WebSec Holdings, B.V., the Netherlands, fired up their legal salvo to acquire the domain name Websec.com. Registered in 2002, the domain’s creation date predates the Dutch cybersecurity’s formation date by 18 whole years.
Prior to the UDRP, the Complainant offered $1,000 to acquire the domain; the Respondent’s acquisition of the domain in 2016 cost more, apparently; he countered with $10,000 dollars. Negotiations stalled and the Complainant proceeded with a “Plan B” approach.
The Respondent’s counsel is John Berryhill. The WIPO panel ordered the domain to remain with the Respondent, on the basis of the Complainant’s date of formation, which was also used to declare a finding of Reverse Domain Name Hijacking:
[…] the Complainant provided false allegations in the Complaint. Indeed, the Complainant stated that “[i]n 2016, WebSec Holdings (at that time doing business as OS.SI Consulting B.V.) commenced operation. In 2020, WebSec Holdings, B.V. along with sister entity, WebSec B.V., commenced formal operations”. However, as demonstrated by the Respondent in annex B to the Response OS.SI Consulting was only established in January 2019 by another person than the owner of the Complainant, and was wound up already because it lacked activities on July 27, 2020 (i.e., a week before the Complainant was established). Moreover, the Complainant asserted that it had been using the trademark WEBSEC since 2016 in the European Union and subsequently in the United States since 2020 but did not submit any evidence of use to substantiate its allegations;
ARBITRATION AND MEDIATION CENTER – ADMINISTRATIVE PANEL DECISION
WebSec Holdings, B.V. v. Marty Martin, Adapt Partners Case No. D2023-0813
The Parties
The Complainant is WebSec Holdings, B.V., the Netherlands, represented by Solace Law, United States of America (“Unites States”).
The Respondent is Marty Martin, Adapt Partners, United States, represented by John Berryhill, Ph.d., Esq., United States.
The Domain Name and Registrar
The disputed domain name websec.com is registered with eNom, LLC (the “Registrar”).
Procedural History
The Complaint was filed with the WIPO Arbitration and Mediation Center (the “Center”) on February 23, 2023. On February 23, 2023, the Center transmitted by email to the Registrar a request for registrar verification in connection with the disputed domain name. On February 23, 2023, the Registrar transmitted by email to the Center its verification response disclosing registrant and contact information for the disputed domain name which differed from the named Respondent (Redacted for Privacy) and contact information in the Complaint. The Center received on February 23 and 24, 2023, email communications from the Respondent. The Center sent an email communication to the Complainant on March 1, 2023, providing the registrant and contact information disclosed by the Registrar, and inviting the Complainant to submit an amendment to the Complaint. The Complainant filed an amended Complaint on March 1, 2023 twice.
The Center verified that the Complaint together with the amended Complaints satisfied the formal requirements of the Uniform Domain Name Dispute Resolution Policy (the “Policy” or “UDRP”), the Rules for Uniform Domain Name Dispute Resolution Policy (the “Rules”), and the WIPO Supplemental Rules for Uniform Domain Name Dispute Resolution Policy (the “Supplemental Rules”).
In accordance with the Rules, paragraphs 2 and 4, the Center formally notified the Respondent of the Complaint, and the proceedings commenced on March 7, 2023. In accordance with the Rules, paragraph 5, the due date for Response was March 27, 2023. On March 20, 2023, the Respondent requested an extension of the Response due date. In accordance with the Rules, paragraph 5(b), the Response due date was extended to March 31, 2022. The Response was filed with the Center on March 30, 2023.
The Center appointed Luca Barbero, Sally M. Abel, and Alfred Meijboom, as panelists in this matter on April 14, 2023. The Panel finds that it was properly constituted. Each member of the Panel has submitted the Statement of Acceptance and Declaration of Impartiality and Independence, as required by the Center to ensure compliance with the Rules, paragraph 7.
Factual Background
The Complainant is a cybersecurity company headquartered in the Netherlands, which was incorporated on August 3, 2020.
The Complainant is the owner of the following trademark registrations for WEBSEC:
European Union trademark registration No. 018679478 for WEBSEC (figurative mark), filed on March 29, 2022 and registered on September 7, 2022, in International classes 9, 42, and 45;
United States trademark registration No. 6985649 for WEBSEC (word mark), filed on January 21, 2022 claiming first use as of March 8, 2020 and registered on February 21, 2023, in International class 42.
