Arguments for Recalling WIPO RFC3 and Proposal for DNS/TM Resolution
First Monday


Arguments for Recalling WIPO RFC3 and Proposal for DNS/TM Resolution

The Internet Domain Name System (DNS) allows a user to associate a name with a resource on the Internet, such as a machine, an electronic mail address, or a Web site. Trademarks exist in another, more traditional, name system which permits a customer to associate a product name with an enterprise, the mark owner. This paper argues that DNS names are intersubjective and never objective, while trademarks are objective and may also be intersubjective. These basic differences between a DNS name and a trademark name were however fully ignored by the World Intellectual Property Organization (WIPO) report RFC3, which seeks to regulate worldwide Internet domain names in purely objective terms. This paper further demonstrates that conflicts between the two naming systems exist in the intersubjective arena but are less than 0.04% for a typical well-known mark in a period of nine months. These results suggest that WIPO's RFC3 is basically flawed in motivation, qualification, and method, so that it should be recalled in totum. Its application would more probably cause more difficulties to Internet users and trademark owners than the few confusing cases it may avoid. A solution to these problems may be found in digital identity certification or at least origin authentication. "Business server certificates" - based on cryptographic challenge-response - can concretely define an objective business identifier on the Internet and can be used to support trademark requirements. Other issues such as cybersquatting, anonymity in DNS registration and tracing and stopping trademark-infringement sites are also treated in this paper.

Contents

Introduction
WIPO's Postulated Conflict with their Jurisdictional Matters
WIPO's Reported Extent of Conflict is Contradicted by Context
WIPO Assumptions Not Granted even if One-Sided
Unwarranted Association - Security Flaw
"Third-Class Trust Association
Wrong Market Motivation
Wrong Certification
Wrong Address Model
Wrong Theory
Denial by Similarity
Confusing "Who" with "Where"
Privacy versus Security
Negation of Previous Legal Principles
Internet Anonymity Not an Insurmountable Threat to Trademark Protection - A Commercial Opportunity?
What Is an Internet Domain Name?
Answering NTIA's White Paper Requests
Avoiding the "Tragedy of the Commons"
Conclusion

Introduction

The World Intellectual Property Organization (WIPO) is an organization founded through a treaty by States (171 States are members) essentially establishing international frameworks for each of the rights that make up intellectual property, and systems for obtaining international protection of intellectual property rights. However, there is a large diversity in worldwide legislation, as each member State is sovereign and may have different rules, rights and trademark limitations - including the recognition of famous trademarks.

The Internet Corporation for Assigned Names and Numbers (ICANN) [1] is a U.S. non-profit corporation under the laws of California, that was formed to take over the U.S. responsibility for the IP address space allocation, protocol parameter assignment, domain name system management, and root server system management functions now performed under U.S. Government contract by IANA and other entities. However, ICANN's policies also have a worldwide reach, not only because the Internet is worldwide but also due to the fact that as of March, 1999, more than 25 governments and international organizations have already endorsed ICANN as the body to set Internet policy matters [2]. However, each world State is sovereign in their own management of their ccTLDs namespaces such as .us (US), .jp (Japan), .de (Germany), .br (Brazil), etc. - besides the gTLDs, such as .org., .com, .net, etc. which are not country-specific but are managed according to U.S. laws.

On June 5,1998, the U.S. Government called upon several organizations, including WIPO and ICANN, to:

  1. develop recommendations for a uniform approach to resolving trademark/domain name disputes involving cyberpiracy,
  2. recommend a process for protecting famous trademarks in the generic top level domains, and
  3. evaluate the effects, based on studies conducted by independent organizations, of adding new gTLDs and related dispute resolution procedures on trademark and intellectual property holders.

This action was based on the Statement of Policy on the Management of Internet Names and Addresses (the "White Paper"), issued by the National Telecommunications and Information Administration (NTIA), an agency of the U.S. Department of Commerce.

In response to NTIA, WIPO has produced the document RFC3 [3], which is one of the subjects of this essay. But, already, WIPO is using their proposed RFC3 to provide a justification for WIPO's own commercial activities in domain name arbitration for the .io domain [4]. However, domain names in the .io domain are provided on a first-come first-served basis - which tends to maximize arbitration costs, later on to be collected by WIPO. The unfortunate ethics and the conjunction of legislative and judicial powers jointly performed by WIPO under the practical model they have set forth in RFC3 and related documents is also a subject of discussion in this paper, compounded by the fact that the executive power is tied in under WIPO by the respective domain registrar.

