Phishing is rampant, and when the targeted brand and service is Google Authenticator there’s a lot at stake.
The registrant of Google-Authenticator.com actually set up a web site thus engaging in brand infringement. Google Inc. filed a UDRP at the National Arbitration Forum.
According to the UDRP:
The resolving web site displays Complainant’s mark and logo, material copied from Complainant’s legitimate website, and the URLs of Complainant’s legitimate websites.
Such phishing attempts can cost tremendous amounts of monetary and intellectual property loss. The sole panelist at NAF ordered the domain name Google-Authenticator.com to be transferred to the Complainant.
Google LLC v. Chia Chuan Lee
Claim Number: FA2008001907337
PARTIES
Complainant is Google LLC (“Complainant”), represented by Fabricio Vayra of Perkins Coie LLP, District of Columbia, United States. Respondent is Chia Chuan Lee (“Respondent”), United States.
REGISTRAR AND DISPUTED DOMAIN NAME
The domain name at issue is <google-authenticator.com>, registered with GoDaddy.com, LLC.PANEL
The undersigned certifies that he has acted independently and impartially and to the best of his knowledge has no known conflict in serving as Panelist in this proceeding.
Richard Hill as Panelist.
PROCEDURAL HISTORY
Complainant submitted a Complaint to the Forum electronically on August 5, 2020; the Forum received payment on August 5, 2020.
On August 6, 2020, GoDaddy.com, LLC confirmed by e-mail to the Forum that the <google-authenticator.com> domain name is registered with GoDaddy.com, LLC and that Respondent is the current registrant of the name. GoDaddy.com, LLC has verified that Respondent is bound by the GoDaddy.com, LLC registration agreement and has thereby agreed to resolve domain disputes brought by third parties in accordance with ICANN’s Uniform Domain Name Dispute Resolution Policy (the “Policy”).
On August 7, 2020, the Forum served the Complaint and all Annexes, including a Written Notice of the Complaint, setting a deadline of August 27, 2020 by which Respondent could file a Response to the Complaint, via e-mail to all entities and persons listed on Respondent’s registration as technical, administrative, and billing contacts, and to postmaster@google-authenticator.com. Also on August 7, 2020, the Written Notice of the Complaint, notifying Respondent of the e-mail addresses served and the deadline for a Response, was transmitted to Respondent via post and fax, to all entities and persons listed on Respondent’s registration as technical, administrative and billing contacts.
Having received no response from Respondent, the Forum transmitted to the parties a Notification of Respondent Default.
On September 1, 2020, pursuant to Complainant’s request to have the dispute decided by a single-member Panel, the Forum appointed Richard Hill as Panelist.
Having reviewed the communications records, the Administrative Panel (the “Panel”) finds that the Forum has discharged its responsibility under Paragraph 2(a) of the Rules for Uniform Domain Name Dispute Resolution Policy (the “Rules”) “to employ reasonably available means calculated to achieve actual notice to Respondent” through submission of Electronic and Written Notices, as defined in Rule 1 and Rule 2. Therefore, the Panel may issue its decision based on the documents submitted and in accordance with the ICANN Policy, ICANN Rules, the Forum’s Supplemental Rules and any rules and principles of law that the Panel deems applicable, without the benefit of any response from Respondent.RELIEF SOUGHT
Complainant requests that the domain name be transferred from Respondent to Complainant.PARTIES’ CONTENTIONS
A. Complainant
Complainant states that it has become one of the most highly recognized Internet search services. The GOOGLE name and company were created in 1997 by Stanford Ph.D. candidates Larry Page and Sergey Brin. Since that time, the Google search engine has become one of the most highly recognized Internet search services in the world. In connection with its products and services, Complainant offers “2-Step Verification” to protect user accounts. A user that signs into their account is first prompted to provide their password, followed by a second code that is sent to the user’s phone via text, voice call, or Complainant’s mobile app. The “2-Step Verification” process protects users with an extra layer of security, making it more difficult for a hacker to access user accounts. Relatedly, Complainant offers the “Google Authenticator” mobile application, which generates the second code of the “2-Step Verification” process in the app rather than through the user’s text messages or voice calls. Complainant has rights in the GOOGLE mark through its registration in the United States in 2004. The mark is registered elsewhere around the world and it is famous.
Complainant alleges that the disputed domain name is confusingly similar to its GOOGLE mark as it incorporates the mark in its entirety and merely adds the descriptive term “authenticator” along with the “.com” generic top-level domain (“gTLD”).
