If You're Typosquatting Domain Names To Get Misaddressed Emails, Maybe Don't Target A 'Brand Protection' Law Firm
from the just-saying dept
Via Slashdot, we learn of a lawsuit filed by a “brand protection and anti-counterfeiting” law firm, Gioconda Law Group, against Arthur Wesley Kenzie — a guy who apparently has been registering typo versions of company domain names (typosquatting) and then receiving the emails received at those domains — possibly using them to pitch his own “security” help to the companies. He did this to Lockheed Martin, who chose to just get the domain transferred to them via the UDRP process, but Gioconda is suing for “trademark infringement and unlawful interception of a law firm’s private electronic communications.” The trademark claims may make sense — since you could argue that there’s a likelihood of confusion. And, clearly, what this guy was doing was sleazy. But is it really “unlawful interception of a law firm’s private” emails? That’s where it seems much trickier. After all, he didn’t actually “intercept” anything. They were sent to him. The “problem” is that the senders chose the wrong address.
Gioconda seems to be claiming that because the emails didn’t bounce, he was guilty of setting up special email boxes to intercept the law firm’s emails:
“We discovered the cybersquatting and sent several test e-mail messages… to see if they were delivered to the misspelled e-mail addresses, and indeed, they were received by active mailboxes.”
But, uh, plenty of domains are set up to allow any email to be received by an active (usually admin or default) account. So the fact that the emails went to a live account, rather than a bounced account doesn’t automatically indicate “unlawful interception.” That said, it does seem like what the guy did was pretty questionable, but it just seems dangerous to set a precedent that having someone send an email to the wrong address is somehow an illegal “interception.”
Filed Under: arthur wesley kenzie, typosuatting, udrp
Companies: gioconda law group, lockheed martin
Comments on “If You're Typosquatting Domain Names To Get Misaddressed Emails, Maybe Don't Target A 'Brand Protection' Law Firm”
What an Idot. I’m guessing the firm called it what it was, and in the end the courts don’t usually care what the claim is called as long as it’s actionable. Betting it’ll stick somehows.
I’ve had a certain domain for over 15 years. Relatively recently, someone else registered a similar domain, and I frequently get email that was obviously intended for them.
This isn’t my fault or my problem. Nor is it my obligation to lift a finger to do anything about it. We all make typos: sometimes they transform a working address into an invalid one and we find out about it. Other times they transform it into a different working address, and we don’t. That’s how it’s been since forever, and suing someone over it just indicates an amazingly low clue level combined with a vicious streak of entitlement.
Re: Re:
But the question here isn’t about a coincidentally similar working address, but rather about a possibly intentionally similar address. It may not be the typosquatter’s fault that email is being sent to his domain, but could be his fault that he chose that domain in the first place to receive such emails.
Instead of warning your neighbor that his car is leaking gasoline, you place a canister under the leak and collect the gas and use it yourself. It’s not your fault that the gas was leaking, but you were unethical in using the situation to your advantage. Whether that’s actionable is up the judge though.
Re: Re: Re:
It doesn’t matter, if it is intentionally or not, trying to punish somebody else for your own mistakes and failures is not ok in my book ever.
If you screw it up deal with the consequences of your own damn mistakes whatever they may be, just because they could be serious is not others fault, you made the mistakes and others can and will exploit those and you should suffer all the consequences of not being able to deal with them in a reasonable matter, this is not a case where somebody took active steps to harm you, to infiltrate your home or business or to extricate information, this was a passive action that resulted in collection of data, important or not by the failure of individuals or institutions to fallow proper procedure and protocols to safeguard themselves.
Re: Re: Re: Re:
But since this typosquatting affects the intended recipient as much as the sender, the intended recipient is being punished for the mistakes of others. If I’m expecting an email from someone and they mistype the email address, that is not my fault. So you actually agree that this kind of typosquatting is not OK.
Re: Re: Re:2 Re:
Go complain with the person who sent it.
Typesquating may not be ok, but it is not a criminal matter either or should never be.
Once down that road liability applies to everything, not just the bad the good to, can you imagine being prosecuted and punished for the mistakes of others?
