AVM Computersysteme Vertriebs GmbH v 3DNS Privacy, LLC, John Doe

ADMINISTRATIVE PANEL DECISION

AVM Computersysteme Vertriebs GmbH v. 3DNS Privacy, LLC, John Doe

Case No. D2024-0706

1. The Parties

The Complainant is AVM Computersysteme Vertriebs GmbH, Germany, represented by

Kleiner Rechtsanwälte Partnerschaf tsgesellschaf t mbB, Germany.

The Respondents are 3DNS Privacy, LLC, United States of America (“United States”), and John Doe, United

States (the “Respondent”).

2. The Domain Name and Registrar

The disputed domain name <fritz.box> is registered with NameSilo, LLC (the “Registrar”).

3. Procedural History

The Complaint was f iled with the WIPO Arbitration and Mediation Center (the “Center”) on February 15, 2024. On February 15, 2024, the Center transmitted by email to the Registrar a request for registrar verif ication in connection with the disputed domain name. On February 16, 2024, the Registrar transmitted by email to the Center its verification response confirming that the Respondent is listed as the registrant and providing the contact details.

The Center verif ied that the Complaint satisf ied the formal requirements of the Uniform Domain Name Dispute Resolution Policy (the “Policy” or “UDRP”), the Rules for Uniform Domain Name Dispute Resolution Policy (the “Rules”), and the WIPO Supplemental Rules for Uniform Domain Name Dispute Resolution Policy (the “Supplemental Rules”).

In accordance with the Rules, paragraphs 2 and 4, the Center formally notif ied the Respondent of the Complaint, and the proceedings commenced on February 23, 2024. In accordance with the Rules, paragraph 5, the due date for Response was March 14, 2024. The Respondent did not submit any response. Accordingly, the Center notif ied the Respondent’s default on March 15, 2024.

The Center appointed Andrew D. S. Lothian, Andrea Jaeger-Lenz and Phillip V. Marano as the Panel in this matter on April 9, 2024. The Panel f inds that it was properly constituted. The Panel has submitted the Statement of Acceptance and Declaration of Impartiality and Independence, as required by the Center to ensure compliance with the Rules, paragraph 7.

page 2

4. Factual Background

The Complainant is a German corporation, founded in Berlin in 1986. It is a manufacturer of products for various different types of broadband connection and devices for the digital home under the FRITZ! and FRITZ!Box trademarks. The Complainant notes that it sells its products in 30 countries worldwide, and maintains a range of partnerships with major network operators and Internet providers. It has 890

employees. The Complainant adds that it is actively involved in standardization in its industry and is a
member of the Broadband Forum, the Wi-Fi Alliance and the DECT Forum.

One of the Complainant’s main products is a line of Internet routers named “FRITZ!Box”. The Complainant provides evidence showing that, since at least 2004, the internal or private network domain name for accessing the user/conf iguration interface on these devices has been <fritz.box>. This is used by its customers in place of a local network IP address. The Complainant adds that network devices in the relevant local area network are provided with Domain Name System (DNS) hostnames in the format “[device-name].fritz.box” by the Complainant’s product. The <fritz.box> private domain name is printed on the label of all such products as well as in instruction manuals. A customer will type the <fritz.box> domain name into their browser to reach a login page in order to gain access to such device settings as Wi-Fi SSID name, password, parental controls, and certain smart home services including telephony and DVB-C television watching. If the attempt to resolve said domain name results in a query to the public DNS, it may return results for the disputed domain name, with potentially unintended or harmful results.

In terms of consumer awareness, the Complainant provides evidence in the form of a report dated March 21, 2022 showing that FRITZ! is the leading home networking brand in Germany with an 80% awareness among those surveyed, ranked fourth in Austria (47%), ninth in Italy (17%), and seventh in the Netherlands (21%). The Complainant notes that the report also illustrates the fact that it is better known by the FRITZ! brand name than it is by its corporate name.

The Complainant maintains a substantial portfolio of registered trademarks for the marks FRITZ! and
FRITZ!BOX including, for example European Union trademark No. 000916429 for the word mark FRITZ!,
registered on October 14, 1999 in Classes 9, 35, 38, 41, and 42, and European Union trademark
No. 003789906 for the word mark FRITZ!BOX, registered on September 15, 2005 in Classes 9, 38, and 42.
The Complainant has registered corresponding marks with the Trademark Clearinghouse. Since 2018, the
Complainant has also been the owner of the Internet domain name <fritz.com>.

