Using IP Dispute Procedures to Combat Net Fraud

Internet fraud is becoming one of the most common and lucrative forms of crime in today's information-based economy. As the Internet has grown, so too have incidences of its misuse. How can intellectual property rights help fight this growing menace?

According to the Internet Fraud Complaint Center (IFCC) ' a collaboration between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center ' the incidence of cybercrime is increasing exponentially. The IFCC, which investigates Internet fraud and collects online complaints at its Web sites (www.ifccfbi.gov and www.ic3.gov), reports that the total number of complaints referred to on its Web sites tripled between 2002 and 2003. National White Collar Crime Center, IFCC 2002 Internet Fraud Report (2003). See, www.ifccfbi.gov/strategy/2002_ifccreport.pdf. Meanwhile, the number of complaints involving Internet fraud reported to the Federal Trade Commission (FTC) increased by 40% during 2003. FTC, National and State Trends in Fraud & Identity Theft (Jan. 22, 2004). See, www.consumer.gov/sentinel/pubs/Top10Fraud2003.pdf.

The FTC estimates that Americans lost more than $437 million due to online fraud in 2003. National and State Trends, supra. In November 2003, the U.S. attorney general's office, in cooperation with other federal agencies and law enforcement authorities, conducted Operation Cybersweep. This joint operation resulted in more than 100 investigations involving 125,000 victims, who claimed losses of more than $100 million. Press release, U.S. Department of Justice (Nov. 20, 2003), at www.usdoj.gov/usao/lae/hotnews/operation_cybersweep.htm.

Impact on Corporations

While many victims of cybercrime are individuals, corporations are also affected. Corporations are damaged directly by lost revenues and indirectly by misuse of their names and reputations, as well as by lost consumer confidence in conducting business online. Recent examples of fraud targeting large corporations include an instance when e-mail messages were allegedly sent from several corporations to consumers requesting personal identification and financial information, and an instance when a fraudulent Web site was established that appeared virtually identical to that of a well-known consumer goods retailer, which was then used to collect credit card and Social Security number information from unsuspecting consumers. Jason Gertzen, “Mugged by Your Machine,” Milwaukee J. Sentinel (Nov. 22, 2003).

While the foregoing examples are merely the tip of the iceberg, they demonstrate that Internet fraud does not only involve “hacking” into a corporate network, but relies upon deceiving consumers, often by unauthorized use of intellectual property.

The single most difficult obstacle in policing Internet fraud is identifying the criminals, who conceal their identities through, among other methods, use of fictitious names, false contact information and elaborate e-mail-routing schemes. The FBI, Secret Service, quasi-governmental organizations such as the IFCC and state and local law enforcement organizations investigate Internet fraud and provide information and assistance to consumers and corporations. Nevertheless, these organizations can be limited by budget constraints and resources available to respond to individual cases.

The IFCC Web site received more than 75,000 complaints between 2002 and 2003. See, IFCC report, supra. As the number of complaints grows each day, many corporations have chosen to investigate and police fraud on their own, using traditional intellectual property laws and recently adopted federal and state laws to combat Internet fraud.

Types of Internet Fraud

Internet fraud takes many different forms. According to statistics from the IFCC, online auction fraud, nondelivery of goods or services and identity theft are the most common forms of fraud.

Online auction fraud accounts for approximately 46% of Internet fraud. Typically, this fraud involves the misrepresentation of goods or services (ie, the buyer receives a far different product than what he/she agreed to purchase). Closely related to online-auction fraud is nondelivery of goods or services (ie, payment is sent to the seller, who never ships the goods to the buyer), which accounts for 31% of Internet fraud. Identity theft, which accounts for up to 12% of reported fraud, includes everything from the unauthorized use of Social Security numbers to use of fake or stolen credit/debit cards. See, IFCC report, supra.

