The MITRE Corporation v. Timothy Kwok
Claim Number: FA2105001944297
Complainant is The MITRE Corporation (“Complainant”), represented by Tracy-Gene G. Durkin of Sterne, Kessler, Goldstein & Fox P.L.L.C., District of Columbia, USA. Respondent is Timothy Kwok (“Respondent”), California, USA.
REGISTRAR AND DISPUTED DOMAIN NAME
The domain name at issue is <cve.org>, registered with Network Solutions, LLC.
The undersigned certifies that he has acted independently and impartially and to the best of his knowledge has no known conflict in serving as Panelist in this proceeding.
Ho Hyun Nahm, Esq. as Panelist.
Complainant submitted a Complaint to the Forum electronically on May 7, 2021; the Forum received payment on May 7, 2021.
On May 12, 2021, Network Solutions, LLC confirmed by e-mail to the Forum that the <cve.org> domain name is registered with Network Solutions, LLC and that Respondent is the current registrant of the name. Network Solutions, LLC has verified that Respondent is bound by the Network Solutions, LLC registration agreement and has thereby agreed to resolve domain disputes brought by third parties in accordance with ICANN’s Uniform Domain Name Dispute Resolution Policy (the “Policy”).
On May 18, 2021, the Forum served the Complaint and all Annexes, including a Written Notice of the Complaint, setting a deadline of June 7, 2021 by which Respondent could file a Response to the Complaint, via e-mail to all entities and persons listed on Respondent’s registration as technical, administrative, and billing contacts, and to postmaster@cve.org. Also on May 18, 2021, the Written Notice of the Complaint, notifying Respondent of the e-mail addresses served and the deadline for a Response, was transmitted to Respondent via post and fax, to all entities and persons listed on Respondent’s registration as technical, administrative and billing contacts.
Having received no response from Respondent, the Forum transmitted to the parties a Notification of Respondent Default.
On June 10, 2021, pursuant to Complainant's request to have the dispute decided by a single-member Panel, the Forum appointed Ho Hyun Nahm, Esq. as Panelist.
Having reviewed the communications records, the Administrative Panel (the "Panel") finds that the Forum has discharged its responsibility under Paragraph 2(a) of the Rules for Uniform Domain Name Dispute Resolution Policy (the "Rules") "to employ reasonably available means calculated to achieve actual notice to Respondent" through submission of Electronic and Written Notices, as defined in Rule 1 and Rule 2. Therefore, the Panel may issue its decision based on the documents submitted and in accordance with the ICANN Policy, ICANN Rules, the Forum's Supplemental Rules and any rules and principles of law that the Panel deems applicable, without the benefit of any response from Respondent.
Complainant requests that the domain name be transferred from Respondent to Complainant.
A. Complainant
i) Complainant, The MITRE Corporation, is a not-for-profit corporation that conducts scientific research in the public interest. Complainant has rights in the CVE mark based on registration of the mark with the United States Patent and Trademark Office (“USPTO”) (e.g., Reg. No. 2,561,790 registered Aug. 7, 2001). Complainant has established common law rights in the CVE mark due to its continuous use of the mark in commerce since January 21, 1999. The disputed domain name is confusingly similar to Complainant’s mark as it incorporates the mark in its entirety, adding only the general top-level domain (“gTLD”) “.org.”
ii) Respondent lacks rights and legitimate interests in the disputed domain name as it is not commonly known by the disputed domain name and Complainant has not licensed or authorized Respondent to use the CVE mark. Additionally, Respondent does not use the disputed domain name for any bona fide offering of goods or services, nor for any legitimate noncommercial or fair use, because the disputed domain name currently resolves to an inactive website.
iii) Respondent registered and uses the disputed domain name in bad faith. Respondent either is affiliated with the inactive organization CVE, Inc. and provided false registration information on WHOIS, or Respondent is not affiliated with CVE, Inc. and uses the disputed domain name to create confusion and disrupt Complainant’s business for Respondent’s commercial gain. Respondent’s registration and use of the domain name is also in bad faith because it prevents Complainant from registering its mark as a domain name. Further, Respondent disrupts Complainant’s business because Respondent’s inactive website creates an impression that Complainant does not exist, or it may redirect Complainant’s consumers away from Complainant’s CVE product. Complainant asserts that Respondent presumably gains commercially from this practice. Respondent acquired the disputed domain name with actual knowledge of Complainant’s rights in the CVE mark.