According to both the Registrar’s verif ication and the WhoIs record supplied by the Complainant, the disputed domain name was registered on January 22, 2024. According to the Complaint, the disputed domain name formerly redirected to a webpage at <example.com> which the Complainant notes is reserved as a general place holder by IANA, and previously redirected to a default page for “.box” domain names at the domain name <my.box>. At the time of f iling the Complaint, the disputed domain name no longer resolved to any active website.

Little is known about the Respondent, which has not participated in the administrative proceeding. It has provided a patently false or f ictitious name, false address and false telephone number to the Registrar.

“.box” domain names such as the disputed domain name are “onchain” domain names with both “web2” and “web3” functionality. These domain names are owned and managed by a non-fungible token (“NFT”). The Complainant provides evidence that the NFT corresponding to the disputed domain name has been of fered for sale on the “ platform, a digital marketplace for crypto collectibles and NFTs, in the sum of ETH 420, translated on said site to USD 991,468.80. On said site, the Respondent is identif ied only as “DC8C7A”.

The Complainant has identified the Respondent’s crypto wallet key via the disputed domain name. In turn, via such wallet key, it has identified that the Respondent has also purchased the domain name <o2.box>, which is also listed for sale on the said digital marketplace for ETH 69. According to the Complainant, the internal or private domain name <o2.box> is used for the routers of o2, a subsidiary of Telefónica, one of the Complainant’s competitors and one of the largest Internet providers in the European Union. The

Complainant adds that o2 is one of the four largest Internet providers in Germany.

page 3

5. Parties’ Contentions
A. Complainant

The Complainant contends that it has satisfied each of the elements required under the Policy for a transfer of the disputed domain name.

Notably, the Complainant contends that the Second-Level Domain (“SLD”) of the disputed domain name contains all of the letters of the Complainant’s FRITZ! trademark absent the exclamation point, while if the Top-Level Domain (“TLD”) of the disputed domain name is also taken into account, this contains all of the letters of the Complainant’s FRITZ!BOX trademark, again absent the exclamation point. The Complainant asserts that this comparison establishes confusing similarity, adding that visual and phonetic similarity is also present. The Complainant adds that actual confusion has arisen in that there is evidence that some of its users are being redirected to the Respondent’s website.

The Complainant asserts that the Respondent has no rights or legitimate interests in the disputed domain name, adding that there are no indications of any preparations to use it for a bona f ide use, that the Complainant has not licensed its trademarks with respect to domain names, and that the Respondent cannot be known by the disputed domain name (1) because of the short time since the disputed domain name was registered, (2) because its use of a default page at the domain name <my.box> is not linked to any person but only refers to the domain name itself, and (3) because the Respondent’s identity has remained hidden. The Complainant also submits that the Respondent is already offering the disputed domain name for sale, and that this demonstrates that it had no intention to use the disputed domain name for itself . The Complainant suggests that its strong factual interest in the disputed domain name due to its being printed on the back of every router sold by the Complainant should be considered when weighing the interests of the Parties.

The Complainant contends that the disputed domain name was registered and is being used in bad faith, adding that the Respondent must have been notif ied of the Complainant’s rights via the Trademark Clearinghouse when it applied to register the disputed domain name and cannot have registered it without being aware of these. The Complainant asserts that the disputed domain name was registered with intent to sell it (and/or the corresponding NFT) for a high price when compared to the value for which it was acquired, almost 2,311 times higher than the price paid by the Respondent, adding that its impression is conf irmed by the fact that the Respondent is also of fering to sell the domain name <o2.box> (which itself provokes a malware warning). The Complainant notes that other domain names/corresponding NFTs owned by the Respondent are being used for phishing, suggesting that the Respondent’s intent is harmful, adding that further evidence of intent to commit fraud or abuse is found in the Respondent’s registration of <wpad.box> which it says could be used to control the Internet traf f ic of tens of millions of users of existing routers (including but not limited to those manufactured by the Complainant) using the “.box” domain name for their local network. The Complainant notes such a potential exploit has already received media coverage which may have provided a guide to the Respondent. The Complainant points to the deliberate anonymity adopted by the Respondent via a false name and contact details.