Successful Internet fraud usually relies on the use of false e-mail addresses, cybersquatted domain names and fake Web sites. Each medium is effective on its own, but often very persuasive when used in combination. The IFCC estimates that 66% of fraud complaints involve communications with false e-mail addresses, and nearly 19% involve fake Web sites. See, IFCC report, supra. One method of using e-mail to commit Internet fraud is known as “spoofing” and involves the alteration of an e-mail message's embedded coding to make it appear that the message was sent by someone other than the person who actually sent it. For example, messages composed and sent from the e-mail address mailto:[email protected] could be manipulated to appear as if they were sent from the FBI (eg, from mailto:[email protected]).

Moreover, by creating a fake Web site that copies text and graphics from the fbi.gov Web site, a spoofer can further deceive consumers. Ultimately, the ability to fool consumers into believing that the message was sent from a legitimate entity can be used to obtain credit card, bank account and Social Security numbers, as well as untraceable wire-transfer payment particulars.

Another method of perpetrating Internet fraud is cybersquatting, which involves the bad-faith registration of trademarks or colorable imitations of trademarks (eg, Acme.com, Acme-services.com) as domain names. Like spoofed e-mail messages, cybersquatted domain names allow criminals to impersonate a well-known corporation and distribute false information, or to obtain sensitive or compromising information from deceived consumers.

Spoofing and cybersquatting used to obtain sensitive information is part of a phenomenon known as “phishing,” whereby criminals use fake e-mail messages linked to fake Web sites in order to bait the public into revealing personal and/or financial information that criminals can exploit. What makes these practices attractive to cybercriminals is that they allow third parties to tap into the good will inherent in trademarks and copyrighted material associated with popular and highly regarded brands, with little or no transaction costs. Further, the market-efficiency function of trademarks, while a cornerstone of today's economy, is nevertheless a double-edged sword: Consumers may rely on trademarks to accurately identify the source or origin of certain goods and services, which plays directly into the hands of cybercriminals.

Intellectual Property Options

As the basis for federal trademark protection, the Federal Trademark Act of 1946 (the Lanham Act) protects both registered and unregistered trademarks and trade names. Under the Lanham Act, use of another's trademark without the permission of the trademark owner may constitute trademark infringement and/or the related claim of false designation of origin. One of the goals of federal trademark law is protecting the public from the likelihood of consumer confusion. While not all types of Internet fraud directly relate to intellectual property, many instances of fraud involve some unauthorized use of trademarks, copyrights or domain names to deceive consumers and cause confusion (eg, the use of logos, images and e-mail addresses that are identical or similar to those of well-known companies).

In reality, it is difficult to bring claims of direct trademark infringement in cases of Internet fraud since the infringer in most cases cannot be identified easily. The alternative to direct infringement is to challenge those who contribute or enable criminals to commit fraud. Contributory trademark infringement may lie when the defendant has knowledge of the infringing activity and induces or contributes to the activity, such as the provision of Web and e-mail hosting services by Internet service providers (ISPs). Indeed, contributory trademark infringement liability in the context of the Internet has been recognized as a possible cause of action against ISPs. Gucci America Inc. v. Hall & Associates, 135 F. Supp. 2d 409 (S.D.N.Y. 2001).

Protection of material copied without authorization by cybercriminals (usually from legitimate Web sites may be available from the federal Copyright Act of 1976 and the Digital Millennium Copyright Act (DMCA). What has limited the effectiveness of the Copyright Act for infringement in cyberspace, as with direct trademark infringement, is the difficulty of determining the identity of infringers. As a result, copyright owners have taken action against the instrumentalities of the infringement, namely ISPs.

One of the leading cases relating to the liability of ISPs for hosting infringing material on their servers is Religious Technology Center v. Netcom, 907 F. Supp. 1361 (N.D. Calif. 1995). Following this case, questions arose as to exactly when ISPs can be held liable for the activities of subscribers. With passage of the DMCA in 1998, which provides that ISPs are immune from liability unless they have been notified of infringing activity and take no action to stop it, the law relating to ISP liability was clarified. 17 U.S.C. '512[c].

However, the limitations on liability apply to an ISP only if the service provider has designated an agent to receive notifications of claimed infringement, by making available through its service, including on its Web site in a location accessible to the public, and by providing to the U.S. Copyright Office, substantially the following information: the name, address, phone number and electronic mail address of the agent and other contact information which the register of copyrights may deem appropriate. 17 U.S.C. '512 [c][2].

