The State of Cybersecurity 2017 – Simplicity 2.0 Podcast

“Cybersecurity is a constant challenge for businesses. Niel Harper, Managing Director of Octave Consulting Group, shares tips to protect your company’s infrastructure from security threats, and offers ways to stay a step ahead of malware, hacking, and other attacks.”

I recently sat down with the Economist Group and Laserfiche (Simplicity 2.0 Podcast) to discuss the management of cybersecurity risks. These types of interviews tend to get very abstract, so I purposely wanted to touch on topics that would resonate with both corporations and end users.

The podcast in its entirety can be found here.

6 Tips for Protecting Against Ransomware

The Internet Society has been closely monitoring the ransomware cyber-attacks that have been occurring over the last couple of days. The malware, which has gone by multiple names, including WannaCry, WannaDecryptor, and WannaCrypt, exploits a flaw in Microsoft Windows that was first reportedly discovered by the National Security Agency (NSA). A group of hackers leaked the code for exploiting this vulnerability earlier this year, and a fix or patch was available as far back as March 2017. Since Friday, 200,000 computers in 150 countries have been compromised using this exploit. The numbers are expected to grow exponentially as people settle back into their work routines and regular use of computer systems this week. As part of our continuing work in online trust and security, there are some key takeaways from this incident that we want to leave with our community.

Firstly, we want to highlight the extremely negative effects which government stockpiling of vulnerabilities and zero day attacks has on the overall security of the Internet. With over 60 countries known to be developing growing arsenals of cyber weapons, and with many of these exploits leaking into the public domain, the potential for widespread damage is a massive cause for concern. The impact is not only economic in terms of financial loss, but social in terms of how it impacts end user trust, and most importantly human in terms of loss of life (especially given that ransomware attacks have been focusing on hospitals). And with critical infrastructure like power plants, dams, and transportation systems being targeted in nation state cyber offensives, the threat to human life increases exponentially.

Secondly, it would appear that some hospitals are easy targets for ransomware attackers. Their systems house data that is critical to patient care and management, and many of these institutions don’t have the IT resources to support critical process areas like vulnerability management, patch management, business continuity management, etc. In general, hospitals are also now adapting to digital realities and a number of them are playing catchup with regards to cyber readiness. However, the aforementioned challenges are not unique to hospitals, and are faced by many small and medium enterprises (SMEs), and in several instances, large corporations. Individual users are also targeted based on their generally poor Internet hygiene or lack of security awareness.

We want to take this opportunity to emphasize the importance of good online security practices when accessing the Internet. So here are 6 basic tips for protecting against ransomware:

1. Employ strong, multi-layered endpoint security – Using endpoint security that can protect web browsing, control outbound traffic, protect system settings, proactively stop phishing attacks and continuously monitor for anomalous system behavior will allow for better protection of servers, laptops, tablets, and mobile devices.

2. Maintain regular backups of your critical data – Backups can help you to protect your data from more than just ransomware. Other risk events such as malware, theft, fire, flood or accidental deletion can all render your data unavailable. Be certain to encrypt your backed-up data so it can be effectively restored. Backups should also be stored at an offsite location isolated from the local network.

3. Do not open unsolicited emails or messages from unknown senders – Many ransomware variants are distributed through phishing attacks or email attachments. Increased mindfulness when handling ‘suspect’ emails can be effective in combating ransomware.

4. Patch your systems regularly – Patching your systems for vulnerabilities reduces the opportunities for hackers to infect you with ransomware. The fact that a patch was available for the WannaCrypt vulnerability since March highlights the somewhat lax attitude by organizations and individuals to keeping their system patches up to date. That being said, patch management is a complex activity and can impact the availability of key systems. Hence, thorough testing must be conducted to avoid unplanned downtime.

5. Disable macros if possible – Many forms of ransomware are distributed in Microsoft Office documents that attempt to trick users into enabling macros. There are a number of tools available that can limit to functionality of macros my preventing them from being enabled on files downloaded from the Internet.

6. Be aware and vigilant – For individuals, don’t assume that only techies need to know about all the recent malware and trends in online attacks. Subscribe to mailing lists that provide information on common vulnerabilities and exposures. In the case of organizations, developing an information security awareness program is an integral part of improving overall security posture.