The Complainant asserts that the only explanation for the Respondent having registered both the disputed domain name and the domain name <o2.box> is that it appreciates their signif icance as internal/private domain names for Internet services and plans to exploit this in a pattern of conduct that intentionally targets router manufacturers and distributors and their customers. The Complainant apprehends that the

Respondent may use the disputed domain name to spread malware, for phishing, or to generate the highest possible sale price, and notes that it does not consider that the Respondent holds the disputed domain name passively in good faith.

B. Respondent

The Respondent did not reply to the Complainant’s contentions.

page 4

6. Discussion and Findings
A. Preliminary Matter – Identity of the Respondent

In cases involving a privacy or proxy service and irrespective of the disclosure of any underlying registrant, the appointed panel retains discretion to determine the respondent against which the case should proceed. Depending on the facts and circumstances of a particular case, e.g., where a timely disclosure is made, and there is no indication of a relationship beyond the provision of privacy or proxy registration services, a panel may f ind it appropriate to apply its discretion to record only the underlying registrant as the named

respondent. On the other hand, e.g., where there is no clear disclosure, or there is some indication that the privacy or proxy provider is somehow related to the underlying registrant or use of the particular domain name, a panel may f ind it appropriate to record both the privacy or proxy service and any nominally
underlying registrant as the named respondent. WIPO Overview of WIPO Panel Views on Selected UDRP
Questions, Third Edition, (“WIPO Overview 3.0”), section 4.4.5.

In the present case, the Panel determines that the Respondent in the administrative proceeding should be both the apparent privacy service, 3DNS Privacy LLC, and the alleged registrant of the disputed domain name, “John Doe”. The latter is a plainly false and fictitious name, which, as noted above, is accompanied by an equally false address and telephone number. It is likely that the only part of the Respondent’s contact details that is accurate and that might lead to the person who registered the disputed domain name is the Respondent’s email address.

It appears to the Panel that the Registrar cannot have performed even the most cursory review of such contact details upon its acceptance of the Respondent as its customer. Such details could not on any reasonable view be thought of as reliable contact information within the terms of the ICANN 2013 Registrar Accreditation Agreement (“RAA”), section 3.7.7.1, being a term with which the Registrar is required to use commercially reasonable efforts to enforce compliance (section 3.7.7, ibid). The submission of this contact information as the underlying registrant of the disputed domain name in the present case strongly suggests to the Panel that the Registrar’s ef forts to ensure compliance with the relevant section of the RAA were inadequate, whether commercially reasonable or not. The Panel requests that the Center share this decision with ICANN so that ICANN may consider what actions it may wish to take, in the context of the Registrar’s contractual compliance or otherwise.

The RAA goes on to state, at section 3.7.7.3, as follows: “Any Registered Name Holder that intends to license use of a domain name to a third party is nonetheless the Registered Name Holder of record and is responsible for providing its own full contact information and for providing and updating accurate technical and administrative contact information adequate to facilitate timely resolution of any problems that arise in connection with the Registered Name. A Registered Name Holder licensing use of a Registered Name according to this provision shall accept liability for harm caused by wrongful use of the Registered Name, unless it discloses the current contact information provided by the licensee and the identity of the licensee within seven (7) days to a party providing the Registered Name Holder reasonable evidence of actionable harm.” In these circumstances, it seems reasonable to the Panel to include the privacy service originally named by the Complainant in this case as a Respondent. The Panel has decided to include the plainly false or f ictitious name of the Respondent in addition, as this may facilitate cooperation between other

organizations or individuals that may have been affected by the Respondent’s conduct, and likewise may facilitate anti-abuse measures by domain name registries and registrars with validation requirements for suspicious or patently false or f ictitious registration data.

B. Identical or Confusingly Similar

It is well accepted that the f irst element functions primarily as a standing requirement. The standing
(or threshold) test for confusing similarity involves a reasoned but relatively straightforward comparison

between the Complainant’s trademark and the disputed domain name. WIPO Overview 3.0, section 1.7.

The Complainant has shown rights in respect of a trademark or service mark for the purposes of the Policy.
WIPO Overview 3.0, section 1.2.1.

page 5

The Panel f inds the mark is recognizable within the disputed domain name. Accordingly, the disputed domain name is confusingly similar to the mark for the purposes of the Policy. WIPO Overview 3.0, section 1.7. The Panel notes for completeness that whether the SLD of the disputed domain name is compared to the Complainant’s FRITZ! trademark (and the TLD disregarded, see WIPO Overview 3.0, section 1.11.2) or the SLD and TLD in combination are compared to the Complainant’s FRITZ!BOX trademark (see WIPO Overview 3.0, section 1.11.3) the only difference is the presence of the exclamation point in the respective trademark, which in itself may not be reproduced in a domain name for technical reasons and can therefore be ignored for comparison purposes. See e.g., Brett Habenicht v. Plantation Coffee Roasters, Inc., WIPO Case No. D2003-0770 (since “javajava” in the domain name dif fers f rom the Complainant’s trademark JAVA! JAVA! only by the omission of the exclamation points, the absence of punctuation does not alter the fact that the domain name is identical to the trademark.)

