WIPO Arbitration and Mediation Center
ADMINISTRATIVE PANEL DECISION
Facebook, Inc. and Instagram, LLC v. WhoisGuard Protected, WhoisGuard, Inc. / Phishing Operations, Wombat Security Technologies
Case No. D2020-3218
1. The Parties
Complainant is Facebook, Inc., United States of America (“United States”), Instagram, LLC, United States, represented by Hogan Lovells (Paris) LLP, France.
Respondent is WhoisGuard Protected, WhoisGuard, Inc., Panama / Phishing Operations, Wombat Security Technologies, United States, represented by Pattishall, McAuliffe, Newbury, Hilliard & Geraldson, United States.
2. The Domain Names and Registrar
The disputed domain names <facbook-login.com>, <facbook-login.net>, <instagrarn.ai>, <instagrarn.net>, and <instagrarn.org> (the “Domain Names”) are registered with NameCheap, Inc. (the “Registrar”).
3. Procedural History
The Complaint was filed with the WIPO Arbitration and Mediation Center (the “Center”) on December 1, 2020. On December 1, 2020, the Center transmitted by email to the Registrar a request for registrar verification in connection with the Domain Names. On December 1, 2020, the Registrar transmitted by email to the Center its verification response confirming that Respondent is listed as the registrant and providing the contact details for the Domain Names.
The Center verified that the Complaint satisfied the formal requirements of the Uniform Domain Name Dispute Resolution Policy (the “Policy” or “UDRP”), the Rules for Uniform Domain Name Dispute Resolution Policy (the “Rules”), and the WIPO Supplemental Rules for Uniform Domain Name Dispute Resolution Policy (the “Supplemental Rules”).
In accordance with the Rules, paragraphs 2 and 4, the Center formally notified Respondent of the Complaint, and the proceedings commenced on December 4, 2020. In accordance with the Rules, paragraph 5, the due date for Response was December 28, 2020. The Response was filed with the Center on December 28, 2020.
The Center appointed Robert A. Badgley as the sole panelist in this matter on January 11, 2021. The Panel finds that it was properly constituted. The Panel has submitted the Statement of Acceptance and Declaration of Impartiality and Independence, as required by the Center to ensure compliance with the Rules, paragraph 7.
4. Factual Background
Complainant Facebook, Inc. is an online social media service provider. Complainant has provided social networking services under the FACEBOOK trademark since 2004, and today is one of the world’s largest social media firms. Complainant has more than 2.7 billion active monthly users and more than 1.7 billion active daily users around the world. Complainant’s website, located at “www.facebook.com”, is one of the most visited sites in the world.
The trademark FACEBOOK is registered in numerous jurisdictions, including United States Patent & Trademark Office Reg. No. 3041791, registered on January 10, 2006.
There is little doubt that FACEBOOK is a famous trademark.
Complainant Instagram, Inc., owned by Facebook Inc. since 2012, is one of the world’s largest photo- and video-sharing social media platforms. Annexed to the Complaint is evidence that “Instagram” is one of the world’s most widely used apps on mobile devices. Complainant maintains a website at “www.instagram.com”.
The trademark INSTAGRAM is registered in numerous jurisdictions, including United States Patent & Trademark Office Reg. No. 4146057, registered on May 22, 2012.
There is little doubt that INSTAGRAM is also a famous mark.
The Domain Names <instagrarn.ai>, <instagrarn.net>, and <instagrarn.org> were registered on April 25, 2018. The Domain Names <facbook-login.com> and <facbook-login.net> were registered on December 6, 2018.
Respondent Wombat Security Technologies (“Wombat”) was acquired by Proofpoint, Inc. (“Proofpoint”) in March 2018. Proofpoint sells online security awareness training services and products.
The Domain Names resolve to a landing page operated by Respondent’s parent, Proofpoint. The landing page contains a header that includes the name “Proofpoint Security Awareness Training”, and the following text (underscore denotes a hyperlink):
“Hi! This web site belongs to Proofpoint Security Awareness Training. This domain is used to teach employees how to recognize and avoid phishing attacks. This page is here to let you know that it is not a malicious web page. The email that led you here was likely sent by your employer as part of a training program.