Finally, we want to touch on the important work being done by the Online Trust Alliance (OTA), the Internet Society’s newest initiative. The OTA’s mission is to enhance online trust, user empowerment and innovation through convening multi-stakeholder initiatives, developing and promoting best practices, ethical privacy practices and data stewardship. With regards to preventing ransomware attacks, OTA has developed a number of industry best practices that address key threat areas such as email authentication and incident response. These are as follows:

Email Authentication:

Domain-based Message Authentication, Reporting & Conformance (DMARC):

Cyber Incident & Breach Response:

Additional OTA best practices, resources and guidance to help enhance online safety, data security, privacy and brand protection can be found here.

The Spam Toolkit developed by the Internet Society also provides some guidance on addressing online threats.

The Internet Society is committed to the enhancement of online trust, and our work along this vein spans multiple areas. Our goal is to continue to provide our individual members, organizational members, chapters, partners, and other constituents with timely and relevant information and resources that equip and empower them to act.

My original blog article was published on the Internet Society website at:

8 Reasons Why Cybersecurity Strategy and Business Operations are Inseparable

In modern society, there is one fact that is unquestionable: The hyper-connectivity of the digital economy is inescapable. A financial institution without an online presence or omni-channel strategy will cease to be competitive. Universities (for-profit or non-profit) must develop and continuously evolve their online learning capabilities if they are to stay relevant. Online retailers are quickly outpacing and rendering their ‘brick-and-mortar’ counterparts irrelevant. Travel agents have been largely relegated to dinosaur status in this era of online travel search aggregators and booking portals. A payments ecosystem mostly dominated by major card networks and processors now includes closed loop systems such as Apple Pay, Google Wallet and others. When we add the Internet of Things (IoT), robotics and artificial intelligence (AI) to the mix, the networked society has become a monolith that we simply cannot ignore.

What is most concerning about the ubiquity of technology is the multitude of cyber threats which organizations and individuals have to contend with. While the risks to individuals are relatively high as it relates to invasion of privacy, identity theft and financial loss, cyber-attacks can have a particularly critical impact on businesses. Depending on market and jurisdictional realities, the consequences can include heavy regulatory penalties, plummeting stock prices, lawsuits or mass layoffs — The effect on a company’s bottom line can be catastrophic.

But how are corporations responding to this ever-evolving threat landscape? The resulting strategies fall mostly into the following categories. There are the large organizations which employ the ‘3 lines of defense’ approach where an IT department owns and manages cyber risks, the operational risk and/or compliance departments specialize in risk management (including cyber), and the internal audit function provides independent assurance that cyber risks are being effectively managed. This approach is resource intensive and demands highly specialized (and costly) personnel. There are the generally under-staffed companies that limp along from day-to-day reacting to cyber-attack after cyber-attack, many of them not even aware that their systems and networks have been compromised. And finally, there are the SMEs that basically stick their heads in the sand and pretend that their operation is too small or insignificant to be the target of cyber criminals.

More often than not, business leaders across the board fail to recognize that cybersecurity is no longer the domain of the IT organization. Cybersecurity strategy is now business strategy, and the response to cyber threats is the responsibility of every individual that works for or runs a company. And here are 8 key reasons why this is undeniably the case:

  1. Corporate governance – A 2016 survey by Goldsmiths that included responses from 1,530 non-executive directors and C-level executives in the United States, United Kingdom, Germany, Japan and Nordic countries showed that 90% of respondents admitted to not being able to read a cybersecurity report and were not prepared to respond to a major attack. Even more worrisome was the fact that over 40% of executives did not feel that cybersecurity or protection of customer data was their responsibility. Let that sink in for a moment. This is why ensuring that cybersecurity is a running topic at executive and board level meetings is imperative for organizations. Even more, greater ownership should be ascribed to all levels of personnel for cyber risks. Cybersecurity culture is a collective effort that starts at the top and works its way down through the organization.
  2. Regulatory and legal compliance – Certain industries like banking, healthcare and energy are subjected to heavy regulatory burdens. And many of these regulations include requirements pertaining to privacy, data protection, and network security. In the US there are HIPAA, Gramm-Leach-Bliley, and FISMA. The EU has the NIS Directive and the GDPR. To address cross-border data flows between the EU and the US, there is Privacy Shield. To comply with this multitude of regulations, deep cyber and risk management capabilities must be embedded across organizations. Failure to do so can affect a company’s ability to stay in business. Period.
  3. Competitive advantage – Developing robust and effective internal controls to safeguard against cyber-attacks can equate to market leadership, brand strengthening, and product / service differentiation. For example, as more businesses look to AI, IoT and robotics to streamline processes and improve business performance, ensuring that these technologies are secure can increase revenues and drive bottom-line performance. In this respect, shareholders must not only expect cyber excellence, they should demand it.
  4. Financial management – There is clearly a direct correlation between cyber-related risk events (e.g. reputation damage, business disruption, fines, etc.) and financial loss. The severity and impact of such risks can be mitigated by integrating business strategy with cybersecurity strategy. The importance here is even more pronounced given the global economic downturn and depressed profits being experienced by several businesses.
  5. Public safety – An increasing number of companies are delivering products/services in the areas of smart grids, smart cities, automated public transit, power installations, autonomous vehicles, etc. Possessing core expertise in the alignment of cybersecurity and business operations will set these organizations apart in their respective market environments in terms of public safety […]