According to Complainant, Respondent lacks rights or legitimate interests in the disputed domain name as Respondent is not commonly known by the disputed domain name, nor did Complainant authorize it to us the GOOGLE mark in any way. Respondent fails to make a bona fide offering of goods or services or legitimate noncommercial or fair use in connection with the disputed domain name. Instead, Respondent attempts to pass itself off as Complainant: the resolving website mimics Complainant’s Google Authenticator mobile application and Two-Factor Authentication service by displaying Complainant’s GOOGLE Mark, as well as other logos and designs, and it contains hyperlinks to Complainant’s legitimate Two-Factor Authentication web site. Further, Respondent engages in a phishing scheme.
Further, says Complainant, Respondent registered and uses the disputed domain name in bad faith as Respondent attempts to engage in a phishing scheme. Respondent also had actual knowledge of Complainant’s rights in the GOOGLE mark.
B. Respondent
Respondent failed to submit a Response in this proceeding.
FINDINGS
Complainant owns the mark GOOGLE and uses it to market Internet search services around the world. The mark is famous.
Complainant’s rights in its marks date back to at least 2004.
The disputed domain name was registered in 2018.
Complainant has not licensed or otherwise authorized Respondent to use its marks.
The resolving website displays Complainant’s mark and logo, material copied from Complainant’s legitimate website, and the URLs of Complainant’s legitimate websites.DISCUSSION
Paragraph 15(a) of the Rules instructs this Panel to “decide a complaint on the basis of the statements and documents submitted in accordance with the Policy, these Rules and any rules and principles of law that it deems applicable.”
Paragraph 4(a) of the Policy requires that Complainant must prove each of the following three elements to obtain an order that a domain name should be cancelled or transferred:
(1) the domain name registered by Respondent is identical or confusingly similar to a trademark or service mark in which Complainant has rights; and
(2) Respondent has no rights or legitimate interests in respect of the domain name; and
(3) the domain name has been registered and is being used in bad faith.
In view of Respondent’s failure to submit a response, the Panel shall decide this administrative proceeding on the basis of Complainant’s undisputed representations pursuant to paragraphs 5(f), 14(a) and 15(a) of the Rules and draw such inferences it considers appropriate pursuant to paragraph 14(b) of the Rules. The Panel is entitled to accept all reasonable allegations set forth in a complaint; however, the Panel may deny relief where a complaint contains mere conclusory or unsubstantiated arguments. See WIPO Jurisprudential Overview 3.0 at ¶ 4.3; see also eGalaxy Multimedia Inc. v. ON HOLD By Owner Ready To Expire, FA 157287 (Forum June 26, 2003) (“Because Complainant did not produce clear evidence to support its subjective allegations [. . .] the Panel finds it appropriate to dismiss the Complaint”).Identical and/or Confusingly Similar
The disputed domain name incorporates Complainant’s mark in its entirely, merely adding a hyphen, the descriptive term “authenticator”, and the “.com” gTLD. Registration of a domain name that includes a mark in its entirety and adds a descriptive term, a hyphen, and gTLD does not distinguish the domain name from the mark per Policy ¶ 4(a)(i). See Eastman Chem. Co. v. Patel, FA 524752 (Forum Sept. 7, 2005) (“Therefore, the Panel concludes that the addition of a term descriptive of Complainant’s business, the addition of a hyphen, and the addition of the gTLD ‘.com’ are insufficient to distinguish Respondent’s domain name from Complainant’s mark.”). Therefore, the Panel finds that the disputed domain name is confusingly similar to Complainant’s mark per Policy ¶ 4(a)(i).
Rights or Legitimate Interests
Complainant has not licensed or otherwise authorized Respondent to use its mark. Respondent is not commonly known by the disputed domain name: where a response is lacking, WHOIS information may be used to determine whether a respondent is commonly known by the disputed domain name under Policy ¶ 4(c)(ii). See Amazon Technologies, Inc. v. LY Ta, FA 1789106 (Forum June 21, 2018) (concluding a respondent has no rights or legitimate interests in a disputed domain name where the complainant asserted it did not authorize the respondent to use the mark, and the relevant WHOIS information indicated the respondent is not commonly known by the domain name). Here, the WHOIS information for the disputed domain name lists the registrant as “Chia Chuan Lee”. Therefore, the Panel finds that Respondent is not commonly known by the disputed domain name per Policy ¶ 4(c)(ii).