The Complainant also owns the domain name websec.nl, which was registered on June 7, 2016 and is currently used by the Complainant to promote its cybersecurity services under the trademark WEBSEC.
The disputed domain name websec.com, currently not pointed to an active website, was first registered on April 8, 2002 but was acquired by the Respondent in September 2016.
Parties’ Contentions
Complainant
The Complainant contends that the disputed domain name is identical to the trademark WEBSEC in which the Complainant has rights.
The Complainant asserts that it has been using the trademark WEBSEC since 2016 in the European Union and subsequently in the United States since 2020, although multiple United States confidential partnerships had been put in place before 2018.
The Complainant further submits that the Respondent’s use of the disputed domain name, identical to the Complainant’s trademark, produces a strong likelihood of confusion as to the source and/or sponsorship of the goods and services offered and creates ongoing prospective infringement liability due to its current sale disposition.
With reference to rights or legitimate interests in respect of the disputed domain name, the Complainant states that the Respondent is not commonly known by the disputed domain name and submits that it never assigned, granted, licensed, sold, transferred or in any way authorized the Respondent to register or use its trademark WEBSEC. The Complainant further indicates that, although the disputed domain name is currently not pointed to an active website, it was apparently initially used for providing web security services, though it is unclear whether the Respondent was involved with the organization that launched the website at the disputed domain name or whether it obtained it straight after. Indeed, the Complainant contends that the Respondent obtained the disputed domain name subsequent to that use but after the Complainant commenced operation.
The Complainant further submits that, given the initial use of the disputed domain name, strictly tethered to web security services, it is highly likely that the Respondent intended to capitalize off the trademark
WEBSEC purely for commercial gain and/or to capitalize on the Complainant’s global presence by offering the disputed domain name for sale for an amount well in excess of the documented out of pockets costs.
The Complainant also states that the Respondent has not used the disputed domain name for a legitimate, noncommercial or equitable purpose or in connection with a bona fide offering of goods and services as it has offered it for sale to the Complainant at an amount in excess of the out-of-pocket costs.
Specifically, the Complainant indicates that, on October 27, 2020, it commenced contact with the Respondent, offering to purchase the disputed domain name for the amount of EUR 1,000, which the Complainant found to be corresponding to the fair market value of the disputed domain name. The Respondent however replied on the same date claiming it paid more than USD 1,000 for the disputed domain name, and offered to sell it to the Complainant for USD 10,000.
The Complainant further contends that the Respondent’s acquisition of the disputed domain name from a third party, which may have had a legitimate claim to the disputed domain name and may have put it to good faith use before, does not mitigate the Respondent’s bad faith registration and use of the disputed domain name.
Moreover, the Complainant submits that the Respondent may be in the SEO industry but makes no offering of cybersecurity services and states that, though the original registrant is unknown, the facts have shown that the Respondent has never operated within the field of cybersecurity and currently operates a robust SEO agency.
The Complainant concludes that the Respondent appears to be holding the disputed domain name in bad faith to benefit financially from its sale to the Complainant or to any third-party that would be willing to pay a higher price.
Respondent
The Respondent rebuts the Complainant’s contentions stating that, with reference to the first requirement, the Respondent’s trademark rights postdate the Respondent’s registration of the disputed domain name, as the Complainant falsely attempted to attribute the first use of the trademark WEBSEC in 2016, a year in which it was allegedly doing business as OS.SI Consulting B.V., though as the Respondent underlines, the OS.SI Consulting B.V. company was first formed on January 25, 2019 and was led by a different manager, also sole shareholder of the company at the time.
Indeed, the Respondent goes on to highlight that there is no proof that the Complainant ever came into possession of trademark rights belonging to any predecessor entity as claimed by the Complainant, since the alleged predecessor in question had a different management and did not exist until 2019, whilst the Respondent registered the disputed domain name in 2016.
With reference to rights or legitimate interests in respect of the disputed domain name, the Respondent states that, contrary to the Complainant’s claims, its business, consisting in search engine optimization (SEO) of client websites, predates the Complainant’s registration and use of the trademark WEBSEC and the Respondent purchased the disputed domain name in 2016, registering also “WebSec.com” as its business name in Wake Country, North Carolina in 2017, for the sole purpose of providing a service in connection with its business.
