On-line ADR Center of the Czech Arbitration Court (CAC)

Panel Decision

§ 15 of the UDRP Rules (Rules), § 9 of the CAC’s Supplemental Rules (Supplemental Rules)

Case No. 103841
Time of Filing 2021-06-07 09:26:05
Disputed domain name HLDGLOBQL.COM
Case Administrator
Name Denisa Rihova
Complainant
Organization ASSA ABLOY AB
Authorized Representative
Organization Coöperatieve Vereniging SNB-REACT U.A.
Respondent
Organization Register.com, Inc. ("Register Holding Account")
Other Legal Proceedings
The Panel is not aware of any other legal proceedings which are pending or decided and relate to the disputed domain name.
Identification of rights
The Complainant has demonstrated that it is the owner of:

- the word mark "HID", registered on 7 March 2000 as EU Trade Mark No.001061464 under Nice Classification System Class 9 and similarly in the United States since 2016 as US Trademark No. 85756909;
- the figurative mark with textual element "HID" in white capital letters on blue background with rounded corners, registered as EU trademark No. 012876991 since 13 October 2014 in Classes 9, 16, 42 and 45; and
- the word mark "HID GLOBAL", registered as EU Trade Mark No.352951 since14 August 2007 under Class 9 and similarly in the United States since 2008 as US Trademark No. 78853856.

The Complainant refers in regard to the quality of the last-mentioned trademarks to WIPO Case No. D2018-2027 <hidgiobal.com>, in which the Panel found that "HID GLOBAL trademark (...) has strong reputation and is widely known, as evidenced by its substantial use worldwide".

The Complainant uses its trademarks in domain names it has registered: <hidglobal.com>, <hidglobal.co.uk>, <hidglobal.de> and <hidglobal.se>.

The Respondent registered the disputed domain name on 27 August 2020.
Factual Background
FACTS ASSERTED BY THE COMPLAINANT AND NOT CONTESTED BY THE RESPONDENT:

The Complainant, ASSA ABLOY, is a global leader in door opening solutions with sales of 94 billion Swedish krona in 2019 (€9.2 billion or nearly $11 billion). It has a presence in over seventy countries and a market leading position in Europe, North America and the Asia Pacific region. About 70% of the group’s total sales fall under the ASSA ABLOY master brand, while 20% are under Yale (home access and security) and HID (identification technology), of which HID GLOBAL forms a sub-brand.

On 4 September 2020 a phishing mail was sent from an e-mail address employing the disputed domain name. It attached false "updated bank information" and requested recipients to ensure that they made payment using it before the end of the week. An image file was used in the mail to display the Complainant's HID figurative mark. The Complainant's correct domain name <hidglobal.com> was furthermore given in the corporate details along with the address of offices of the Complainant at Fort Lauderdale in the United States.

The Complainant was made aware of the fraudulent mail. On 5 January 2021, the Complainant's Authorized Representative sent an abuse report regarding the disputed domain name to the registrar, Register.com. However, the Complainant received no response.

At the time of opening the present proceeding, the Complainant took a screenshot of a Register.com page offering the disputed domain name for sale by means of "backorder", that is, by means of the registrar entering into contact with the registrant on behalf of a buyer.

The CAC Case Administrator requested the registrar's verification of the disputed domain name details on 4 June 2021 and was obliged to send reminders to the registrar on 8 and 10 June. The registrar's response was finally received on 11 June 2021.

The Registrar confirmed that "Register Holding Account" as the name for the registrant. It also affirmed that "The registrant has submitted the Registration Agreement at the principal office of the registrar" and other details incidental to the ADR process. The postal address the registrar provided for the registrant is the same as Register.com's own address, namely, 5335 Gate Pkwy Jacksonville​, Florida 32256, in the United States.

The CAC Case Administrator queried these registrant details on 17 June 2021. The registrar re-confirmed them on the same day.
 
PARTIES' CONTENTIONS:

COMPLAINANT:

The disputed domain name is confusingly similar to the Complainants' trade marks and is an example of typosquatting. It consists in a misspelling that maintains sufficiently recognizable aspects of the Complainant’s trademarks. The only difference between the stem of the disputed domain name <hldglobql.com> and the HID GLOBAL trademark is the change of the letter "i" to the letter "l" and the letter "a" to the letter "q". These new characters still look like the letters i and a in some computer fonts. Previous similar cases before ADR Panels include WIPO Case D2018-1815 on <hidQlobal.com>, another case involving phishing, where the Panel remarked that "An Internet user, including an email recipient, would likely fail to recognize the very minor distinction in appearance between Complainant’s trademark and the disputed domain name".