The Panel f inds the f irst element of the Policy has been established.

C. Rights or Legitimate Interests

Paragraph 4(c) of the Policy provides a list of circumstances in which the Respondent may demonstrate rights or legitimate interests in a disputed domain name.

Although the overall burden of proof in UDRP proceedings is on the complainant, panels have recognized that proving a respondent lacks rights or legitimate interests in a domain name may result in the difficult task of “proving a negative”, requiring information that is of ten primarily within the knowledge or control of the respondent. As such, where a complainant makes out a prima facie case that the respondent lacks rights or legitimate interests, the burden of production on this element shifts to the respondent to come forward with relevant evidence demonstrating rights or legitimate interests in the domain name (although the burden of proof always remains on the complainant). If the respondent fails to come forward with such relevant evidence, the complainant is deemed to have satisf ied the second element. WIPO Overview 3.0,

section 2.1.

Having reviewed the available record, the Panel finds the Complainant has established a prima facie case that the Respondent lacks rights or legitimate interests in the disputed domain name. The Respondent has not rebutted the Complainant’s prima facie showing and has not come forward with any relevant evidence demonstrating rights or legitimate interests in the disputed domain name such as those enumerated in the Policy or otherwise.

Despite the fact that the Respondent has not presented any rebuttal of the Respondent’s prima facie case, it has occurred to the Panel that one line the Respondent might have attempted to take would have been to assert that it is a domain name investor that has merely registered a common f irst name, “Fritz” in an

available generic TLD, and is offering this for general sale without any attempt to target the Complainant. Such line, had it been taken in the present case, would have been discounted by the Panel on the basis that the overwhelming evidence produced by the Complainant is more than sufficient for a f inding on the balance of probabilities that the Respondent intended specifically to target the Complainant’s FRITZ! and FRITZ!BOX trademarks by way of the disputed domain name. There is evidence that the Complainant’s trademark is, if not globally well-known, distinctive for the given products, and benefits from significant brand recognition in several of its principal marketplaces, for purposes of the Policy. Furthermore, the mark will have been used by all of the Complainant’s customers when setting up their relevant products via the internal domain name matching exactly the disputed domain name.

Most importantly, any doubt as to the Respondent’s intentions is comprehensively dispelled by the Complainant’s evidence that the Respondent has also registered the domain name <o2.box>. The Panel considers it to be beyond coincidence that both of these domain names happen to reflect the internal private network domain name used by routers manufactured by the Complainant and a third party that are already present and active in many homes across the world. Given this fact, it seems most likely to the Panel that the Respondent intends to exploit name collisions between the private domain names operating the various network products and the public domain name that is the disputed domain name.

page 6

According to ICANN, “a name collision occurs when an attempt to resolve a name used in a private name space (e.g., under a non-delegated Top-Level Domain, or a short, unqualified name) results in a query to the public Domain Name System (DNS). When the administrative boundaries of private and public namespaces overlap, name resolution may yield unintended or harmful results”. [1] It is clear to the Panel that the

registration of a public domain name in a deliberate attempt to provoke such name collisions with a
distinctive and widely used private domain name categorically would not confer rights and legitimate interests
upon a respondent within the meaning of the Policy. That the Respondent’s intentions are to provoke name
collisions for malicious reasons may be seen from the fact that the Respondent’s domain name <o2.box>,
which appears to target the Complainant’s competitor and its corresponding customers, is currently giving
rise to a malware warning in certain circumstances. The Complainant’s apprehension that the disputed

domain name may be used in the same way strikes the Panel as reasonable.

The Panel f inds the second element of the Policy has been established.

D. Registered and Used in Bad Faith

The Panel notes that, for the purposes of paragraph 4(a)(iii) of the Policy, paragraph 4(b) of the Policy establishes circumstances, in particular, but without limitation, that, if found by the Panel to be present, shall be evidence of the registration and use of a domain name in bad faith.