If you have questions, you can contact your employer’s IT help desk. If you still have questions you can contact us at [email redacted].”
The hyperlink in the above-quoted text directs the visitor to the Proofpoint commercial website.
On July 31, 2019, Complainant notified Respondent about the former’s objections to the latter’s use of the Domain Name <facbook-login.com>. On October 8, 2019, Proofpoint’s counsel wrote to Complainant, stating that Proofpoint owns Respondent (Wombat) and that Wombat is legitimately using the Domain Name to educate its clients’ employees about phishing attacks. Proofpoint’s counsel stated that Respondent’s activities actually inure to the benefit of Facebook “because [Wombat] trains companies and individuals to recognize the difference between a legitimate email from Facebook versus an imposter who is using Facebook’s likeness for illegitimate purposes”.
On March 5, 2020, Complainant sent another letter to Respondent about the Domain Name <facbook-login.com> and requesting a transfer of the Domain Name. Reminders were sent to Respondent on March 13, 2020 and May 13, 2020. On the latter date, Respondent sent a response stating that it would respond within the “next several days”.
Complainant sent a third chaser to Respondent on June 24, 2020. On July 11, 2020, Respondent replied to Complainant’s March 5, 2020 letter, essentially reiterating the position stated by Proofpoint’s counsel on October 8, 2019.
Complainant subsequently conducted research and learned that Respondent had also registered the four other Domain Names at issue in this proceeding, and was using these Domain Names in the same manner as was described above in connection with <facbook-login.com>. Complainant also learned that Respondent had registered numerous other domain names similar to trademarks such as MICROSOFT, PAYPAL, GOOGLE, and the like.
5. Parties’ Contentions
Complainant contends that it has satisfied all three elements required under the Policy for a transfer of the Domain Names.
Respondent asserts that its registration and use of the Domain Names is legitimate and not in bad faith, as Respondent’s legitimate business is providing clients with training about cybersecurity, including identifying phishing scams. Respondent asserts that anyone who arrives at the Proofpoint website via one of the Domain Names will see immediately that the website is not affiliated with Complainant or its FACEBOOK and INSTAGRAM marks.
6. Discussion and Findings
Paragraph 4(a) of the Policy lists the three elements which Complainant must satisfy with respect to each of the Domain Names:
(i) the Domain Name is identical or confusingly similar to a trademark or service mark in which Complainant has rights; and
(ii) Respondent has no rights or legitimate interests in respect of the Domain Name; and
(iii) the Domain Name has been registered and is being used in bad faith.
A. Identical or Confusingly Similar
The Panel concludes that Complainant has rights in the trademarks FACEBOOK and INSTAGRAM through registration and use demonstrated in the record. The Panel also concludes that the Domain Names are confusingly similar to those marks. Two of the Domain Names fully incorporate the mark FACEBOOK minus one letter “e”, and then add the term “login”. The FACEBOOK mark is clearly identifiable within those Domain Names.
Similarly, the other three Domain Names fully incorporate the INSTAGRAM mark, except the “m” is replaced by “rn”. These letters, typed in succession, closely resemble an “m” in many fonts. Again, the INSTAGRAM mark is easily recognizable within these three Domain Names.
Complainant has established Policy paragraph 4(a)(i).
B. Rights or Legitimate Interests
For each of the Domain Names, pursuant to paragraph 4(c) of the Policy, Respondent may establish its rights or legitimate interests in the Domain Name, among other circumstances, by showing any of the following elements:
(i) before any notice to you [Respondent] of the dispute, your use of, or demonstrable preparations to use, the Domain Name or a name corresponding to the Domain Name in connection with a bona fide offering of goods or services; or
(ii) you [Respondent] (as an individual, business, or other organization) have been commonly known by the Domain Name, even if you have acquired no trademark or service mark rights; or
(iii) you [Respondent] are making a legitimate noncommercial or fair use of the Domain Name, without intent for commercial gain to misleadingly divert consumers or to tarnish the trademark or service mark at issue.