Also in response to NTIA, ICANN has proposed Guidelines for Accreditation of Internet Domain Name Registrars and for the Selection of Registrars for the Shared Registry System Testbed for .com, .net, and .org Domains [5]. These Guidelines will be used in competitive registration services for DNS designations worldwide, and thereby will impose rules upon anyone that will need to register a DNS - also private users, not only companies. But, contrary to WIPO [6], these Guidelines were not applied before the consultation process ended - nor will ICANN profit from a maximization of conflicts. In fact, ICANN asked for public comments whether the proposed regulation in its "Guidelines for Accreditation" is adequate and fair for its intended purpose - also targeting the trademark versus DNS issues. However, ICANN's Guidelines have also come under criticism [7].

One of the next ICANN tasks is to review WIPO's RFC3 recommendations on the settling of trademark-domain name disputes - and is also taking suggestions from brand holders. For example, Bell Atlantic, co-holder of the famous mark "Bell", issued comments [8]. Bell Atlantic contends that we are witnessing widespread trademark abuse in DNS references, as provided in several DNS registrars worldwide, which have gone out of current controls and seriously menace previous rights by trademark owners - specially famous marks like "Bell". However, this conclusion is not materially supported by the arguments that Bell Atlantic themselves present in their own comments[8], as explained in [9]. This discrepancy is discussed in this paper and strongly undermines the factual base presumed by WIPO to justify RFC3.

The issues dealt with by ICANN, WIPO, Bell Atlantic and others under the motivation of NTIA's request, are intertwined enough to justify their joint appraisal for a critique of RFC3, in this paper - in a broad view.

This essay shows that WIPO's RFC3 document is basically flawed in more than ten major technical areas and should be recalled in totum. Otherwise, pursuing the RFC3 recommendations will harm worldwide e-commerce, the Internet itself, Internet security, the public trust in business marks and, most importantly, users and consumers.

The essay supports some other views of Bell Atlantic and major brand holders to WIPO, but specifically in the suggestion that domain names not be squandered or brokered. In addition, this essay advances that a positive answer to NTIA's requests is possible. However, only by taking a quite different approach and by providing for a separation of powers.

WIPO's Postulated Conflict with their Jurisdictional Matters

The RFC3 specifically postulates that

"Internet domain names have come into conflict with the system of business identifiers that existed before the arrival of the Internet and that are protected by intellectual property rights"

- which matters are under the jurisdiction of WIPO.

The question arises whether this WIPO "declaration of conflict" is justified.

In other words, even though Internet domain names are surely a human friendly form of Internet addressing, are they also "business identifiers" for the specific purposes of intellectual protection rights?

First quote

If they would be business identifiers or marks, then in WIPO's RFC3 words, enforcing intellectual property rights would be useful, since:

"The exclusive right to the use of the mark enables the owner to prevent others from misleading consumers into wrongly associating products with an enterprise from which they do not originate."

Thus, if Internet domain names are business identifiers then they should allow customers to associate products with a business. But, they do not.

In fact, Internet domain names highest security threat comes from such association - which is fully unwarranted and forewarned against by every Internet Certification Authority (CA), browser's on-screen instructions to users, and security work groups such as the Internet Engineering Task Force (IETF), the Meta-Certificate Group (MCG) and also so handled by Network Solutions, Inc. (NSI), the current exclusive registrar for the gTLD .com, .org and .net domains as appointed by the United States.

Instead, Internet domain names in naming conventions such as e-mail addresses, DNSs and IPs are actually just convenient mirages in the worldwide Internet. For example, it is perfectly possible for a site that ends with .jp (i.e., Japan) to be hosted in the U.S. Just by the DNS convention, one cannot affirm anything about the site's whereabouts, contents, owner or business branch. Further, such names can be diverted to different Internet locations by URL-hijacking, router intervention, malicious JavaScript, etc.

As Nicholas Bohm [10] remarked elsewhere, in a perhaps fitting comparison to the issues here, the fact that people like to talk in sound bites like "identity theft", instead of using well-established words like "impersonation", does not mean that any legally relevant conclusions can be drawn from the misuse of technical terms like "theft" in the sound bite.