The law is not some surgical instrument, it is a carpet bomb, it will hit anything indiscriminately and the good and bad in every situation will be destroyed by it, so make it sure the bad is most of the cases and justify the pain it will cause to the good things.
And for the love of God(the spaghetti monster God) I can’t see why anybody would want to make receiving by mistake data criminal or punishable, I can see where it could go wrong, where it could be used for censorship, where it could be used to trap innocent people and that all because of some jackass that is being an ass using a minor exploit of the system to get ahead and could be prosecuted by other means, if he goes further and do something truly illegal.
Re: Re: Re:2 Re:
Responsibility for the e-mail reaching the intended recipient lies with the sender.
There are too many domains used by legitimate entities that are typos of other legitimate entities. Take CBS Systems International (CSB.com) for example. How many e-mails do you think CSB.com receives on a daily basis that are intended for CBS.com? Should CSB be forced to hand over their domain?
Re: Re: Re:3 Re:
Kenzie is not a legitimate entity. That’s the difference.
Re: Re: Re:4 Re:
Does it matter?
Nobody and I mean nobody should be found guilty of intercepting anything because senders are at fault.
Re: Re: Re: Re:
“trying to punish somebody else for your own mistakes and failures is not ok in my book ever.”
This wouldn’t be punishing somebody else for your own mistakes though. This is the typosquatter, who by definition registers his domain for the express purpose of benefiting from the anticipatable typos that some people will make when typing email addresses, setting himself up to benefit from mistakes of third parties and the first party, the intended recipient, suing because the typosquatter has acted unethically.
“this is not a case where somebody took active steps to harm you”
No, but that doesn’t make it right. This is a person who sticks his hand out to catch the money falling out of someone else’s pocket, who accepts and keeps it while knowing that he was not its intended recipient.
Once again, if you never took an ethics class, just because you can do something doesn’t mean you should do something.
Re: Re: Re:2 Re:
He is exploiting the the mistakes of others, it may be immoral, unethical but it shouldn’t be criminal or illegal, it creates a whole new set of problems to deal with, he is not redirecting anybody to that place is he? he is not forcing people to make the typos is he?
You may not like it, it may cause you some headaches, it may embarrass you but it should not be a criminal matter ever.
Can you see people playing football on those terms?
Would you make it illegal to exploit others flaws to make the game more “ethical”?
These is not something that exploits direct flaw, beyond your control to extract information from anybody, this is not somebody taking its time to study code and find a whole in it so it can gain access to your computers and take information from those these is somebody doing a questionable thing, maybe unethical, that have potential to cause some degree of harm for which he could be held responsible depending on the actions he takes further, like if he gets his hands on bank account info and withdraw money from those then he should be prosecuted, then real malicious intent was proven without a doubt, then the legal system should be used.
The legal system is a goddamn hammer if you want to use it to try and make the world ethical it will fail and you will create a police state with it trying to enforce your form of ethics upon everybody, leave the legal system to things that really, really need it and where the harm it can do is worth the pain it will bring to everyone, because it will not work 100% of the time and it will put innocents at risk so it better be a very good reason to make it so.
But not for this where the obvious solution is to protect emails with encryption where only the people intended to see it can decrypt that crap.
This may be grounds to keep an eye on the dude sure, to initiate legal proceeding you must be kidding, unethical or otherwise I don’t see why anybody should go to jail or prosecute or punished in any way for receiving data sent to them in error ever.
Re: Re: Re:
How about if money bags fell out of an armored car? Unethical or illegal? And you can bet it’s actionable under most contemporary legal theories except perhaps “finder’s keepers, loser’s weepers”.
Re: Re: Re: Re:
Are you prosecuted or punishing for finding money bags on the streets and doing nothing?
Are you prosecuted for putting up a washing business near a dirty job?
Are you unethical for finding money on the streets and giving it back?
You can be punished for what you did after with that money of bag, not for finding it, or standing where you know it will fall.
Suppose you know there is a place where trucks always let something fall, are you unethical to go there and exploit that to take pictures and show the world that the transport company is profiting unduly from it?