The full article can be found on the CircleID website at:

From Fragmentation to Integration to Harmonization: Outlining the Requirements for Effective Cyber Legislation Across CARICOM States


The Caribbean Community (CARICOM) is comprised of 15 Member States. Its chief purposes are to promote economic integration and cooperation among its members, to ensure that the benefits of integration are equitably shared, and to coordinate foreign policy. As it relates to cybersecurity, there are several programmatic deficiencies and significant fragmentation of efforts across Members states, primarily with regards to legislation.

There has been limited research exploring the regional harmonization of cyber laws across CARICOM. For example, some authors have touched on cyber-readiness at a high level, examining the cyber response capabilities of a few countries in the Caribbean region. However, these academic works have not provided an in-depth analysis of cyber legislation or enunciated the key requirements for legal reform. Others have broadened the scope of their cyber-readiness research to include Latin America and the Caribbean. However, lumping the Caribbean together with Latin America with regards to harmonized cyber legislation can be problematic due to factors such as history, language, traditionally weak political and commercial ties, size of countries, and disparate economic scenarios. In general, it must also be mentioned that cyber-readiness indicators don’t actually translate into a successful legislative framework or adequate protections against threat actors. Studies also fall short in articulating why harmonization is necessary for CARICOM Member States, and how the region compares to the likes of Europe, Asia-Pacific, and Africa with regards to a harmonized cybersecurity legal framework.

The scholarly justification for this paper is to challenge the effectiveness of the existing fragmented approach by first explaining why a harmonized cybersecurity legislative framework is important. I will then discuss some of the legal challenges associated with such an undertaking. Next, I will perform a comparative legal analysis with other regions that have taken similar steps, and use this as a lead-in to a SWOT analysis of CARICOM’s present cybersecurity posture. And finally, I will propose a legal framework that enables stakeholders in CARICOM Members States to more capably respond to transnational cybercrime.

Keywords: Cybersecurity, Cybercrime, Harmonization, Fragmentation, Integration, Cooperation, Cyber legislation

Read the full academic paper at:

The Role of Governments in Ensuring a Consistent Legal Framework for Internet Governance


The Internet is not an ethereal or otherworldly thing, and existing laws in the offline world are applicable to “cyberspace”. The Internet is for all intents and purposes a tool for making data available and for accessing it. But unfortunately, it is a tool that can be used by individuals and groups to conduct illegal activities. Similar to the offline world, governments have a social responsibility to develop laws that address criminal and illegal behaviors online. Hence, ensuring that an adequate and effective legal framework exists is an important role for governments.

Data protection and privacy

Data protection and privacy are high on top of the list of important legal issues, especially given that people are increasingly storing more of their data online and large amounts of data are collected, searched and manipulated electronically. In the EU, the Data Protection Directive 95/46/EC was established to provide a regulatory framework to guarantee secure and free movement of personal data across the national borders of the EU member countries, in addition to setting a baseline of security around personal information wherever it is stored, transmitted or processed.[1] However, although these laws conform to the Directive in terms of basic concepts and principles, they tend to be slightly different in many relevant details. The differences in the way that each Member State implemented the law have led to inconsistencies, which create complexity, legal uncertainty and administrative costs. This affects the trust and confidence of individuals and the competitiveness of the EU economy.

In January 2012, the European Commission (“the Commission”) presented a proposal for a General Data Protection Regulation (GDPR) to replace Directive 95/46/EC.[2] On 21 December 2015, the European Parliament and Council reached agreement on the data protection reform proposed by the Commission. The Regulation updates and modernizes the principles enshrined in the 1995 Data Protection Directive to guarantee privacy rights. It focuses on reinforcing individuals’ rights, strengthening the EU internal market, ensuring stronger enforcement of the rules, streamlining international transfers of personal data and setting global data protection standards.