The Respondent has no rights or legitimate interest in the disputed domain name, which was registered in August 2020. This was long after the Complainant had established its rights in its well-known trademarks, which the Respondent has not been authorized to use. Far from the Respondent having any rights or legitimate interest in the disputed domain name, the Respondent relied on it to conduct fraudulent activity, i.e. phishing.

This is in itself also evidence of bad faith registration and use contrary to the UDRP, and it shows that the Respondent was clearly aware that the well-known HID and HID GLOBAL trademarks were registered and being used by the Complainant. The Respondent in fact impersonated the Complainant. Furthermore, as stated in WIPO Case D2018-1815 when reaching a finding of bad faith: "Regrettably, it is not uncommon for domain names which closely approximate distinctive trademarks to be used as instruments of fraud or other abuse." An additional factor for a finding of bad faith is that the Respondent also uses an anonymization service, PERFECT PRIVACY, LLC, which is established at the same address as the registrar’s. It is difficult to see in the present case why this Respondent should need to protect its identity, except to make it difficult for the Complainant to protect its trademark rights.

ADDITIONAL CONTENTION RELATED TO THE REGISTRAR’S COMPLICITY

The registrar has provided contradictory statements to the CAC Case Administrator concerning the Respondent's identity. On 11 June 2021 it stated that "Register Holding Account is the current registrant of the hldglobql.com domain name" but also that "The registrant has submitted the Registration Agreement at the location of the principal office of the registrar." On 17 June, it maintained that "these are the correct contact details." However, an "account" clearly cannot be a registrant. A registrant's name must be that of either an organization or a person.

Further, the address mentioned in the WHOIS data provided by the registrar seems to be the registrar's own address. The registrar thus failed to share information on the actual registrant of the disputed domain name with the ADR Provider or the Complainant. By contrast, the UDRP requires that the registrar must provide the UDRP Provider with full registration data. It is unclear why the registrar does not do so for a domain name used for phishing.

The Complainant thus refers here to Decisions of previous ADR Panels such as in WIPO Case No. DCO2019-0033 -- "where a registrar breached the provisions of the Policy or Rules or its conduct otherwise threatened to undermine the proper operation of the UDRP, it might be appropriate to invite the Center to bring that failure to the attention of ICANN, with a view to ICANN undertaking such investigation into, and enforcement steps against, the registrar as it considers appropriate" -- and CAC Case 100149.

For now, the registrar's mentioned legal entity, "Register.com, Inc.", is (also) itself a proper Respondent to the Complaint, as per WIPO Case No. D2010-1945: Pandora Jewelry, LLC v. Whois Privacy Protection Service, Inc. / Lisa Xu, in which the Panel stated that “In conclusion, …, the Panel considers by parity that the relevant domain names [sic] is in fact controlled by both persons, the privacy service as public registrant and the underlying registrant and that naming both entity [sic] as Respondents respects the UDRP rules”.

RESPONDENT:

NO ADMINISTRATIVELY COMPLIANT RESPONSE HAS BEEN FILED.
Rights
The Complainant has, to the satisfaction of the Panel, shown that the disputed domain name is identical or confusingly similar to a trademark or service mark in which the Complainant has rights (within the meaning of paragraph 4(a)(i) of the Policy).
No rights or legitimate interests
The Complainant has, to the satisfaction of the Panel, shown that the Respondent has no rights or legitimate interests in respect of the disputed domain name (within the meaning of paragraph 4(a)(ii) of the Policy).
Bad faith
The Complainant has, to the satisfaction of the Panel, shown that the disputed domain name was registered and is being used in bad faith (within the meaning of paragraph 4(a)(iii) of the Policy).
Procedural Factors
Paragraph 4 of the UDRP Rules states as follows in respect of the registrar verification step of the ADR procedure:

"(a) The Provider shall submit a verification request to the Registrar. The verification request will include a request to Lock the domain name.

