The UDRP Should, Or Should Not Be The Forum To Recover Stolen Domains, How About Some Consistency Boys

As just reminded me I have noted in past UDRP decisions that panels have been reluctant to allow domain holders to recoup ownership of their domain name through the UDRP process.

But in the case Andrew wrote about today, as he pointed out a UDRP panel did just that allow a allegedly stolen domain to be returned to the former owner via the UDRP process.

I have stated that there should be some process by which the victim of a stolen domain should be able to recover it as cheaply and quickly as a UDRP allows a “trademark holder” to recover a domain name that “infringing” on their “trademark”,  but attorneys in the domain industry have warned against the use of a UDRP like system for such a purpose.

You may notice the use of quotes around the term infringing and trademark as UDRP panels have found a “trademark” where none were registered and “infringement” which can’t occur if a trademark doesn’t exist.

Whether the domain name at issue is a three or a 15 letter .org, UDRP is either the proper forum to recover a stolen domain or its not.

So rather than myself and Andrew battling it out, maybe one of the WIPO representative’s and NAF representative’s should make a decision which will bind all panels in the future, whether the UDRP is the proper mechanism for returning an allegedly stolen domain to the former owner and if so under what exact circumstance.

Domain name owner deserve to know.

I’m fine with ever way the heads of those organizations what to call it, but inconsistent decisions are not acceptable.

Either a UDRP is the proper method to recover a stolen domain or its not.

It shouldn’t change with the wind or the panelist

If WIPO and the NAF can’t even agree on how to consistently handle the simplest of complaints, the stolen domain, what hope do the rest of us have in getting consistent decisions where the issues are much more complicated.


  1. John Berryhill says

    “UDRP panels have found a “trademark” where none were registered”


    Since when is registration required to have a trademark in a common law jurisdiction?

    If one can establish a trade or service mark right – and registration of a trademark is NOT a prerequisite for that – then the domain theft is merely treated as a species of bad faith registration.

  2. Jane says

    “then the domain theft is merely treated as a species of bad faith registration”

    species of registration? I guess I missed domainology class. We have heard the arguments surrounding the question of wether or not a transfer or a renewal is tantamount to “registering” a domain name but to include theft seems to me to be an attempt at expanding the scope of the policy in much the same way that domainers are so critical of panelists. It also provides an interesting defense…I didn’t steal the domain name, I registered it!

  3. John Berryhill says

    “but to include theft seems to me to be an attempt at expanding the scope of the policy”

    I don’t quite understand what you are driving at. Obviously, someone who has stolen a domain name became the registrant at some point, and obviously became the registrant with a bad faith intent.

    What Mike is missing here is that he apparently believes that cases of alleged theft are simple to unwind. I’ve seen quite a few, including cases in which I still have no idea whether the domain was or was not stolen. I’ve also seen situations in which someone sells a domain, collects the payment, and then turns around and claims the domain name was stolen and that all of the transactional documents are forgeries.

    To take one recent example – As is typical, the domain registrant’s email was hacked, and in addition to using the email address to take control of the domain name, the thief collected a treasure trove of personal information from the victim’s stored email messages on the server. When confronted about the theft, the thief produced a contract with the actual victim’s signature on it, and a wire transfer receipt purporting to show a transfer to the actual victim’s bank account in the amount of the sale price. The victim’s bank statement, of course, showed no such inbound transfer. But in a UDRP-like situation, which is entirely based on electronically-submitted documents, no panelist is going to be able to sit there and decide which party is the one producing bogus documents.

    Another wild ride was In that situation, a purchaser of the domain name corresponded with the admin contact email address over a period of weeks to negotiate the sale price and payment, and eventually bought the domain name. Then, the registrant began claiming the domain name was stolen. We flat-out did not believe it, and had a wealth of email from the registrant to back it up. Eventually it went to court and, sure enough, it turned out that the email hacker was skillfully monitoring the inbox and outbox, and covering his tracks in a way that was invisible to the email account owner.

    In these situations, to get to the bottom of them, you need to be able to compel production of forensic evidence from third parties. The UDRP doesn’t have a mechanism for that and would be a piss-poor forum for resolving domain thefts per se.