In this case the guy may be exploiting some minor thing for his own benefit at the expense of others but even so that should not be enough to make him guilty of anything, it also criminalizes a whole set of other scenarios where the exploitation of errors is desirable, ethical and moral.
What did he do with that data?
The collection of it is not criminal and should not be, what he did with that data and what data he gained though is another matter.
Did he use the data to gain access to something and took it?
That is criminal, that you can prosecute.
Did he made you look like a fool?
That is not criminal, that you is your problem.
Re: Re: Re:2 Re:
Read the article to find out what he was doing with the data:
“Kenzie was also previously found guilty of cybersquatting when he purchased confusingly similar domain names in another case. In that case, which was to fish information about Lockheed Martin, Kenzie had claimed that he was performing ?research? about Lockheed?s email vulnerabilities without its permission. However, in May, the panel that handles domain name disputes found that Kenzie?s attempts were motivated by bad faith to extort money and not done in good faith. In the Lockheed case, the panel found that Kenzie himself had created the vulnerabilities that he was researching and that ?his purpose was to offer services to the Complainant, looking for a financial gain.?”
Re: Re: Re:
Sadly the situation would be better defined as: if your neighbors car leaked gas and it drained onto your property, where you then proceed to collect it for your own use.
Under your thought process it’d now become illegal for you to have mail in your mailbox that doesn’t have your name on it, regardless of if you have even opened the mail yet or not, or even returned home from work.
Re: Re: Re: Re:
No, this would be closer to a scenario in which you moved right next to someone who lived in the middle of nowhere after realizing that some people were likely to send mail to an address very similar to your neighbor’s address so that you could benefit from the mistakes you knew those people would make. It’s unethical, even if it’s not your fault that they’re sending mail to you.
Re: Re: Re:2 Re:
Unethical may be, but it should not be criminal and not actionable that should be reserved for real problems.
You should go complain to the people who a) deliver the mail or b) send it to the wrong address.
Re: Re: Re:3 Re:
You can’t prevent typos. They are by definition honest mistakes. Saying “complain to the people who send it to the wrong address” is like saying, “blame people who accidentally do something they didn’t intend to do.” He knows he’s not the intended recipient. He set up a domain name to take advantage of that.
You’d be prosecuted for theft by receiving if you didn’t say anything when UPS dropped off a package at your house instead of your neighbor who was the intended recipient, especially if it could be proved that you moved there expressly to receive such packages. This isn’t a passive action.
Re: Re: Re:2 Re:
Would it be ok to be sued for not taking care of your own problems and causing potential liability to others by not doing enough to secure your own mail?
Because if receiving mail in error is ground for prosecution ad punishment you have created liability, and thus if you cannot find a way to secure and people keep sending it to the wrong place you should be liable for that because you are now threatening others by inaction.
Once you go down that road it turns south very quickly.
Re: Re: Re:3 Re:
You didn’t read the article.
“Kenzie was also previously found guilty of cybersquatting when he purchased confusingly similar domain names in another case. In that case, which was to fish information about Lockheed Martin, Kenzie had claimed that he was performing ?research? about Lockheed?s email vulnerabilities without its permission. However, in May, the panel that handles domain name disputes found that Kenzie?s attempts were motivated by bad faith to extort money and not done in good faith. In the Lockheed case, the panel found that Kenzie himself had created the vulnerabilities that he was researching and that ?his purpose was to offer services to the Complainant, looking for a financial gain.?”
the arguments of lawyers and engineers
Why the hell don’t these lawyers learn some basic crytography and accept responsibility for their own secure communications, instead of putting it on everyone else?
Hmm… I think I just answered my own question.
We cant have our cake and eat it either
while I would love to jump on a bandwagon about this.. I fail to see what is legally actionable.
It is clear that Wesley Kenzie is useless piece of shit. Lets let Slashdot, Streisand, what have you sort it out and move along.
Nigel
They may have a point
I don’t think it’s about the sender, or that it’s intended to be. It’s about the receiver intentionally and willfully setting up a system to take advantage of honest mistakes by the sender in order to read someone else’s mail.
