As a result, in October 2007, the United States, the European Community, Switzerland and Japan simultaneously announced that they would negotiate a new intellectual property enforcement treaty, the Anti-Counterfeiting Trade Agreement, or ACTA. ACTA represents a significant achievement in the fight against the infringement of intellectual property rights, particularly against the proliferation of counterfeiting and piracy on a global scale, and provides a mechanism for the parties to work together in a more collaborative manner to achieve the common goal of effective Intellectual Property Rights (IPR) enforcement. When it enters into force with all participants, ACTA will formalize the legal foundation for a first-of-its-kind alliance of trading partners, representing more than half of world trade.

Highlights

• On Saturday, October 1, 2011, Representatives of the U.S., Japan, Australia, Canada, the E.U., South Korea, Mexico, Morocco, New Zealand, Singapore and Switzerland met in Japan for the signing ceremony for the Anti-Counterfeiting Trade Agreement (ACTA).
• ACTA – initially designed to be a treaty, thus requiring Senate ratification in the U.S. — will likely be an “executive agreement” that cannot alter or supersede U.S. law. Fortunately, ACTA is consistent with existing U.S. law and does not require any change to U.S. law prior to implementation in the United States. In particular, ACTA is consistent with U.S. copyright, patent, and trademark laws. For example, the application of injunctive relief as provided for in the Digital Millennium Copyright Act (17 USC §512j) and other provisions of U.S. law is consistent with and implements the obligations of ACTA. The United States may therefore enter into and carry out the requirements of the Agreement under existing legal authority, just as it has done with other trade agreements.
• ACTA provides for: (1) enhanced international cooperation; (2) promotion of sound enforcement practices; and (3) a legal framework for IPR enforcement in the areas of criminal enforcement, enforcement at the border, civil and administrative actions, and distribution of IPR infringing material on the Internet. Listed below are the most notable provisions:
  • ACTA will require that border enforcement authorities be empowered to act on their own initiative (“ex officio”) against both imports and exports of counterfeit and pirated goods.
  • ACTA will require that criminal authorities be able to act on their own initiative in piracy and counterfeiting cases, rather than waiting for a complaint.
  • ACTA will further clarify existing international requirements for the availability of criminal penalties when piracy or counterfeiting is carried out for commercial advantage.
  • ACTA will require criminal remedies for the importation or use of labels or packaging for counterfeit goods
  • ACTA will include new rules on criminal seizure and destruction of counterfeit goods, seizure of the equipment and materials used in their manufacture, and seizure of the criminal proceeds from piracy and counterfeiting offenses.
  • ACTA will clarify existing international requirements to protect against circumvention of digital security technologies (such as passwords or encryption).
  • ACTA will require parties to address copyright piracy on digital networks, while preserving principles such as freedom of expression, fair process, and privacy.
  • ACTA will enhance the international framework for civil enforcement provisions dealing with issues such as damages, provisional measures, recovery of costs and attorneys’ fees, and destruction of infringing goods.
• With respect to the legal framework, ACTA establishes a strengthened standard, as demonstrated in the highlighted parts above, that builds on the minimum standards of the WTO Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS). This marks a considerable improvement in international trade norms for effectively combating the global proliferation of commercial-scale counterfeiting and piracy in the 21st Century.
• What ACTA is NOT about:
  • Seizing portable music players and laptops at the border
  • Extending the term of protection for copyrights
  • Preventing “parallel” imports
  • Filtering internet traffic for infringing copyright works
  • Limiting access to generic pharmaceuticals
  • Reducing the court’s involvement in determining infringement
  • Weakening privacy laws
  • Lowering evidentiary standards for injunctions
  • Freezing bank accounts of suspected infringers
• Not all participants are completely satisfied with the final version of ACTA. Critics in the E.U. have suggested the trade agreement doesn’t comply with Europe’s data privacy laws, and have questioned its compatibility with E.U. law.