Likewise, the fact that people introduce sound bites such as an Internet domain name "vocal.md" does not mean that any relevant conclusions can be drawn from the misuse of terms like "vocal" or "md" in the sound bite. Or, from a ccTLD designated by ".md" as the ISO 3166 designator for the Republic of Moldova, or ... is it the State of Maryland U.S., or... is it actually administered by a private company as a gTLD?

Perhaps, an international medical association could follow WIPO and now introduce their own RFC-3 to regulate the .MD "medical directory" since "Internet domain names have come into conflict with the system of medical identifiers that existed before the arrival of the Internet and that are protected by medical profession rights".

Thus, the bottom line is that Internet domain names are not business identifiers as RFC3 postulates, which negates the very conflict that is stated by WIPO to provide a need for RFC3 within WIPO. This conclusion is further supported by the following discussion.

WIPO's Reported Extent of Conflict is Contradicted by Context

In RFC3 WIPO declares that there is a large conflict between Internet domain names and marks. Indeed so it may seem to the reader  - "The scope of infringing activities is staggering", as Bell Atlantic reported [11] and testified before the WIPO Panel of Experts, "over a nine month period we logged nearly 600 separate instances of infringement for our famous BELL mark in the existing gTLDs - .com, .net and .org alone."

As usual, data without a verifiable context has no meaning - so, the question arises - what is the meaning of the "600 cases" reported by Bell Atlantic?

First, Bell Atlantic did not report how the "bell" trademark was identified in the DNS references. Perhaps, they mean any DNS registration that uses the word "bell" within other letters, defining the occurrence of trademark infringement regardless of use, likelihood of confusion, commercial nature of the site, etc. [12]. Given that "bell" is a pretty common English name, occurs in other languages, and appears as part of other words, it is probably a gross overstatement to consider every occurrence of "bell" a trademark infringement on Bell Atlantic's "bell" trademark. Is the site www.belle-epoque.com a problem? Or, the threat of www.bellow.net? But, perhaps, Bell Atlantic means only registrants attempting to use the word "bell" which are actually connected to telephone products and services. Thus, since Bell Atlantic does not report on these issues, the next calculation will consider the best case for their analysis and total in all 600 cases - also without taking into account rejoinders by the other side.

Second, NSI reports that it currently receives 500,000 applications/quarter or approximately 1,500,000 in a nine month period. The Bell Atlantic's reported number of DNS problems, in their terms is only 0.04% of all cases of DNS registration of NSI. If we consider the worldwide Internet, with all other ccTLDs, it is much less than 0.04%.

The third question is how much reported "Bell" possible copyright infringements are reported on average for a nine month period from all other sources - such as business names registrars, copyright registrars, simple use, etc. Given the novelty of the Internet, even without comparative data that would be necessary to access the relative importance of that -0.04% from the Internet alone vis-à-vis all other sources, it is already clear that this is hardly an issue that justifies harassing +99.96% of Internet users.

However, Bell Atlantic declares

"Based on the testimony of Bell Atlantic and many other brand holders, the World Intellectual Property Organization will soon be issuing final recommendations to ICANN."

- and also

"In view of this history of brand abuse under the current system that Bell Atlantic and the other members of the Private Sector Working Group, INTA (sic), AIPLA, ICC and other members of the business community have well documented,... is a problem that should be among the top issues to be considered and addressed directly in the goals and principles of registrar accreditation."

These declarations, however, lack a material basis, if we take the data provided by Bell Atlantic in the proper perspective as -0.04% . Rather, the data indicate a lack of extent of abuse.

In discussing the lack of extent of the alleged infringements, it is also important to note that Bell Atlantic as a brand holder have chosen their infringement metric to be "number of cases", not "amount lost in business". However, "amount lost in business" is probably much lower, as discussed in other items.

Thus, the entire argument line of nearly 600 cases in a nine month period seems to contradict itself. Indeed, -0.04% of all cases is not an issue that seem to justify harassing +99.96% of all cases - and may just be included in the usual cost of doing business and defending one's own viewpoints in a competitive global society. Possibly, considering the fact that "bell" is a very common word and word fragment, other brand holders will count less than 0.04% of potential infringements. WIPO's assumed conflict is simply not supported by data.

WIPO Assumptions Not Granted Even if One-Sided

If WIPO one-sidedly views or wants Internet domain names to be viewed as business identifiers, it should become aware that the basic requirements for a business identifier or mark are directly denied by the underlying DNS protocol.

