Names

Rules and Regulations The .dk ADR is governed by the Danish Act No. 164 of 26 February 2014 on Internet Domains (Domain Names Act)169, the Regulations of the Danish Complaints Board for Domain Names of 31 October 2018170 and the Rules of Procedure for the Danish Complaints Board for Domain Names of 1 December 2017.171

Claim requirements The Danish Domain Names Act forbids registration and use of domain names inconsistent with good domain name practice: “registrants may not register and use domain names in violation of good domain name practice …, (and) registrants may not register and maintain domain name registrations solely for resale or rental purposes” (Article 5). This term is not defined in the actual Act but by the Danish Complaints Board for Domain Names.172 Consequently, the Board has the authority to assess whether a user makes correct use of his or her right to use a domain name, based on considerations of public interest or technological developments.

169 https://www.retsinformation.dk/Forms/R0710.aspx?id=161869 170https://www.domaeneklager.dk/sites/default/files/2019- 03/Regulations%20of%20the%20Complaints%20Board%20for%20Domain%20Names.pdf 171https://www.domaeneklager.dk/sites/default/files/2017- 11/Forretningsorden%20for%20klagenaevnet%20af%2019%20december%202017%20-%20ENGELSK.pdf 172 https://www.domaeneklager.dk/en/complaints-board-domain-names 77

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

Remedies The remedies available under the .dk ADR are the suspension, deletion or transfer of the disputed domain name.

Dispute resolution provider(s) The Danish Complaints Board for Domain Names is an independent entity providing ADR dispute resolution between domain name registrants and third parties concerning registration and use of domain names under .dk. The complainant may invoke Danish law as legal grounds. Complaints are thus not restricted to bad faith registration and/or use. The Complaints Board comprises a chairperson and a vice-chairperson who must be judges, two members with theoretical and practical expertise in law as well as two members representing consumer and commercial interests, respectively. Substitutes for each of the two members with expertise in law and for the consumer and commercial representatives have also been appointed. In the Complaints Board’s handling of cases, the chairman or the vice-chairman will take part, and also the two members with expertise in law. In cases involving non-commercial use of domain names and in cases of fundamental importance, the representatives for consumer and commercial interests will also take part. The chairman of the Complaints Board decides when a matter involves non-commercial use of domain names and when a matter is of fundamental importance.173

Duration of the procedure The procedure lasts approximately 5 months. The procedure may be outlined as follows: ● Filing of the complaint; ● Administrative review of the complaint; ● Notification of the complaint to the domain name holder: ● Response period – 14 days from the receipt of the complaint; ● Response notified to the complainant for the purpose of providing a statement – 14 days from the receipt of the response; ● Complainant’s statement notified to the domain-name holder for the purpose of providing a reply – 14 days from the receipt of the complainant’s statement; ● Oral discussion of the case, if necessary, and decision; alternatively, the case is decided in writing without any hearing; The .dk ADR proceeding is processed online throughout (except for the oral discussion) through a case-management portal.174

Lock of disputed domain name The domain name is locked during the .dk ADR proceeding to prevent cyberflight or other changes in the domain name.

Registrant data disclosure The complainant may obtain registrant details prior to initiating a .dk ADR through the .dk Registry’s Whois. If such details are not public, the ADR provider obtains the registration data from the .dk Registry upon receipt of the complaint.

Implementation of decisions Normally, the .dk ADR decision is implemented 1 month after the Complaints Board renders its decision. However, the Complaints Board can the decision shall be immediately implemented. Suspension and deletion decisions are implemented automatically. The decision to transfer the domain name registration (typically to the

173 https://www.domaeneklager.dk/en/node/406 174 https://www.domaeneklager.dk/en/case-management-portal 78

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

complainant) will be implemented by the .dk Registry only after the complainant has complied with certain formalities.

Publication of decisions All .dk ADR decisions are published online on the website of the Danish Complaints Board for Domain Names.175

Language of the procedure The language of the procedure is Danish. However, a party may submit pleadings, exhibits and other documents drawn up in English, Norwegian or Swedish unless the chairman or vice-chairman of the Complaints Board requests that they be accompanied by a translation. The translation must be certified by a translator at the request of the chairperson or vice-chairperson of the Complaints Board. Pleadings, exhibits and other documents drawn up in languages other than Danish, English, Norwegian or Swedish must be accompanied by a translation that must be certified by a translator at the request of the chairperson or vice-chairperson of the Complaints Board. However, the latter may allow a party to submit evidence drawn up in languages other than Danish or English if the contents of the evidence are assumed as being immediately understandable to both the opposing party and the Complaints Board. If a party does not understand Danish, all notifications about the case and guidance from the Complaints Board’s secretariat will occur in the English language.

Cost of the procedure The cost of the .dk ADR is DKK 500 (Euro 67) as administrative fees (or DKK 160 (Euro 21) for complainants devoid of commercial interest).

The complainant bears the entirety of the costs. If the complainant succeeds, the Complaints Board’s secretariat will reimburse the administrative fees to the complainant. The Complaints Board cannot order payment of costs or damages.

Mediation Under Paragraph 8 of the Rules of Procedure, the Complaints Board’s secretariat can seek to facilitate a settlement between the parties. Such procedure must not exceed 1 month, and the secretariat’s endeavours to facilitate a settlement are made in confidence. The Complaints Board can act as a mediator in the case.

Fast-track procedure The .dk ADR does not provide for any fast-track procedure (except for the procedure described in section 10.3.2.2).

Appeal procedure The .dk ADR does not provide for an appeal procedure.

Mandatory preliminary procedure No any mandatory procedure is required before a .dk ADR is initiated.

Stats on the .dk ADR

175 https://www.domaeneklager.dk/en/recent/decisions 79

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

Number of proceedings

400 367 350 307 312 300 253 250 209 200 162 150 100 50 0 2017 2018 2019

Proceedings filed Proceedings decided

Outcome of proceedings 180 168168 160 144 140 120 99 100 84 80 63 60 3533 40 24 131413 9 9 20 2 1 4 0

2017 2018 2019

10.3.2.2 Procedure involving typosquatting cases before the .dk Registry

In addition to .dk ADR, the .dk Registry has a specific fast-track curative tool for typosquatting cases under Paragraph 9.1 of the Terms and Conditions for the right to use a .dk domain name.176 Under the procedure, the .dk Registry may suspend the domain name without referring the case to the Danish Complaints Board for Domain Names.

The .dk Registry may suspend a domain name if the following requirements are met: ● An inherent risk exists that Internet users’ spelling or typing errors when entering a URL in an address field are exploited to create confusion with another nearly identical domain name, thereby generating traffic to their own website;

176 https://www.dk-hostmaster.dk/en/terms#uretmassig 80

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

● The registrant of the domain name subject to confusion submits a notification; ● The domain name utilised in confusion and the notified domain name are available to the public, e.g., to operate a website, and the registered domain name is registered at a later date than that on which the notifying party registers its domain name; ● The registrant of the notified domain name does not have any relevant name or trade mark or other proprietary rights or other legitimate grounds to use the domain name; ● The registrant of the notified domain name and/or a legal or natural person closely related to the Registrant has registered at least two other domain names with a similarly related risk of confusion as discussed above.

