WIPO Arbitration and Mediation Center

ADMINISTRATIVE PANEL DECISION

The Nature's Bounty Co. v. Matthew Pynhas, Matthew Pynhas

Case No. D2017-0736

1. The Parties

The Complainant is The Nature's Bounty Co. of Ronkonkoma, New York, United States of America, represented by Gowlings WLG (Canada) LLP, Canada.

The Respondent is Matthew Pynhas, Matthew Pynhas of Setubal, Portugal, self-represented.

2. The Domain Name and Registrar

The disputed domain name <nbty.global> is registered with 101domain GRS Limited (the "Registrar").

3. Procedural History

The Complaint was filed with the WIPO Arbitration and Mediation Center (the "Center") on April 11, 2017. On April 12, 2017, the Center transmitted by email to the Registrar a request for registrar verification in connection with the disputed domain name. On April 21, 2017, the Registrar transmitted by email to the Center its verification response confirming that the Respondent is listed as the registrant and providing the contact details. In response to a notification by the Center that the Complaint was administratively deficient, the Complainant filed an amendment to the Complaint on April 24, 2017.

The Center verified that the Complaint together with the amendment to the Complaint satisfied the formal requirements of the Uniform Domain Name Dispute Resolution Policy (the "Policy" or "UDRP"), the Rules for Uniform Domain Name Dispute Resolution Policy (the "Rules"), and the WIPO Supplemental Rules for Uniform Domain Name Dispute Resolution Policy (the "Supplemental Rules").

In accordance with the Rules, paragraphs 2 and 4, the Center formally notified the Respondent of the Complaint, and the proceedings commenced on April 25, 2017. In accordance with the Rules, paragraph 5, the due date for Response was May 15, 2017. The Response was filed with the Center on May 8, 2017.

The Center appointed Andrew D. S. Lothian as the sole panelist in this matter on May 30, 2017. The Panel finds that it was properly constituted. The Panel has submitted the Statement of Acceptance and Declaration of Impartiality and Independence, as required by the Center to ensure compliance with the Rules, paragraph 7.

4. Factual Background

The Complainant is a leading global manufacturer, marketer, distributor and retailer of vitamins, nutritional supplements, sports & active nutrition and ethical beauty products under a range of brands and is able to trace its history back to 1870. The Complainant currently offers 16,000 products that are sold in more than 100 countries around the world, maintaining facilities throughout the United States of America ("USA") and Canada, together with overseas offices in the United Kingdom of Great Britain and Northern Ireland, China, the Netherlands, Spain, South Africa and New Zealand. The Complainant noted in its 2015 Annual Report that it had generated worldwide net sales in excess of USD 3 billion.

The Complainant was formerly known as NBTY, Inc. until a name change on November 9, 2016. It has sold products in association with the trademark NBTY since as early as 1979. The Complainant is the owner of a variety of registered trademarks for the word mark NBTY INC. including USA registered trademark no. 2607076 registered on August 13, 2002 in international class 35 (inter alia, retail and wholesale store services all in the field of dietary, herbal, mineral and vitamin supplements). The Complainant has expended significant resources in advertising and promoting the NBTY INC. mark in connection with both commercial and charitable activities. In 2015, the Complainant reported that it spent approximately USD 198 million on advertising, USD 203 million on promotion, and USD 189 million on catalogs, including print, media and cooperative advertising. The Complainant has established a significant Internet presence including via the domain name <nbty.com> which was used for the Complainant's primary website for nearly 20 years. The Complainant maintains a portfolio of more than 30 nbty and nbty-formative domain names.

The disputed domain name was created on November 22, 2016. According to the WhoIs record, the Respondent is a person based in Setubal, Portugal. The disputed domain name does not resolve to any active website.

The Complainant claims that the disputed domain name has been flagged by Internet blacklist sites as being concerned with suspicious redirections to a website containing malicious software ("malware"), the domain name of which is also registered to the Respondent. The Complainant provides a screenshot showing a warning message displayed by the browser before the viewer reaches the page to which the Complainant says that the disputed domain name was redirecting traffic. This features a message stating inter alia "The site ahead contains malware / Attackers currently on [the destination domain name] might attempt to install dangerous programs on your computer that steal or delete your information…Google Safe Browsing recently detected malware on [the destination domain name]…".