Internet domain names are not stable references - the first notion, according to some experts, that define the possibility of a mark that can serve as a business identifier. I doubt someone could trademark a cloud formation, a good metaphor for Internet domain names.

Second quote

Internet domain names are not even objective as a cloud. Domain names are simply references that depend on references, which are again references. They are intersubjective [13]. No one can be objectively certain to any degree that they reached the correct Internet address when they type an Internet domain name.

Personal names are often used in Internet domain names; do they really point to a specific person? No, for it is a common local misconception that a name, even a personal name, has a meaning per se. As Nicholas Bohm reports for the U.K.:

"And there are many countries, such as the United Kingdom, where people can change their names without formality or official records, and can use several names for different purposes, none of which are more truly theirs than any other. Authors and entertainers commonly use several names" [14].

Internet domain names do not need specific relationships that can be used to associate them with something else - even when a personal name is used. Domain names are just a syntactic reference, perhaps mnemonic, created to be noteworthy or purposefully obscure or ambiguous, perhaps inactive or even deleted tomorrow.

An Internet site may have a perfectly non-descriptive and non-trademarked name, such as www.123abc.com and still infringe several trademarks by its contents and goods sold. This means that site content can be much more harmful to brand holders than simply a similar site name with unrelated goods.

Unwarranted Association - Security Flaw

Internet Domain names are address identifiers which may point to any Internet host in the world, to any business and may even be diverted without anyone noticing it. Thus, it is a basic security flaw to proceed with WIPO's RFC3 and try to associate Internet domain names with stable, objective, and well-defined marks. They are not and never will be, by TCP/IP and Internet design.

There is an on-going educational effort on the Internet to explain to users what Internet domain names are and what they are not. Such understanding may backfire and increase the doubts of users. Companies, associations, groups, discussion lists and individuals have invested much time and resources in order not to provide ground for unwarranted associations. However, WIPO's RFC3 blatantly implies an Internet address assurance which simply does not exist and is even denied by the TCP/IP design.

"Third-Class" Trust Association

Internet domain names exist at the same trust level as a cloud mirage on the Sahara when used as absolute business identifiers. By using them in RFC3, WIPO will not be able to increase public trust in these digital business identifiers (which is one of NTIA's motivations). Why? Trust is qualified reliance on received information [15]. If the degree of trust is measured by reliance, then it is clearly reduced by denying the very fabric of traditional rules that WIPO's member States must follow when issuing a trademark. Consumers rely on these rules.

In this analysis, Internet domain names under RFC3 would then become "third-class" business identifiers. Since an Internet domain name cannot possess the basic trust qualities that would qualify it to be a mark under current traditional agreements, these names would essentially negate the very purpose of RFC3. This lack of trust would hurt the investments of companies in their good-will and business identification for traditional commerce.

Wrong Market Motivation

What is the message that WIPO RFC3 is sending to the market, with its apparently unreasonable restrictions and imposed clauses [16], coupled with the perceived lack of trust for Internet domain names as stable and objective as a "real" mark should be?

Perhaps, it would force a worldwide "generic" movement for Internet names aimed specifically for e-commerce. However these generic names would make it impossible for any vendor or business to sustain reputation, certainly one of the prime factors of a valuable mark.

Wrong Certification

Internet domain names are address identifiers. Do they authenticate a business site? Do they provide some degree of assurance that the address has been reached? No, on both counts.

The Internet is an open system, where the identity and origin of communicating partners is not easy to define. Each user controls only their end of the connection - and no one controls both ends at the same time. The communication path is non-physical and may include any number of eavesdropping and active interference possibilities. Thus, Internet communication is much like anonymous postcards, which are answered by anonymous recipients. These postcards are accessible to anyone to read and even write in them [17].

Internet domain names have routing problems which are actually a feature of the Internet TCP/IP packet traffic design and so cannot be avoided. They are solved with an additional design layer, the principle behind Internet protocols and their reliability. On the Internet, reliability is not obtained by a "perfect" process but by redundancy employing "real-world" and knowingly unreliable processes.

The standard solution to the routing problem is to use cryptographic authentication by means of digital certificates to assure that communication occurs between the desired endpoints, including real-time challenge response authentication to avoid replay attacks. This has been ignored by WIPO's RFC3.