DK Hostmaster will not make a decision on the suspension of the notified domain name until the registrant of the domain name has had an opportunity to issue a statement in the case. The registrant of the notified domain name has a deadline of 72 hours to provide a statement. The deadline is calculated from the time when .dk Registry sends the notification to the registrant with a request for the registrant to make a statement. The suspension of the domain name is maintained for 4 weeks, or if the decision on suspension is brought before the Complaints Board for Domain Names, until the Board issues a decision on the case. After the suspension period has elapsed, the .dk Registry deletes the notified domain name, unless the notifier previously requested to have the domain name transferred. If the same registrant has had a domain name suspended in at least two cases pursuant to Paragraph 9.1 of the Terms and Conditions, an agreement on the right of use to a domain name will be concluded with the .dk Registry only once the registrant has entered a code sent by the .dk Registry in a paper letter.

In 2019 .dk Registry received 35 complaints on typosquatting and 23 of them did not meet the criteria in Paragraph 9.1 of the Terms and Conditions for the right to use a .dk domain name; therefore, they were refused. 12 complaints were approved and out of them 7 domain names were transferred to the complainant and 5 were suspended and deleted.

In revising typosquatting cases under Paragraph 9.1 of the Terms and Conditions for the right of use to a .dk domain name the .dk Registry’s decision is based on the statements and documents provided by the parties and the information registered in the Whois database.

The procedure under Paragraph 9.1 of the Terms and Conditions for the right of use to a .dk domain name can may also be introduced in English.

The Study holds that the curative tool DK Hostmaster put in place is very useful against clear cases of typosquatting in terms of time and costs (free) for SMEs.

10.3.3 .hu ADR

Rules and Regulations The .hu Domain Registration Rules and Procedures provide for the resolution of domain name disputes through .hu ADR.177

Chapter V of such Registration Rules and Procedures distinguishes between two different type of disputes: ● Objection procedure prior to the delegation of the domain name before the Consulting Board concerning a domain name application;

177 http://www.domain.hu/domain/English/szabalyzat/szabalyzat.html 81

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

● Procedure following the delegation of the domain name before the Registration Decision-maker concerning a domain name registration.

10.3.3.1 Objection procedure prior to the delegation of the domain name before the Consulting Board

As described above, the peculiarity of the Hungarian domain name registration procedure is delayed delegation. Upon submitting a domain name registration request, such application is published at the .hu Registry website’s announcements section.178

During the announcement period, the domain name applicant is granted the conditional right to use the domain name, meaning that the domain name is entered in the zone file, but it is still not delegated to the applicant.

Any third party may file an objection under Article 6.1 and 9 of the Registration Rules and Procedures, requesting that the Consulting Board179 of the ADR provider (Infomediátor180) hear the dispute, where they have a legal interest to state that the delegation of a domain name to a particular applicant infringes the rules. The complainant may submit the objection providing reasons to any of the registrars chosen by him or her within a timeframe that makes it possible for the registrar to enter the commencement date of the procedure in the records within 8 days from the beginning date of the announcement of the domain registration request on the delegation waiting list and to submit the complaint within 14 days from such day. The registrar of the domain name application shall take over the complaint, whereas other registrars might decide on taking over the complaint.

The steps of the procedure may be summarised as follows: ● Filing of the objection by the complainant; ● Notification of the objection to the domain-name applicant on the registrar’s part; ● Response period: voluntary withdrawal of the domain-name application or submission of defences to the objection – 8 days from the receipt of the objection; ● If no response (withdrawal or defences) is submitted, the case file is forwarded to the Consulting Board of the ADR Provider once the deadline has elapsed; ● If the domain applicant withdraws the application the dispute comes to a close; ● If the domain applicant submits defences in relation to the complaint, the case is forwarded to the Consulting Board of the ADR Provider upon receipt of the defences; ● Within 20 working days the Consulting Board issues an opinion as to whether the particular domain may be delegated to the particular applicant or not.

The procedure is regulated by the Rules and Regulations of the Consulting Board181.

The Consulting Board comprises 6 members.

The language of the procedure is Hungarian.

If, based on the opinion, the right granting conditional use of the domain name ceases to be effective (the domain name delegation is denied), the prevailing complainant alone

178 http://www.domain.hu/domain/English/meghirdetes.html 179 http://www.domain.hu/domain/tt/ 180 https://infomediator.hu/ 181 http://www.domain.hu/domain/tt/tt-szesz-201106.pdf 82

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

may apply for the registration of the domain name within 60 days from the date on which the domain name was deleted if the intent was specified in the records by the complainant’s registrar upon submitting the complaint (right of first refusal).

The .hu Registry and the registrar shall refer to the opinion of the Consulting Board.

All opinions of the Consulting Board are published online.182

The opinion of the Consulting Board is immediately implemented by the .hu Registry.

If the Consulting Board decides that the delegation of the domain name is to be denied, the administrative fee for the Consulting Board to issue an opinion shall be paid by the registrar of the domain name applicant to the .hu Registry. Otherwise, the fee shall be paid by the complainant’s registrar. The Registrar shall have the right to charge its costs relating to the procedure onto the complainant or domain name applicant (loser pays).

In 2019 111 objections were filed: in 101 cases the domain-name applicant withdrew the domain name application and in 10 cases the dispute was decided by the Consulting Board.

The objection procedure is very useful for SMEs in terms of time and remedy. It enables rightsholders to avoid the delegation of speculative and abusive domain names to the registrant. Moreover, the prevailing complainant may obtain the domain-name registration (right of first refusal). However, it presumes that the SMEs have a watch / monitoring service in place in order to be notified in a timely manner upon publication of the domain- name applications. The procedure is considered low-cost. The registrars require the complainant to deposit approximately Euro 200-400, reimbursed to the complainant (net of the registrar’s handling fee), if the domain name applicant withdraws the application. If the case goes before the Consulting Board and the objection is granted, the losing applicant shall pay the administrative fees to the registrar (“loser pays”). This is a sufficient deterrent against bad faith registrations.

10.3.3.2 Procedure after the delegation of the domain name before the Registration Decision-maker

Upon delegation of a .hu domain name, any third party with a lawful interest may bring a dispute before the Registration Decision-maker of the ADR provider according to Article 10 of the Registration Rules and Procedures. The Registration Decision-maker’s procedure is governed by its procedural rules.183

Remedies The remedies available under such procedure are the revocation or transfer of the domain name under dispute to the complainant.

Claim requirement The Registration Decision-maker shall decide on revoking or transferring the domain name to the complainant if: ● the domain name is identical or confusingly similar to a name in respect of which a protection is recognised or established by national and/or Community law in favour of the complaint; or

182 http://www.domain.hu/domain/English/tt/egyedi_allasfoglalasok/ 183 http://infomediator.hu/alternativ-vitarendezo-forum/regisztracios-doentnoek-eljarasi-szabalyzata 83

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

● the domain name is identical or confusingly similar to a name in respect of which a right to use is recognised or established by national and/or Community law in favour of the complainant; and ● the domain name has been applied for by the registrant without rights or legitimate interest in the name; or ● the domain name has been applied for or is being used by the registrant in bad faith.