"(b) Within two (2) business days of receiving the Provider's verification request, the Registrar shall provide the information requested in the verification request and confirm that a Lock of the domain name has been applied. The Registrar shall not notify the Respondent of the proceeding until the Lock status has been applied. The Lock shall remain in place through the remaining Pendency of the UDRP proceeding. Any updates to the Respondent's data, such as through the result of a request by a privacy or proxy provider to reveal the underlying customer data, must be made before the two (2) business day period concludes or before the Registrar verifies the information requested and confirms the Lock to the UDRP Provider, whichever occurs first. Any modification(s) of the Respondent's data following the two (2) business day period may be addressed by the Panel in its decision."

Based on the documentation of the registrar verification contained in the Case File, the Panel FINDS that the registrar of the disputed domain name in this case failed by two full days to comply with the requirements of UDRP Paragraph 4(b).

As concerns the Complainant's contentions regarding the content of the information provided by the registrar, these raise a substantive issue which is dealt with under the Principal Reasons for the Decision.

The Panel is satisfied that all other procedural requirements under UDRP were met and that there is no reason why it would be inappropriate to provide a decision.
Principal Reasons for the Decision
This case involves two issues: (a) typosquatting by an unknown person and (b) alleged complicity by a registrar in such activity.

A. Typosquatting

This is a distinctive form of domain name abuse that is in practice often associated with phishing, whereby emails sent using the domain name address in question can induce unsuspecting recipients to confuse the purported sender with a genuine, usually well-known entity with which the recipient may have or wish to have dealings. Typically, the idea is to trick the recipient into paying money to the sender.

In the present case, the typosquatting involved distorting -- in the stem of the disputed domain name at registration -- the Complainant’s trademark-protected HID GLOBAL brand name by altering two of its characters to other optically similar ones. The perpetrator of the abuse then within days from registration conducted phishing by masquerading as the Complainant as recounted under Factual Background, above. Further, to evade detection, the perpetrator sought to hide its identity not only by means of a privacy service but by misusing in its registration contact details the registrar's own privacy service details themselves.

All of the elements of the UDRP’s three-part cumulative test are met in the preceding paragraph’s encapsulation of this case – the Complainant’s rights, the confusing similarity of the disputed domain name to the Complainant's trademarks, the absence of any rights or legitimate interest on the part of the Respondent, and utmost bad faith at registration and in use. And one must in addition bear in mind here the risk of harm posed throughout to the Complainant's customers and the Complainant's business.

The Panel finds that the Complainant has demonstrated all UDRP elements amply, and orders the transfer of the disputed domain name to the Complainant.

B. Alleged registrar complicity

The Complainant is in effect seeking to make the registrar, Register.com, a Co-Respondent in this case.

On the one hand, the Complainant contends that the registrar provided contradictory statements to the CAC Case Administrator at the time of registrar verification. It cites in developing this argument notably the registrar’s statement (cited under Factual Background) concerning submission of the registration agreement at the registrar's location. The Panel finds, however, that this statement is irrelevant because the registrar was in fact merely expanding there on why English is the language of the registration agreement, which is important for determining the proper language of a UDRP proceeding.

On the other hand, the Complainant invokes the registrar’s other conduct. Here, the Panel notes that:

(1) The registrar seems not to have taken action on the basis of the Complainant’s abuse report, which alerted the registrar to the Complainant's rights and to evidence of phishing, but instead maintained a “backorder” service that would facilitate negotiation with the Respondent on transfer of the disputed domain name to a new buyer;
(2) The registrar failed to observe the UDRP’s deadline for registrar verification (see the Panel’s finding under Procedural Factors); and
(3) The registrar persisted in affirming that the name and contact details of the registrar's own privacy service sufficed for the purpose of registrar verification of the registrant’s identity, in spite of the CAC Case Administrator having queried these details.

The Panel observes that is the registrar which constitutes the first line of defence against harmful domain name abuse and thus records its serious concern as regards items (1) and (3). The Panel does not, however, conclude that a degree of complicity has been shown in this case that is sufficient to implicate the registrar as Co-Respondent; such conduct may well have made it easier for the perpetrator to commit phishing, yet there is no evidence of active collusion. The Panel instead recommends the CAC to notify ICANN of the circumstances just noted for consideration in light of ICANN's arrangements with gTLD accredited registrars.
Decision
For all the reasons stated above, the Complaint is Accepted
and the disputed domain name(s) is (are) to be
HLDGLOBQL.COM Transferred to the Complainant
Panellists
Name Kevin J. Madders
Date of Panel Decision 2021-07-31
Publication of the Decision
Publish the Decision