B. Respondent
Respondent did not submit a response to this proceeding.
1. The disputed domain name was registered on July 30, 1998 and updated on February 24, 2018.
2. Complainant has rights in the CVE mark based on registration of the mark with the United States Patent and Trademark Office (“USPTO”) (e.g., Reg. No. 2,561,790 registered Aug. 7, 2001).
3. Complainant has established common law rights in the CVE mark (date of first use in commerce: January 21, 1999).
4. The disputed domain name remains inactive. Complainant’s attempts to navigate to the disputed domain result in a time-out error.
Paragraph 15(a) of the Rules instructs this Panel to "decide a complaint on the basis of the statements and documents submitted in accordance with the Policy, these Rules and any rules and principles of law that it deems applicable."
Paragraph 4(a) of the Policy requires that Complainant must prove each of the following three elements to obtain an order that a domain name should be cancelled or transferred:
(1) the domain name registered by Respondent is identical or confusingly similar to a trademark or service mark in which Complainant has rights; and
(2) Respondent has no rights or legitimate interests in respect of the domain name; and
(3) the domain name has been registered and is being used in bad faith.
In view of Respondent's failure to submit a response, the Panel shall decide this administrative proceeding on the basis of Complainant's undisputed representations pursuant to paragraphs 5(f), 14(a) and 15(a) of the Rules and draw such inferences it considers appropriate pursuant to paragraph 14(b) of the Rules. The Panel is entitled to accept all reasonable allegations set forth in a complaint; however, the Panel may deny relief where a complaint contains mere conclusory or unsubstantiated arguments. See WIPO Jurisprudential Overview 3.0 at ¶ 4.3; see also eGalaxy Multimedia Inc. v. ON HOLD By Owner Ready To Expire, FA 157287 (Forum June 26, 2003) (“Because Complainant did not produce clear evidence to support its subjective allegations [. . .] the Panel finds it appropriate to dismiss the Complaint”).
Complainant claims rights in the CVE mark through its registration with the USPTO (e.g., Reg. No. 2,561,790 registered Aug. 7, 2001). Registration of a mark with a national trademark agency is sufficient to demonstrate rights in a mark under Policy ¶ 4(a)(i). See Target Brands, Inc. v. jennifer beyer, FA 1738027 (Forum July 31, 2017) ("Complainant has rights in its TARGET service mark for purposes of Policy ¶ 4(a)(i) by virtue of its registration of the mark with a national trademark authority, the United States Patent and Trademark Office (“USPTO”).”). Therefore, the Panel finds that Complainant has rights in the mark under Policy ¶ 4(a)(i).
Complainant further argues that it has established common law rights in the CVE mark due to its use of the mark in commerce. Showings of the use of a mark in commerce may establish that a complainant has common law rights in a mark per Policy ¶ 4(a)(i). See loanDepot.com, LLC v. sm goo, FA 1786848 (Forum June 12, 2018) (“Complainant’s demonstration of continuous use in commerce and accompanying promotion and media recognition are adequate to sustain its claim of common law rights in the MELLO and MELLO SOLAR marks.”). Here, Complainant argues that it started using the CVE mark prior to the registration of the disputed domain name in association with its vulnerabilities listing service. The Panel notes that Complainant adopted the CVE mark in 1998 and first used the CVE mark with its vulnerabilities listing service, in commerce, on January 21, 1999. The Panel observes that Complainant’s demonstration of continuous use in commerce and accompanying promotion and media recognition are adequate to sustain its claim of common law rights in the CVE mark. Therefore, the Panel finds that Complainant has established common law rights in the mark per Policy ¶ 4(a)(i).
Complainant argues that the disputed domain name is confusingly similar to Complainant’s CVE mark because it incorporates the mark in its entirety, adding only the gTLD “.org.” A domain name is identical to a mark when it incorporates a mark in its entirety and merely adds a gTLD, in this case, “org.” See Scott Elowitz Photography, LLC v. zhang yinfeng / Hengshui Fn Fur Trading Co., Ltd, FA 1534428 (Forum Jan. 22, 2014) (holding, “The <lenscoat.org> domain name is identical to Complainant’s LENSCOAT under Policy ¶ 4(a)(i), because the domain name fully appropriates the mark and its affixation of the gTLD “.org” is insufficient to distinguish it from the mark.”); see also Tupelo Honey Hospitality Corporation v. King, Reggie, FA 1732247 (Forum July 19, 2017) (“Addition of a gTLD is irrelevant where a mark has been fully incorporated into a domain name and the gTLD is the sole difference.”). Furthermore, Complainant argues that the addition of the gTLD exacerbates confusing similarity since the “.org” gTLD corresponds to Complainant’s status as a non-profit organization. Therefore, the Panel finds the disputed domain name is confusingly similar to Complainant’s mark under Policy ¶ 4(a)(i).
