by caffeinewriter 2294 days ago
I feel like the title "Facebook sues Namecheap for registering phishing domains" is somewhat misleading.

> We found that Namecheap’s proxy service, Whoisguard, registered or used 45 domain names that impersonated Facebook and our services, such as instagrambusinesshelp.com, facebo0k-login.com and whatsappdownload.site. We sent notices to Whoisguard between October 2018 and February 2020, and despite their obligation to provide information about these infringing domain names, they declined to cooperate.

Specifically, they're suing Namecheap and their proxy service for not providing information about the true registrants of the allegedly infringing domains.

4 comments

We've edited the title in an attempt to thread that needle. If someone can suggest a better—more accurate and neutral—title, we can change it again.
"This week we filed a lawsuit in Arizona against Namecheap [...] for registering domain names that aim to deceive people by pretending to be affiliated with Facebook apps."

The press release says "for registering domain names" so I think the original title was accurate.

Previous similar court case where Verizon won a judgment against OnLineNic on the basis of trademark infringement: https://dockets.justia.com/docket/california/candce/3:2008cv...

So it doesn't seem like this suit is just about discovering the identities of the registrants.

Hmm. Maybe we'll just cut it to the minimum viable title.

(Title was "Facebook sues Namecheap for registering phishing domains", then "Facebook sues Namecheap for registrants of phishing domains".)

And to be clear, all Namecheap had to do to prevent this lawsuit was identify the owners of or delete the obviously-phishing and obviously-TM-infringing domain names. They didn't, so now Facebook is taking them to court over it.
Facebook listed 3 of the 45, including one that I'd argue does not at all violate TM or phish. In a post like this, they'd likely pick the most egregious examples, so your statement about how obvious this is is entirely baseless. Furthermore, I'm absolutely okay with Namecheap not honoring a demand for information without a subpoena. Those whoisguards protect me from spammers, scammers, and anyone who would want my information from a whois.
Agreed 100%. I'm a huge fan of removing all PII from whois info. Get a subpoena if you want that data. Otherwise next thing you know they'll be demanding registrant info for "facebookisevil.com" because it "infringes on our trademarks!!!"
Isn't "getting a subpoena" basically what they're doing?
I think normally they would sue the people who registered the domain to get a subpoena, not Namecheap itself.
I thought the point was that they're suing Namecheap to get the names of the people who registered the domain, because Namecheap was serving as an anonymity service.
Actually all PII information is already removed from whois info. I think it was a consequence of GDPR.
Nah, Namecheap made Whoisguard free for all long before GDPR, if memory serves correctly.
They may have, but regardless of them doing so, GDPR resulted in the making of whois data not generally available to anyone.
Why do I care about the other examples if the egregious examples include obvious phishing sites?
It sounds like Facebook asked, not a court. Just because you're a big company doesn't mean others need to bend to your will.
Well what's the point of protecting the domain owner if anyone who comes by and asks can get that info?
According to ICANN they cannot simply delete the domains: https://www.icann.org/resources/pages/help/dndr/udrp-en

"Under the policy, most types of trademark-based domain-name disputes must be resolved by agreement, court action, or arbitration before a registrar will cancel, suspend, or transfer a domain name."

Or, alternatively, remove the domain names, since they're blatantly phishing domains.

I think anonymous domain registration is an important property to preserve. Many people need such services for their safety. However, if you're going to serve as an anonymity shield for another party, you're taking on some of that party's liability, and in particular you need to take down malicious domains.

Namecheap is responsible for administrating domain ownership. They are not free to unilaterally change or remove ownership at will.

That doesn't mean it's impossible to deregister infringing domains. It means that there is a process to follow, which is probably what we're seeing right now.

