Attorney John Berryhill analyzes an interesting UDRP case.
Once in a while a UDRP dispute is almost more interesting because of who, instead of what, is involved. The decision in Help-Aetna(.)com is one of those cases.
On its face, you would think this is one of the bread and butter UDRP disputes which make up most of the caseload. Aetna, the Complainant, is a well-known US insurance company, and they are represented in this case by Attorney Doug Isenberg, the author of the highly-regarded GigaLaw blog on internet law issues. Additionally, over the last year, Mr. Isenberg has published a series of “Masterclass” YouTube videos focusing on the UDRP in particular. So, unless someone is sending aid to volcano-threatened Sicilians, it would be difficult to believe this case would result in anything other than a transfer.
The panel is highly distinguished as well. The three panelists are Mr. Christopher Gibson, the author of more than 200 UDRP decisions. He is joined by Mr. Brian Winterfeldt, a leading intellectual property attorney and president of the ICANN Intellectual Property Constituency among other distinguished positions; and by Mr. Martin Schwimmer, the lanky, erudite Harvard-educated author of The Trademark Blog.
The first sign of trouble is the suspiciously-named Respondent, “Whois Privacy Service / Manager Knowbe4” shows up represented by, uh-oh, Wilson Sonsini, perhaps the first name in Silicon Valley IP circles.
It turns out that the domain registrant is a NASDAQ-listed IT security company which “employs a library of content for use by its corporate customers in simulated phishing attacks”. Among the assets it uses, apparently, are decoy domain names appropriate to the industry sector of the corporation which has engaged the Respondent as a client.
So, at bottom, the domain name is not used for any purpose to capitalize or exploit Aetna’s mark, or divert their customers. The fact that the Respondent uses the domain name in connection with a commercial service in some way is not relevant to the fact that no one is running around calling this an Aetna brand service. In fact, because the name is owned by a security company and used in their specifically targeted tests, it is not as if these phishing emails are out in the wild doing harm of any kind.
But, knowing these facts after seeing the UDRP Response, the Complainant pressed on with a supplemental filing. There has, in fact, been one case on this same fact pattern – Facebook v. Wombat Security Technologies, WIPO Case D2020-3218 – in which several domain names such as facbook-login(.)com etc., were used for a similar purpose by a company now known as the “Security Awareness Training” arm of Proofpoint Inc.. In the Wombat case, Facebook was represented by Hogan Lovells, and the Respondent was represented by UDRP heavy-hitter firm Pattishall, McAuliffe, so there was no lack of solid argument on either side. The solo panelist, Mr. Robert Badgely, redefined “bad faith” to include “good faith” through the magic of legal alchemy, finding, “[T]he concept of “bad faith” within the UDRP does not necessarily carry with it malice or ill motives” despite the fact that it is nearly universally considered to be the “intent” or “mens rea” element of the UDRP.
There has been some additional history to the Wombat case, however. WIPO does not, in general, indicate UDRP disputes which have died and gone to heaven in a court somewhere. To be fair, there is no feedback loop by which WIPO would know that. By the same token, WIPO is selective about which cases will receive a mention on a page of “selected” UDRP-relevant court decisions. That said, it is always the job of counsel to know what they are doing. As it turns out, WIPO D2020-3218 was further litigated as Proofpoint Incorporated v. Facebook Incorporated, Case No. 2:21-cv-00226 in the US District Court for the District of Arizona (the location of GoDaddy), and was terminated just last week by voluntary dismissal, since it appears that the parties came to their senses upon the realization that a decoy name used for legitimate security testing does not infringe anyone’s mark any more so than training store employees how to spot shoplifters stealing luxury goods.
Unlike single-member panel UDRP proceedings, a three-member panel proceeding requires what is usually a collection of thoughtful experts to actually confer on the outcome. Simply put, it is more likely that members of a three-member panel are going to find unchallenged assumptions or unsupported conclusions in their own initial positions as a consequence of conferring among one another.
Oddly, it does not appear that the Complainant, Respondent or Panel were even aware of the Wombat case, despite the fact that it had attracted some attention and a few raised eyebrows when it came out last year. The Panel notes that the “case presents an interesting question” but there is no apparent awareness that the identical question had been raised before, and even taken to litigation. This may be a function of the lack of adequate indexing of UDRP decisions generally, along with the fact that very few IP practitioners keep track of UDRP minutiae since, if IP disputes were Olympic sports, the UDRP would be a mud wrestling contest in a seedy bar on the other side of town. Drop by and buy me a drink sometime.
In any event, this Panel took the appropriate view under the narrow criteria of the UDRP, which is intended for clear-cut cases of abuse, finding:
“As to Complainant’s assertions of confusion arising from Respondent’s use of the Domain Name, to continue Complainant’s analogy – were a security company to simulate a bank robbery to promote its services, it might show poor judgment, and it might cause harm leading to some sort of liability, but if it simply never robbed the bank, it didn’t commit the sort of wrong covered by a bank robbery statute.”
So, yet again, we have two fairly identical UDRP fact patterns and two diametrically opposed results with no cross reference. Since, aside from the working memory of UDRP-obsessives, there are few good indices of UDRP decisions, none of the Complainant’s counsel, Respondent’s counsel, nor any of the three panelists, appear to have been aware that the identical question had been asked and answered a year ago. One would assume with confidence that Wombat would have been cited, to be directly contradicted. But, due to the dynamics of three-member UDRP panels, and the narrow class of clearly abusive domain registration for which the UDRP was intended, the result may well have been the same even if on-point precedent had been considered – at least for the purpose of expressly rejecting it.