Responses to the reforms haven’t been all positive. Bird & Bird lawyer Gabriel Voisin strongly maintained that, “The text adopted at today’s plenary session of the European Parliament is over-prescriptive. It will hamper Europe’s ability to take advantage of new ways of using data. This will put Europe at a disadvantage to other parts of the world that are embracing the new technologies”.[3] Christian Toon, Head of Information Risk at Iron Mountain, told that,“While consumers will welcome the fact that the European Parliament has voted through the EU’s first major overhaul of data protection legislation since 1995, many European businesses will be feeling nervous… The reality is that many remain underprepared… Businesses that fail to address the issue now not only run the risk of significant financial penalties in the near future, but may also risk serious reputational damage that will make customer retention more complicated.”[4]A number of other subject matter experts had similar comments.

Whether these criticisms are real or perceived, they represent a failed attempt at consensus between the European political establishment and its stakeholders. This has happened due to the fact that the GDPR was agreed to without adequate consideration of the 4000 amendments tabled by stakeholders, and the lack of political agreement among Member States in the European Council.[5] Consensus building is a critical aspect of Internet governance. The input of committed and informed stakeholders in decision-making processes, in their substantive roles and responsibilities, is imperative to verifying that outcomes are both effective and accepted. It also guarantees that diverse stakeholders can directly contribute to activities and are privy to their results. Consensus essentially facilitates solutions that meet the diverse needs of the Internet ecosystem, and moves the governance structure from top down to bottom up.

International Cooperation

The Internet is a cross-border platform and many of its legal and enforcement mechanisms necessitate international cooperation. The specific challenge posed by the cross-border aspect of the Internet is that activities that are legal in one country maybe illegal in another. Governments need to promote bilateral and inter-governmental agreements that support enforcement of the law. However, this is also the case in the offline world, where law enforcement can be bolstered through international cooperation between agencies. Governments have a responsibility to its citizens to cooperatively work together through international organizations such as the WTO, WIPO, Interpol and others in order to successfully combat illegal activity online.

A significant amount of international efforts have gone into the development of model laws for international cooperation and harmonization of cyber crime legislation. One example is the Council of Europe’s Convention on Cyber Crime.[6] The first of its kind, and the only effective global treaty on cybercrime, it was developed to address Internet and computer crime by harmonizing national laws, improving investigative techniques, and fostering international cooperation among nations. It tackles broad subject matter, dealing with infringements of copyright, computer-related fraud, child pornography and violations of network security. It also contains a series of powers and procedures, such as the search of computer networks and interception. There have been other attempts at creating model laws such as the Commonwealth Model Law on Cyber Crime and the Three ITU Model Laws – HIPCAR (Caribbean), ICB4PAC (Pacific Islands), and HIPSSA (Sub-Sahara Africa).[7] The Commonwealth Model Law was not widely adopted by many States, but the fact that much of its framework has been integrated into the ITU model laws has subsequently resulted in many of its requirements being applied to legislation in African, Caribbean, and Pacific (ACP) states.

Attempts at international harmonization of laws can be rife with challenges. In several instances, the omission of necessary provisions, defective language, fragmented drafting, integration of obscure and unsafe offenses and their variance away from and contradiction with established best practices inflict great damage to the objective of enhancing international cooperation against cyber crime. In many developing countries, the main challenge has been the unavailability of subject matter expertise in drafting legislation and regulations on cybercrime and electronic evidence. To solve this, government should look at broadening the communities with which they engage. Inviting the private sector and academia to participate in developing model laws can drastically improve the quality of legislative outputs. Additionally, seeking technical assistance from international organizations can also yield substantial benefits.


Internet governance, and the multistakeholder model it employs, is a reflection of the open and inclusive nature of the global Internet and has been an integral reason behind its amazing growth and success. Many governments have realized that deeper stakeholder engagement — including governments, businesses, civil society, the technical community and academic institutions — is the optimal approach to sharing knowledge, experience, competences and best practices when developing policies to address new opportunities and respond to emerging challenges.

Traditional models of governance that would institutionalize control over the Internet by governments and inter-governmental bodies cannot achieve these goals. Such rigid decision-making processes are unable to maintain pace with rapidly changing technological advancements that characterize the Internet, and the ever-evolving requirements of Internet users. Any attempts to superimpose traditional models would dampen innovation and constrain realization of the limitless benefits of an open Internet. It would risk stifling the dynamism that has allowed the Internet to deliver so many benefits and opportunities for economic growth and social welfare.