In the present case, as discussed in the previous section of this Decision, the Panel notes that the Respondent has registered a domain name matching the Complainant’s trademark and private domain name, which is used by the Complainant’s customers to conf igure the Complainant’s various products, in order to provoke name collisions for malicious reasons. Furthermore, the Respondent has done so in the knowledge of the Complainant’s rights. On no view could this be regarded as a good faith activity within the meaning of the Policy. To the extent that the name collision concerned may not at present necessarily be causing harmful results (while mindful of the fact that some of the Complainant’s customers have been reporting issues, and that an ongoing result has been noted in the case of the Respondent’s other similar domain name, <o2.box>) the Panel considers in any event that the presence of the disputed domain name in the hands of the Respondent represents an abusive threat hanging over the head of the Complainant and therefore a continuing abusive use. See SODEXO v. Domain ID Shield Service, Domain ID Shield Service CO, Limited / zhang yan sheng, GNAME.COM PTE. LTD., WIPO Case No. D2021-0790 and Conair Corp. v. Pan Pin, Hong Kong Shunda International Co. Limited, WIPO Case No. D2014-1564. The Panel notes that the Respondent’s overall bad faith intentions are also evident f rom its registration of the domain name <wpad.box>, which based upon the Complainant’s submissions is also likely to form part of an attempted malicious exploit against the Complainant’s customers and those of others.

Turning to the fact that the disputed domain name has been of fered for sale in a substantial amount, the Panel notes that this in itself could give rise to a f inding of registration and use in bad faith in the circumstances of this case. It is clear, taking the disputed domain name as a whole, that it is intended to mimic the Complainant’s internal or private domain name as well as its trademarks. The Panel is satisf ied, therefore, that the Respondent is targeting the Complainant, and that while the disputed domain name appears to be being of fered for general sale, it is nevertheless clear that the Respondent expects the disputed domain name to be purchased by the Complainant for a substantial sum in the hope of avoiding the threat to its customers of potential name collisions, and that the Respondent has fixed the price accordingly. (The Panel notes that following on from its observation of a hypothetical personal name use, the sum sought does not strike the Panel as prima facie reasonable for an individual purchaser.) On this topic, the Panel notes that the fact that the disputed domain name is in a TLD that is blockchain native and DNS routable, and that it is the corresponding NFT that is being offered for sale, is of no particular signif icance f rom the point of view of the applicability of the Policy. As the Panel understands it, ownership of the NFT is required for and equivalent to ownership of the disputed domain name itself . The of fering of the NFT for sale is therefore equivalent to the of fering of the disputed domain name for sale, and as far as the Panel is concerned, this particular circumstance either falls within the wording of the Policy, paragraph 4(b)(i), or, given that the examples in paragraph 4(b) are expressed to be non-exhaustive, within the more general meaning of registration and use in bad faith in terms of the Policy, paragraph 4(a)(iii).

page 7

The Panel adds that it has not overlooked the fact that the Respondent is a “disclosed” registrant which itself consists of a blatantly false identity. In the Panel’s view, this supports an inference of the Respondent’s bad faith in the circumstances of the present case as it suggests that the Respondent is making an attempt to shield its illegitimate conduct from a UDRP proceeding (see, for example, Lidl Stiftung & Co. KG v. Domain Privacy Service FBO Registrant, The Endurance International Group, Inc. / Name Redacted, WIPO Case No. D2020-3128).

All of these matters raise a substantial case on this topic for the Respondent to answer. However, in the face of the Complainant’s serious allegations the Respondent has chosen to remain silent. It has not taken the opportunity to challenge any of the Complainant’s submissions or to place any explanation before the Panel which might suggest that its motivations are not in bad faith. In the absence of such, the Panel has been unable to identify any reasonable exculpatory factors in connection with the Respondent’s registration and use of the disputed domain name.

The Panel f inds that the Complainant has established the third element of the Policy.

7. Decision

For the foregoing reasons, in accordance with paragraphs 4(i) of the Policy and 15 of the Rules, the Panel orders that the disputed domain name <fritz.box> be transferred to the Complainant.

/Andrew D. S. Lothian/ Andrew D. S. Lothian Presiding Panelist

/Andrea Jaeger-Lenz/ Andrea Jaeger-Lenz Panelist

/Phillip V. Marano/
Phillip V. Marano
Panelist
Date: April 23, 2024