Length of the procedure The procedure lasts approximately 3 months. It main steps may be summarised as follows: ● Filing of the complaint ● Administrative review of the complaint: if non-compliant, 8 working days to rectify any deficiency; ● The ADR provider notifies .hu Registry and the Registry blocks the disputed domain name; ● Notification of the complaint to the domain name holder – 8 working days from the receipt of the complaint and the payment of administrative fees; ● Response period – 30 calendar days from the receipt of the complaint; ● If a response is submitted, it is notified to the Complainant for the purposes of providing a statement – 8 calendar days from receiving a response; ● Appointment of the Panel – 8 working days from receiving the statements or from when the deadlines have the elapsed; ● The decision is issued within 30 days from the appointment of the Panel. The complaint form is to be submitted online and the procedure is processed electronically.184

Lock of the disputed domain name The domain name is locked during the .hu ADR to prevent cyberflight or other changes in the domain name.

Registrant data disclosure The complainant may obtain the registrant details prior to initiating a .hu ADR by forwarding a formal request to the .hu Registry and indicating his or her legal interest.185 Otherwise, the ADR provider obtains the registration data from the .hu Registry upon receipt of the complaint.

Implementation of decisions The .hu Registry implements the ADR decision after 30 calendar days, if it does not receive documentation from either party regarding court proceedings.

Publication of decisions All .hu ADR decisions are published online on the ADR provider’s website.186

Language of the procedure The language of the procedure is Hungarian.

Cost of the procedure

184 https://infomediator.hu/alternativ-vitarendezo-forum/kerelem-benyujtasa 185 http://www.domain.hu/datacontrolling.pdf 186 https://infomediator.hu/alternativ-vitarendezo-forum/doentesek 84

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

The administrative fees of the procedure before the Registration Decision-maker are HUF 100.000 (Euro 300) plus VAT for a dispute involving 1-2 domain names decided by a single-member Panel and HUF 150.000 (Euro 450) plus VAT in case of a three-member Panel. HUF 150.000 (Euro 450) plus VAT for disputes involving 3 or more domain names decided by a single-member Panel and HUF 200.000 (Euro 600) plus VAT in case of a three-member panel. The complainant bears administrative fees in their entirety. No cost recovery mechanism is available to the prevailing complainant.

Mediation The .hu ADR does not provide for mediation.

Fast-track procedure The .hu ADR does not provide for any (other) fast-track procedures.

Appeal procedure The .hu ADR does not provide for an appeal procedure.

Mandatory preliminary procedure No mandatory preliminary procedure is provided to initiate a .hu ADR.

Stats on disputes before the Registration Decision-maker

Number of ADR proceedings per year: approximately 50-60 per year

Number of domain names involved in ADR proceedings per year: typically, one domain name per dispute, thus 60-70 domain names per year

Breakdown based on the outcome of ADR proceedings: roughly 80% ruled in favour of the complainant.

Number of Panellists: 10

10.3.4 .it ADR

Rules and Regulations .it domain disputes are governed by the Rules of Dispute Resolution187 of the .it Registry (Italian National Research Council).188 The principles of the Rules of Registration of .it Domain Names189 provides that: “the Registry will neither tolerate the hoarding of domains names nor cybersquatting” (Article 1.2.3 Paragraph 5).

The Rules of Dispute Resolution distinguishes two ADR proceedings: ● Arbitration; ● Re-assignment procedure.

Considered that arbitration is not widely used (only 3 cases since 2001) ,the Study does not analyse such procedure any further.

187 https://www.nic.it/sites/default/files/archivio/docs/Dispute_Resolution_v2.1.pdf 188 https://www.nic.it/en 189 https://www.nic.it/sites/default/files/archivio/docs/Regulation_assignation_v7.1.pdf 85

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

10.3.4.1 Re-assignment procedure

The scope of the procedure is to check the right of use or legal availability of the domain name and ensure that the domain name has not been registered and maintained in bad faith (Article 3.2 of the Rules of Dispute Resolution).

Complainant requirements The re-assignment procedure may be introduced by individuals, corporations or other entities having the requirements for registration of a .it domain name (i.e., persons who have citizenship, residence or a registered office in the countries of the European Economic Area (EEA), the Vatican, the Republic of San Marino, and Switzerland - Article 1.2.3, Paragraph 6 of the Rules of Registration of .it Domain Names). The procedure may also be initiated by a complainant not belonging to the European Union provided that: ● The complainant is acting as licensee under a licence right explicitly recognised by the right holder and this is mentioned and proved during the re-assignment procedure; or ● The complainant is acting under an explicit legitimate concession of another right the breach of which has a bearing on the re-assignment procedure, and this is mentioned and proved in the re-assignment procedure. If the procedure is submitted by a complainant not having the requirements for registering a .it domain name, the complaint must be rejected due to lack of standing to sue.

Claim requirements Pursuant to Article 3.6 of the Rules of Dispute Resolution, domain names for which a third party (complainant) makes the following claims are subject to re-assignment: ● The disputed domain name is identical to or such as to cause confusion with a trade mark or other distinctive business sign, for which the complainant claims rights, or to his or her name and surname; and ● The registrant has no right to the domain name; and ● The domain name has been registered and is used in bad faith. If the complainant proves the existence of first and third requirements and the registrant does not prove that he or she has right to the domain name, the domain name shall be transferred to the complainant.

Remedies The only remedy available under .it ADR is the re-assignment (transfer) of the domain name to the complainant.

Dispute resolution provider(s) The re-assignment procedure is provided by 5 independent dispute-resolution providers approved by the .it Registry (MFSD190, Milan Chamber of Arbitration191, CRDD192, Tonucci & Partners193, ADR Company194), in accordance with the Rules of Dispute Resolution and their supplemental rules.

Duration of the procedure The procedure lasts approximately 2 months. The procedure occurs as follows:

190 http://www.mfsd.it/mfs_dispute_domini.php?nav_set=501 191 https://www.camera-arbitrale.it/en/domain-names-disputes/index.php?id=13 192 http://www.crdd.it/map/index-en.htm 193 http://tonucci.com/en/controversie-sui-nomi-a-dominio-it/ 194 http://www.adrcompany.it/ 86

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

● Filing of the complaint; ● Administrative review of the complaint: if non-compliance is found, 6 working days to rectify any deficiency; ● Notification of the dispute sent by the ADR Provider to the .it Registry; ● Notification of the complaint to the domain name holder; ● Response period – 25 working days from receipt to submit a Response; ● Appointment of the panel – 5 working days after the response date or the respondent’s default date; ● ’Acceptance of the appointment on the panellists’ part – 5 working days from the appointment; ● Issuance of the decision - 15 working days from acceptance; ● Notification of the decision to the parties on the ADR panel’s part – 4 working days from the issuance of the decision. No online dispute management platform is provided for .it ADR. The complaint is to be submitted by e-mail and in 2 original hard copies. The response is to be submitted by e- mail and 2 original hard copies. The notification of the complaint to the domain name holder is carried out by e-mail and registered mail. Only if the notification by registered mail is unsuccessful (the ADR provider does not receive the return receipt), the ADR provider may notify the complaint by express courier. The communications related to the procedure are sent by e-mail. The panel’s decision is notified by e-mail.