In this regard, the ITU-T Recommendation X.509 (which has been implemented as a de facto standard) defines a framework for the provision of authentication services, under a central control paradigm represented by a "Directory". It describes two levels of authentication: simple authentication, using a password as a verification of claimed identity; and strong authentication, involving credentials formed by using cryptographic techniques [18].

WIPO's RFC3 intends to provide a type of "business certification" (i.e., a mark) by means of simple Internet domain name unchallenged protocol authentication, without cryptographic challenge response and without a password. This is clearly technically wrong, imposing what the Internet denies.

The consequences? Problems caused by false certification or no certification mechanisms may range from a "man-in-the-middle" attack (in order to gain knowledge over controlled data) to a completely open situation to gain access to data and resources. It is important to note that these problems do not disappear with encryption or even a secure protocol such as SSL. If the user is led to a spoofing site, which appears to be what he wants, he may have a secure connection to a thief that will not make it safer.

To make matters worse, DNS hijacking can make connections to www.good.com go to www.bogus.com without anyone noticing it, even if you know that "bogus" is bad. Each Internet connection is a new one and each connection may go through different routers, even on the other side of the globe, which can be compromised without user control or perception.

Thus, identity certification, or at least origin authentication, is a must in order to really define a business identifier.This sort of authentication could have been followed by WIPO in order to define stable and objective references. WIPO's RFC3 notion of "business authentication" behind the use of Internet names as marks cannot help but may harm, by implying a level of security which is simply fictional.

Wrong Address Model

The "parochial model" of the Internet at the base of WIPO's RFC3 breaks down easily when we recognize that all machines and addresses are essentially peers in the Internet. The DNS system is only hierarchical to the extent that one branch follows another. There is no imposed relationship whatsoever between machines in different branches or even in the same branch. For example, the .ml.org domain has several fully unrelated machines in it, in different parts of the world.

Thus, RFC3 confuses the extent of a worldwide Internet address model, where no one controls both sides of a connection, all Internet domain names are peers and any machine (i.e., possibly business site, possibly hacker) can be made to respond to any name (i.e., would-be mark in RFC3) by a variety of techniques which the user cannot distinguish.

Wrong Theory

What is a name? What does a name mean? When I communicate over the Internet with an entity that has an Internet domain name, what can I suppose about the entity if I rely on that name's significance to me?

To better investigate this issue, suppose we express the general concept of a name as a sign or a symbol -- e.g., my name is a symbol for myself. Perhaps, one's tentative conclusion would be that if I see footsteps on the sand (i.e., a symbol, a name) then I could generally rely on the existence of someone that walked by (which is the meaning or cause of the footsteps.) Likewise, if I see a photo of a product (i.e., a symbol, a name) then I could rely on the existence of the product, and so on. Or, as in RFC3, I would expect to find a particular business bearing a causal relationship to that Internet name -- which would provide meaning to that Internet name in my communication.

However, this model breaks down easily [13] for instersubjective names such as Internet domain names - even though it may be valid for objective names such as trademarks or footsteps or photographs. If I say "Morning Star" or "Evening Star" then, clearly, the two phrases can have the same name (i.e., the planet Venus) but one describes it as the last celestial body to disappear at dawn and the other as the first one to appear at dusk -- thus, the same name can have different senses or meanings. The same can happen with Internet domain names.

What does the site represented by the domain name "www.gifts.com" really mean? Presents - as the English word "gift"? Does "gift" have the same context and meaning in German, for example - where it means "poison"? Or is the word "gift" actually an acronym with some totally different meaning and context? Wouldn't someone looking for an ecotourist adventure on the Amazon River be surprised by the contents of the site represented by the domain name www.amazon.com?

Denial by Similarity

To what extent can a trademark holder such as Bell Atlantic demand protection? Would it be legally and technically feasible for Bell to protect all variations of Bell as they relate to phone service? Telephones around the world can dial the characters "CALL-BELL"; should these be considered mark infringements? Can this sort of logic be extended to the Internet?

Confusing "Who" with "Where"

RFC3 attempts to curb cyberpiracy by resorting to trademark registration and arbitration rules. While the concern over cyberpiracy is justified, RFC3 misses the issue by focusing on "who" and not "where" - bringing privacy into play. In Bell Atlantic's criticism of the proposed ICANN rules for Internet domain name (DNS) registration, it was noted that:

"We are, therefore, disturbed by the language in Guideline 4 that limits a registrars information only the information required to make a registration. That phraseology suggests that there could be even less information identifying domain name holders than is available today. For example, the language of the proposal suggests that perhaps not even all the information currently available under NSI's WHOIS database would remain available under a new system. Without at least that much information, a substantial question remains whether registrars would even have the records needed to permit a trademark holder to find out who an infringing domain name holder is."