A revisionist approach to governments’ involvement in Internet governance should focus on overhauling the rules of engagement. These new rules would allow government officials to participate in architecting a new ‘distributed global governance framework’, with defined restrictions and in their macro-level role as public policymakers for Internet-specific matters. Notably, this function should not undermine the globally accepted norms and principles of Internet governance. Within a multistakeholder environment, all concerned parties could contribute to building a platform for further public policy elaboration. This could set the stage for the transformation of Internet governance into a truly international policy-making process. But in order for that to occur, we need visionary leaders, a change in mindset from control to collaboration, and strong political will.


Does ICANN’s UDRP Preserve Free Speech and Allow Room for Criticism?



The phenomenal growth of the Internet has resulted in a proliferation of domain names. The explosion of ‘.com’ registrations coincided with an increase in domain name disputes, and with it the legal branch of intellectual property devolved into virtual mayhem. ICANN’s Uniform Domain-Name Dispute-Resolution Policy (UDRP) was created to allow for trademark holders to challenge domain owners, bring the respondents into binding arbitration, and possibly gain control of the domain name in question. The UDRP was brought into force in October 1999, and it can be said that it has contributed handily to the resolution of domain name disputes. However, deeper investigation into the UDRP paints a different picture.

The fair use of domain names relative to non-commercial negative or critical statements is the subject of many UDRP grievances. Nonetheless, panelists still express divergent views as to whether this constitutes ‘fair use’. The evaluation of fair use hangs on the importance a panel attributes to the registrant’s right to freedom of expression in each case. In some cases, free speech is not viewed as a legitimate right under the UDRP to register a domain that is ‘indistinguishable’ from a complainant’s trademark for the purpose of criticism, even in the absence of commercial intent. An opposing view is also taken, where it is argued that non-commercial free speech is the justifiable fair use of a domain name to criticize a trademark owner. As such, a major complaint about the UDRP is that it is unconstitutional with respect to the protection of free speech.

‘Sucks’-Type Cases

A problematic feature of UDRP cases regarding free speech, and one that is linked to the ‘WIPO Overview Majority View’ is where ‘sucks’-type domain names are deemed as confusingly similar to complainant trademarks.

For example, in Walmart Stores, Inc. v Richard MacLeod, the panel explained that its decision to transfer to the complainant was based on its belief that “the phrase ‘identical or confusingly similar’ [is] greater than the sum of its parts”. The panel also concluded that their process does not examine if “the domain name causes confusion as to source… but instead whether the mark and domain name, when directly compared, have confusing similarity”. Taking into account that the respondent admitted that his original intention in registering the name was to sell it for profit, there was a strong argument for ruling in favor of the complainant based on the third element of the UDRP, which refers to a domain being used in bad faith. Moreover, the precedent established in Bally Total Fitness Holding Corp. v Faber should have been considered whereby it was held that the addition of “sucks” prevents any reasonable user from confusing that website with an official website.

In Royal Bank of Scotland Group plc v Pedro Lopez, the domain name <> was registered by the respondent, along with some other domain names that included the complainant’s mark. They all resolved to a site that incorporated criticisms of the complainant. Even though the domain name in question included ‘sucks’ after the mark, which could serve as a distinguishing factor, the panelist held that the use of a confusingly similar mark could not be determined as a legitimate non-commercial or fair use.

Another example is Chubb Security Australia Pty Ltd v Mr. Shahim Tahmasebi, where the respondent (a former employee of the complainant) utilized the <> domain name for a website that detailed the complainant’s poor employee relations practices. Acknowledging that the parties had no relationship to the U.S., the panelist adhered to other decisions that adopted the majority view and resolved that a ‘gripe’ site does not automatically endow any right or legitimate interest in a domain name. The panelist ultimately ruled against the respondent, concluding that “it is not in this panel’s view legitimate to use the complainant’s own trademark as a platform for criticizing the complainant itself.”

The cases above represent the majority view, and demonstrate that a large number of panelists have, with minimal analysis, applied the argument of the complainant in Wal-Mart Stores, that appending a ‘sucks’ or similar term to a trademark is not sufficient to eliminate confusion. One could easily surmise that the confusion test under the UDRP requires only the slightest degree of confusion, somewhat comparable to the ‘initial interest confusion’ doctrine under U.S. trademark law. A deeper investigation into the UDRP suggests that its original goals were to limit occurrences of classic or unfair competition cybersquatting. It was not developed with the intention to obstruct the use of domain names for reasonable criticisms of trademark owners. As the UDRP does not grant preemptive rights to trademark owners over the use of all variations of their mark in domain names, it can be ascertained that an authentic ‘sucks’-type website equates to a legitimate interest on the part of the registrant. As such, the WIPO majority view can be seen as restricting free speech and stifling criticism on the Internet.

