Locke Liddell and Sapp

INTERNET DOMAIN NAME SECURITY: Cyberjacking and Tragic Lapse

By Paul Van Slyke 

 and  Nathan Belzer  Copyright© 2001



What do Microsoft, Adobe, J.P. Morgan, Excite and Adidas have in common?  They have all lost important Internet domain names and experienced the potentially catastrophic effects of worldwide web site and e-mail shutdowns.  The fact that such sophisticated companies have lost domain names highlights the importance of safeguarding these assets.  The information in this bulletin is intended to help you identify potential perils and suggest some alternative solutions. 

The Perils and the Losses

§         Inadvertent failure to renew.  Your accounting department may easily overlook paying the renewal fee timely or the invoice may be sent to the wrong address.  Another party can register your domain name immediately upon expiration.  When a domain name registration expires without renewal or is fraudulently transferred, it is often expensive or impossible to buy the rights from another party who has acquired the registration.  Your legal fees and purchase cost to reacquire the domain name can be quite high. 

§         Malicious cyber-jacking.  Hacking into the Registrar’s computer or sending a forged fax form to the Registrar can cause transfer of ownership of a domain name to another party.  This happened to adobe.com, gte.net, excite.net and others. 

§         Vandalism.  Traffic to your web site can be redirected to another site such as a pornography site or political protest site.  This can by done by fraud or computer hacking by simply changing the IP address (i.e., the numeric address at which your web site is located on the Internet).  Vandals redirected traffic from Nike's flagship site nike.com to an Australian activist website that complained about employment practices and fomented protests against Nike. 

§         Accidental deletion by the Registrar.  Occasionally, a domain name is deleted from the registry by human or computer error and then picked up by another party.  This happened to webtechs.com. 

§         Departing employee theft.  Many domain names are registered in the name of employees instead of the company and can be stolen or sabotaged upon departure.  This happened to printbid.com.


What Can You Do?

§         Manual solution.  One alternative is to set up an internal reminder system to renew your domain name registrations timely and to check frequently for any changes in the WHOIS database maintained by VerSign, Inc. (formerly Network Solutions, Inc.).  Check each domain name at least monthly for unauthorized changes in the WHOIS database.  Employee turnover or inattention, however, may make this first alternative less reliable. 

§         SnapNames.  An automated solution is to use one of the vendor services that have become available.  SnapNames, one vendor that provides these services, offers to protect every domain name you own at a current cost of $49.00 per domain name for one year of coverage.  SnapNames proposes to remind you by e-mail of upcoming expiration dates and alert you of any change, whether unintentional or malicious, in your domain name registration records.  If a Registrar inadvertently drops your domain name or you did not know you had to renew it, SnapNames offers to automatically reacquire the domain name on your behalf — registration cost included.  The potential savings in legal fees and repurchase cost from a speculator or squatter can far exceed the monitoring cost.  SnapNames is a good solution for a small portfolio of domain names (i.e., fewer than fifty). 

§         Back ordering service.  Through SnapNames you may also monitor a domain name you do not yet own.  SnapNames’ back ordering service will immediately alert you if the watched registration lapses and automatically acquires it on your behalf.  750,000 domain names expire every month.  The ones you wanted and missed could soon become available.  You may have wanted a domain name that is owned by someone else.  Or, you may have been unable to acquire spelling variations of your domain name.  This back ordering service may assist you in the acquisition of these currently unavailable domain names.  Of course, simply acquiring a domain name does not necessarily mean that you can use it.  Domain names that contain the trademark or brand of another party may pose infringement problems if used.  Ask your attorney to review your trademark portfolio and advise you on (i) the variations of your domain names that may be advisable to obtain and (ii) whether use of additional domain names would violate the trademark rights held by others. 

§         VeriSign.  Another vendor offering an automated solution is VeriSign, Inc. which has acquired Network Solutions, Inc.  VeriSign’s service is a comprehensive domain name management solution that is best suited for clients with a large portfolio of domain names (i.e., more than fifty).  With VeriSign, all of a client’s domain names are “locked” against changes in the registry except as authorized by a short list of authorized users with passwords.  VeriSign is named as the billing contact and handles all renewal payments automatically to prevent inadvertent lapse.  VeriSign also provides a standard default template for owner, administrative, and technical contact names and addresses to create uniformity in a client’s domain name registrations.  VeriSign has the capability to limit by name the number of people authorized to create names on behalf of a company.  VeriSign offers a data screen accessible on the Internet that shows a company’s entire domain name portfolio, along with the status and contact addresses of each domain name.  VeriSign charges $60.00 per domain name per year (which includes the cost of renewal) for these services. 

§         Centralizing your domain names.

In addition to the above, we recommend certain additional steps to secure rights in your domain names: 

°     Law firm.  Consider engaging a law firm familiar with domain name matters to set up and manage the registrations, renewals and changes to all your domain names. 

°     Develop an enterprise-wide strategy and policy guidelines for obtaining, maintaining and protecting domain names.  Ask your attorneys to draft comprehensive policy guidelines for obtaining, maintaining and protecting domain names.  Distribute the policy throughout the enterprise by a high level manager and insist that it be followed. 

°     Designated employees.  Designate employees or your outside law firm members who can register domain names.  In the policy guidelines, limit a trusted two or three people who have the authority to register, renew or change the records on any enterprise domain names. 

°     Inventory of domain names.  Compile an inventory of all your domain names and the names of the Registrars at which they are registered.  Consider using a domain name management system such as NameEngine, NameBoy, Register.com or VeriSign’s IDNames.  Appoint one primary person and one backup person to handle renewals and monitor changes in the domain name registry. 

°     Default list.  Set up a standard, default list of technical, administrative and billing contacts for all company domain names.  Frequently, a company's domain names (especially those listed in the name of an employee) have a wide variety of contact names and addresses. 

°     One owner name.  Transfer the owner name on each registration to one company name. 

°     Impersonal address.  Consider setting up contact names at an impersonal address, (e.g., webmaster@youraddress.com). 

°     Variations.  Register variations and corrupted spellings of your domain name.  (e.g., Microsof.com) as well as other top level domain names and country codes (e.g., your address.net, .org, .cc, .co.uk).  This will block encroachment of others on your domain names and reduce the number of actions you must initiate to take over domain names similar to yours.

JurisNotes.Com - The Law in Brief
Copyright ©  JurisNotes.Com