Bitwarden, Inc. v. Host Master / 1337 Services LLC
Claim Number: FA2306002050432
Complainant is Bitwarden, Inc. (“Complainant”), represented by Christine B. Redfield of Redfield IP PC, California, USA. Respondent is Host Master / 1337 Services LLC (“Respondent”), Saint Kitts and Nevis.
REGISTRAR AND DISPUTED DOMAIN NAME
The domain name at issue is <vaulbitwarben.com>, registered with Tucows Domains Inc.
The undersigned certifies that he has acted independently and impartially and to the best of his knowledge has no known conflict in serving as Panelist in this proceeding.
Richard Hill as Panelist.
Complainant submitted a Complaint to Forum electronically on June 23, 2023; Forum received payment on June 23, 2023.
On June 26, 2023, Tucows Domains Inc. confirmed by e-mail to Forum that the <vaulbitwarben.com> domain name is registered with Tucows Domains Inc. and that Respondent is the current registrant of the name. Tucows Domains Inc. has verified that Respondent is bound by the Tucows Domains Inc. registration agreement and has thereby agreed to resolve domain disputes brought by third parties in accordance with ICANN’s Uniform Domain Name Dispute Resolution Policy (the “Policy”).
On June 27, 2023, Forum served the Complaint and all Annexes, including a Written Notice of the Complaint, setting a deadline of July 17, 2023 by which Respondent could file a Response to the Complaint, via e-mail to all entities and persons listed on Respondent’s registration as technical, administrative, and billing contacts, and to postmaster@vaulbitwarben.com. Also on June 27, 2023, the Written Notice of the Complaint, notifying Respondent of the e-mail addresses served and the deadline for a Response, was transmitted to Respondent via post and fax, to all entities and persons listed on Respondent’s registration as technical, administrative and billing contacts.
Having received no response from Respondent, Forum transmitted to the parties a Notification of Respondent Default.
On July 24, 2023, pursuant to Complainant's request to have the dispute decided by a single-member Panel, Forum appointed Richard Hill as Panelist.
Having reviewed the communications records, the Administrative Panel (the "Panel") finds that Forum has discharged its responsibility under Paragraph 2(a) of the Rules for Uniform Domain Name Dispute Resolution Policy (the "Rules") "to employ reasonably available means calculated to achieve actual notice to Respondent" through submission of Electronic and Written Notices, as defined in Rule 1 and Rule 2. Therefore, the Panel may issue its decision based on the documents submitted and in accordance with the ICANN Policy, ICANN Rules, Forum's Supplemental Rules and any rules and principles of law that the Panel deems applicable, without the benefit of any response from Respondent.
Complainant requests that the domain name be transferred from Respondent to Complainant.
A. Complainant
Complainant states that it is a password management and security software company. Complainant’s products and services have helped the global community of online users manage their sensitive information easily and securely for over seven years. Complainant’s open source software is the foundation of its password management solution which is designed with the most security-conscious users in mind as it helps individuals, teams, and organizations worldwide. For individuals, Complainant offers the safest way to guard against password theft by creating and managing strong, unique passwords across all devices. For businesses, Complainant offers powerful, secure password management with complete administrative control to meet compliance requirements. Complainant’s password management platform sets strong security standards with collaboration features designed to simplify password sharing and boost online productivity for all users. To date, Complainant has nearly 7 million users of its product/service worldwide. In 2022, Complainant was named “Best Password Manager” by US News and World Report. Complainant’s password manager was also recently named the Best Password Manager or among the best password managers by Forbes, ZDNET, CNET, Wired and The Verge. Complainant has rights in the BITWARDEN mark through its registration of the mark in the United States in 2018. The mark is well known.
Complainant alleges that the disputed domain name is identical or confusingly similar to its BITWARDEN mark as it consists of a misspelling of the mark (the letter “d” is replaced with the letter “b”), merely adding the term “vaul”, which is a misspelling of the generic/descriptive term “vault”, and the “.com” generic top-level-domain name ("gTLD").
According to Complainant, Respondent lacks rights or legitimate interests in the disputed domain name. Respondent is not commonly known by the disputed domain name, nor has Respondent been authorized by Complainant to use its BITWARDEN mark. Respondent has not used the disputed domain name in connection with a bona fide offering of goods or services, or a legitimate noncommercial or fair use. Instead, the resolving website mimics and impersonates Complainant’s website, by providing a login page that is identical to Complainant’s login page at <vault.bitwarden.com>. Visitors to the resolving website who may be customers of Complainant are prompted to enter their login information to access their vaults which contain sensitive data such as passwords for all their online accounts. Visitors to the resolving website who are not yet customers of Complainant are invited to register by creating an account using an online form that is identical to Complainant’s registration form. This form requests additional information, including email address, name, master password and a master password hint.