Rights or Legitimate Interests
Complainant must first make a prima facie case that Respondent lacks rights and legitimate interests in the disputed domain name under Policy ¶ 4(a)(ii), then the burden shifts to Respondent to show it does have rights or legitimate interests. See Advanced International Marketing Corporation v. AA-1 Corp, FA 780200 (Forum Nov. 2, 2011) (finding that a complainant must offer some evidence to make its prima facie case and satisfy Policy ¶ 4(a)(ii)); see also Neal & Massey Holdings Limited v. Gregory Ricks, FA 1549327 (Forum Apr. 12, 2014) (“Under Policy ¶ 4(a)(ii), Complainant must first make out a prima facie case showing that Respondent lacks rights and legitimate interests in respect of an at-issue domain name and then the burden, in effect, shifts to Respondent to come forward with evidence of its rights or legitimate interests”).
Complainant argues that Respondent does not have rights or legitimate interests in the disputed domain name because Respondent is not commonly known by the disputed domain name, nor has Complainant authorized Respondent to use the CVE mark. Under Policy ¶ 4(c)(ii), when no response is submitted, WHOIS information can be used to identify a respondent and even if the WHOIS information reflects the disputed domain name, additional affirmative evidence is necessary to show a respondent is commonly known by that name. See Moneytree, Inc. v. Matt Sims / MoneyTreeNow, FA1501001602721 (Forum Mar. 3, 2015) (finding that even though the respondent had listed “Matt Sims” of “MoneyTreeNow” as registrant of the <moneytreenow.com> domain name, the respondent was not commonly known by the disputed domain name pursuant to Policy ¶ 4(c)(ii), because he had failed to list any additional affirmative evidence beyond the WHOIS information). Additionally, lack of authorization to use a mark is further evidence that a respondent is not commonly known by the mark. See Indeed, Inc. v. Ankit Bhardwaj / Recruiter, FA 1739470 (Forum Aug. 3, 2017) (“Respondent lacks both rights and legitimate interests in respect of the at-issue domain name. Respondent is not authorized to use Complainant’s trademark in any capacity and, as discussed below, there are no Policy ¶ 4(c) circumstances from which the Panel might find that Respondent has rights or interests in respect of the at-issue domain name.”). Here, the WHOIS information identifies “Timothy Kwok” as the registrant. However, Complainant asserts that there is no further evidence that Respondent is commonly known by that name. Complainant’s research shows that there was a nonprofit corporation called CVE, Inc. but this corporation dissolved in 2013. In 2013, the disputed domain name website was redirected to “Best Health Magazine.” These events happened after Complainant had registered for its mark in 2001. Complainant concludes that Respondent, be it the now-dissolved CVE, Inc., Best Health Magazine, or Timothy Kwok, cannot demonstrate rights or legitimate interest in the domain name. Additionally, Complainant asserts that it has not licensed or authorized Respondent to use the CVE mark. Thus, the Panel finds that Respondent is not commonly known by the domain name under Policy ¶ 4(c)(ii).
Furthermore, Complainant argues that Respondent does not use the disputed domain name for any bona fide offering of goods or services or legitimate noncommercial or fair use because the disputed domain name resolves to an inactive website and Respondent has not made any demonstrable preparation to use the domain. Inactive holding of a domain name without any sign of preparation for use generally does not qualify as a bona fide offering or goods or services under of Policy ¶¶ 4(c)(i) or (iii). See CrossFirst Bankshares, Inc. v Yu-Hsien Huang, FA 1785415 (Forum June 6, 2018) (“Complainant demonstrates that Respondent fails to actively use the disputed domain name as it resolves to an inactive website. Therefore, the Panel finds that Respondent fails to actively use the disputed domain name for a bona fide offering of goods or services or legitimate noncommercial or fair use under Policy ¶ 4(c)(i) or (iii).”); see also Activision Blizzard, Inc. / Activision Publishing, Inc. / Blizzard Entertainment, Inc. v. Cimpress Schweiz GmbH, FA 1737429 (Forum Aug. 3, 2017) (“Complainant insists that Respondent has made no demonstrable preparations to use the disputed domain name. When Respondent is not using the disputed domain name in connection with an active website, the Panel may find that Respondent is not using the disputed domain name for a bona fide offering of goods or services… As Respondent has not provided a response to this action, Respondent has failed to meet its burden regarding proof of any rights or legitimate interest in the disputed domain.”). Complainant asserts that Respondent has not made demonstrable preparations to use the disputed domain name, and Respondent has provided no response to Complainant’s action. Thus, the Panel finds that Respondent is not using the domain name for a bona fide offering of goods or services under Policy ¶¶ 4(c)(i) or (iii).