The Respondent also states that its website at the disputed domain name ran for several years and provided users the ability to automatically scan websites using the Mozilla Observatory security scanning system with the aim of allowing users to find security vulnerabilities and to perhaps enlist the Respondent’s help in fixing them.
The Respondent explains that, in view of shifting commercial priorities coincident with the Covid-19 pandemic, the Respondent took down the public-facing website at the disputed domain name and began using the disputed domain name for internal purposes.
The Respondent further underlines that it undertook substantial ongoing preparations to develop the website further, as in January 2017, it commissioned a logo to be developed for the website, sought to hire offshore developers for “the web sec content”, and further acquired an SSL certificate for the site in August 2017.
The Respondent underlines that neither the Complainant nor its falsely claimed “predecessor” existed at the time.
The Respondent further illustrates that, according to its research, in November 2016, shortly after the Respondent registered the disputed domain name, the domain name now owned by the Complainant,
websec.nl was pointed to an undeveloped placeholder site with dummy text since the Complainant did not yet exist.
Additionally, the Respondent underlines that “Websec” is a commonly used generic expression relating to web security, that has been the acronymic name of the Internet Engineering Task Force (IETF) Working Group on Web Security since 2011 as well as being the name of a Reddit discussion section r/websec since December 2009, besides being used extensively and non-distinctively by various online entities such as:
Websec.be – a web security firm in the Complainant’s neighboring country of Belgium; Websec.ca / Websec.mx – a Canadian website security firm operating since at least 2016; Websec-test.com – the home of Websec Gmbh of Germany;
Websecblog.com – a web security blog; Websec.eu – a Polish web security firm; Websec.io – a web security information resource;
Webseccorp.com – a United States web security firm since 2004.
Considering the above, the Respondent claims to have rights and legitimate interests in the disputed domain name, as it has in fact been using the disputed domain name in connection with a bona fide offering of goods and services prior to notice of the present dispute, it has made substantial preparations to further develop the website at the disputed domain name and it owns senior registered business name rights for “WebSec.com”.
With reference to the circumstances evidencing bad faith, the Respondent indicates that the Complainant knew the disputed domain name was registered to the Respondent at the moment of launching its business in 2020 and contends that, even if the Respondent would gift OS.SI Consulting B.V. to the Complainant, evidence has shown that OS.SI Consulting B.V. was established in 2019 and not before 2016 when the Respondent launched its service.
Moreover, the Respondent emphasizes that the Complainant started contacting it in October 2020 (only two months after it was established), via a Hotmail email address, offering an initial price of EUR 1,000 to purchase the disputed domain name, while the Complainant had not filed the United States and European Union trademark applications yet. Emphasis is also laid on the fact that the Complainant started the negotiations and not vice versa.
The Respondent underlines that, contrary to the Complainant’s assertions, considering the Complainant’s trademark registrations were still not issued or existent when it received the Complainant’s first email communication, it is highly unlikely that the Respondent, in replying to the Complainant’s email, had in mind the Complainant’s rights or was intending to sell the disputed domain name to the Complainant to benefit financially from the trademark’s fame and world renown, especially considering there was no evidence at the time to suggest the Complainant had become famous among the multiple non-distinctive concurrent users of “websec” as a generic term.
The Respondent concludes that the registration and use of the disputed domain name for the legitimate purpose of offering web security scanning to attract SEO clients, has been prior to notice of a dispute and well senior to the Complainant’s claim and submits that its use has been legitimately related to the widely known and non-distinctive primary meaning of generic and widely used term “websec”. Furthermore, the Respondent notes that the Complainant did not mention one fact, or provide any evidence, to prove the Respondent should have known of the Complainant’s trademark when it purchased the disputed domain name in September 2016.
Discussion and Findings
According to paragraph 15(a) of the Rules: “A Panel shall decide a complaint on the basis of the statements and documents submitted and in accordance with the Policy, these Rules and any rules and principles of law that it deems applicable.” Paragraph 4(a) of the Policy directs that the Complainant must prove each of the following:
that the disputed domain name registered by the Respondent is identical or confusingly similar to a trademark or service mark in which the Complainant has rights;
that the Respondent has no rights or legitimate interests in respect of the disputed domain name; and
that the disputed domain name has been registered and is being used in bad faith.