The Respondent claims to be associated with a security company that engages in a practice called "DNS Sinkholing" which intercepts domain name system ("DNS") requests attempting to connect to known malicious or unwanted domains and returns a controlled Internet Protocol ("IP") address pointing to a sinkhole server. The Respondent claims to have registered the disputed domain name via a technique which identifies certain domain names which may be good sources of malicious information, including identifying domain names for which there is traffic being generated on a certain frequency but where the domain name does not exist or have any content.

The Respondent admits to being the respondent in two previous cases under the Policy, in both of which cases there was an allegation that the domain name concerned was pointing to malware, the Respondent did not reply to the complaint and transfer of the domain name was ordered.

5. Parties' Contentions

A. Complainant

The Complainant contends that the disputed domain name is confusingly similar to trademarks in which the Complainant owns rights; that the Respondent has no rights or legitimate interests in the disputed domain name; and that the disputed domain name was registered and is being used in bad faith.

The Complainant submits that the dominant element in the disputed domain name is the "nbty" element of the Complainant's NBTY INC. trademark, noting that the omission of the "inc." element and the addition of the generic top-level domain ("gTLD") ".global" are insufficient to distinguish the disputed domain name from such mark. The Complainant asserts that the inclusion of the mark with the gTLD enhances the false impression that the disputed domain name is somehow officially related to the Complainant.

The Complainant submits that it has not authorized, licensed, or otherwise permitted the Respondent to use the Complainant's trademarks nor to apply for any domain name incorporating such marks. The Complainant adds that the Respondent has never been, and is not currently, commonly known under the disputed domain name. The Complainant asserts that the Respondent has not used or made preparations to use the disputed domain name or a name corresponding to it in connection with a bona fide offering of goods or services or legitimate non-commercial purposes.

The Complainant contends that the Respondent is trading on the reputation of the Complainant's trademarks to redirect Internet traffic intended for the Complainant to a website that contains malware, noting that previous panels under the Policy have found that this does not give rise to a legitimate interest in the domain name concerned.

The Complainant submits that the Respondent registered the disputed domain name with full knowledge of the Complainant's rights for the purpose of intentionally attracting, for commercial gain, Internet users to the Respondent's website and redirecting Internet users to pages with malware or spyware by creating a likelihood of confusion with the Complainant's mark, amounting to evidence of bad faith use under paragraph 4(b)(iv) of the Policy. The Complainant notes that the disputed domain name was registered at a time when there was significant press coverage of the Complainant's change of corporate name from NBTY, Inc. to The Nature's Bounty Co. and contends that this strongly suggests opportunistic bad faith on the Respondent's part.

The Complainant notes that the Respondent is associated with approximately 9,795 other domain names and provides a sample which the Complainant says all redirect to a particular domain name owned by the Respondent which the Complainant says contains software that is malicious. The Complainant points out that the Respondent has been a respondent in the two other proceedings under the Policy noted in the factual background section above in each of which transfer was ordered.

B. Respondent

The Respondent requests that the Panel deny the remedies requested by the Complainant.

The Respondent states that it uses sinkholing to identify compromised hosts by analyzing sinkhole logs and identifying hosts that are trying to connect to known malicious domain names, using the data to assist its customers and third parties in remediating security issues. The Respondent adds that it frequently assists law enforcement in identifying and responding to cyber threats. The Respondent notes that its sinkhole server receives significant malicious traffic and that third party websites, including Google, often observe this traffic and incorrectly assume that the Respondent is propagating malware, warning visitors to these websites against visiting them. The Respondent adds that the alert is due to the fact that Google's systems are not sufficiently nuanced to determine that the Respondent is on the receiving end of vast quantities of malicious traffic rather than the instigator thereof.

The Respondent states that it has proprietary algorithms and techniques for identifying domain names which may be a good source of malicious information, registering such domain names and redirecting them to its sinkhole server to observe the activity. The Respondent indicates that it leaves the webpages on such domain names blank, posts no content and drives no traffic to the site. The Respondent asserts that it has no intent to disrupt any entity's business or to profit from any third party's business or trademark but rather provides a service to the Internet generally in reducing the propagation of malware and making the Internet a safer place to do business.