The Panel finds that Complainant has made out a prima facie case that arises from the considerations above. All of these matters go to make out the prima facie case against Respondent. As Respondent has not filed a Response or attempted by any other means to rebut the prima facie case against it, the Panel finds that Respondent has no rights or legitimate interests in the disputed domain name.
Complainant contends that Respondent registered and uses the disputed domain name in bad faith. If the registration of a disputed domain name predates a complainant’s first claimed rights in a complainant’s mark, complainant generally cannot prove registration in bad faith per Policy ¶ 4(a)(iii), as the Policy requires a showing of bad faith registration and use. See Platterz v. Andrew Melcher, FA 1729887 (Forum Jun. 19, 2017) (“Whatever the merits of Complainant’s arguments that Respondent is using the Domain Name in bad faith, those arguments are irrelevant, as a complainant must prove both bad faith registration and bad faith use in order to prevail.”); see also Faster Faster, Inc. DBA Alta Motors v. Jeongho Yoon c/o AltaMart, FA 1708272 (Forum Feb. 6, 2017) (“Respondent registered the domain name more than a decade before Complainant introduced the ALTA MOTORS mark in commerce. Respondent therefore could not have entertained bad faith intentions respecting the mark because it could not have contemplated Complainant’s then non-existent rights in [the mark] at the moment the domain name was registered.”).
The Panel notes that the registration of the disputed domain name predates Complainant’s first claimed rights in the CVE mark. Paragraph 3.8.1 of the WIPO Overview 3.0 sets out the consensus view of WIPO panels on the issue of post-dating trademarks as follows:
Subject to scenarios described in 3.8.2 below, where a respondent registers a domain name before the complainant’s trademark rights accrue, panels will not normally find bad faith on the part of the respondent. (This would not however impact a panel’s assessment of a complainant’s standing under the first UDRP element.) Merely because a domain name is initially created by a registrant other than the respondent before a complainant’s trademark rights accrue does not however mean that a UDRP respondent cannot be found to have registered the domain name in bad faith. Irrespective of the original creation date, if a respondent acquires a domain name after the complainant’s trademark rights accrue, the panel will look to the circumstances at the date the UDRP respondent itself acquired the domain name.
Complainant contends that the registration record for the disputed domain name was updated on February 24, 2018, suggesting that ownership of the domain name may have been transferred, long after Complainant acquired rights in its CVE mark. This transfer of ownership is tantamount to a new domain name registration registered and used in bad faith, since the domain name is confusingly similar to the CVE mark in which Complainant has prior rights. Alternatively, if the Registrant/Respondent is associated with CVE, Inc., the Registrant/Respondent updated the record with false information and uses the domain name in bad faith, since CVE, Inc. is no longer an active entity. Updating the registration record with false or inaccurate information is a violation of the Domain Name Registration Agreement with the Registrar. By registering or acquiring ownership of, and by continuing to use (or passively hold) the disputed domain name, the Registrant/Respondent prevents Complainant from registering its mark as a domain name and hinders Complainant’s ability to provide its CVE-branded services to its relevant consumers. It appears from captures on the Wayback Machine that the original, or an early, registrant of the disputed domain name may have been CVE, Inc., a California nonprofit corporation, providing vocational services to individuals with disabilities. According to public records, CVE, Inc. filed a Domestic Nonprofit Corporation Certificate of Election to wind up and dissolve the nonprofit corporation with the California Secretary of State on April 15, 2013. This filing comports with information found on the disputed domain name website, captured by the Wayback Machine on October 6, 2013, which states “CVE will be closing its doors on May 15, 2013. This website will remain live for three months after our closure.” Additional captures by the Wayback Machine reveal that beginning in 2014 and through 2015, the disputed domain name website redirected to “Best Health Magazine” at www.besthealthmag.ca. This suggests that ownership of the disputed domain name was transferred to an entity unrelated to CVE, Inc., which was then and remains today, a dissolved, inactive entity. This activity occurred long after Complainant acquired rights in the CVE mark. There are no captures on the Wayback Machine for the disputed domain name after 2016 showing anything other than an error code, and the disputed domain name currently does not resolve to an active website. Complainant’s attempts to navigate to the disputed domain result in a time-out error.