Domain Names

Spoofed e-mail messages are often used with a cybersquatted domain name closely resembling a known company's trademarks and domain names. The cybersquatted domain name usually links to a Web site that copies the legitimate company's Web site or links to the legitimate company's actual Web site. One means of redressing cybersquatting is by using administrative dispute resolution, the most common being the Uniform Domain Name Dispute Resolution Policy (UDRP). A condition of registering most domain names is the agreement to submit to arbitration should a disagreement over ownership of the domain name arise.

According to the Internet Corp. for Assigned Names and Numbers (ICANN), more than 14,000 domain name arbitration cases have been decided to date. The appeal of UDRP is its relatively low cost compared to litigation and quick results (ie, usually less than 60 days). Domain-name arbitrators (usually former judges, law professors and well-known private practitioners) have the power to transfer or cancel registrations following the filing of a complaint and a response from the registrant.

Arbitrators are not bound by the Federal Rules of Evidence and must consider three factors in deciding whether a domain name should be cancelled and transferred: whether the domain name is identical or confusingly similar to a trademark of another; whether the registrant has any legitimate interests in the domain name; and whether the domain name was registered in bad faith. The allegation of fraud is usually a compelling indicator of bad faith. For example, a World Intellectual Property Organization (WIPO) arbitrator recently ordered that the domain name msnphone.com be transferred to Microsoft. The arbitrator's decision was based, in part, on the fame of the mark MSN and its use to commit fraud. Microsoft Corp. v. My Speedy Net Phone, WIPO Case No. D2003-0359 (July 15, 2003).

The disadvantage of the UDRP is that it provides no additional remedies other than transfer or cancellation of the subject domain name. If a plaintiff seeks to raise trademark or copyright infringement claims and seeks monetary damages, litigation under the Anticybersquatting Consumer Protection Act may be pursued in federal district court. The act provides for statutory damages of up to $100,000 for each domain name at issue, as well as attorney fees. 15 U.S.C. '1117[d]. Liability under the act results when a cybersquatter registers a domain name that is identical or confusingly similar to a protected trademark and the registrant has a bad-faith intent to profit from use of the domain name. 15 U.S.C. '1125[d].

Other Sources of Relief

Recently, President George W. Bush signed the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM Act), providing another tool for intellectual property owners to combat fraud. The CAN-SPAM Act is intended to address the dramatic increase of unsolicited commercial e-mail messages and requires, among other things, that e-mail messages use correct header information, an accurate subject line and a valid return e-mail address. 15 U.S.C. '7704[a].

In some cases, the CAN-SPAM Act may be effective against use of a company's intellectual property in e-mail messages.

The Computer Fraud and Abuse Act, as well as state and local laws and regulations, have also been used to combat Internet fraud. 18 U.S.C. '1030.

In addition to legal action, technological and educational tools are also employed by intellectual property owners to combat online fraud: “Locking” software is available that can prevent some types of Web site copying; some Web site codes contain “Web bugs” or a similar call back that a Web server can log and use to identify Web sites that copy one's code; and many corporate Web sites are now adopting Web pages alerting customers to beware of online fraud and educating customers on the types of transactions to avoid or to question.

For all its positive attributes, the Internet has also served as a tool for criminals to exploit both the expansive reach of the network and the inherent anonymity it provides. While there are many obstacles to preventing Internet fraud, there are a growing number of tools available to corporations to tackle Internet fraud.

While not all online fraud directly involves intellectual property (for example, credit card theft), the tools used to deceive and mislead customers often misuse the trademarks, copyrights and domain names of well-known companies. Traditional forms of intellectual property protection, although adopted well before the Internet age, can be used to address online fraud issues. Moreover, legislation that increases penalties for Internet fraud is currently under congressional consideration. Further, state laws against spam and common law unfair competition could also be useful in supplementing federal law.

In the end, as online fraud continues to rise in frequency, individual and corporate victims have a full range of legal options with which to fight back. The ultimate question for lawyers is not whether there are any legal remedies available, but which legal remedies best fit the type of fraud facing one's client or company.