The Respondent states that it has not responded to UDRP complaints against it in the past because findings are made publicly available and the Respondent's activity could be harmed by publicity as propagators of malware may intentionally avoid its sinkholes. The Respondent notes that this has led to "erroneous findings" against the Respondent.

The Respondent asserts that it registers domain names based on its algorithms and does not have any interest in whether these are associated with another business or a trademark, adding that the Complainant's allegations that the disputed domain name was registered to trade on the reputation of the Complainant's trademarks or that it redirects traffic intended for the Complainant to malware are false and without merit. The Respondent argues that it has a legitimate interest in the disputed domain name as it is a part of its DNS sinkholing operations. The Respondent states that it anticipates that the disputed domain name will continue to provide the Respondent with data on compromised or misconfigured machines in the future.

The Respondent contends that its activities do not propagate malware and on the contrary protect users from malware, that it does not post any content, does not drive traffic to the disputed domain name and merely observes the activity on the disputed domain name itself. The Respondent submits that it provides a bona fide and important service to its customers and to a community of users on the Internet.

The Respondent asserts that it has no intent to disrupt any entity's business, to profit from any third party's business or trademark or to tarnish the trademark at issue. The Respondent submits that where a domain name falls within the scope of its algorithms and is registered this does not constitute bad faith registration. The Respondent notes that it has never sought to trade on the goodwill of or suggest any affiliation with another company. The Respondent insists that it did not register the disputed domain name with knowledge of the Complainant's trademark. The Respondent adds that it is not bad faith conduct to be associated with thousands of domains because of its operation of the sinkhole network.

The Respondent states that it has never offered the disputed domain name for sale or rental and did not register it to prevent another entity from purchasing it, nor did it intentionally attempt to attract, for commercial gain, Internet users to any web site or other on-line location, by creating a likelihood of confusion with the Complainant's mark or business.

6. Discussion and Findings

To succeed, the Complainant must demonstrate that all of the elements enumerated in paragraph 4(a) of the Policy have been satisfied:

(i) the disputed domain name is identical or confusingly similar to a trademark or service mark in which the Complainant has rights;

(ii) the Respondent has no rights or legitimate interests in respect of the disputed domain name; and

(iii) the disputed domain name has been registered and is being used in bad faith.

A. Identical or Confusingly Similar

There are two parts to the inquiry under the first element of the Policy. The Complainant must first demonstrate that it has rights in a trademark and secondly that the disputed domain name is identical or confusingly similar to such trademark.

The Complainant has demonstrated to the Panel's satisfaction that it has rights in the trademark NBTY INC. by virtue of its USA registered trademark as outlined in the factual background section above. The second level of the disputed domain name is identical to the first element of this mark, "nbty". The Panel agrees with the Complainant that this first element is the dominant and immediately striking element of the mark and that the omission of the comparatively non-distinctive element "inc." from the disputed domain name is insufficient to distinguish the disputed domain name from the mark.

Turning to the gTLD suffix of the disputed domain name, in this case ".global", the Panel notes that this is typically disregarded for the purposes of comparison on the grounds that it is wholly generic and required for technical reasons only. The Panel nevertheless accepts the Complainant's submission that if the gTLD were to be brought into the comparison it would serve to exacerbate confusion in this case as the activities of the Complainant's corporation are global in nature.

In all of these circumstances, the Panel finds that the Complainant's trademark is confusingly similar to the disputed domain name and thus that the first element under the Policy has been established.

B. Rights or Legitimate Interests

Paragraph 4(c) of the Policy lists several ways in which the Respondent may demonstrate rights or legitimate interests in the disputed domain name:

"Any of the following circumstances, in particular but without limitation, if found by the Panel to be proved based on its evaluation of all evidence presented, shall demonstrate your rights or legitimate interests to the domain name for purposes of paragraph 4(a)(ii):

(i) before any notice to you of the dispute, your use of, or demonstrable preparations to use, the domain name or a name corresponding to the domain name in connection with a bona fide offering of goods or services; or

(ii) you (as an individual, business, or other organization) have been commonly known by the domain name, even if you have acquired no trademark or service mark rights; or

(iii) you are making a legitimate noncommercial or fair use of the domain name, without intent for commercial gain to misleadingly divert consumers or to tarnish the trademark or service mark at issue".