Panel and Jurisdictional Issues

Another shortcoming of the UDRP is that it doesn’t specify which local laws should apply in domain name disputes. Inconsistencies transpire when panelists apply dissimilar precedents to similar factual themes, apply different local laws to cases with similar issues, or disregard local laws altogether. Furthermore, the panelists that review UDRP cases come from all corners of the globe. Consequently, the panelists, who ostensibly possess expertise is trademark law to start with, are likely to apply the laws that they are familiar with to the cases they are tasked with arbitrating. What this does is introduce jurisdictional bias into the decision-making process. While this issue is pretty much expected, it is exacerbated by the fact that complainants engage in forum shopping to prejudice results in their favor.

Concerns regarding panel and jurisdictional bias in fair use and free speech cases involving U.S. panelists and respondents have thus emerged. For instance, it has been discovered that panelists from the U.S. are more predisposed than those from other nations to rule in favor of respondents in fair use and criticism-related cases. Additionally, it was found that the chances of respondents from the U.S. succeeding in a fair use defense are higher than those originating from other countries. This means that, under the UDRP, respondents from the U.S. enjoy greater speech protections than those from other countries, and that arbitrators from the U.S. are more sympathetic to speech interests than arbitrators from other countries.

There are a few explanations for this. For one, the largest percentage of panelists originates from the U.S., making up 24% of all WIPO panelists. The next four countries with the greatest share of panelists are the UK (10%), Australia (6%), France (5%), and Switzerland (5%). Additionally, U.S. panels are deciding nearly 50% of all fair use cases. Finally, U.S. trademark law allows for uses of marks to criticize or comment on them, either under the fair use defense or a parody defense. Still, as previously mentioned, to the extent that a fair use defense exists in the UDRP rules, it tends to be ignored by panelists. This has the effect of creating a strong bias for trademark holders at the expense of guarantees over freedom of speech.

The Spanish Constitution includes explicit provisions that protect freedom of speech. Section 20 of the Spanish Constitution confers broad protections for the dissemination of information. This section ensures protection for “the right to freely express and spread thoughts, ideas, and opinions through words, in writing, or by any other means of reproduction.” In the past, this provision has been used in ruling that a statute that criminalized denials of genocide was unconstitutional. In reaching this decision, the Court argued that freedom of expression was essential to a democratic society. The exercising of the principle of free dissemination of ideas and opinions incorporates freedom to criticize. That freedom applies to all opinions, whether they are considered erroneous or dangerous or challenge the democratic system itself. As previously discussed, UDRP panels are inclined to ignore the rights of domain registrants to criticize trademark holders. Such criticism would likely constitute protected expression under the Spanish Constitutional Court’s jurisprudence, and the UDRP would violate the country’s free speech protections.

For domain disputes heard in Ireland, country-specific supplemental UDRP rules known as the ieDRP are used. However, the ieDRP prescriptions are quite similar to the UDRP rules. Unfortunately, similar concerns for freedom of speech exist with the ieDRP. Article 40 of the Constitution of Ireland protects the right to free speech and guarantees the “right of the citizens to express freely their convictions and opinions.” The UDRP represents an insular view of the right to free speech, highlighted by its liberal interpretation of the term “confusingly similar” and its confined view of the respondent’s “rights or legitimate interests in the domain name.” As such, it is in diametric opposition to the constitutional free speech protections of Ireland.

As is presently the case in the U.S., Spain, Ireland, and other countries, the UDRP violates constitutional protections over freedom of expression. And they aren’t simply technical violations, but actually indicators that the process is void of the fairness that such provisions were devised to safeguard. Moreover, the UDRP creates problems of legitimacy given its foundation in U.S. public law, the fact that it regularly conflicts with domestic law, and the absence of input from other nations.

Free Speech Issues with New gTLDs

With ICANN’s new gTLD system, trademark owners are expected to be proactive in either registering new gTLDs similar to their own marks, or at a minimum blocking registrations of such gTLDs by others. While trademark owners possess legitimate rights to protect their valuable commercial brands within the new gTLD space, either of these possibilities – registration or defensive objection to registration – has the potential to impact negatively on free speech. In the new gTLD program, successful applicants may choose to run their gTLD registry as open or closed registries; registrations within a closed registry would be available only to a specific type and a limited number of users.