Internet fraud is becoming one of the most common and lucrative forms of crime in today's information-based economy. As the Internet has grown, so too have incidences of its misuse. How can intellectual property rights help fight this growing menace?

According to the Internet Fraud Complaint Center (IFCC) ' a collaboration between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center ' the incidence of cybercrime is increasing exponentially. The IFCC, which investigates Internet fraud and collects online complaints at its Web sites (www.ifccfbi.gov and www.ic3.gov), reports that the total number of complaints referred to on its Web sites tripled between 2002 and 2003. National White Collar Crime Center, IFCC 2002 Internet Fraud Report (2003). See, www.ifccfbi.gov/strategy/2002_ifccreport.pdf. Meanwhile, the number of complaints involving Internet fraud reported to the Federal Trade Commission (FTC) increased by 40% during 2003. FTC, National and State Trends in Fraud & Identity Theft (Jan. 22, 2004). See, www.consumer.gov/sentinel/pubs/Top10Fraud2003.pdf.

The FTC estimates that Americans lost more than $437 million due to online fraud in 2003. National and State Trends, supra. In November 2003, the U.S. attorney general's office, in cooperation with other federal agencies and law enforcement authorities, conducted Operation Cybersweep. This joint operation resulted in more than 100 investigations involving 125,000 victims, who claimed losses of more than $100 million. Press release, U.S. Department of Justice (Nov. 20, 2003), at www.usdoj.gov/usao/lae/hotnews/operation_cybersweep.htm.

Impact on Corporations

While many victims of cybercrime are individuals, corporations are also affected. Corporations are damaged directly by lost revenues and indirectly by misuse of their names and reputations, as well as by lost consumer confidence in conducting business online. Recent examples of fraud targeting large corporations include an instance when e-mail messages were allegedly sent from several corporations to consumers requesting personal identification and financial information, and an instance when a fraudulent Web site was established that appeared virtually identical to that of a well-known consumer goods retailer, which was then used to collect credit card and Social Security number information from unsuspecting consumers. Jason Gertzen, “Mugged by Your Machine,” Milwaukee J. Sentinel (Nov. 22, 2003).

While the foregoing examples are merely the tip of the iceberg, they demonstrate that Internet fraud does not only involve “hacking” into a corporate network, but relies upon deceiving consumers, often by unauthorized use of intellectual property.

The single most difficult obstacle in policing Internet fraud is identifying the criminals, who conceal their identities through, among other methods, use of fictitious names, false contact information and elaborate e-mail-routing schemes. The FBI, Secret Service, quasi-governmental organizations such as the IFCC and state and local law enforcement organizations investigate Internet fraud and provide information and assistance to consumers and corporations. Nevertheless, these organizations can be limited by budget constraints and resources available to respond to individual cases.

The IFCC Web site received more than 75,000 complaints between 2002 and 2003. See, IFCC report, supra. As the number of complaints grows each day, many corporations have chosen to investigate and police fraud on their own, using traditional intellectual property laws and recently adopted federal and state laws to combat Internet fraud.

Types of Internet Fraud

Internet fraud takes many different forms. According to statistics from the IFCC, online auction fraud, nondelivery of goods or services and identity theft are the most common forms of fraud.

Online auction fraud accounts for approximately 46% of Internet fraud. Typically, this fraud involves the misrepresentation of goods or services (ie, the buyer receives a far different product than what he/she agreed to purchase). Closely related to online-auction fraud is nondelivery of goods or services (ie, payment is sent to the seller, who never ships the goods to the buyer), which accounts for 31% of Internet fraud. Identity theft, which accounts for up to 12% of reported fraud, includes everything from the unauthorized use of Social Security numbers to use of fake or stolen credit/debit cards. See, IFCC report, supra.

Successful Internet fraud usually relies on the use of false e-mail addresses, cybersquatted domain names and fake Web sites. Each medium is effective on its own, but often very persuasive when used in combination. The IFCC estimates that 66% of fraud complaints involve communications with false e-mail addresses, and nearly 19% involve fake Web sites. See, IFCC report, supra. One method of using e-mail to commit Internet fraud is known as “spoofing” and involves the alteration of an e-mail message's embedded coding to make it appear that the message was sent by someone other than the person who actually sent it. For example, messages composed and sent from the e-mail address mailto:[email protected] could be manipulated to appear as if they were sent from the FBI (eg, from mailto:[email protected]).