The consensus of previous decisions under the Policy is that a complainant may establish this element by making out a prima facie case, not rebutted by the respondent, that the respondent has no rights or legitimate interests in a domain name. In the present case, the Panel finds that the Complainant has established the requisite prima facie case based on its submissions that it has not given the Respondent permission to use its NBTY mark, that the Respondent has never been commonly known under the disputed domain name and that there is evidence that the disputed domain name has been used to redirect traffic to a website that contains malware. In these circumstances, the burden of production shifts to the Respondent to bring forward evidence of its rights and legitimate interests in the disputed domain name.

For its part, the Respondent asserts that the disputed domain name has been registered within its large portfolio of domain names, based on a proprietary algorithm without reference to any trademark value, in order for use as part of its "DNS sinkholing operations". The Respondent denies that it propagates malware and states that it publishes no content on the disputed domain name and is merely observing the activity. The Respondent claims that this "bona fide and important service to its customers" gives rise to rights and legitimate interests within the meaning of the Policy.

First, the Panel notes that the Response consists entirely of assertion. The only independent evidence provided is two hyperlinks to websites which describe DNS sinkholes and the uses to which these may be put. While these provide the Panel with useful background on this topic, they do nothing to demonstrate who the Respondent is or what the Respondent actually is doing with the disputed domain name. Other than the Respondent's name, no information is provided as to the Respondent's identity. No evidence is put forward relating to the security company or companies with which the Respondent is said to be affiliated, what industry credentials the Respondent possesses or any similar details which would give the Panel a greater sense of the validity of the Respondent's claims regarding the disputed domain name. Indeed, this lack of evidence can be contrasted with the equivalent provided by the Complainant including a fulsome description of the fame of the Complainant's mark and showing that the disputed domain name has indeed been flagged by multiple entities as concerned with malware distribution. The Complainant's case is also consistent with the two previous cases brought under the Policy to which the Respondent chose not to respond.

The Respondent asserts that it is engaged in important security work but provides no evidence that this is so. The Panel is left with the impression, no matter how unfortunate this may seem from the Respondent's perspective, that the Respondent's self-characterization as an Internet security expert is perhaps rather too convenient, given that it allows the Respondent to remain relatively-speaking in the shadows while simultaneously claiming that it performs beneficial activities or important work which makes the Internet a safer place to do business. It is impossible for the Panel to verify the Respondent's claims.

Without providing any evidence of its credentials, the Respondent is not in a position to claim any credibility for its case based upon its alleged status. Placing the issue in starker terms, as far as the Panel is concerned, the Response could have been written by a "white hat" Internet security expert as is claimed but it could equally have been written by a "black hat" distributor of malware, given that both of these persons could reasonably be expected to understand the practice of DNS sinkholing and both might potentially be engaged in the bulk registration of domain names.

The Panel also finds the manner in which the Respondent has addressed the Complaint somewhat curious from the point of view of an assessment of its alleged rights and legitimate interests. On the one hand, the Respondent explains that it did not respond to the two previous cases brought against it under the Policy because its activities could be harmed by publicity related to its sinkholing and yet on the other hand it has chosen to respond to this particular Complaint. On the Respondent's account, providing a description of its alleged activities in the present case will presumably have the exact effect it had previously been seeking to avoid. Indeed, one might observe that the filing of the Response risks the Respondent, on its own account, being caused to "blow its cover" in a way which typically would not be expected of a person engaged in important Internet security work. It would be reasonable to expect that such a person would attempt to take a swift and responsible approach to third party trademark owners affected by its domain name registrations. Indeed, this type of approach is becoming more common in the case of other bulk registrants of domain names. For example, the Respondent might have attempted to open some form of confidential dialogue with an affected entity such as the Complainant at the earliest opportunity. This would have allowed explanations to be tendered and a resolution explored without the attendant glare of publicity. The fact that this did not occur, or if it did, that the Respondent makes no mention of it in its Response can hardly provide the Panel with any assurance of the genuineness of the Respondent's claims.