Respondent attempts to confuse internet users into thinking that Respondent is associated with Complainant: the resolving website mimics Complainant’s Google Authenticator mobile application and Two-Factor Authentication service by displaying Complainant’s GOOGLE Mark, as well as other logos and designs, and it contains hyperlinks to Complainant’s legitimate Two-Factor Authentication web site. That is, both the disputed domain name itself, and the content of the resolving website, falsely suggest that they are associated with the Complainant. Use of a disputed domain name to create a false impression that a respondent is associated or affiliated with a complainant is not a bona fide offering of goods or services or legitimate noncommercial or fair use per Policy ¶¶ 4(c)(i) or (iii). Indeed, according to paragraph 2.5 of the WIPO Overview of WIPO Panel Views on Selected UDRP Questions, Third Edition (WIPO Jurisprudential Overview 3.0): “Fundamentally, a respondent’s use of a domain name will not be considered ‘fair’ if it falsely suggests affiliation with the trademark owner …”. See 201 Folsom Option JV, L.P. and 201 Folsom Acquisition, L.P. v. John Kirkpatrick, D2014-1359 (WIPO, Oct. 28, 2014); see also Ripple Labs Inc. v. Jessie McKoy / Ripple Reserve Fund, FA 1790949 (Forum July 9, 2018) (finding the respondent did not use the domain name to make a bona fide offering of goods or services per Policy ¶ 4(c)(i) or for a legitimate noncommercial or fair use per Policy ¶ 4(c)(iii) where the website resolving from the disputed domain name featured the complainant’s mark and various photographs related to the complainant’s business). Therefore, the Panel finds that Respondent has failed to use the disputed domain name to make a bona fide offering of goods or services or legitimate noncommercial or fair use per Policy ¶¶ 4(c)(i) or (iii). And the Panel finds that Respondent does not have rights or legitimate interests in the disputed domain name.
Registration and Use in Bad Faith
Complainant alleges that Respondent engages in a phishing scheme, but provides no evidence to support this allegation. Accordingly, the Panel does not find bad faith registration and use on that ground.
Respondent (who did not reply to Complainant’s contentions) has not presented any plausible explanation for its use of Complainant’s mark. In accordance with paragraph 14(b) of the Rules, the Panel shall draw such inferences from Respondent’s failure to reply as it considers appropriate. Accordingly, the Panel finds that Respondent did not have a legitimate use in mind when registering the disputed domain name.
Indeed, as already noted, consumers visiting the resolving website are likely to be confused as to whether Respondent and/or its website is affiliated in some way with Complainant; and/or the disputed domain name or the associated website are endorsed, authorized, or sponsored by Complainant, none of which are true. This is a form of bad faith use of the disputed domain name. See Bank of America Corp. v. Out Island Props., Inc., FA 154531 (Forum June 3, 2003) (bad faith established “[s]ince the disputed domain names contain entire versions of Complainant’s marks and are used for something completely unrelated to their descriptive quality, a consumer searching for Complainant would become confused as to Complainant’s affiliation with the resulting search engine website.”).
Further, Respondent registered the disputed domain name with actual knowledge of Complainant’s mark: the resolving website displays Complainant’s marks and logo and the URLs of Complainant’s legitimate websites. While constructive notice is insufficient to demonstrate bad faith, actual knowledge of a complainant’s rights in a mark prior to registration may be evidence of bad faith per Policy ¶ 4(a)(iii). See Custom Modular Direct LLC v. Custom Modular Homes Inc., FA 1140580 (Forum Apr. 8, 2008) (“There is no place for constructive notice under the Policy.”); see also Orbitz Worldwide, LLC v. Domain Librarian, FA 1535826 (Forum Feb. 6, 2014) (“The Panel notes that although the UDRP does not recognize ‘constructive notice’ as sufficient grounds for finding Policy ¶ 4(a)(iii) bad faith, the Panel here finds actual knowledge through the name used for the domain and the use made of it.”); see also Univision Comm’cns Inc. v. Norte, FA 1000079 (Forum Aug. 16, 2007) (rejecting the respondent’s contention that it did not register the disputed domain name in bad faith since the panel found that the respondent had knowledge of the complainant’s rights in the UNIVISION mark when registering the disputed domain name). The Panel finds that Respondent had actual knowledge of Complainant’s rights in the mark prior to Respondent’s registration of the disputed domain name and that this constitutes bad faith registration and use under Policy ¶ 4(a)(iii).
DECISION
Having established all three elements required under the ICANN Policy, the Panel concludes that relief shall be GRANTED.
Accordingly, it is Ordered that the <google-authenticator.com> domain name be TRANSFERRED from Respondent to Complainant.
Richard Hill, Panelist
Dated: September 1, 2020