Essentially "who" or "reaching the culprit" is confused with "where" or "discovering the culprit's address".

So, while it is true that anonymous remailers may not be traceable for their users, anonymous owners of Internet domain names will not be found, and anonymous Internet host accounts may be used in trademark infringement attempts -- their physical access lines can be routinely traced and cut off as they have been, by court decisions. Effectively providing means for stopping any harmful activity against a brand holder, without any of additional ruling, imposed mediation or privacy encumberments from RFC3.

Privacy versus Security

Bell Atlantic essentially calls for less privacy for DNS registrants for the sake of more security for trademark owners, the same call made in WIPO's RFC3. This recurring theme - a privacy versus security paradox - appears whenever networks of networks, also called internets [18] are involved. On the Internet, no one controls both sides and multiple intersubjective issues have to be addressed in a peer-to-peer objective approach. Privacy cannot be properly traded off for security; once lost, privacy is lost for life. Security is merely a short-time asset.

Third quote

However, in both Bell Atlantic's remarks and RFC3, security would not even be enhanced by the privacy restrictions they propose. Thus, Bell Atlantic and RFC3 set out to combat trademark infringements but end up not doing that. Instead, they encroach into the privacy of millions of Internet users in order to try to resolve an incredibly small number of syntactic name collisions in Internet domain names, a privacy burden without justification.

Negation of Previous Legal Principles

No trademark can be anonymously granted; hence no anonymous Internet domain name could be protected under the terms of RFC3 [19]. Thus, the call for reduced privacy in RFC3 would make it impossible to protect an anonymous domain name. This would again be against many legal principles and rights, such as the right to anonymous speech.

Internet Anonymity Not an Insurmountable Threat to Trademark Protection - A Commercial Opportunity?

Anonymity poses - by definition - several difficulties for two-way communication and for the flow of monies and goods in a public environment. This means that an anonymous commercial site would be either perfectly incommunicado, hence not a commercial threat, or it would be traceable in two-way communications even if untraceable electronic cash or cryptographic cash tokens are used.

Anonymity thus does not mean absolute protection. Internet links can be correctly traced, and this technical possibility provides a business opportunity to Bell Atlantic and other phone companies. For a fee, and a legal reason, a service can be can provided to trace the actual locations of intellectual property offenders. Technology means that there is no need to potentially jeopardize the privacy of 99.96% of all Internet users. It also means that there is no reason for less privacy in DNS registry in the name of more security for trademark owners.

What is an Internet Domain Name?

Historically, as Tony Rutkowski comments [20], Internet Domain Names were established as maintenance zones for the construction of host names; as "call letters".

However, I believe the definition of Internet domain names cannot be answered historically. The Internet today is vastly different from its original state and it will be very different in the future. Further, public discussions led by NTIA (focusing on the .us domain at the DoC [21]), WIPO, and ICANN have already provided us with widely different statements of what an Internet domain name could be - from a virtual address to a national asset. But, essentially all such discussions lead to the understanding that an Internet Domain Name System (DNS) allows a user to associate a name with a resource on the Internet, such as a machine, an electronic mail address, or a Web site.

The question is now reduced to the nature of this "association" between a domain name and an Internet resource. As discussed in previous items, this association is solely mediated by a series of references based upon references, and so on - it is entirely intersubjective. Thus, there is nothing objectively reliable about a domain name's association with a resource - the same domain name can have different meanings, the resource can be diverted by a hacker, the resource's retrieved information can be silently changed en route, etc.

But, trademarks exist in another, more traditional, name system which permits a customer to associate a product name with an enterprise, the mark owner. Trademarks are objective not only because they have been around for a long time and have a well-established legal framework, but mainly because they can be verified independently by anyone, with reliable results. However, they can also be intersubjective, but only when a customer could be led to use a conflicting Internet domain name -- which is less than 0.04% of all cases on the Internet for a typical well-known mark in a period of nine months, as discussed in previous items.

Therefore, this paper argues that Internet domain names are intersubjective and never objective, while trademarks are objective and may also be intersubjective. These basic differences between a domain name and a trademark name were however fully ignored by the WIPO report RFC3, which seeks to regulate worldwide reliance on Internet domain names in purely objective terms.