Lock of the disputed domain name The disputed domain name is locked (“‘challenged”) by the .it Registry during the .it ADR to prevent cyberflight or other changes in the domain name. This procedure, referred to as “opposition”, is detailed below.

Registrant data disclosure If the registrant is an individual or the registrant details are not available in the Whois database, the complainant may obtain such information through a formal procedure prior to initiating an .it ADR.195 The request shall clearly mention and justify the reason for the disclosure (e.g., initiation of court proceedings). The .it Registry verifies the request within 10 working days and notifies the registrant who has 10 working days to raise an opposition with his or her reasons against the disclosure of the data. Afterwards, the Registry assesses the opposition (if any) and releases the registration data or denies the disclosure.

Implementation of decisions If the Panel decides that the domain name should be transferred, the .it Registry implements the transfer decision within 15 working days from receiving the decision, unless either party has initiated court proceedings. In order to obtain the transfer of the domain name, the prevailing complainant shall contact a registrar to obtain the “contactID” to be submitted with a formal request aimed at reallocating the domain name to the .it Registry. If the reallocation is not completed within 30 days by the prevailing complainant, the domain name will become available once more according to the “first come, first served” principle.

Publication of decisions All decisions on disputes relating to .it domain name are published online on the website of the .it Registry196 and that of the domain dispute resolution providers.

195 Article 5.2 of the Rules of Registration 196 https://www.nic.it/en/manage-your-it/psrd-decision-2019 87

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

Language of the procedure The language of the procedure is Italian. However, the panel may decide, taking into account the circumstances of the dispute and on request from one of the parties, to conduct the procedure in another language. The panel may order that documents produced in any language other than Italian be accompanied by a full or partial translation into the language of the procedure.

Cost of the procedure The administrative fees vary from ADR provider to ADR provider. The minimum fee for a dispute involving 1 domain name decided by a single-member panel is Euro 900, plus VAT, for a dispute decided by a three-member panel is Euro 2.000, plus VAT. The maximum fees for a dispute involving 1 domain name decided by a single-member panel is Euro 1.200. The minimum fee for a dispute involving 2 domain names decided by a single-member panel is Euro 1.500, plus VAT, for a dispute decided by a three-member panel Euro 2.900, plus VAT. The maximum fees for a dispute involving 2 domain names decided by a single-member panel is Euro 1.800, plus VAT, decided by a three-member panel is Euro 3.600, plus VAT. The complainant shall bear the entirety of the administrative fees. No cost recovery is available to the prevailing complainant.

Mediation The .it ADR does not provide for mediation.

Fast-track procedure The .it ADR does not provide for any fast-track procedures.

Appeal procedure The .it ADR does not provide for an appeal procedure.

Stats on the .it ADR

Number of Panellists: at least 15 for each provider (approximately 80).

Number of proceedings 41 40 40 39 38 37 37 36 35 34 34 33 32 31 2017 2018 2019

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

Number of domain names involved in proceedings 48 46 46 44 44

40 39

34 2017 2018 2019

Outcome of proceedings in the last 5 years 140 121 120

100

40 21 20

0 Complaint accepted Complaint rejected

Number of the Panellists: at least 15 for each provider (approximately 80).

10.3.4.2 Opposition procedure before the .it Registry

Prior to initiating an .it ADR a mandatory procedure (opposition) must be initiated before the .it Registry under Article 5.1 of the Rules of Registration. Any complainant intending to initiate the re-assignment procedure shall send a reasoned formal letter to the .it Registry, requesting the lock (“challenged status”) of the domain name. The .it Registry verifies the request within 10 working days and, once the opposition is initiated and the domain name is locked, it notifies the complainant’s request and its decision on the opposition procedure to the domain-name holder. The complainant must initiate the dispute over the domain before one of the ADR providers within 180 days (the period may be extended for a further 180 days) in accordance with Article 3 of the Rules of Dispute Resolution. The domain-name holder may request the cancellation of the domain name subject to opposition. In that case, the complainant has the right of first refusal to register the domain name either following the domain name holder’s waiver or a successful ADR procedure.

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

The mandatory preliminary opposition procedure before the .it Registry is a useful curative measure available to SMEs against speculative and abusive .it registrations, since it enables the complainant to block the domain name and it is time (10 working days) and cost-effective (free). Should the domain name holder waive its right over the domain name, the complainant shall not initiate the ADR procedure and will have the right of first refusal to register the domain name.

Between 2015 and 2019 1.321 cases of opposition were resolved (the domain name is cancelled by the registrar or the registrant, the opposition has not been extended or may no longer be extended, or the domain name has been revoked).

10.3.5 .uk ADR

Rules and regulations Article 6.1.3 of the .uk Registry (Nominet)’s Terms and Conditions of Domain Name Registration provides that the registrant shall not, by registering or using the domain name in any way, infringe the intellectual property rights (for example, trade marks) of any other party.197 Pursuant to Article 9.1, the registrant is bound by the dispute resolution service. The .uk ADR is governed by the rules and procedures contained in the Dispute Resolution Service Policy.198

Claim requirements According to such policy, abusive registration means a domain name which: ● was registered or otherwise acquired in a manner which, at the time when the registration or acquisition took place, took unfair advantage of or was unfairly detrimental to the complainant’s rights; or ● is being or has been used in a manner which has taken unfair advantage of or has been unfairly detrimental to the complainant’s rights.

Protected rights The rights protected under .uk ADR are rights that the complainant may enforce, whether under English law or otherwise, and may include rights in descriptive terms which have acquired a secondary meaning.

Remedies The remedies available under .uk ADR are cancellation, suspension and transfer of the domain name to the complainant.

Domain name dispute provider The .uk ADR is operated by the .uk Registry itself.199

Duration of the procedure The duration of the procedure is approximately 2 to 3 months. The procedure is organised as follows: ● Filing of the complaint; ● Administrative review of the complaint – 3 working days; ● Notification of the complaint to the domain name holder; ● Response period – 15 working days; ● Complainant reply to the response – 5 working days;

197 https://media.nominet.uk/wp-content/uploads/2018/05/22141655/Ts-and-Cs-of-Domain-Name-Registration.pdf 198 https://media.nominet.uk/wp-content/uploads/2017/10/17150434/final-proposed-DRS-policy.pdf 199 https://www.nominet.uk/domain-support/uk-domain-disputes/ 90

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

● Mediation – 10 working days; ● If the respondent does not submit a response, the complainant has the option of applying for a full decision or a summary decision; ● Appointment of the Expert and payment of the administrative fees within 10 working days from the appointment; ● Appeal notice period – 10 working days from the issuance of the decision during which the losing party may file an appeal. The .uk domain name dispute is entirely managed online through Nominet’s online dispute resolution facility.200 Generally, Nominet’s website on its Dispute Resolution Service contains readily accessible, easily comprehensible information for the parties concerned.