Identical or Confusingly Similar
The majority of the Panel finds that the Complainant has established rights over the trademark WEBSEC based on the trademark registrations cited under section 4 above and the related trademark certificates submitted as annex 4 to the Complaint.
As indicated in section 1.1.2 of the WIPO Overview of WIPO Panel Views on Selected UDRP Questions, Third Edition (“WIPO Overview 3.0”), the filing/priority date, date of registration, and date of claimed first use, are not considered relevant to the first element test, but these factors may bear on a panel’s further substantive determination under the second and third elements. In addition, as highlighted in section 1.7 of the WIPO Overview 3.0, the first element functions primarily as a standing requirement, and the threshold test for confusing similarity typically involves a side-by-side comparison of the domain name and the textual components of the relevant trademark to assess whether the mark is recognizable within the disputed domain name.
In the case at hand, the Complainant’s trademark WEBSEC is entirely reproduced in the disputed domain name, with the mere addition of the Top-Level Domain “.com”, which is commonly disregarded under the first element confusing similarity test (section 1.11 of the WIPO Overview 3.0).
Therefore, the majority of the Panel finds that the Complainant has proven that the disputed domain name is identical to a trademark in which the Complainant has established rights according to paragraph 4(a)(i) of the Policy.
Panelist Sally M. Abel, instead, considers the first prong to be satisfied only with proof of prior trademark rights, which proof is lacking in this case. According to Panelist Abel, this prong of the test is not to be for procedural standing purposes only. Therefore, according to Panelist Abel, the Complainant already fails under the first requirement and the Panel should be under no obligation to consider this matter further.
Rights or Legitimate Interests
The Complainant must make a prima facie case that the Respondent has no rights or legitimate interests in respect of the disputed domain name, which the Respondent may rebut (e.g., Croatia Airlines d.d. v. Modem
Empire Internet Ltd., WIPO Case D2003-0455). In doing so, the Respondent may establish a right or legitimate interest in the disputed domain name by demonstrating in accordance with paragraph 4(c) of the Policy any of the following:
“(i) before any notice to you of the dispute, your use of, or demonstrable preparations to use, the domain name or a name corresponding to the domain name in connection with a bona fide offering of goods or services; or
you (as an individual, business, or other organization) have been commonly known by the domain name, even if you have acquired no trademark or service mark rights; or
you are making a legitimate noncommercial or fair use of the domain name, without intent for commercial gain to misleadingly divert consumers or to tarnish the trademark or service mark at issue.”
In the case at hand, the Complainant states that the Respondent was not authorized to use the Complainant’s trademark, is not commonly known by the disputed domain name, and has not been using the disputed domain name in connection with a bona fide offering of goods or services or in connection with a legitimate noncommercial or fair use.
The Respondent has rebutted the Complainant’s contentions stating that it acquired the disputed domain name in 2016 and, before the filing of the Complainant’s trademark, it had been using the term “websec” in good faith for the sole purpose of providing a service in connection with its business.
The Respondent demonstrated, via screenshots submitted as annex F to the Response, that its website at the disputed domain name – currently inactive – was active for several years in the past, providing users the ability to automatically scan websites using the Mozilla Observatory security scanning system with the aim of allowing users to find security vulnerabilities.
The Panel further notes that the Respondent undertook substantial ongoing preparations to develop the website further, as in January 2017 it commissioned a logo to be developed for the website, sought to hire offshore developers for “the web sec content”, and further acquired an SSL certificate for the website in August 2017.
The Respondent also submitted a notarized certificate showing that it adopted “Websec.com” as registered business name on April 11, 2017. Moreover, the Respondent has also demonstrated that the term “websec” encompassed in the disputed domain name, has been used by several third parties, including businesses, which existed before the Complainant was incorporated.
Lastly, the Respondent has shown that, at the time the Respondent acquired the disputed domain name in 2016, the Complainant’s website at websec.nl was undeveloped and the Complainant did not even exist as it was established only in 2020.