If it were physical mail, that would be a federal felony, possibly more than one. Why shouldn’t it be for email?
Re: They may have a point
While I agree with you entirely that if the guy intentionally created the domain to exploit honest mistakes, he should be held liable…I can’t help but think of all the terrible ways this will be abused by people in reverse when the receipt was not intentional, and yet they sue them anyway.
Kinda like when the DMCA is used to remove speech that’s critical about someone.
If there was a law firm, say Cheatem & Associates, at 1147 Main Street, and someone else set up a business at 1149 Main Street under the name Cheatum & Associates, sure, there might be a trademark issue.
What if that second ‘business’ was SOLELY in the business of READING AND PROFITIONG FROM the letters that people mistakenly dropped in the wrong mail slot after hours in the expectation that their private legal business was and would remain confidential?
You may have no issue with someone ‘NOT intercepting private communications’ based on the excuse that it was someone else’s mistake, not theirs, but I’d put the asshole prison, not just sue him.
Re: Re:
I hope you are never in any position of power ever.
hmmm
“but it just seems dangerous to set a precedent that having someone send an email to the wrong address is somehow an illegal “interception.””
I wouldn’t say he “intercepted” the email, but using any of information within the email could fall against rules.
Kind of like when I get my neighbor’s mail by accident. Just because it got sent to me, doesn’t mean I am allowed to rummage through his belonging and glean any info I find valuable.
As many around here, I’m a big fan of holding back on lawsuits as much as possible. But this is simply not one of those cases. Malicious intent and/or actual harm begets legal action in my book. This case has both.
Re: Re:
This is not something to be dealt by the law but by operating protocols, if people keep typing the wrong email address find a better way to communicate and that is more secure and reliable.
The problem with trying to punish the bad actors in this case is that eventually somebody without bad intentions will get caught in that net too, far more innocent people are going to be liable and punished by something that shouldn’t be criminal, if you make mistakes is not the other parties fault, if you are playing football you can’t really claim the other side is being dishonest for exploint your own damn faults. take some responsability for your actions for crying out loud.
Re: Re: Re:
Isn’t this just using the spectre of potential future abuses of the law to justify current ones?
Re: Re: Re: Re:
Specter?
Have you not paid attention to how law enforcement works?
But, uh, plenty of domains are set up to allow any email to be received by an active (usually admin or default) account.
In web hosting, that’s highly frowned upon now and should never be used. Anyone using it is in fact, high suspicious and most likely a scammer/spammer. If he was hosted by me, he’s have been investigated as soon as we saw he was doing that… but I guess not all web hosts are good net citizens.
Re: Re:
That’s how I have arranged all my email from before the internet was open to the public, and it’s how I have it set up now.
I’ve never once heard about it being “frowned upon”. In fact, many or most email hosts have it as a default.
It’s incredibly useful for everybody, not just scammers. I certainly would not consider doing it any other way, and if I got wind that I was “investigated” over such an innocuous practice, I would change services.
Loser
So this loser Kenzie also evidently registered KEVINMITNIKC.COM.
Several years back I was in charge of an email server at my work and it just so happened that our server ended up bouncing a few messages (unknown recipient or the like) that had spoofed headers. It just so happened that the spoofed domain happened to be used as a honeypot gather IPs suspected of being used for spamming… … We ended up changing the email server configuration…
Now, I’m not sure how popular use of these types of blacklists are now, but a few years ago it was quite the pain for us…
These days, it’s my belief that a well behaved email server should not bounce “unknown recipient” messages back to external sources.
Re: Re:
That’s how a lot of spam got threw our spam filter at work. Someone would send an E-Mail with a bad address and a spoofed header and it would get bounced to our servers that would then send it to our in boxes. This bypassed the spam filter because it thought we sent the initial E-Mail.
Would that count? The original E-Mail was “intended” for another person (real or not, the TO: wasn’t me) and ended up in my in box.
