Cybersecurity company fails to grab keeper .com in cybersquatting dispute

Keeper Security failed to show that the domain was registered in bad faith.

Cybersecurity company Keeper Security, Inc. has lost a cybersquatting dispute it filed against the domain name keeper .com.

The Complainant argued that the domain name was spreading malware. It hired a private investigator who gathered evidence that suggested the domain owner was out of business.

The problem for Keeper Security was that it gathered no evidence proving the domain was registered in bad faith. The Whois record reflects the original registrant, a company that sold menstrual cups.

In his decision (pdf), World Intellectual Property Organization panelist Lawrence K. Nodine addressed the Complainant’s arguments about the malware and how the circumstances don’t apply to UDRP:

Complainant contends that the bad faith registration requirement is satisfied here because an unknown and unnamed bad actor somehow hijacked the Disputed Domain Name in recent years to distribute malware and that this third parties’ actions are tantamount to a transfer of the domain name. WIPO Overview 3.0, section 3.9 (transfer date treated as registration date). Complainant does not claim to know when the unidentified bad actor started using the Disputed Domain Name for this purpose, but there are several reports since 2021 of Internet users being infected with malware after visiting the Disputed Domain Name website. Complainant supports its argument by combining these malware reports with evidence that Respondent is no longer in business and Respondent’s failure to respond to many efforts to communicate about the malware. Complainant alleges that since 2022 Respondent “no longer controls” the Disputed Domain Name and that an unknown and unnamed third-party bad actor renewed the Disputed Domain Name on May 30, 2024.

The Panel is not in a position to confirm this contention. The submitted WhoIs evidence shows an unbroken chain of ownership of the Disputed Domain Name by Respondent. There is no evidence Respondent, who registered the Disputed Domain Name in 1995, has transferred it to anyone.

Complainant cites no authority for the proposition that a third party’s malicious infection of a website associated with a domain name would satisfy the requirement of bad faith registration. Complainant also fails to support its theory with persuasive evidence. Although the evidence is sufficient to show that visitors to the Disputed Domain Name website have been infected by malware, Complainant offers no evidence about how this is accomplished and, in particular, there is no evidence the alleged bad actors’ actions are so extensive as to constitute a complete takeover of the Disputed Domain Name tantamount to a transfer of ownership, and thereby constitute registration. Complainant’s assertion, for example, that the third party recently renewed the Disputed Domain Name is mere speculation and ignore more likely possibilities, such as Respondent himself renewed the Disputed Domain Name or that it was automatically renewed by default. Regardless, panels have consistently held that renewing a domain name does not constitute registration under the Policy. WIPO Overview 3.0, section 3.9.

Complainant does not foreclose the possibility that the hypothesized third party’s actions, while malicious, fall short of taking complete control of Respondent’s website and the Disputed Domain Name. The alleged bad actor may have “infected” Respondent’s website resolving from the Disputed Domain Name, but not “taken control” of it so completely as to constitute constructive transfer of ownership of the Disputed Domain Name itself. This distinction is important. If mere infection were enough to be considered a transfer, and thereby satisfy the bad faith registration requirement, this would expose legitimate domain name owners to an accusation of bad faith registration whenever a cyber-criminal infected its website. This is especially problematic given the potential that a domain name owner may not be aware that its website has been infected by bad actors. Moreover, while related, the Panel notes that a website resolving from a domain name and a domain name registration are distinct entities, and that access to the website does not necessarily indicate full control and/or ownership of the domain name itself.

Nodine summarized how UDRP does not apply:

The Panel acknowledges that Complainant has a compelling need to stop the distribution of malware from a website that is identical to its Mark. However, the Policy does not apply in the circumstances of this case.

The good news for Keeper Security is that keeper.com no longer resolves, so it’s no longer spreading any malware.