However, on the Internet, as in law, reliance on a domain name needs to be justified by an examination of the facts presented. As seen before, by typing www.gifts.com no one is technically justified in an intersubjective sense to rely on finding anything related with "presents" -- though I could be misled in a subjective sense (looks logical in English to me), or even in an objective sense (there is a trademark "gifts" and I know by trademark registration in a certain country that it relates to presents in that country). In legal terms, missing however the technical basis, no one can then be legally justified in making those associations of www.gifts.com with a Web site that sells presents or with the trademark "gifts".

Likewise, when I type jsmith@sacramento.ca.us -- I may or may not be justified to rely that it will actually contact me to a "John Smith" that is registered in Sacramento, CA, US. If I take the subjective stance, yes -- I may be justified by "actual reliance" [15]. But, if I take the objective stance then I may realize that nothing can guarantee who or what actually is responding at that address, at that computer -- there can be no "reasonable reliance" [15] to this effect. Finally, if I take the intersubjective stance then I must also take into consideration that the underlying protocol does not warrant either identification or authentication -- so, "justified reliance" [15] is also denied since no one may even be "at that address, at that computer" and, "that address" may not be the one I am directed to.

Internet domain names are thus essentially intersubjective references, which do not warrant any particular subjective or objective interpretation. Being intersubjective, they are essentially overly variable in relation to a trademark, which is an objective property enforceable by law. Technically, we have thus no justification to reduce the over variability in domain names unless other factors were introduced.

Answering NTIA's White Paper Requests

In software engineering, we are accustomed in dealing with isolated computers (subjective view) and well-defined networks (objective view) with a client-server paradigm. On the Internet, we deal with networks of networks (intersubjective view), an overly variable concept relative to isolated computers and networks. We can no longer control both ends of the communication channel, and never will.

A solution to the DNS/trademark question posed by the NTIA cannot rely on Internet routing, which depends on networks of networks and an overly variable relationship; in other words, DNS name routing cannot be relied upon for objective business identification.

A practical and effective solution could rely on cryptographic certificates and their legal significance as "business server certificates". These would not impose any additional privacy or regulatory burdens on private DNS registrants. Domain name policies worldwide would be hardly affected with the addition of an additional layer. With this approach, domain names would be less susceptible to parasitical appropriation since corresponding certification would link an Internet address to a company's legal name. This approach could be carried out both in an extrinsic certification mode (X.509, CAs, PGP) as well as by intrinsic certification (Meta-Certificates) [23], offering flexibility and technologically neutral options both to users as well as to businesses. These certificates would be inexpensive, having other purposes as well.

Avoiding the "Tragedy of the Commons"

This essay is not a dismissive appraisal of all trademark issues raised by Bell Atlantic or WIPO. In fact, Bell Atlantic has some suggestions which may be useful to ICANN and to WIPO, in avoiding the "tragedy of the commons" [22]. A public resource (a "commons") can be degraded by overuse; Bell Atlantic notes that:

"We would also suggest that domain names not be squandered or brokered. We recognize that domain names are not conceptually identical to telephone numbers; in particular, unlike telephone numbers, they are not a resource subject to exhaustion. However, in an important regard, they are not unlike telephone numbers in that they are a public resource whose principal use is to identify a unique person or entity for the purpose of enabling communications to take place efficaciously. Practices such as number hoarding are inconsistent with this purpose and, therefore, are not permitted in the public telephone network. We believe that the practice of "cybersquatting" is equally inappropriate in the context of the Internet and should be stopped."

Conclusion

We must recognize that Internet domain names can contain reference information in varying degrees of completeness and human reading, but not at all the multiple corresponding senses or meanings. Further, given the design of the Internet, domain names inherently lack any objective or stable information qualities; they are intersubjective references and afford no objective reliance. Any additional context is not warranted by the supporting Internet infrastructure and protocols. Their use as a mark would thus deny the minimal objective properties that WIPO member states have defined as a trademark - for a mark is not simply a name.

I suggest that RFC3 should be recalled in totum. Its application will more probably cause more difficulties to Internet users and to trademark owners than the few pathological cases it may solve. Further, these cases have other avenues for resolution in public and open Internet discussions within the jurisdiction of each country's domain name registry, according to local uses, rules, and laws. The Internet is a learning experience and certainly the WIPO consultation has served and will serve that purpose.