Lock of disputed domain name The disputed domain name is blocked during the .uk ADR, stopping a registrant transfer, registrar change or cancellation. The domain name will continue to resolve for the duration of the ADR procedure.

Registrant data disclosure The registrant details may be obtained by the complainant prior to initiating a .uk ADR by submitting a data disclosure request and providing Nominet with reasons to access non- public data.201

Implementation of decisions The .uk ADR decisions are implemented after the 10-working-day appeal period has elapsed. Mediated settlements are carried out as agreed.

Publication of decisions All .uk ADR decisions are published and searchable online.202 In addition, the Expert Overview document is available to review any referenced decisions.203 Expert Overview is useful in rendering the .uk ADR predictable for the parties.

Cost of the procedure The administrative fees of the .uk ADR are £200 (Euro 230) plus VAT for summary decisions and £750 (Euro 860) plus VAT for full decisions. The complainant bears the entirety of administrative fees. There is no cost recovery available to the prevailing complainant under .uk ADR.

Mediation The .uk ADR Rules provide for mediation. If a response is submitted by the domain name holder, Nominet offers a free mediation service. The parties are automatically “opted-in” to mediation, but the procedure is voluntary. An accredited mediator helps the parties discuss (usually over the phone) the settlement of the dispute. Mediation is confidential and without prejudice. In the last 3 years 10-15% of the disputes were settled through mediation.

Fast-track procedure The .uk ADR Rules do not provide for any fast-track procedure.

Appeal procedure

200 https://secure.nominet.org.uk/auth/login.html 201 https://media.nominet.uk/wp-content/uploads/2018/09/14115532/Data-request-form.pdf 202 https://secure.nominet.org.uk/drs/search-disputes.html;jsessionid=30324B2FC5751B4539F28ECB77F4EBC4 203 https://media.nominet.uk/wp-content/uploads/2018/09/24124932/expert-overview.pdf 91

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

The .uk ADR Rules provide for an appeal procedure. Within 10 working days from the issuance of the Expert decision either Party shall have the right to appeal a decision by submitting an intention to appeal, which must be followed within 15 working days by an appeal notice or an appeal. The intention to appeal should not contain the actual grounds or reasons for appeal. The appeal notice should set out detailed grounds and reasons for the appeal, but contain no new evidence or annexes. Nominet forwards the intention to appeal or the appeal notice to the opposing party within 3 working days. Within 10 working days of receiving the appeal notice, the opposing party may submit an appeal response. Following the filing of an appeal response (or once the deadline to do so has elapsed) Nominet appoints an appeal panel of three members of the Expert Review Group. Appeal decisions shall be issued within 30 days of the appointment of the panel (extendable by 10 days). The administrative fees of the appeal proceeding amount to £3.000 (Euro 3.440) plus VAT.

Mandatory preliminary procedure No mandatory procedure is provided prior to initiating a .uk ADR.

Stats on the .uk ADR

Detailed statistics on .uk ADRs are published online on an annual basis.204

Number of Experts: 47

Number of proceedings 720 712 710 703 700

690

680 671 670

660

650 2016 2017 2018

204 https://www.nominet.uk/news/reports-statistics/ 92

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

Outcome of proceedings

200 187184 180 160 136 140 121122 112 117 120 106 110 108 97 100 93 77 81 71 7275 80 64 60 49 47 40 40

20 6 7 3 1 1 1 0 5 2 1 0

2016 2017 2018

10.4 Comparison of the .eu ADR mechanism with the ccTLDs

The following chart summarises the ADR good practices of the ccTLDs and the comparison with the .eu:

ADR

Good .EU .BE .DK .HU .IT .UK practices (ADR) Online ✓ ✕ ✓ ✓ ✕ ✓ dispute CAC managem ent ✕ WIPO Possibilit ✓ ✓ ✓ ✕ ✓ ✕ y of use other language( s) througho ut the procedure Cost ✕ ✓ ✓ ✓ ✕ ✕ recovery Loser Refun Objection by the pays d procedur prevailing e – loser party: pays refund or ‘loser ✕ pays’ ADR mechanis post- m delegatio n

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

Availabilit ✕ ✕ ✓ ✕ ✕ ✓ y of mediation built in the procedure Appeal ✕ ✓ ✕ ✕ ✕ ✓ mechanis m Fast-track ✕ ✕ ✓ ✕ ✕ ✕ proceedin Typo- g squatti ng cases Preliminar ✕ ✕ ✕ ✓ ✓ ✕ y Objection Oppo procedure procedur sition e proce dure Public ✓ ✕ ✕ ✕ ✕ ✓ availabilit CAC y of ADR case law ✕ WIPO

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

11. CONCLUSIONS AND RECOMMENDATIONS

The .eu Registry ought to adopt policies and implement measures to avoid speculative and abusive registration of domain names, as this is fundamental to maintain a secure, transparent and trustworthy .eu online environment.

The Study evaluated the measures put in place and planned to be implemented by the .eu Registry to combat speculative and abusive registrations by comparing them with other market peers’ practices. Based on such assessment and comparison, the measures of the .eu Registry were found in line with the best practices of other ccTLDs. However, certain improvements would enhance the effective protection of rightsholders’ rights and reduce speculative and abusive domain name registrations.

In particular, the Study recommends that the .eu Registry make further efforts to adopt preventive measures aimed at avoiding abuse, and thus reduce the need to resort to curative measures on rightsholders’ part. The Study also suggests further improvements of the curative measures.

11.1 Recommendations with reference to the collaborations between the .eu Registry and other bodies

With reference to the collaboration between the .eu Registry and EUIPO, the Study recommends the following:

 Enhance the collaboration between the .eu Registry and EUIPO. In particular, further technical improvements are recommended to fully deploy the availability check and alert functionalities in the production environment with a view to enhance such measures from a technical standpoint and offer simple and effective solutions to rightsholders, especially to SMEs. In particular, within the availability check functionality, links ought to correctly resolve to the .eu Registry’s search tool. The configuration of the alert functionality ought to work properly at the final stage of the EUTM application filing process to avoid that EUTM applicants are required to take an additional step to configure such functionality at a later stage through the ‘Alerts’ section of their User Area;  Carry out further awareness-raising and knowledge-building activities on both sides in order to make rightsholders aware of the existing measures (i.e., availability check and alert), and thus increase their use. Although a certain level of awareness as to the availability of such measures exists, their use is still uncommon. The Study recommends that specific training courses and webinars are organised for the benefit of rightsholders representatives and the rightsholders themselves, especially where SMEs are concerned, and that the same are boosted through specific promotional campaigns. Feedback from the users also needs to be gathered and analysed to consider their needs and inputs with the further aim of consistently bettering such tools. From the EUIPO side, this could be carried out through the EUIPO User Group consisting in EU-wide federations of SMEs and associations representing particular industries or trade mark owners.205 The .eu Registry might collect such information through customer satisfactions surveys;  Evaluate whether legal constraints exist and determine how to overcome such legal constraints so as to alert not only EUTM holders (or their representatives)