Moreover, by creating a fake Web site that copies text and graphics from the fbi.gov Web site, a spoofer can further deceive consumers. Ultimately, the ability to fool consumers into believing that the message was sent from a legitimate entity can be used to obtain credit card, bank account and Social Security numbers, as well as untraceable wire-transfer payment particulars.

Another method of perpetrating Internet fraud is cybersquatting, which involves the bad-faith registration of trademarks or colorable imitations of trademarks (eg, Acme.com, Acme-services.com) as domain names. Like spoofed e-mail messages, cybersquatted domain names allow criminals to impersonate a well-known corporation and distribute false information, or to obtain sensitive or compromising information from deceived consumers.

Spoofing and cybersquatting used to obtain sensitive information is part of a phenomenon known as “phishing,” whereby criminals use fake e-mail messages linked to fake Web sites in order to bait the public into revealing personal and/or financial information that criminals can exploit. What makes these practices attractive to cybercriminals is that they allow third parties to tap into the good will inherent in trademarks and copyrighted material associated with popular and highly regarded brands, with little or no transaction costs. Further, the market-efficiency function of trademarks, while a cornerstone of today's economy, is nevertheless a double-edged sword: Consumers may rely on trademarks to accurately identify the source or origin of certain goods and services, which plays directly into the hands of cybercriminals.

Intellectual Property Options

As the basis for federal trademark protection, the Federal Trademark Act of 1946 (the Lanham Act) protects both registered and unregistered trademarks and trade names. Under the Lanham Act, use of another's trademark without the permission of the trademark owner may constitute trademark infringement and/or the related claim of false designation of origin. One of the goals of federal trademark law is protecting the public from the likelihood of consumer confusion. While not all types of Internet fraud directly relate to intellectual property, many instances of fraud involve some unauthorized use of trademarks, copyrights or domain names to deceive consumers and cause confusion (eg, the use of logos, images and e-mail addresses that are identical or similar to those of well-known companies).

In reality, it is difficult to bring claims of direct trademark infringement in cases of Internet fraud since the infringer in most cases cannot be identified easily. The alternative to direct infringement is to challenge those who contribute or enable criminals to commit fraud. Contributory trademark infringement may lie when the defendant has knowledge of the infringing activity and induces or contributes to the activity, such as the provision of Web and e-mail hosting services by Internet service providers (ISPs). Indeed, contributory trademark infringement liability in the context of the Internet has been recognized as a possible cause of action against ISPs. Gucci America Inc. v. Hall & Associates , 135 F. Supp. 2d 409 (S.D.N.Y. 2001).

Protection of material copied without authorization by cybercriminals (usually from legitimate Web sites may be available from the federal Copyright Act of 1976 and the Digital Millennium Copyright Act (DMCA). What has limited the effectiveness of the Copyright Act for infringement in cyberspace, as with direct trademark infringement, is the difficulty of determining the identity of infringers. As a result, copyright owners have taken action against the instrumentalities of the infringement, namely ISPs.

One of the leading cases relating to the liability of ISPs for hosting infringing material on their servers is Religious Technology Center v. Netcom , 907 F. Supp. 1361 (N.D. Calif. 1995). Following this case, questions arose as to exactly when ISPs can be held liable for the activities of subscribers. With passage of the DMCA in 1998, which provides that ISPs are immune from liability unless they have been notified of infringing activity and take no action to stop it, the law relating to ISP liability was clarified. 17 U.S.C. '512[c].

However, the limitations on liability apply to an ISP only if the service provider has designated an agent to receive notifications of claimed infringement, by making available through its service, including on its Web site in a location accessible to the public, and by providing to the U.S. Copyright Office, substantially the following information: the name, address, phone number and electronic mail address of the agent and other contact information which the register of copyrights may deem appropriate. 17 U.S.C. '512 [c][2].