For example, in early 2015, ICANN’s new gTLD Program Committee set a policy that limited registrations in the .doctor name space to strictly ‘medical practitioners’. This decision to summarily exclude various lawful users of the word, including persons who are Ph.D’s, DBAs, or Juris doctors, is a serious violation of free expression. In what could be viewed as a preventative measure for such occurrences, ICANN’s community set out to embed certain protections for freedom of expression in the new gTLD program via core principles in the GNSO’s final approved new gTLD policy. Take for instance Principle G in the new policy: “The string evaluation process must not infringe the applicant’s freedom of expression rights that are protected under internationally recognized principles of law.” Sadly, these provisions were replaced by so-called “Public Interest Commitments”, which ran contrary to the clauses that were designed to preserve Internet users’ free expression rights.

Another example of free speech violations in new gTLDs is where the American Bible Society (ABS), acting as registry for the .bible domain space, prohibited any content that they deemed unsuitable. In their published Acceptable Use Policy, the following was stated: Pointing to any content that, as determined in ABS’s sole discretion, espouses or promotes a religious, secular or other worldview that is antithetical to New Testament principles, including but not limited to the promotion of a non-Christian religion or set of religious beliefs.” This is clearly a form of censorship and suppression of freedom of speech.

But what do these examples have to do with the UDRP and free speech? The uniform adoption of the UDRP by all ICANN-accredited Registrars means that its use and application are geographically widespread. Failure to reform the UDRP and resolve major issues such as the narrow view of the term “confusingly similar”, forum shopping, disregard for local laws, and inconsistent use of precedence coupled with the increasing prevalence of closed registries, will lead to greater violations of fair use and free speech in domain disputes.


Given the phenomenal growth of the Internet, and the launch of new gTLDs, domain name disputes will increase in frequency. With this increase, we should expect trademark owners to continue to employ any and all means to protect their marks. However, this unbridled enthusiasm must not be permitted to deny domain registrants of their legitimate rights. In its present manifestation, the UDRP broadly violates the constitutions of the U.S., Spain, Ireland and numerous other countries. By disregarding protections over free speech, the UDRP weakens the fundamental concepts of fairness that these provisions were created to safeguard. A number of changes need to be made to the UDRP to formulate a more balanced framework between trademarks and free speech on the Internet.

One clear option would be to reform the UDRP thereby scaling back trademark infringement rulings, so they are restricted to scenarios where there is authentic consumer confusion as opposed to initial interest confusion. Furthermore, trademark dilution actions should seldom, if at all, be available in cases involving parody and critical commentary. The prevailing opinion should be that such occurrences are non-commercial, fair use and fall under the protections afforded to free speech. Also, the UDRP should be limited to cases of evident cybersquatting and bad-faith and not be extended to circumstances related to cybergripe or parody sites.

Finally, I believe it is imperative that ICANN completes its transition to an international multistakeholder body. This type of governance structure with underlying self-regulating constitutional principles can guarantee that free speech rights are protected while retaining much of the features that have made the UDRP attractive. Such an arrangement would appeal to nations on the legal and policy levels, and to trademark owners and registrants on an individual basis. It would drive policy uniformity, improve the consistency of decisions, legitimize the UDRP process, and increase accuracy in arbitrations. The UDRP would remain as an efficient apparatus for handling cybersquatting, and simultaneously ensure that dispute adjudication is fair and precise.

Why Domain Names Should Be Viewed as Property Rights


The legal status of domain names is one of the most hotly debated topics with regards to evolving property rights and how they should be applied to technological and intellectual property ‘innovations’ in cyberspace. At present, there are two opposing factions on this topic: On one hand, there are those who maintain that domain names should be considered as contracts for services, which originate from the contractual agreement between the registrant and the registrar. On the other hand, we have the parties who contend that domain names are intangible property rights that reside with the domain name holder.

As the law has evolved, property has been defined as “an abstract right or legally constructed relationship among people with respect to things” or “a bundle of rights, powers, privileges and immunities that define one’s relationship to a resource.” These theories have been beneficial more so for normal property rights, but law courts have found it quite challenging when attempting to determine how these concepts apply to domain names.

In this theme report, I will discuss service contract rights and the ‘bundle of rights’ property theory, as well as examine case law in a number of jurisdictions, and present an argument for why domain names should be considered as ‘property rights’.