205 https://euipo.europa.eu/ohimportal/en/our-partners 95

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

who have opted in, but all EUTM holders (or their representatives), without the need to opt in (automatic opt-in). This would also raise the level of awareness on such measures and increase their use. Indeed, data shows that huge gap exists between the matches found by the .eu Registry and the alerts sent out through the EUIPO system. With an automatic opt-in all EUTM holders could benefit from the measures in question. Nonetheless, an opt-out ought to be made available;  Evaluate the feasibility of extending the EUIPO service of similarity report, available for EUTM applicants during the e-filing process and consisting in receiving information from EUIPO and/or national trade mark offices on earlier identical or similar trade marks, to identical or similar .eu domain names. Offering such a service would enable EUTM applicants to adopt a more holistic approach in protecting their marks and domain names and take a more informed decision during the filing process;  Include information on .eu domain names and the measures in question (i.e., availability check and alert) in the document provided by the EUIPO to the EUTM applicants as final receipt and official record of the EUTM applications. The same information could be included in EUIPO’s subsequent communication to the EUTM applicants upon successful registration of their EUTM application to reinforce the awareness as to the existence of such measures;  Further study, develop and carry out on both sides plans on future measures and common actions, such as:  the EUIPO becoming a .eu accredited registrar and integrating the .eu domain name registration with EUTM applications to offer a one-stop-shop solution to rightsholders;  developing and launching a search tool that enables users to verify the availability of their term both as EUTM and .eu domain name;  further awareness-raising and knowledge-building programmes with a view to making the intellectual property system more effective for SMEs by simplifying registration procedures.206 207 Indeed, such actions would further simplify the procedure for .eu domain name and EUTM registration and foster awareness on the clear link between domain names and trade marks. However, any such tool or measure planned shall be simple, user friendly, accessible and effective for SMEs.

The collaboration between the .eu Registry and Europol, which is still at the outset and informal in essence is to be further strengthened and formal processes are to be set up for the parties to interact. In this regard, parties should identify the persons responsible within the bodies in question and their respective deputies. The interaction between the parties should occur on a personal level. The parties involved ought to draw up and approve a document (an operations manual) that:  Describes, step-by-step, the process each party must follow;  Establishes the method to identify the cases in which the parties should contact each other;  Defines the means of their interaction (e.g., through a specific interface, email or other) and the expected response time (24h / 48h / 72h or other);  Determines the frequency of reports on the activities performed in accordance with such operations manual.

206 EU SME Strategy for a sustainable and digital Europe: https://ec.europa.eu/info/sites/info/files/communication-sme- strategy-march-2020_en.pdf 207 EUIPO Strategic Plan 2025: https://euipo.europa.eu/tunnel- web/secure/webdav/guest/document_library/contentPdfs/about_euipo/strategic_plan/strategic-plan-2025_en.pdf 96

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

The two bodies ought to carry out awareness-raising and knowledge-building activities jointly to inform the general public and train cybersecurity experts and law enforcement officers on cybercrime threats, including intellectual property crimes committed through the Internet, and on the available measures to prevent and fight them. For example, the .eu Registry could include on its website a link to Europol’s website the same way it includes the link to EUIPO’s website. Case studies could also be showcased by the parties with a view to educating the general public, rightsholders and their representatives. Each of such case studies could focus on a specific problem (e.g., phishing, scam, impersonation, trade mark infringement, copyright infringement, etc.), outline the different measures available and offer proven results that showcasing the actions taken by the two bodies acting jointly to solve the issue.

National registered trade marks are protected under .eu to the same extent as EUTMs. However, no structured collaboration of the .eu Registry with Member States’ trade mark offices exists. Hence, it is necessary to take steps in setting up, possibly through a single point of contact (e.g., the European Union Intellectual Property Network - EUIPN208), collaborations and measures to combat speculative and abusive registrations. The Study also recommends extending the .eu Registry’s collaboration in place with EUIPO to Member States’ trade mark offices by offering the measures of availability check and/or alert to their users as well.

Currently, holders of IPR other than trade marks, such as geographical indications and designations of origin, trade names, business identifiers and company names, etc., only have access to curative measures when the abusive registration under the .eu has already occurred. Therefore, the .eu Registry ought to study solutions for setting up collaborations with entities and agencies to carry out (directly or indirectly) checks in databases (e.g., the European Commission’s EU Geographical Indications register - eAmbrosia209) and, in case of identity (or similarity) with the .eu domain names, notifies (directly or indirectly) the rightsholder enabling this latter to take action; or takes action directly (ex officio). This would in practice mean extending the alert functionality to those IPR as well.

11.2 Recommendations with reference to the .eu registration procedure

 Requiring the registrars to carry out strict identification of the registrants’ identity in order to enter correct and accurate registration data in the .eu registry. Currently, the .eu Registry enters into the same accreditation agreement with all registrars and the identification requirements are the same for all of them. However, registrars carry out identification on a discretionary basis. Adopting and enforcing stricter identification requirements would significantly reduce the number of domain name registrations with fake or inaccurate data and enable rightsholders and law enforcement agencies (LEAs) to identify the registrant. The strict identification requirement could also be implemented through eID

208 https://euipo.europa.eu/ohimportal/en/european-cooperation 209 https://ec.europa.eu/info/food-farming-fisheries/food-safety-and-quality/certification/quality-labels/geographical- indications-register/ 97

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

authentication in accordance with the eIDAS Regulation210, especially with reference to registrants residing in countries where eID schemes have already been notified to the Commission.211 The .eu Registry should in addition require that until the strict identification of a registrant is not carried out by the registrar, the domain name should not be delegated (such as in .dk). Danish domain registrants are required to identify themselves using NemID, a login solution used by Danish banks, government websites and other private companies. Foreign registrants are subject to a risk assessment, which will determine whether they receive a request to provide proof of identity before registration - high risk - or up to 30 days after registration - low risk (no-risk customers are not required to provide proof).212 Where a high risk of inaccurate registrant data exists, delegation must await the approval of requested documentation. The approval process takes 24 hours from the receipt of the documentation. Further to the approval the domain name is delegated. On the other hand, the impact of such requirement on the competitiveness of the .eu is to be further studied and evaluated also by comparing with the impact (if any) on the competitiveness of such ccTLDs that already adopt strict registrant identification requirements (.dk);  Providing for a publicly accessible list of the domain name registration requests before the delegation of such domain names and allowing a sufficient time period (at least from 1 week to 10 days) to enable those holding previously established rights to submit objections to the .eu Registry or the ADR providers aimed at preventing the registration of speculative and abusive domain names (such as in .hu). The .hu Registry publishes the list of the domain name registration requests for a period of 8 days.213 During the publication period rightsholders might raise objections with the ADR provider. The domain name applicant is granted with the conditional right of using the domain name, meaning that the domain name is entered into the zone file, but it is still not delegated to the registrant (delayed delegation). If no objection is received, the .hu domain name is fully registered and delegated. In case of objection, the successful complainant has the first refusal right to have the domain name registered. Similarly, until the deadline to submit objections has elapsed, the requested .eu domain names should not be delegated and thus used for websites, email or other services. In case of successful objections, the rightsholders would have the right of first refusal in terms of registering the domain name. This could significantly decrease that speculative and abusive domain names in terms of delegation, all the while placing the burden of taking action on the rightsholders;  Carrying out (directly or through collaborations) cross-checks in official databases, especially those related to Member States’ national trade marks, geographical indications and designations of origin, trade names, business identifiers and company names, distinctive titles of protected literary and artistic works to identify matches between the .eu domain name requests and such protected rights (such as in .dk, .hu, .uk). This could be realized, as mentioned above, by extending the existing collaboration with EUIPO to Member States’