Commentary

Critics claim that ACTA has several features that raise significant potential concerns for consumers’ privacy and civil liberties, for innovation and the free flow of information on the Internet, for legitimate commerce, and for developing countries’ ability to choose policy options that best suit their domestic priorities and their level of economic development.

Additionally, the secrecy of the negotiation process has left the public with many concerns and questions. Gigi Sohn, Public Knowledge’s president and co-founder, called the ACTA negotiations an “extremely flawed” process. “ACTA should have been considered a treaty, and subject to public Senate debate and ratification or, in the alternative, debated in an open and transparent international forum such as the World Intellectual Property Organization,” she said. “Instead, public interest groups and the tech industry had to expend enormous resources to force the process open to permit public views to be presented and considered.”

The Impact

Although this agreement does not change U.S .law, it will alter international law. Companies engaging in business on an international level will need to educate themselves on the effects of ACTA. Critics of ACTA in the U.S. have said the treaty could allow foreign organizations to target U.S. companies and websites that don’t comply with overseas copyright laws. The truth of this statement has not been proven. However, ACTA leaves the door open for countries to introduce the so-called “three-strikes rule”, which would see Internet users cut off if they download copyrighted material, as national authorities would be able to order the ISPs to disclose personal information. This concern about the privatization of enforcement has the potential to impact the operations of U.S. companies.

Trademark owners outside of the adult industry may sign up with ICM Registry to block trademarks from showing up on its new .XXX gTLD. Trademark owners have been making several common errors when applying for a .XXX gTLD.[1] If your company plans on submitting an application before the Sunrise B October 28, 2011 deadline, keeping these mistakes in mind can help you avoid paying multiple fees and having to reapply.[2]

Research which registrar you will use when submitting an application. Some registrars are more experienced than others.[3] Make sure you choose a registrar that will pre-check your application for compliance with all of the application guidelines.[4]

Also, the most common application mistakes to avoid are:[1]

• Eligibility. Make sure that your trademark is eligible. To be eligible, you must have a trademark that was registered prior to September 1, 2011, and you must have the following information:
  • Trademarked Name
  • Trademark Registration Number: Note that your trademark registration number is not the same as your application number
  • Nation Code: The country where your trademark was registered
  • Trademark Registration Date: The date your trademark was registered
  • Trademark Ownership: Your relation to the trademark: Owner or Assignee
• Dropping .com from Trademark. Do not drop the ‘.com’ from your trademark if it includes a ‘.com’. If you want ‘example.com’ to be eligible for ‘example.xxx.’ and not just ‘examplecom.xxx’ you can file amendment 7 with the United States Patent and Trademark Office to have the ‘.com’ removed.
• Inexact Match. Apply to register a domain that is an exact match for your trademark. If you want to register characters in addition to the actual brand name, such as slogans or tag lines, apply under Sunrise AD using a pre-existing domain name because members of the adult entertainment industry (the “Sponsored Community”) is very broad.

While this process is intended to provide greater security, it also opens the doors for brand abuse. To help thwart misuse, ICM Registry, the company that will act as a registry for all domains ending in .XXX, has developed a comprehensive rights protection mechanism (RPM) for the launch period of these new gTLD’s. To protect non-adult entertainment industry rights holders from trademark infringement, ICM is also providing an opportunity for these rights owners to block their mark from registration. The opt-out effectively blocks names at the .XXX registry and means they cannot be used as conventional web addresses. This feature, provided by ICM for a onetime fee, will only be available to trademark holders during the sunrise period, which began earlier this week on September 7^th.

There will be two initial sunrise periods (A and B) for the launch of .XXX, allowing trademark holders and adult entertainment webmasters to secure their .XXX domains. This includes companies that own trademarks outside of the adult entertainment industry that wish to defensively register domains the same way that they register “sucks” sites. Both sunrise periods will run concurrently followed by a landrush period and finally a general availability period:

Sunrise A Sunrise A is dedicated to members of the adult entertainment community with either verifiable trademark rights or owners of exact matching domains in other Internet Assigned Numbers Authority (IANA) TLDs which is also known as “Grandfathering.” This period is open from September 7, 2011 to October 28, 2011.