In view of the above, the Panel finds that the Respondent has proved that it has been using the disputed domain name in connection with a bona fide offering of goods or services since long before the Complainant’s foundation and its filing of trademark applications for WEBSEC in the European Union and in the United States.
Therefore, the Panel concludes that the Complainant has failed to demonstrate that the Respondent has no rights and legitimate interests in the disputed domain name according to paragraph 4(a)(ii) of the Policy.
Registered and Used in Bad Faith
Paragraph 4(a)(iii) of the Policy requires that the Complainant proves that the disputed domain name was registered and is being used by the Respondent in bad faith.
In light of the findings under section 6.B above, the Panel does not need to address the issue of registration and use of the disputed domain name in bad faith. However, the Panel notes that there is no evidence on record that the Respondent registered and/or used the disputed domain name with the intention to target the Complainant and its trademark.
As indicated above, the Respondent acquired the disputed domain name in 2016, several years before the Complainant was established in its present form (albeit noting that the Complainant’s websec.nl site was live in July 2016), filed its first trademark applications for WEBSEC in 2022 and started using the trademark. Accordingly, the Respondent could have not been aware of the Complainant’s claimed trademark rights at the time of the acquisition of the disputed domain name. Moreover, there is no evidence that the Respondent might have ever used the disputed domain name to target the Complainant and its trademark.
In the circumstances of the case, the Respondent’s request, in reply to the Complainant’s offer to purchase the disputed domain name, of an amount which substantially exceeds the amount the Complainant subjectively deemed the market value of the disputed domain name, is not sufficient to demonstrate that the Respondent registered the disputed domain name primarily to offer it for sale to the Complainant at an amount exceeding of the out-of-pocket costs.
The Panel therefore finds that the Complainant has also failed to demonstrate that the Respondent registered and used the disputed domain name in bad faith.
Reverse Domain Name Hijacking
Paragraph 15(e) of the Rules provides that, if “after considering the submissions the Panel finds that the complaint was brought in bad faith, for example in an attempt at Reverse Domain Name Hijacking or was brought primarily to harass the domain-name holder, the Panel shall declare in its decision that the complaint was brought in bad faith and constitutes an abuse of the administrative proceeding”.
The Rules define Reverse Domain Name Hijacking as “using the Policy in bad faith to attempt to deprive a registered domain-name holder of a domain name.”
The Panel concludes that the Complainant’s actions constitute Reverse Domain Name Hijacking for the following reasons:
the Complainant, which is represented by a lawyer, should have appreciated the weakness of its case in view of the fact that the disputed domain name was registered well before the Complainant acquired trademark rights on WEBSEC. In addition, a simple online search would have highlighted that the term “websec” encompassed in the disputed domain name cannot be exclusively referable to the Complainant, being used since years by several third parties offering information or services in the web security field;
the Complainant provided false allegations in the Complaint. Indeed, the Complainant stated that “[i]n 2016, WebSec Holdings (at that time doing business as OS.SI Consulting B.V.) commenced operation. In 2020, WebSec Holdings, B.V. along with sister entity, WebSec B.V., commenced formal operations”. However, as demonstrated by the Respondent in annex B to the Response OS.SI Consulting was only established in January 2019 by another person than the owner of the Complainant, and was wound up already because it lacked activities on July 27, 2020 (i.e., a week before the Complainant was established). Moreover, the Complainant asserted that it had been using the trademark WEBSEC since 2016 in the European Union and subsequently in the United States since 2020 but did not submit any evidence of use to substantiate its allegations;
the Complainant’s case appears to be based on the argument that the Respondent’s use of a common/descriptive domain name in connection with a currently inactive website – which in the past offered web security services independently of any awareness of the Complainant – and the offering the disputed domain name for sale amounts to evidence of bad faith. The Panel finds that the Complainant should have contemplated that it could not succeed with such an argument;
the circumstances of the case clearly show that this was launched by the Complainant after its failure to purchase the disputed domain name from the Respondent.
Decision
For all the foregoing reasons, the Complaint is denied. The Panel further declares that the Complaint was brought in bad faith and that it constitutes an abuse of the administrative proceeding.
/Luca Barbero/ Luca Barbero Presiding Panelist
/Sally M. Abel/ Sally M. Abel Panelist
/Alfred Meijboom/ Alfred Meijboom Panelist
Date: May 1, 2023