Domain Names

Spoofed e-mail messages are often used with a cybersquatted domain name closely resembling a known company's trademarks and domain names. The cybersquatted domain name usually links to a Web site that copies the legitimate company's Web site or links to the legitimate company's actual Web site. One means of redressing cybersquatting is by using administrative dispute resolution, the most common being the Uniform Domain Name Dispute Resolution Policy (UDRP). A condition of registering most domain names is the agreement to submit to arbitration should a disagreement over ownership of the domain name arise.

According to the Internet Corp. for Assigned Names and Numbers (ICANN), more than 14,000 domain name arbitration cases have been decided to date. The appeal of UDRP is its relatively low cost compared to litigation and quick results (ie, usually less than 60 days). Domain-name arbitrators (usually former judges, law professors and well-known private practitioners) have the power to transfer or cancel registrations following the filing of a complaint and a response from the registrant.

Arbitrators are not bound by the Federal Rules of Evidence and must consider three factors in deciding whether a domain name should be cancelled and transferred: whether the domain name is identical or confusingly similar to a trademark of another; whether the registrant has any legitimate interests in the domain name; and whether the domain name was registered in bad faith. The allegation of fraud is usually a compelling indicator of bad faith. For example, a World Intellectual Property Organization (WIPO) arbitrator recently ordered that the domain name msnphone.com be transferred to Microsoft. The arbitrator's decision was based, in part, on the fame of the mark MSN and its use to commit fraud. Microsoft Corp. v. My Speedy Net Phone, WIPO Case No. D2003-0359 (July 15, 2003).

The disadvantage of the UDRP is that it provides no additional remedies other than transfer or cancellation of the subject domain name. If a plaintiff seeks to raise trademark or copyright infringement claims and seeks monetary damages, litigation under the Anticybersquatting Consumer Protection Act may be pursued in federal district court. The act provides for statutory damages of up to $100,000 for each domain name at issue, as well as attorney fees. 15 U.S.C. '1117[d]. Liability under the act results when a cybersquatter registers a domain name that is identical or confusingly similar to a protected trademark and the registrant has a bad-faith intent to profit from use of the domain name. 15 U.S.C. '1125[d].

Other Sources of Relief

Recently, President George W. Bush signed the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM Act), providing another tool for intellectual property owners to combat fraud. The CAN-SPAM Act is intended to address the dramatic increase of unsolicited commercial e-mail messages and requires, among other things, that e-mail messages use correct header information, an accurate subject line and a valid return e-mail address. 15 U.S.C. '7704[a].

In some cases, the CAN-SPAM Act may be effective against use of a company's intellectual property in e-mail messages.

The Computer Fraud and Abuse Act, as well as state and local laws and regulations, have also been used to combat Internet fraud. 18 U.S.C. '1030.

In addition to legal action, technological and educational tools are also employed by intellectual property owners to combat online fraud: “Locking” software is available that can prevent some types of Web site copying; some Web site codes contain “Web bugs” or a similar call back that a Web server can log and use to identify Web sites that copy one's code; and many corporate Web sites are now adopting Web pages alerting customers to beware of online fraud and educating customers on the types of transactions to avoid or to question.

For all its positive attributes, the Internet has also served as a tool for criminals to exploit both the expansive reach of the network and the inherent anonymity it provides. While there are many obstacles to preventing Internet fraud, there are a growing number of tools available to corporations to tackle Internet fraud.

While not all online fraud directly involves intellectual property (for example, credit card theft), the tools used to deceive and mislead customers often misuse the trademarks, copyrights and domain names of well-known companies. Traditional forms of intellectual property protection, although adopted well before the Internet age, can be used to address online fraud issues. Moreover, legislation that increases penalties for Internet fraud is currently under congressional consideration. Further, state laws against spam and common law unfair competition could also be useful in supplementing federal law.

In the end, as online fraud continues to rise in frequency, individual and corporate victims have a full range of legal options with which to fight back. The ultimate question for lawyers is not whether there are any legal remedies available, but which legal remedies best fit the type of fraud facing one's client or company.