Sunrise B Sunrise B was created especially for Intellectual Property holders who are non-members of the adult entertainment community with verifiable trademark rights so that they can block their domains in the .XXX sTLD. This period is open from September 7, 2011 to October 28, 2011.

Landrush Landrush is for members of the adult Sponsored Community but NOT on a first come, first served basis. Unlike Sunrise A and Sunrise B, there are no qualification requirements needed for Landrush. Applications for competing names will go to a closed-auction at the end of the Landrush period. This period is open from November 7, 2011 to November 25, 2011.

General Availability General Availability is when members of the adult entertainment community get regular, resolving names on a first come, first served basis. Non-members of the adult Sponsored Community can also get “Non-Resolving” names.[1] The period opens December 6, 2011 and is ongoing.

Please note that to be successful, applications made during the sunrise periods must provide basic trademark particulars such as the mark, registration number and date, designated class(es), the country or region, and the status of the entity submitting the request. Applications are $200-$300 per registered mark, assessed as a one-time fee and will run for the length of ICM’s contract with ICANN (at least 10 years). If you miss the Sunrise Period or want to block others from using a .XXX domain corresponding to an unregistered trademark, you can defensively register .XXX domains once the general availability period opens in December 2011. However, keep in mind that the annual registration fees for .XXX domains are expected to be significantly higher than the annual fees for domains in existing TLDs like .com, .net, etc.

The .XXX registration process requires all registrants to agree to participate in and abide by specific dispute resolution procedures that will provide mechanisms for brand owners to challenge .XXX domains that infringe trademarks. ICM is contracting with the National Arbitration Forum to provide the RES and CEDRP dispute resolution services. ICM estimates that the cost for each service will be US$750 to US$1,500. During these disputes, the domain will be locked against transfers. Decisions will not be published. Statistical information about the process itself will be made available. In the event of a conflict between a trademark rights holder and a member of the adult entertainment industry, the domain will be awarded to the adult entertainment industry member and the Sunrise B applicant will be notified.

Although ICM services have been approved by ICANN, there are legal issues that have not been tested. Participating in this process could limit your legal remedies because of your agreement to participate in and abide by the dispute resolution procedures outlined. Additionally, porn and mainstream businesses alike complain they are being forced to buy domain names they don’t want, don’t need and won’t use. A few companies are refusing to pay, but also demanding that ICM block their domains free of charge. ICM responded to the legal threats with a seven-page report in July, claiming that a registry cannot be sued for trademark infringement. The letters, though, have placed ICM on notice, which increases the potential for liability if ICM sells the trademarked names.

As this exchange indicates, registering domains with ICM is one option but may not be the only option available to companies seeking to protect their trademarks. Cyveillance encourages companies to take a hard look at their brand protection strategy to determine if defensively registering for .XXX gTLDs is the only and best option for their brand protection. The ongoing battle for domain name registration and brand protection is always going to be waged; the key to minimizing losses is tied to a company’s assessment of their true threats and their proactive approach to minimizing those threats.

The sender name is spoofed to appear to come from “protection@nsa.security.gov” and the links go to national-security-agency.com, a domain that was just registered yesterday. This attack is a perfect example of how deeply spear-phishers understand the psychology of social engineering users. It invokes the authority of a respected and mysterious government agency, it uses fear of being hacked or getting “in trouble” at work to prompt action, and it takes advantage of current events in the form of the widely reported (i.e. verifiable fact) and recent RSA token hack. This is a potent cocktail of logic, emotion and authority to manipulate the user into a desired action, and is typical of today’s advanced Phishers.