210 Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC 211 https://ec.europa.eu/cefdigital/wiki/display/EIDCOMMUNITY/Overview+of+pre- notified+and+notified+eID+schemes+under+eIDAS 212 https://www.dk-hostmaster.dk/sites/default/files/2017-12/Procedure for kontrol af kontaktoplysninger og id for reg med bopael udenfor DK_EN.pdf 213 http://www.domain.hu/domain/English/meghirdetes.html 98

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

trade mark and copyright offices and business registers and the existing measures, especially the alert system, put in place under the collaboration with EUIPO in relation to geographical indications and designations of origin, trade names, business identifiers and company names, distinctive titles of protected literary and artistic works;  Expressly recommending in the Registration Policy and Terms and Conditions214 that .eu registrants carry out, directly or indirectly through professionals or experienced organizations, cross-checks before registration, aimed at reducing speculative and abusive registrations (such as in .hu, .uk). This would reinforce registrants’ awareness as to their responsibility to carry out searches on prior rights and to avoid registering domain names potentially infringing third parties’ IPR;  Offering, directly or through the registrars, services allowing IPR holders to preventively block the infringing domain name registrations (similar to services already existing on the gTLD market215). Such a service would consist in rightsholders being able to submit requests and documentary evidence on prior rights for a fee and offering them the possibility to put the corresponding .eu domains, variants of those and their typosquatted versions on a list of names not available for registration by third parties;  Extending the use of predictive algorithms to prevent speculative and abusive registrations. The Abuse Prevention and Early Warning System (APEWS) is an AI-driven proactive detection and suspension tool developed by EURid to prevent malicious domain names.216 It applies machine-learning techniques to predict whether or not the domain will be used in cybercriminal operations upon registration (i.e., phishing, spamming, distribution of malware, Botnet command and control), based on similarities (patterns) in registration data (domain name, registration time, registrant’s contact information, registrar, nameserver information, IP address geolocation data) and public blacklists of malicious domains.217 If a domain name is identified as being potentially linked to abuse, its delegation in the .eu zone file is delayed and its status in the web-based Whois shows ‘Server Hold’. The domain name is registered. However, any service linked to it (such as a website, email or any other service) will not function until EURid’s verification procedure (the so-called Whois accuracy procedure) is completed. The Whois accuracy procedure consists in requiring registrants to validate their data. Failure to receive validation entails suspending or withdrawing the domain name. The post-delegation APEWS looks into the domain names registered in the last 24 hours and performs the necessary checks to detect suspicious activities. If suspicious activity is detected, the Whois accuracy procedure is activated or the competent authorities are notified. The APEWS has been recently amended to prevent that the current health emergency be exploited by parties acting in bad faith.218 EURid verifies existing registrations and newly-registered domain names containing keywords relating to the coronavirus pandemic by carrying out the Whois accuracy procedure.

214 https://eurid.eu/en/about-us/document-repository/ 215 Currently on the gTLD market there are several domain blocking services exist such as Donut’s Domain Protected Marks List (DPML), Trademark Clearinghouse’s (TMCH) TREx, Uniregistry’s Uni EPS, ICM Registry’s AdultBlock, .club Registry’s .club Trademark Sentry. Most of them are based on trade marks entered in the TMCH repository; .club Trademark Sentry is based on US trade mark registrations. 216 https://eurid.eu/en/register-a-eu-domain/apews/ 217 So-called reputation providers curate list of domain names associated with cyberattacks (Spamhaus DBL, SURBL, Google Safe Browsing). Various software and services consult these blacklists and block incoming or outgoing communication with listed domains accordingly. 218 https://eurid.eu/en/news/doteu-covid19-measures/ 99

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

Registrants of suspicious domain names containing detected keywords are required to validate their data and submit a statement confirming that their domain name is registered in ‘good faith’ within a deadline (7 days) set by EURid. Although APEWS is very useful tool in preventing cybercrimes, its use is currently limited to detecting such kind of abuses and it is not used to prevent speculative and abusive registrations as defined under Article 21 of Regulation (EC) No 874/2004, i.e., IPR abuses. Therefore, the APEWS should be further developed to detect and thus prevent the registration of domain names matching prior rights (EUTMs and national trade marks of the Member States and other IPR protected under Article 10(1) of Regulation (EC) No 874/2004) made in bad faith, also by using public databases of such IPR (trade mark databases, business registries, geographical indications and designations of origin databases – e.g., eAmbrosia, etc.)  Improving and raising rightsholders’ awareness as to the already existing similarity search tool within the Whois lookup to carry out searches or receive a list with similar domain names that could potentially infringe their rights (such as in .be). When carrying out a Whois lookup on their own registered .eu domain name, holders may get information from EURid on similar registered domain names, based on visual resemblance and using a similarity score.219 Such holders may also request to receive by email the full list of registered domain names that share striking similarities with their domain names. The Study recommends that such service be extended to any IPR holder providing documentary evidence of its prior right, not only to existing .eu domain name holders;  Making readily accessible information available to users on how to report different types of misuses (such as in .be, .dk, .uk). The information should clearly list the types of abuses in respect of which the .eu Registry may take action and, where the .eu Registry has no authority to do so, the contact information of the competent authority.

11.3 Recommendations with reference to the .eu ADR mechanism

The Study recommends to make the following improvements to make the .eu ADR simpler, more accessible and affordable for SMEs:

 Making available (an) online dispute management portal(s) to enable parties to handle the entirety of the .eu disputes online (currently not all .eu ADR providers make it available) (such as in .dk, .hu, .uk)  Shortening the deadlines of the .eu ADR procedure in order to render it swifter (e.g., by including the possibility of requesting the change of the language used within the procedure within the .eu domain dispute itself; shortening the response period; shortening the decision period) (in line with the Uniform Domain Name Dispute Resolution Procedure - UDRP);  Reducing filing fees for initiating a .eu ADR procedure on a permanent and not merely temporary basis, especially for SMEs in order to keep the procedure affordable for rightsholders;  Introducing a ‘loser pays’ mechanism as a deterrent against speculative and abusive registrations and enabling the prevailing party to recover its filing costs incurred for initiating the .eu ADR procedure (as in the case in .be, .hu)  Including a mediation phase within the .eu ADR procedure (such as in .dk, .uk). Mediation is a structured process, however named or referred to, whereby parties to