In these circumstances, on the present record, the Panel finds that the Respondent has failed to rebut the Complainant's prima facie case. The Panel observes, for completeness, that had the Respondent contributed evidence to support its claims, the Panel would not necessarily have found that the Respondent had rights and legitimate interests in the disputed domain name. If one assumes hypothetically that the Response accurately describes the Respondent's activities, this is clearly a commercial rather than a noncommercial use of a domain name. The Respondent receives a benefit from this use by sharing data with its customers. However, if the domain name is confusingly similar to a trademark, its use in this manner will lead to an evidently deleterious effect upon both the trademark and its owner should it become associated with an apparent distribution of malware. In the Panel's view, the Respondent cannot remain indifferent to this consequence. The use of an algorithm or other technical process to select the disputed domain name cannot absolve the Respondent of responsibility therefor. As section 2.15 of the WIPO Overview of WIPO Panel Views on Selected UDRP Questions, Third Edition ("WIPO Overview 3.0") states:

Apart from the circumstances surrounding their registration, to support a claim to rights or legitimate interests under the UDRP, the use of a disputed domain name must in any event not be abusive of third-party trademark rights.

In conclusion, the Panel considers that employing a domain name as a "DNS sinkhole" could in some circumstances amount to a use in connection with a bona fide offering of goods and services. However, the Panel does not consider that this is so in the circumstances of the present case, where the disputed domain name invokes third-party trademark rights. The same might have been said in respect of the two previous cases brought against the Respondent under the Policy, had the Respondent tendered a similar explanation in either of those proceedings. The domain names both in those cases and in the present case create confusion with trademarks. Their operation has the potential to lead to reputational damage on the part of the trademark owner if they are flagged in association with malware by well-known Internet agencies.

In any event, in the absence of evidence which is sufficient to rebut the Complainant's prima facie case under this element, the Panel finds that the Respondent has no rights or legitimate interests in the disputed domain name and therefore that the second element under the Policy has been established.

C. Registered and Used in Bad Faith

Paragraph 4(b) of the Policy provides four, non-exclusive, circumstances that, if found by the Panel to be present, shall be evidence of the registration and use of a domain name in bad faith:

"(i) circumstances indicating that you have registered or you have acquired the domain name primarily for the purpose of selling, renting, or otherwise transferring the domain name registration to the complainant who is the owner of the trademark or service mark or to a competitor of that complainant, for valuable consideration in excess of your documented out of pocket costs directly related to the domain name; or

(ii) you have registered the domain name in order to prevent the owner of the trademark or service mark from reflecting the mark in a corresponding domain name, provided that you have engaged in a pattern of such conduct; or

(iii) you have registered the domain name primarily for the purpose of disrupting the business of a competitor; or

(iv) by using the domain name, you have intentionally attempted to attract, for commercial gain, Internet users to your web site or other online location, by creating a likelihood of confusion with the complainant's mark as to the source, sponsorship, affiliation, or endorsement of your web site or location or of a product or service on your web site or location".

In the present matter, the Complainant's case focuses on the alleged distribution of malware. This is accompanied by supporting evidence from several providers of alerts including Google Safe Browsing, Spamhaus and an aggregator which states that URL scanners from Sophos, BitDefender and Fortinet report alternately that the website associated with the disputed domain name is a "malicious site" or a "malware site". The Respondent has explained that this is merely an effect of its good faith activity in connection with Internet security.

The Panel notes that it has doubts regarding the credibility of the Respondent's case along the lines expressed in the preceding section. No evidence has been provided in support of the Respondent's alleged good faith activities. That said, even if the Respondent's case is taken at its highest, the Panel doubts that the Respondent's activities involving the disputed domain name could be regarded as constituting registration and use in good faith. In this connection, the Panel finds some parallels with cases under the Policy relating to the use of large scale registration practices for the capture of valuable generic or dictionary word domain names for resale or the display of advertising links, for example Mobile Communication Service Inc. v. WebReg, RN, WIPO Case No. D2005-1304; and Media General Communications, Inc. v. Rarenames, WebReg, WIPO Case No. D2006-0964. As in the present matter, the panels in those cases were required to consider the situation where such large scale registration practices gave rise to the registration of domain names containing trademarks. In all such cases, the claimed intended purpose for the automated processes could, absent the trademark issue, have been characterized as good faith activity, namely either to obtain valuable generic domain names for resale or advertising purposes, or in the present case, to obtain suitable specimens for DNS sinkholing.