  4. says

    if so under what exact circumstance

    Simple: as long as the complaint follows and proves the standards laid out by UDRP. If you look at all the few, limited cases where UDRP was used to recover allegedly stolen domain names, you’ll find they all met the three criteria laid out by UDRP especially on proving TM rights.

    IMHO, MHB, you’re (understandably) getting caught up with this. While UDRP is intended for no-brainer cybersquatting cases, there’s nothing in it saying something like it can’t be used to recover allegedly-stolen domain names while meeting UDRP’s standards.

    I partly agree there ought to be a cheaper and faster process to (at least try) resolving alleged domain hijackings. TDRP is one possibility, albeit good luck getting ICANN to include that as an option for domain registrants other than just for registrars.

    If anything, UDRP – like any process – is essentially used as a means to an end. There can be more than one way to solve a problem, and often one uses a seemingly more complex yet arguably practical and realistic solution as long as it solves the problem.

    Besides, if a domain registrant really isn’t able to get the registrar to help and short of going to police, what other choice does s/he have that won’t necessarily cost so much time, money and effort?

  5. John Berryhill says

    “TDRP is one possibility, albeit good luck getting ICANN to include that as an option for domain registrants other than just for registrars.”

    The TDRP is pretty much useless even if you can get the cooperation of the registrar.

    The TDRP addresses the question of “was the transfer authorized by the registrant at both ends of the transfer”. Many times, the hi-jacker will take control at registrar A, establish himself as the registrant there, and then transfer the domain name to registrar B. Under the TDRP, there is absolutely nothing wrong with the transfer from A to B, since the registrant was the same party which authorized the transfer at both ends.

    That, in fact, is WHY GoDaddy implemented the 60 day hold on registrar transfers after a registrant update, which everyone complains about. I totally agree that the GD 60 day hold is a royal pain in the ass for those who are surprised by it, and that it isn’t authorized by the relevant ICANN policies on domain transfers. On the other hand, they’ve stopped a lot of hi-jackings cold that way. But folks on the blogs tend to go on a righteous rip about things which have affected them in some way, and never really want to rationally discuss both sides of the coin.

    Bottom line – any system of human decisionmaking is going to come up with wrong answers pretty regularly. You can tweak around the edges of the process to balance things out to an extent, but if your goal is perfection in every instance, you might as well quit now.

    Dave nails the situation in his comment above, and I can’t see why that is so hard for some to understand. Yes, if you can establish a trademark right, either by registration or sufficient common law evidence, then you’ll have a good shot at getting the domain name back. If you had a dictionary word being used for its generic meaning then, no, the UDRP is not going to work out for you.

    Now, in edge cases with no reply by the respondent, it does seem that panels will apply a somewhat lower threshold to finding a trade or service mark right, where there is good evidence that the name was stolen. But whether or not an individual panelist is going to put his/her thumb on the “trademark” scale somewhat in order to arrive at what he/she perceives to be a larger “just result” is a highly discretionary thing. Experienced lawyers and jurists in an international context come to the table with a fairly broad range of ideas about “what judges are supposed to do”. Our own national experience with a highest court that decides pretty much everything on a 5-4 split among judges with decades of experience should be enough to convince you that getting to some sort of universal agreement about what is “right”, “just” or “fair” in hotly contested situations is not some sort of obvious thing.

    Ranting on about “justice” as if there is some sort of broad agreement on what it is, while throwing hot steaming turds at people who disagree with you is, on the other hand, pretty easy for all comers.

  6. John Berryhill says

    And one minor and final note on this thread:

    “How About Some Consistency Boys”

    The UDRP is administered by a variety of people and by panelists who tend to be men and women, and tend not to be “boys”, or even “girls”.

Comment Policy: welcomes reader comments. Please follow these simple rules:

  • Stay on topic
  • Refrain from personal attacks
  • Avoid profanity
  • Links should be related to the topic of the post
  • No spamming. Listing domains, products, or services will get the comment deleted

We reserve the right to remove comments if we deem it necessary.

Join the Discussion