Further, says Complainant, Respondent registered and uses the disputed domain name in bad faith. Respondent’s website disrupts Complainant’s business as Respondent registered the disputed domain name to pass off as Complainant and phish for user’s login credentials. Respondent had actual knowledge of Complainant’s rights to the BITWARDEN mark prior to registering the disputed domain name.
B. Respondent
Respondent failed to submit a Response in this proceeding.
Complainant owns the mark BITWARDEN and uses it to provide password management and security software and services.
Complainant’s rights in its mark date back to 2018.
The disputed domain name was registered in 2023.
Complainant has not licensed or otherwise authorized Respondent to use its mark.
Respondent uses the disputed domain name to pass off as Complainant to conduct a phishing scheme: the resolving website displays a login page that is identical to Complainant’s login page at <vault.bitwarden.com>, including Complainant’s mark and distinctive logo.
Paragraph 15(a) of the Rules instructs this Panel to "decide a complaint on the basis of the statements and documents submitted in accordance with the Policy, these Rules and any rules and principles of law that it deems applicable."
Paragraph 4(a) of the Policy requires that Complainant must prove each of the following three elements to obtain an order that a domain name should be cancelled or transferred:
(1) the domain name registered by Respondent is identical or confusingly similar to a trademark or service mark in which Complainant has rights; and
(2) Respondent has no rights or legitimate interests in respect of the domain name; and
(3) the domain name has been registered and is being used in bad faith.
In view of Respondent's failure to submit a response, the Panel shall decide this administrative proceeding on the basis of Complainant's undisputed representations pursuant to paragraphs 5(f), 14(a) and 15(a) of the Rules and draw such inferences it considers appropriate pursuant to paragraph 14(b) of the Rules. The Panel is entitled to accept all reasonable allegations set forth in a complaint; however, the Panel may deny relief where a complaint contains mere conclusory or unsubstantiated arguments. See WIPO Jurisprudential Overview 3.0 at ¶ 4.3; see also eGalaxy Multimedia Inc. v. ON HOLD By Owner Ready To Expire, FA 157287 (Forum June 26, 2003) (“Because Complainant did not produce clear evidence to support its subjective allegations [. . .] the Panel finds it appropriate to dismiss the Complaint”).
The disputed domain name consists of a misspelling of Complainant’s BITWARDEN mark (the letter “d” is replaced with the letter “b”), merely adding the term “vaul”, which is a misspelling of the generic/descriptive term “vault”, and the “.com” generic top-level-domain name ("gTLD"). Such changes do not distinguish the domain name from the mark under Policy ¶ 4(a)(i). See Morgan Stanley v. Francis Mccarthy / Baltec Marine Llc, FA 1785347 (Forum June 8, 2018) (“The [<morganstonley.com> and <morganstainley.com>] Domain Names are confusingly similar to Complainant’s marks, as they fully incorporate the MORGAN STANLEY mark, varying it only by subtle misspellings, omitting a space between the words, and adding the generic top-level domain (“gTLD”) ‘.com.’”); see also Bloomberg Finance L.P. v. Nexperian Holding Limited, FA 1782013 (Forum June 4, 2018) (“Where a relevant trademark is recognizable within a disputed domain name, the addition of other terms (whether descriptive, geographical, pejorative, meaningless, or otherwise) does not prevent a finding of confusing similarity under the first element.”); see also Milliman, Inc v. Domain Administrator, See PrivacyGuardian.org/Zhichao Yang, D2018-2178 (WIPO, Nov. 17, 2018) (finding that the addition of “benefis”, “bennefits”, “bnefits”, and “benefits” does not distinguish a disputed domain name from the complainant’s trademarks and ordering the transfer of <millimanbenefis.com>, <millimanbennefits.com>, <millimanbnefits.com>, and <millimannbenefits.com>); see also Home Depot Product Authority, LLC v. Angelo Kioussis, FA 1784554 (Forum June 4, 2018) (“The domain name contains the mark in its entirety, with only the addition of the generic letters ‘sb’ and the digits ‘2018,’ plus the generic Top Level Domain (“gTLD”) ‘.com.’ These alterations of the mark, made in forming the domain name, do not save it from the realm of confusing similarity under the standards of the Policy.”); see also Blue Cross and Blue Shield Association v. Shi Lei aka Shilei, FA 1784643 (Forum June 18, 2018) (“A TLD (whether a gTLD, sTLD or ccTLD) is disregarded under a Policy ¶4(a)(i) analysis because domain name syntax requires TLDs.”). Therefore the Panel finds that the disputed domain name is confusingly similar to Complainant’s mark under Policy ¶ 4(a)(i).