The panel in Media General Communications, Inc. v. Rarenames, WebReg, supra, found it of significance that the respondent in that case did not indicate what steps, if any, it had taken in good faith to avoid registering and using domain names that corresponded to trademarks, adding "The domain name in question is a short string of letters but it is not a dictionary word or descriptive phrase. Rather, it is suspiciously identical to the Complainant's arbitrary mark". This strikes a chord with the Panel in the present case where there is similar suspicious identity of the first and dominant element of the Complainant's trademark with the second level of the disputed domain name and the Respondent has provided no description of any good faith activity which it undertakes to avoid including trademarks in its domain names. As the Panel sees it, the Respondent's registration of numbers of domain names identified through automated processes, with no attention whatsoever to whether they may be identical to trademarks, can support a finding that the Respondent is engaged in a pattern of conduct that deprives trademark owners of the ability to register domain names reflecting their marks on the same basis as that described in Mobile Communication Service Inc. v. WebReg, RN, supra.

Furthermore, the categories of bad faith registration and use are not closed. The Panel considers that there is bad faith to be found in the apparent recklessness of the Respondent's conduct in registering volumes of domain names, which it knows will ultimately be flagged for the presence of malware, where no attempt is made by the Respondent to eliminate the presence of registered trademarks in such domain names. In every such domain name registration, a substantive risk exists that any included trademarks may be tarnished or their owners affected reputationally by the incipient malware warnings. The Respondent argues that the flagging of such domain names for malware is due to the lack of nuance in the systems of the Internet agencies who provide the scanning services on which the Complainant's case relies. However, the Panel considers that the Respondent must bear the greater responsibility for the situation. Without its involvement the domain name concerned would not exist at all, could not therefore be flagged for malware and thus would not lead to any adverse effect upon any trademark owner.

In respect of the indiscriminate bulk registration of domain names identified by an algorithm, the Panel considers that the Respondent is at best being "willfully blind" to the trademark value of those domain names which are ultimately selected by the process, in the sense described in Grundfos A/S v. Texas International Property Associates, WIPO Case No. D2007-1448. As section 3.2.3 of the WIPO Overview 3.0 notes, depending upon the facts and circumstances of a given case, this concept has been applied irrespective of whether the registrant is a professional domainer. The concept could in fact be extended in the present case to the use of the domain names concerned in that the Respondent is willfully blind not only to the trademark value of these but also to the detrimental effect their use is likely to have upon any trademark holder whose mark is represented therein.

While not all panels under the Policy accept the "willful blindness" approach in all cases, it will be apparent that this Panel considers that the concept is particularly apposite here. Nevertheless, even taking the alternative view of one very experienced panel on the topic, as discussed in Research In Motion Limited v. Privacy Locked LLC/Nat Collicot, WIPO Case No. D2009-0320, the Respondent's actions in the present case can still be condemned as bad faith on the basis of a limited form of constructive knowledge:

This Panel has never favoured constructive knowledge leading to findings of bad faith, but now concedes that these new practices of automated bulk transfers of domain names do necessitate a limited form of constructive knowledge if the Policy is not to fall into disrepute. The Panel believes it appropriate that purchasers of domain names should be taken to have knowledge of (a) what they have purchased and (b) how their domain names are being used. Accordingly, if a domain name, which they have purchased incorporates a third party's trade mark of which they are likely to have knowledge, they should be treated as having acquired that domain name knowingly and knowingly to have put the domain name to the use to which it is being put. Were it otherwise, automated bulk transfers of domain names would be the perfect shield for abusive registrations.

Likewise in the present case, if the Panel's approach were otherwise than to treat the Respondent as acting in bad faith due to its willful blindness to the consequences of its actions or due to its limited constructive knowledge, the alleged operation of DNS sinkholes by a respondent would form a perfect shield to a complaint under the Policy notwithstanding the potentially abusive effect of such registrations upon trademarks and trademark holders.

It follows from this analysis that the Panel finds that the disputed domain name has been registered and is being used in bad faith and therefore that the third element of the Policy has been satisfied.

7. Decision

For the foregoing reasons, in accordance with paragraphs 4(i) of the Policy and 15 of the Rules, the Panel orders that the disputed domain name <nbty.global> be transferred to the Complainant.

Andrew D. S. Lothian
Sole Panelist
Date: June 13, 2017