I know some attorneys are on HN, so question: does Namecheap/Whoisguard have a legal obligation to reveal that requested info?
Honestly, I'm glad they didn't. There's not much use in a whois privacy service if they'll give up the info just because a company says "this is infringing".
What value is there in Whoisguard if anybody can strong-arm you into giving the data away?
Then Namecheap is liable for determining what qualifies as phishing or TM infringement. This is not their responsibility.
This pretty much depends on the details.
How is "instagrambusinesshelp.com" impersonating Facebook services? Is the argument here that using "Instagram" in a domain name is inherently not allowed?

Edit: Would "instagramsucks.com" or "facebooksucks.com" also be infringing?

One name implies it’s related to the company, another does not. That’s why there are judges instead of robots in court.
The name only loosely suggests it might be related, it doesn’t (at least to me) directly imply it.
I mean, it's alleged they were a phishing operation...

And in terms of trademark law the owners are unlikely to be on stronger grounds if they're not a pure phishing operation as alleged, but have merely chosen to include Facebook's trademark in their website or email marketing name without Facebook's permission to increase the likelihood Facebook's customers will purchase services from them.

You don't have to imply you definitely are the owner of a trademark to fall foul of trademark law, you just have to be trying to profit from using the trademark without permission in their line of trade in a way you can't justify as 'fair use'. I think we can rule out the idea instagrambusinesshelp.com is commentary, comparison, parody or a list of third parties worked with.

But you have to consider your everyday user who has no real understanding of how companies use domains outside of being a name. That domain suggests it's business support for Instagram.
I feel like an everyday person would see that and think “ah a 3rd party consultant to help with my influencer business” (or whatever the professional application of instagram is.)
Almost every Windows website in existence is liable under this description. It is confusing, but protecting domain names via trademark law seems undesirable to me in most cases.
Instagram has a business portal. When your site could easily be mistaken as an official company channel, that should not be allowed.
This seems like a bad knee-jerk reaction, not a real solution.

My company also has a business portal. Can I take down domains that are similar to it as well? Or is this power just reserved for MegaCorp Inc. who can afford large legal teams? At what point does a company become large enough to warrant "protection" of domains similar to their own? Who makes that decision and is there any dispute process? Etc, etc...

So many questions and potential pitfalls surrounding this approach. I don't know if there's any better realistic "solution" than to let users ultimately be responsible for the domains they visit. Not much of a solution but I don't see any better options that are both realistic and helpful.

There's an ICANN process that allows you to file exactly this sort of domain-specific takedown notice. https://www.icann.org/resources/pages/help/dndr/udrp-en

The big drawback of the process is that it doesn't work well for phishing attacks, where taking down one domain is of limited value. It's designed more for things like nissan.com.

But the language on Facebook's press release implies that the names themselves are misleading. They don't mention the content.

I'm not disputing that the sites themselves are scammy/phishing, but what Facebook is saying here sounds like an overreach that amounts to "using Facebook trademarked names in a domain name is misleading and inherently untrustworthy".

So if you started a small consulting company helping people advertise or build a brand on Instagram, and your website was instagrambusinesshelp.com, Facebook has the right to say "not allowed"?

Do I also have the right to impose rules on other businesses' naming conventions [1], or no because I'm not a $500B company?

[1] In a fair use context, not blatant copyright/trademark infringement or posing as the company in a phishing context.

There is no fair context for that under the law. The name is trademarked so unless you have approval from Facebook to use their trademark then using it is not legal. It's not that complicated.
Maybe domain names are treated differently from book titles, but I don't see why they should be. There certainly is fair use of trademarks in book titles if the use is descriptive, not likely to lead to confusion about who produced the book, and can't be effectively replaced with a more generic term. E.g. "That Popular Graphics Editor for Dummies" isn't a sensible substitute for "CorelDRAW! for Dummies".
They don’t even like you to use “book”.
My assumption is that "instagrambusinesshelp.com" was impersonating Instagram to scam people. Instagramsucks.com probably isn't trying to impersonate them, just complaining about them.
And likely wouldn't be infringing Instagram's TM.
Well, their whois proxy services. Namecheap has other proxy services (email for sure, I think also some configurations like parking and redirection use an HTTP proxy), so not specifying whois proxy is pretty confusing.