Domain Names as Contracts for Service

A number of courts have categorized domain names as contracts for service. This in itself is not incorrect, as domain names are transferred to an individual through a contractual agreement between them and the domain name registrar. The role of the registrar is to provide a functional mapping and translation between the domain name and an IP address. The registrant maintains their right to the domain name as long as they pay the associated fee to the registrar and ensure that the domain name is not utilized in bad faith or infringes on the intellectual property of others.

An analogy has been made between domain names and telephone numbers, accompanied by an argument that both domain names and telephone numbers are allocated and ultimately managed by either a registrar or a telephone company, and as such should be recognized as a contract for use and services. Hence, a person who registers a domain name or is assigned a telephone number is simply the contractual holder of that resource and does not become its owner. Ownership remains with the registrar or phone company.

Dorer v. Arel was the first litmus test of the theory that domain names form contracts for service, and that owners have no property rights to them […]

The full article can be found on the Circle ID website at:


Towards the Single Telecoms Market: Analyzing the Performance of the Body of European Regulators for Electronic Communications (BEREC)


There is no doubt that BEREC’s performance to date has been generally satisfactory. It has so far fulfilled its functions in a commendable manner, most notably with regards to Article 7/7a procedures, in addition to its contributions to the dialogue on international roaming and net neutrality. It has federated the NRAs in a way that its predecessor failed to: it has compelled them to be more accountable to themselves and to consumers. It has enabled further harmonization and strengthened interactions between the Member States and the EU institutions. It can be said that BEREC’s uniqueness is based on two elements: On the one hand, it is a body uniting highly skilled professionals who perform their tasks independently from any public or private entity. On the other hand, BEREC comprises representatives of different Member States and allows for regular exchange and deliberation between them cascading the results of these processes to the European level.

BEREC’s independence, while imperfect, has proven to be a laudable feature of the organization. Its legal foundation (the Framework Directive) provides measures to ensure separation of powers and prevent unnecessary political or private sector capture. The mixed funding model in place serves to curtail any attempts by the providers of the body’s financing to obstruct the effectiveness of its activities in delivering trans-national or pan-European services. However, this is not to say that the independence of BEREC concerning the individual NRAs doesn’t require improvements, especially towards the goal of fashioning an overarching European groupthink that overrides the national interests of the constituent NRAs.

The current organizational structure from the technical to the decision-making level provides balance between stability and flexibility. It also leaves room for the negotiations to take place at different levels considering all views in an efficient manner. The EWGs have improved their performance and work in a more professional manner. In the last years, the quality of the reports has been enhanced at the same time that the deadlines are met in the practical totality of the cases. However, rules or guidelines for the EWG work may also be useful for the better functioning of BEREC.

BEREC’s lack of decision-making/enforcement powers can be a double-edged sword. On the one hand, it manifests as a weakness in cases where NRAs choose to reject opinions from BEREC, and pursue undertakings that run counter to the strengthening of the single market. On the other hand, it can serve as a balancing influence as it pertains to the regulatory powers of the Commission and the national regulators. Fortunately, BEREC has had a more balanced record whereby it has taken on several opinions that support the draft decisions of NRAs, and both the Commission and the national regulators have largely agreed with the opinions of BEREC in instances where there was divergence.

Clarity around its accountability continues to be a challenge for BEREC. The body was formed to provide expert opinions on relevant topics, define priorities and advise the EU institutions regarding the harmonization of the single market. It is of critical importance that BEREC demonstrate greater accountability for its own objectives. This can be achieved by documenting its commitments or tactical goals for each coming year, and then through reporting on its achievements to EU institutions at the close of the year.

Models of regulatory governance vary in the level of discretion granted to regulators. This determines the level of transparency required to reassure stakeholders and build legitimacy around regulatory decisions. European citizens and residents have very strong beliefs about the right to access information related to their political and legal institutions. Additionally, the Commission has been vigorously promoting open data and generating value through the re-use of a specific type of data – public sector information. Simply put, BEREC needs to demonstrate their commitment to openness and transparency to build greater trust and legitimacy among its stakeholders. There isn’t much more to it.

The ultimate success of the EU single market depends on the existence of a body that can effectively influence outcomes in national markets and begin to erode the pervasive ‘national’ market approach of Member States. The failure of the ERG is one of the main reasons why the European e-communications market remained a patchwork quilt of national markets for some time. BEREC has many of the elements to become a successful force in coordinating national approaches and bringing consistency through decentralized regulation. However, it could also become a major obstacle in harmonization policy of the Commission by becoming a center for European regulation that protects and lobbies national interests. The verdict is still out on which way the pendulum will swing.