Complainant has not licensed or otherwise authorized Respondent to use its BITWARDEN mark. Respondent is not commonly known by the disputed domain name: under Policy ¶ 4(c)(ii), WHOIS information may be used to determine whether a respondent is commonly known by the disputed domain name. See Emerson Electric Co. v. Cai Jian Lin / Shen Zhen Shi colorsun Zi Dong Hua You Xian Gong Si, FA 1798802 (Forum Aug. 31, 2018) (“UDRP panels have consistently held that evidence of a registrant name that is materially different from the domain name at issue is competent evidence that the respondent is not commonly known by the domain name.”). Here, the WHOIS information for the disputed domain name lists the registrant as “Host Master / 1337 Services LLC”. Therefore the Panel finds that Respondent is not commonly known by the disputed domain name per Policy ¶ 4(c)(ii).
Respondent passes off as Complainant by copying Complainant’s website in order to deceive users into entering login and password information. Specifically, Complainant presented evidence showing that the resolving website provides a login page that is identical to Complainant’s login page; visitors to the resolving website who may be customers of Complainant are prompted to enter their login information to access their vaults which contain sensitive data such as passwords for all their online accounts. Using a disputed domain name to pass off as a complainant for the purpose of phishing for personal information is not a bona fide offering of goods or services, nor a legitimate noncommercial or fair use per Policy ¶¶ 4(c)(i) or (iii). See ShipChain, Inc. v. 谢东东 / 谢东东, FA 1785189 (Forum June 21, 2018) (“The resolving webpages between Complainant’s and Respondent’s websites are virtually the same. Respondent’s use of the disputed domain name does not confer rights and legitimate interests under Policy ¶¶4(c)(i) and (iii).”). Thus the Panel finds that Respondent fails to use the disputed domain name to make a bona fide offering of goods or services, or a legitimate noncommercial or fair use per Policy ¶¶ 4(c)(i) or (iii). And the Panel finds that Respondent does not have rights or legitimate interests in the disputed domain name.
Respondent (who did not reply to Complainant’s contentions) has not presented any plausible explanation for its use of Complainant’s mark. In accordance with paragraph 14(b) of the Rules, the Panel shall draw such inferences from Respondent’s failure to reply as it considers appropriate. Accordingly, the Panel finds that Respondent did not have a legitimate use in mind when registering the disputed domain name.
Indeed, as already noted, Respondent uses the disputed domain name to pass off as Complainant and phish for users’ personal information. Registration of a confusingly similar domain name with the intent to pass off as a complainant to phish for user information can evince bad faith registration and use per Policy ¶ 4(a)(iii). See Wells Fargo & Co. v. Maniac State, FA 608239 (Forum Jan. 19, 2006) (finding bad faith registration and use where the respondent was using the <wellsbankupdate.com> domain name in order to fraudulently acquire the personal and financial information of the complainant’s customers); see also Hess Corp. v. GR, FA 770909 (Forum Sept. 19, 2006) (finding that the respondent demonstrated bad faith registration and use because it was attempting to acquire the personal and financial information of Internet users through a confusingly similar domain name). Thus the Panel finds that Respondent registered and uses the disputed domain name in bad faith per Policy ¶ 4(a)(iii).
Further, Respondent registered the disputed domain name with actual knowledge of Complainant’s mark: the resolving website displays Complainant’s mark and distinctive logo. While constructive notice is insufficient to demonstrate bad faith, actual knowledge of a complainant’s rights in a mark prior to registration may be evidence of bad faith per Policy ¶ 4(a)(iii). See Custom Modular Direct LLC v. Custom Modular Homes Inc., FA 1140580 (Forum Apr. 8, 2008) (“There is no place for constructive notice under the Policy.”); see also Orbitz Worldwide, LLC v. Domain Librarian, FA 1535826 (Forum Feb. 6, 2014) (“The Panel notes that although the UDRP does not recognize ‘constructive notice’ as sufficient grounds for finding Policy ¶ 4(a)(iii) bad faith, the Panel here finds actual knowledge through the name used for the domain and the use made of it.”); see also Univision Comm'cns Inc. v. Norte, FA 1000079 (Forum Aug. 16, 2007) (rejecting the respondent's contention that it did not register the disputed domain name in bad faith since the panel found that the respondent had knowledge of the complainant's rights in the UNIVISION mark when registering the disputed domain name). The Panel finds that Respondent had actual knowledge of Complainant’s rights in the mark prior to Respondent’s registration of the disputed domain name and that this constitutes bad faith under Policy ¶ 4(a)(iii).
Having established all three elements required under the ICANN Policy, the Panel concludes that relief shall be GRANTED.
Accordingly, it is Ordered that the <vaulbitwarben.com> domain name be TRANSFERRED from Respondent to Complainant.
Richard Hill, Panelist
Dated: July 24, 2023
Click Here to return to the main Domain Decisions Page.
Click Here to return to our Home Page