219 An example is ikea.eu: https://whois.eurid.eu/en/search/?domain=ikea.eu 100

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

a dispute attempt by themselves, on a voluntary basis, to reach an agreement on the settlement of their dispute with the assistance of a mediator. 220 Mediator is any third party who is asked to conduct a mediation in and effective, impartial and competent way. Thus, mediation is an informal consensual process, an efficient and cost- effective way of resolving disputes. The advantages of mediation are the following: the procedure is voluntary, controlled by the parties, interest-based, confidential221, enforceable222 and without prejudice. The .uk ADR Rules provide for free mediation service carried out by phone by an accredited mediator in case a response to the complaint is submitted. Statistics show that 10-15% of the .uk disputes are settled through mediation. Mediation is built in the .dk ADR as well. Mediation within the .eu ADR procedure might save time and money for SMEs;  Providing for an appeal mechanism within the .eu ADR procedure (such as in .be, .uk). An appeal procedure could offer to parties a time and cost-effective process for the review of their cases seeking a reversal of the decision at first instance. An appeal procedure shall not prevent parties from initiating court proceedings in the of relevant jurisdiction during or after the procedure has come to a close;  Providing for expedited (fast-track) proceedings, such as the suspension by the Registry in clear typosquatting cases223 (such as in .dk) or procedures similar to Uniform Rapid Suspension system - URS224. Currently, if EURid suspects cybersquatting or typosquatting detected by its manual check, which is based on its own knowledge (not on cross-checks in trade mark or other databases), it carries out a Whois accuracy procedure to verify the domain name registration data. If the registrant does not validate the registration data, EURid may revoke (suspend and then withdraw) the domain name. The .dk Registry has a specific fast-track proceeding with reference to typosquatting cases.225 Rightsholders (already registrants of a .dk domain name registration) may file a request to the .dk Registry with the supporting documentation, requesting the suspension of domain names for typosquatting. The registrant has the possibility to make a statement within 72 hours. The decision is taken by the .dk Registry itself. The suspension is maintained for 4 weeks or until the decision of the ADR provider if the case is brought before it. After that, the domain is deleted. Upon deletion, the successful complainant has the first refusal right to have the domain name transferred. Thus, in clear-cut cases of trade mark infringement or in cases of obvious typosquatting, simplified and fast-track proceedings should be made available to the parties complementing and not replacing the standard .eu ADR procedure. This might save time and money for SMEs;  Providing for preliminary procedures available before the dispute over the domain is initiated. For example, such preliminary procedure might consist of the possibility to raise objection with the .eu Registry or the ADR provider

220 Article 3 EU Directive 2008/52/EC of the European Parliament and of the Council on Certain Aspects of Mediation in Civil and Commercial Matters (Mediation Directive) 221 Article 7 of Mediation Directive 222 Article 6 of Mediation Directive 223 Typosquatting is a form of cybersquatting which relies on mistakes such as typos made by the Internet users when inputting a website address into a web browser. The typosquatted domain name consist of a common, obvious, or intentional misspelling of a trade mark (e.g., adjacent keyboard letters, substitution of similar-appearing characters, inversion of letters and numbers, the addition or interspersion of other terms or numbers). 224 URS is a rights protection mechanism launched by ICANN in 2013 with the introduction of the new gTLDs. URS is a low cost and quick proceeding for rightsholders experiencing clear-cut cases of trade mark infringement caused by domain name registrations. URS results in the temporary take down (suspension) of the domain name until the expiry of the same. At the end of the registration period the domain name is cancelled by the registry operator. 225 https://www.dk-hostmaster.dk/en/terms#uretmassig 101

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

against a domain name registration request in the pre-delegation phase (such as in .hu226) or to file an opposition with the .eu Registry against a domain name registration (post-delegation) in order to obtain the lock of the domain name (such as the opposition procedure in .it227). Such solutions would be beneficial for SMEs both in terms of time and costs.

This assessment provides a foundation on which policy responses may be drawn up.

226 Articles 6.1 and 9 of Registration Rules and Procedures: http://www.domain.hu/domain/English/szabalyzat/szabalyzat.html 227 https://www.nic.it/en/manage-your-it/legal - primo 102

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

12. ACRONYMS, ABBREVIATIONS AND TERMS

ADR alternative dispute resolution

APEWS Abuse Prevention and Early Warning System

CAC Czech Arbitration Court

AIM European Brands Association

CAC Czech Arbitration Court

ccTLD country code Top-Level Domain

CENTR Council of European Top-Level Registries

CEPANI Belgian Centre for Arbitration and Mediation

Danish ADR provider for .dk Complaints Board for Domain Names

DK Hostmaster registry for .dk

DNS domain name system

DNS Belgium registry for .be

ECTA European Communities Trade Mark Association

EUIPO European Union Intellectual Property Office

EUIPN European Union Intellectual Property Network

EURid European Registry for Internet Domains – registry for .eu

EUTM European Union Trade Mark

GDP gross domestic product

gTLD generic Top-Level Domain

ICANN The Internet Corporation for Assigned Names and Numbers

Infomediátor ADR provider for .hu

Institute of Registro .it – registry for .it Informatics and Telematics of the 103

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

National Council of Researches

IP Internet Protocol

IPR intellectual property right(s)

ISZT Council of Hungarian Internet Providers – registry for .hu

MFSD ADR provider for .it and URS

Nominet registry and ADR provider for .uk oriGIn Organization for an International Geographical Indications Network

Panellists neutrals appointed by ADR providers to decide domain name disputes

R&D research and development

SME small and medium enterprises

TLD top-level domain

UDRP Uniform Domain Name Dispute Resolution Policy

URS Uniform Rapid Suspension System

WIPO World Intellectual Property Organization

104

STUDY ON EVALUATION OF PRACTICES FOR COMBATING SPECULATIVE AND ABUSIVE DOMAIN NAME REGISTRATIONS

13. ACKNOWLEDGEMENTS

FASANO PAULOVICS Società tra Avvocati would like to thank all stakeholders who contributed to the Study by providing data and information. In addition, FASANO PAULOVICS Società tra Avvocati would like to thank MFSD and its .it Experts and international Panellists for their input.

105

GETTING IN TOUCH WITH THE EU In person All over the European Union there are hundreds of Europe Direct information centres. You can find the address of the centre nearest you at: https://europa.eu/european-union/contact_en On the phone or by email Europe Direct is a service that answers your questions about the European Union. You can contact this service: – by freephone: 00 800 6 7 8 9 10 11 (certain operators may charge for these calls), – at the following standard number: +32 22999696 or – by email via: https://europa.eu/european-union/contact_en

FINDING INFORMATION ABOUT THE EU Online Information about the European Union in all the official languages of the EU is available on the Europa website at: https://europa.eu/european-union/index_en EU publications You can download or order free and priced EU publications at: https://publications.europa.eu/en/publications. Multiple copies of free publications may be obtained by contacting Europe Direct or your local information centre (see https://europa.eu/european- union/contact_en). EU law and related documents For access to legal information from the EU, including all EU law since 1952 in all the official language versions, go to EUR-Lex at: http://eur-lex.europa.eu Open data from the EU The EU Open Data Portal (http://data.europa.eu/euodp/en) provides access to datasets from the EU. Data can be downloaded and reused for free, for both commercial and non-commercial purposes.

KK-01-20-432-EN-N KK-01-20-432-EN-N

doi:10.2759/428574

ISBN 978-92-76-20634-7