The Panel concludes that Respondent lacks rights or legitimate interests in respect of the Domain Names. Respondent is undoubtedly engaged in a legitimate business, but engaging in a legitimate business does not automatically vest Respondent with a legitimate interest vis-à-vis the Domain Names. Here, Respondent is admittedly using Domain Names that are confusingly similar to Complainant’s famous trademarks, with the aim that an Internet user will arrive at the landing page (described above in the “Factual Background” section) of Respondent’s parent, Proofpoint. Once arrived at the Proofpoint site, the Internet user becomes aware of Proofpoint’s commercial cybersecurity offerings.
Respondent asserts that the Internet user in this position will not conclude that Respondent/Proofpoint is somehow affiliated with Facebook or Instagram, and therefore there is no harm here. The Panel does not agree. First, the Proofpoint landing page does not expressly disavow any affiliation with Complainant and its marks. The Internet user may well believe that Complainant has somehow sanctioned or authorized Proofpoint’s activities. Moreover, even if an Internet user does not reach this conclusion, the user has nonetheless arrived, via the Domain Name, at a website where the only actionable link would have the user click on the Proofpoint hyperlink and visit the Proofpoint website. This could cause confusion that trademark law and the UDRP would not permit.
Although Internet users using one of the Domain Names and mistakenly arriving at the Proofpoint website may ultimately realize that the site is not authorized by or affiliated with the Complainant, they will have nonetheless landed on a site which flows to Respondent’s commercial benefit. These users did not sign up for this; they were searching – via a campaign sponsored by the Respondent – for Complainant’s website. Respondent is, in essence, riding on the considerable goodwill of Complainant and its famous trademarks to capture the attention of Internet users looking not for cybersecurity goods and services, but for FACEBOOK or INSTAGRAM social media offerings.
Complainant has established Policy paragraph 4(a)(ii).
C. Registered and Used in Bad Faith
For each of the Domain Names, paragraph 4(b) of the Policy provides that the following circumstances, “in particular but without limitation”, are evidence of the registration and use of the Domain Name in “bad faith”:
(i) circumstances indicating that Respondent has registered or has acquired the Domain Name primarily for the purpose of selling, renting, or otherwise transferring the Domain Name registration to Complainant who is the owner of the trademark or service mark or to a competitor of that Complainant, for valuable consideration in excess of its documented out of pocket costs directly related to the Domain Name; or
(ii) that Respondent has registered the Domain Name in order to prevent the owner of the trademark or service mark from reflecting the mark in a corresponding domain name, provided that Respondent has engaged in a pattern of such conduct; or
(iii) that Respondent has registered the Domain Name primarily for the purpose of disrupting the business of a competitor; or
(iv) that by using the Domain Name, Respondent has intentionally attempted to attract, for commercial gain, Internet users to Respondent’s website or other online location, by creating a likelihood of confusion with Complainant’s mark as to the source, sponsorship, affiliation, or endorsement of Respondent’s website or location or of a product or service on Respondent’s website or location.
The Panel concludes that Respondent has registered and used the Domain Names in bad faith. The Panel incorporates its discussion above in the “Rights or Legitimate Interests” section. It is uncontroverted that Respondent had Complainant’s famous trademarks in mind when registering the Domain Names. As respects bad faith use, the Panel finds that this case falls squarely within the above-quoted paragraph 4(b)(iv).
Respondent insists that it is not a bad actor, and that it operates a legitimate business. The Panel does not have any quarrel with those assertions, which are true as far as they go. The Panel observes, however, that the concept of “bad faith” within the UDRP does not necessarily carry with it malice or ill motives. The non‑exclusive list of “bad faith” factors spelled out above does not necessarily require a finding of malice or particular motives. As noted above, this case fits almost verbatim within paragraph 4(b)(iv).
Respondent may sincerely believe that it has not violated the UDRP here, but the fact remains that Complainant never gave Respondent permission to use its famous trademarks in such a manner as to enhance the number of Internet users arriving at Respondent’s parent’s commercial website, and yet Respondent has done exactly that.
Complainant has established Policy paragraph 4(a)(iii).
For the foregoing reasons, in accordance with paragraphs 4(i) of the Policy and 15 of the Rules, the Panel orders that the Domain Names <facbook-login.com>, <facbook-login.net>, <instagrarn.ai>, <instagrarn.net>, and <instagrarn.org> be transferred to Complainant.
Robert A. Badgley
Date: January 25, 2021