"Business server certificates" - based on cryptographic challenge-response - can however be used to concretely define an objective businesses identification on the Internet and could thus support objective trademark requirements.

This proposal leaves room for simultaneous occurrence of different but valid views - since they must exist in a network of networks, an internet. In their resolution, an abstract model for Internet domain names emerges from this essay which may be sufficiently flexible to support the different views in their entirety while negating what is patently unwarranted.

About the Author

Ed Gerck received his Doctorate in Physics (Dr.rer.nat.) from the Ludwig-Maximilians-Universität and the Max-Planck-Institut für Quantenoptik in Munich, Germany in 1983. Since 1986 he has been active as an international consultant and developer in the field of security and cryptography, with additional academic and industrial work in lasers since 1977. He is also the founder and current Coordinator of the Meta-Certificate Group, an open international non-profit group active in the field of Internet security and certification standards development. The arguments herein represent matters that were publicly discussed by the MCG, an Internet Open Group on Security and Certification that includes participants from 28 countries, and in other fora. However, this presentation is not a MCG document nor should its terms be considered statements by anyone but the author.
E-mail: egerck@mcg.org.br

The author is indebted to several commentators in earlier threads, especially Nicholas Bohm, Tony Bartoletti, Einar Stefferud, Tony Rutkowski, Milton Mueller and Alistair Campbell-Dick.

Notes

1. ICANN Website at http://www.icann.org

2. Kenneth Cukier, "Contemplating life after Postel."

3. WIPO, 1998. "The Management of Internet Names and Addresses: Intellectual Property Issues," at http://wipo2.wipo.int

4. As announced and sold in "Internet ONE" - http://www.io.io and at WIPO - http://wipo1.wipo.int

5. "Guidelines for Accreditation of Internet Domain Name Registrars"

6. WIPO is commercially sanctioning trademarks/DNS resolution rules to third-parties and also charging for WIPO's arbitration services in support of them, while the same rules are undecided and yet under review in RFC3 - see [ 4]

7. Cukier, op.cit.

8. Bell Atlantic, 1999, "Comments of the Bell Atlantic Corporation on the ICANN's Draft Registrar Accreditation Guidelines"

9. As discussed in Ed Gerck, 1999. "Comments on ICANN Accreditation Guidelines", and summarized in this paper.

10. Nicholas Bohm, [cf. 14], quoted from public list discussion in e-carm.

11. Quoted in [8], which concern was also publicly confirmed by a Bell Atlantic representative to the .us domain meeting at the DoC reported in [21]

12. Thanks for the private comments by Milton Mueller.

13. For definition and examples of intersubjective property, as well as its relevance to the issues discussed here, see Ed Gerck, "Overview of Certification Systems: X.509, CA, PGP and SKIP. MCG," and, Ed Gerck, "Towards Real-World Models of Trust: Reliance on Received Information."

14. Nicholas Bohm, "Authenticating identities."

15. Ed Gerck, "Towards Real-World Models of Trust: Reliance on Received Information."

16. Michael Froomkin, "A critique of RFC3."

17. Ed Gerck, "Overview of Certification Systems: X.509, CA, PGP and SKIP. MCG."

18. Privacy versus security in networks of networks, or internets - see the network discussions by Einar Stefferud in "Internet Paradigms" [http://www.mcg.org.br/paradigm.htm] and the security discussions by Ed Gerck in "Dr. Faust's Internet Dilemma" [http://www.mcg.org.br/faust.htm]

19. See Michael Froomkin, 1999, [16] as well as Kathryn Kleiman, "WIPO RFC3".

20. A.M. Rutkowski, 1999, "Internet transitions: The Assigning of names and numbers," IEEE Internet Computing, volume 3, number 1 No. 1 (January/February), and private correspondence.

21. Ed Gerck, "Reflections upon the .us Meeting".

22. For definitions and further discussion on modes of reliance, in their legal and technical aspects, see Ed Gerck, "Towards Real-World Models of Trust: Reliance on Received Information."

23. See the MCG Webstie at http://www.mcg.org.br and Ed Gerck, "Overview of Certification Systems: X.509, CA, PGP and SKIP. MCG".


Contents Index

Copyright © 1999, First Monday





A Great Cities Initiative of the University of Illinois at Chicago University Library.

© First Monday, 1995-2017. ISSN 1396-0466.