The DNS NEWS report No. 271 highlights the general criticism of ICANN for not intervening in Internet security issues as much as its powers allow, even though the DNS breaches do not decrease the number of hits. A question follows from this observation: should ICANN become a kind of Internet welfare state, or should it remain in the background, as the defenders of Internet neutrality would recommend?
It should be noted that in 2018, ICANN had already taken measures to make the Internet a little more secure, by changing the cryptographic key used to protect the Internet’s address book, the DNS (Domain Name System). However, further efforts are expected.
Domain Name System. – See ICANN, 16 Sept. 2018, Approved Board Resolutions (Regular Meeting of the ICANN Board).
Since the advent of the General Data Protection Regulation (GDPR), it has become really difficult to obtain information about the registrant of a domain name. This obviously complicates the dialogue between trademark and domain name holders.
ICANN has proposed a project to create a System for Standardized Access/Disclosure (SSAD), which would allow standardized access to non-public data on domain name registrations.
The objective of the SSAD is to provide a predictable, transparent, efficient and accountable framework for access to non-public registration data. It must also be consistent with the GDPR.
However, the decision whether or not to grant requests would still belong to the registrars, as legal constraints on personal data may vary from country to country.
This project accelerated in August during Stage 2 of the policy development process, during which a final report was presented that provides 22 recommendations for the system.
The creation of this SSAD could, in the coming years, facilitate the fight against cybersquatting, which has been strongly impacted by the GDPR and WhoIs anonymization processes. It should be remembered that the next round of requests for domain name extensions should take place in 2023, bringing a whole new set of challenges in the fight against Internet attacks.
The top-level domain name extension <.sucks> was opened for registration by ICANN in 2015. At the time, some brands were already concerned about the risk of cybersquatting on this extension, and the possible damage to brand image that this could cause. In fact, many domain names that use well-known trademarks and end in <.sucks> have been registered. Very often, these domain names point to pages where Internet users can complain about the brand in question, whether they are consumers or former employees.
In recent months, the phenomenon has intensified, with a large number of registrations clearly made by the same registrant of <.sucks> domain names. Suddenly, new online pages have emerged, with the same structure and bad comments about renowned brands. A system of resale at prices between $199 and $599 is also in place.
The question of dispute resolution for <.sucks> names is complex, since the situation raises issues relating to freedom of expression.
Two recent cases with opposite outcomes illustrate this complexity. The domain names <mirapex.sucks> and <bioderma.sucks> were both registered by the same registrant and are both the subject of UDRP complaints. In response to these two complaints, the defendant based his argument on freedom of expression. For <mirapex.sucks>, the complaint was unsuccessful; for <bioderma.sucks>, on the contrary, the transfer of the name was ordered.
In the case of <bioderma.sucks>, the expert took into consideration the fact that the registrant did not use the domain name to post bad comments about the trademark in question, but was simply a third party who registered the domain name seeking to resell it. The reseller was a company located in the Turks and Caicos Islands whose activity is the purchase and resale of names in <.sucks>. The latter had no way of verifying whether the bad comments were authentic, especially because those comments seemed to have been added only after the complaint was filed.
On the other hand, in the decision on <mirapex.sucks>, registered by the same company, the transfer was refused. The expert gave special attention to the nature of the <.sucks> extension and to freedom of expression, while underlining the insufficiency of the complainant's arguments.
One thing is sure: prevention is better than cure, so it would be preferable to register a brand in the <.sucks> extension on a purely defensive basis.
While Virgin Enterprises Limited (“Virgin”) was best known to the French public for its megastore on the Champs Elysées, now permanently shut down, the company is still very active in many different sectors, such as travel, under the Virgin Voyages brand, or the mobile sector, under the Virgin Mobile brand. As we all know, success is often followed by harm. Having detected the registration by a third party of domain names incorporating its brands, namely <virgincruisevoyages.com>, <virginmediabiz.com> and <virginmobilewifi.com>, Virgin filed a UDRP complaint against these names on July 23, 2020.
On the day the complaint was notified, July 27, the name <govirginvoyages.com> was registered, and the complainant added it to its complaint. The expert recalled that a complaint can indeed cover several names if they are registered by the same person, under the same name or under common control.
In order to accept the request for consolidation, the expert took into consideration the following elements:
* the names <govirginvoyages.com> and <virgincruisevoyages.com> refer to identical sites and the same email contact;
* the registrant of the name <govirginvoyages.com> has the same first name as the registrant of <virgincruisevoyages.com>, <virginmobilewifi.com> and <virginmediabiz.com>.
Thus, it seems possible to add a reserved name to a complaint after the filing.
Subsequently, the expert was able to conclude without difficulty that the defendant had no legitimate interest and had acted in bad faith. The defendant did not respond to the complaint.
All names resolved to sites copying those of Virgin, and two of them in particular, <virgincruisevoyages.com> and <virginmobilewifi.com>, were used in the context of fraud, aimed at “obtaining public information for commercial gain”. In addition, the registrant had already used, in the past, other domain names related to Virgin’s brands. The expert said that “the use of some of the domain names involved in conducting an e-mail phishing scam is the type of illegal activity that is clearly considered to be the proof of bad faith”. This decision also highlights the need to be vigilant when mail servers, also known as “MX servers”, are set up on a domain name. When such servers are set up, the registrant can send e-mails to anybody from an address that includes the domain name, and endanger the company and its consumers; just checking whether a website is in place on the cybersquatted names is not enough.
In this case, every name was associated with a fake site, and two of them also had a mail server that was carrying an e-mail fraud campaign. Thus, it would be preferable to set up adequate surveillance of the company’s brands and to carefully analyze the names that are closest to the brand, in order to take the right actions once a registration is detected.
Source: WIPO, Arbitration and Mediation Center, Oct. 23, 2020, aff. D2020-1921, Virgin Enterprises Limited v. Aladin Chidi, NA / Aladin Tg.
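The point made above, that checking for a website alone misses look-alike names that have mail servers configured, can be turned into a monitoring triage step. The following is an added example, not part of the original article or of the WIPO decision; the domain names and DNS answers are constructed placeholders, and in practice they would come from resolver queries for A/AAAA and MX records.

```python
# Constructed DNS answers for watched look-alike names (sample data, no
# network lookups). MX entries are (preference, exchange host) pairs.
SAMPLE_RECORDS = {
    "brand-voyages.example": {"A": ["203.0.113.10"],
                              "MX": [(10, "mail.brand-voyages.example.")]},
    "brand-wifi.example":    {"A": [], "MX": [(5, "mx.brand-wifi.example.")]},
    "brand-biz.example":     {"A": ["203.0.113.20"], "MX": []},
    # Null MX (RFC 7505): the owner declares that the name accepts no mail.
    "brand-parked.example":  {"A": ["203.0.113.30"], "MX": [(0, ".")]},
    "brand-idle.example":    {"A": [], "MX": []},
}

def mail_exchangers(mx_records):
    """Return usable MX hosts in preference order, skipping a null MX."""
    hosts = sorted((pref, host.rstrip(".").lower()) for pref, host in mx_records)
    return [host for _, host in hosts if host]  # "." becomes "" and is dropped

def classify(records):
    """Label a name by what is configured on it, not only by its website."""
    has_web = bool(records.get("A") or records.get("AAAA"))
    has_mail = bool(mail_exchangers(records.get("MX", [])))
    if has_web and has_mail:
        return "web+mail"
    if has_mail:
        return "mail-only"
    if has_web:
        # With no MX at all, SMTP may still deliver to the A/AAAA host
        # (RFC 5321 fallback), so this label is not proof that mail is off.
        return "web-only"
    return "inactive"

def triage(zone):
    """Rank names so that mail-capable ones, invisible to a site check, come first."""
    order = {"mail-only": 0, "web+mail": 1, "web-only": 2, "inactive": 3}
    rows = [(name, classify(rec)) for name, rec in zone.items()]
    return sorted(rows, key=lambda row: (order[row[1]], row[0]))

if __name__ == "__main__":
    for name, label in triage(SAMPLE_RECORDS):
        print(f"{label:10} {name}")
```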
Consumers are now demanding more privacy and security in the processing of their personal data.
What are the challenges for the data controller?
There are several challenges for the data controller – i.e. the legal or natural person who determines the purposes and means of a processing operation – to overcome at different scales:
– information management: reducing the data collected by establishing a precise commercial context, and reducing the risks by taking care of the contracts;
– communication with suppliers: being able to find solutions and evaluate each other;
– monitoring of data processing: setting up mechanisms for reporting data breaches or threats concerning suppliers (for example, if Easyjet has had a data breach, the data controller, operating in the same business sector as the airline, can redirect its decisions if notified).
What are the risk management methods?
A more effective risk management includes precise identification of suppliers, prior audits when integrating new suppliers, automation of evaluation and control processes, and risk prevention to protect data.
What about cookies?
They are used to collect data. Their presence is materialized by the banners you find on websites that ask for your consent to collect certain data.
In summary, there are 3 types of cookies:
– cookies strictly necessary for the operation of the site;
– cookies intended to improve the performance and functionality of the site;
– advertising cookies (which will soon disappear, Firefox has already put an end to them, and Google has announced that Chrome will no longer use them in 2021).
How do I collect online consent?
Remember that in France, consent must be free, specific, informed and unambiguous (GDPR).
Nevertheless, in order to collect consent, the user must understand what he is consenting to. He must receive clear information (purpose and duration of the use of cookies, list of third parties with whom the information is shared etc…) and the data controller must be particularly attentive to the layout of his banner.
What should be the role of the DPO (Data Protection Officer) in a modern company?
If the company promotes ethics, innovation, data, then the DPO has a key role: they shed light on data collection, and bring their vision on risks from an individual’s point of view.
In the past, their role was purely administrative, but today it is different: the DPO accompanies the company on a permanent basis. However, they cannot guarantee compliance on their own: they have to build a network within the organization (with the digital or marketing departments in particular) in order to promote the essential principles.
What changes are taking place within companies, in terms of GDPR awareness?
When GDPR came into force, programs were launched to raise awareness of it, and it was necessary to mobilize the entities and ensure they had good skills (setting up e-learning internally, for example).
Despite the existing similarities in legislation, what differences persist and what are the challenges that companies have to face in this respect?
There are technical differences (in terms of data retention time, each country has its own obligations) and very important cultural differences: the way in which people in different countries deal with these subjects depends on their history. Consequently, it is difficult to find “golden rules” (= harmonized rules).
How can organizations benefit from their compliance efforts?
One way to recognize that companies have done their job properly is through certifications, such as HDS certification.