Kenzie
Kenzie has a big, big legal problem. Bad faith cybersquatting can lead to $100k in “statutory damages.” Based on the fact that: Kenzie did this to Lockheed before, and was found guilty, he clearly intended to capture privileged law firm emails for personal gain and doesn’t have a good faith defense, he doesn’t stand a chance against a savvy and hardcore NYC lawyer, which Gioconda seems to be.
Kenzie
One major problem with Gioconda’s interception theory: to intercept means that, had Kenzie not acted the way he did, the emails would have otherwise reached the lawyers. However, that actually would not have happened. The mispelld emails sent to GiocondoLaw.com would NEVER have reached any recipients mailboxes at GiocondaLaw.com. Therefore, how was their any act of “interception”?
Kenzie
This isn’t a story about a guy who got sued for “accidentally” receiving someone elses email.
Kenzie deliberately set up a domain name to mimic GiocondaLaw.com, and then collected the misspelled emails. He also hid his identity by using domainsbyproxy, and redirected the misspelled domain name to the legit site. That is just f-d up behavior. It’s clearly tm infringement and cybersquatting, as I see it
Re: Kenzie
Yes he did, then he got to them and told them they had a problem and he had a solution for it.
Would you sue a lemon stand for putting it up in the middle of a traffic jam in a hot day?
He did get the emails others sent him in “error”, he should not be liable for it, if sending something in error creates liability, what happens if somebody sends you the plans for a crime and when you call the police and find out that you are the criminal for unlawful interception of private communication, rendering the whole evidence unacceptable would that be ok?
How are judges going to justify that it is illegal to receive information by accident in this case but not in others?
Now did he do anything else with the data? that might be unlawful?
If not let him go, he is a prick, probably a weasel too, but he did nothing criminal or that would justify expanding, changing or setting precedents here.
Because this precedent could come back to haunt others.
Receiving in error correspondence from others because those others are the party that made the mistake is not a crime and it should never be a crime, unlawful use of that correspondence could be a crime though.
He did not intercept anything, he set his place of business and waited, the dumb came pouring in, it may be unethical, shameful, weasel but should never be a crime, nor there should be liability since he was not the one that caused the problem he is exploiting a failure on the part of people, and error that can be corrected, and failure that can be addressed by other means, but somehow you people think that it is ok to use the law, set precedents and think that nothing bad can come out of it because you believe ethics have anything to do with law.
Kenzie
Coward, the problem with your argument is that it’s just nothing more than blaming the victim.
If someone deliberately registers a domain name that is confusingly similar to a trademarked name without a good reason, that’s called cybersquatting. Period.
To say a tm owner must register every variant of misspelled domain may be very good advice, but it still doesn’t justify the other parties’ cybersquatting.
Re: Kenzie
In this case the victim deserves the blame, you cannot fault others from exploiting your short cummings every time, specially when there are easy solutions to that problem like copying and pasting the email address instead of typing it, or registering the right email address and using an email manager.
The law is suppose to deal with real crime, real serious things and be the last resort because it is so powerful instead we have a generation of idiots that keep asking justice for everything without thinking about the consequences of such acts and then they complain that the system is broken.
Well surprise you people helped break it.
Kenzie
Exactly, if a judge were to rule that kenzie’s idiotic conduct constituted unlawful interception of email, I wouldn’t be surprised or shocked. It isn’t interception, so its illogical, but that’s why new laws get tested and amended. What he did is just wrong.
Kenzie
The bottom line is that Kenzie is a garden variety cybersquatter. Putting aside what he did or did not do with the misaddressed emails, he squarely falls within the definition of a bad faith cybersquatter. That is, he registered a domain name using someone else’s name and trademark, without a Bona Fide reason or defense. His explanation that he was “researching” someone else’s vulnerability is bogus. He CREATED the so-called vulnerability he was “researching.”. That’s just bogus.
Kenzie wouldn’t just keep the email, he sent a letter to the company asking for a $25,000 security engagement to ‘fix the problem’. If you read the Lockheed case, it’s referred to ask “Exhibit A”. Gioconda had the same thing, and so have 2 more companies that I know of from this creep.