Complainant argues that the registration record is tantamount to a new domain name registration, and that it demonstrates Respondent’s bad faith registration of the disputed domain name since Respondent had knowledge of Complainant’s rights in the CVE mark at the time it acquired the disputed domain name. The Panel recalls Complainant’s arguments that even if the original registrant of the disputed domain name was known by the CVE mark, this entity no longer exists, and the various changes of the domain name’s resolving website over the years likely shows that ownership of the disputed domain name changed. As the Panel agrees, it finds Respondent acquired the disputed domain name with bad faith under Policy ¶ 4(a)(iii).
Complainant argues Respondent registered and uses the disputed domain name in bad faith because either Respondent is not affiliated with CVE, Inc. and registered for a domain name confusingly similar to Complainant’s mark, or Respondent is affiliated with CVE, Inc. and updated the registration record with false information because CVE, Inc. is no longer active. If Respondent is not affiliated with CVE, Inc., Complainant argues that Respondent registered and uses the disputed domain name in bad faith because it prevents Complainant from registering its mark as a domain name. Under Policy ¶ 4(b)(ii), bad faith is found when a respondent registered the domain name to prevent complainant from reflecting its mark in a corresponding domain name. See Kabushiki Kaisha Toshiba v. Tel. Island, D2004-0711 (WIPO Nov. 15, 2004) (finding bad faith registration and use pursuant to Policy ¶ 4(b)(ii) where the respondent registered the <toshibastrata.com> domain name to prevent the complainant from reflecting the TOSHIBA and STRATA marks in a corresponding domain name). The Panel finds bad faith under Policy ¶ 4(b)(ii).
Complainant argues that Respondent uses the disputed domain name in bad faith by inactively holding the disputed domain name. The Panel agrees that the passive holding of a domain name does not necessarily circumvent a finding that the domain name is being used in bad faith within the requirements of paragraph 4(a)(iii) of the Policy. See Telstra Corporation Limited v. Nuclear Marshmallows, WIPO Case No. D2000-0003 (finding that in considering whether the passive holding of a domain name, following a bad faith registration of it, satisfies the requirements of paragraph 4(a)(iii), the panel must give close attention to all the circumstances of the respondent’s behavior, and a remedy can be obtained under the Policy only if those circumstances show that the respondent’s passive holding amounts to acting in bad faith.)
The particular circumstances of this case that the Panel has considered are:
i) One of Complainant’s public interest services is to identify, review, and catalog vulnerabilities in computer network environments. In 1998, Complainant initiated work to achieve interoperability between vulnerability databases in its operational enterprise security environment. As a result of this work, Complainant scientists adopted and introduced the novel CVE (Common Vulnerabilities and Exposures) service as a mechanism to foster the sharing of vulnerability data. Complainant’s CVE service is a list of entries for publicly known cybersecurity vulnerabilities. These entries are used in numerous cybersecurity products and services from around the world, including the National Institute of Standards and Technology’s U.S. National Vulnerability Database. The list of Complainant’s CVE service is available to the public on the Internet and free to use. Complainant has offered this service online since at least as early as January 21, 1999. As such, the Complainant’s mark CVE is considered as being a well-known and reputable trademark; and
ii) Respondent has provided no evidence whatsoever of any actual or contemplated good faith use by it of the disputed domain name.
Taking into account all of the above, the Panel concludes that Respondent’s passive holding of the disputed domain name constitutes bad faith under Policy, paragraph 4(a)(iii) and that Respondent is using the disputed domain name in bad faith.
Having established all three elements required under the ICANN Policy, the Panel concludes that relief shall be GRANTED.
Accordingly, it is Ordered that the <cve.org> domain name be TRANSFERRED from Respondent to Complainant.
Ho Hyun Nahm, Esq., Panelist
Dated: June 16, 2021
Click Here to return to the main Domain Decisions Page.
Click Here to return to our Home Page