Here are some of the tips that can help you spot scams like this one:

1. Supposed needs for patches, security updates and vulnerability fixes are a favorite technique of scammers and phishers. Even if the message appears to come from someone in your own company, treat all such requests as suspicious and verify with your IT team by voice or fresh email to the actual IT person who supports you.
2. Treat ANY email that tells you to download something as malicious until proven otherwise. Again, contact your IT team before installing anything on your system.
3. Hover (but do NOT click) your mouse over all links in the email. The true destination of the link will pop up next to your mouse pointer. If you’ve never heard of the site, treat it as dangerous. Does the site in the link address match the site in the sender’s email address? If it does not, be suspicious. Is the pop up destination different from the URL shown in the visible text of the email, what we call a bait-and-switch link? If so, this is a major warning.
4. Finally, any link that ends in .zip or .exe should be treated as extremely hazardous and not clicked on.

Education is needed to convey to your network users that the stakes here are high. Even if the intruder isn’t seeking a dime from your company, the potential cost with respect to response, data loss and reputation can be crippling. As indicated, the vast majority of these incidents are the result of your users’ social-media behavior. Actually, the exploitation of social media for the purpose of malware attacks is growing at the same or at an even greater pace than the overall use of these sites. Online tools – like the popular, URL-shortening ones for Tweets – are very handy in masking malware threats, and a lack of security-savvy on the part of users establish social networks as a virtual playground for cyber criminals.

In seeking to avoid fallout from this that would impact your business, we at Cyveillance strongly advocate the following five-point plan for our customers a plan that has helped us earn recognition by industry-research leader Gartner Inc. as a top provider of the surveillance/collection/analysis of social-media activity for commercial-organization networks:

1. Launch a social-media policy. We realize that many of our customers already have a policy in place. We examine it, however, to get a sense of whether it’s up to date. Social media changes all the time. Legal documents do not. We look to see whether the policy addresses “real” modern-day concerns about social media, or if it’s really just a copy/paste of some antiquated HR form. Here as some questions to consider within the policy: Is it OK for employees to say that they are representing the company on Facebook, Twitter, etc.? If so, what are the guidelines as for appropriate content to post?

2. Train everyone. As stated before on this blog, your weakest link can be your most uninformed employee. Printing and distributing a policy is fine. But reinforcing it with training is even better. Don’t lecture them. Instead, engage in interactive workshops or computer-based training sessions to test their awareness of the latest social engineering attack techniques. Too many organizations put all of their focus on firewalls and passwords. These days, hackers don’t necessarily need to know how to get around these measures to do damage. They just need to get a single user within the network to trust them via a cleverly disguised email.

3. Establish the significance. Meaning, make sure your users realize how important it is to remain informed and alert. If your logo is used to support some kind of malware scheme, for example, your future relationships with customers and partners will suffer. As conveyed previously, there’s tangible, bottom-line value in a company’s reputation. Within minutes, a successful intrusion can crush the good reputation that an organization has been building for years.

4. Don’t try to do it all on your own. Social media is a very, very large universe. In fact, nearly 56 percent of Internet users in the U.S. use some type of social media, according to the Pew Research Center. That translates to a lot of traffic to monitor. Consider tools such as social media monitoring solutions and protection appliances to address this need for you.

5. Keep it current. No matter what tools you use – as well as intrusion techniques you share with users – make sure everything is up-to-date. The entire landscape of social media and the methods used to exploit it are in a constant state of rapid transformation. What worked this month won’t necessarily work the next. Your security team needs to stay on top by constantly educating and re-educating itself and company staffers on the latest trends.

The bottom line is that – in the “share more, not less” world of today criminals can easily obtain the information needed to craft emails that can fool even the most savvy of users. With no “silver bullet” solution to thwart all intrusion attempts, the best practice is to educate users to make decisions, and equip yourself with the best monitoring tools to detect attacks in progress.

James Brooks, Director of Product Management, Cyveillance

Question to consider: What essentials do you feel are needed in a social-media policy?

The amount of attacks seen monthly is down compared to the first half of the year and could be related to the recent decline in spam, but the overall volume confirms that the problem of phishing is still easily one of the top threats on the Internet. Specifically, the use of more sophisticated and targeted attacks result in greater success and lucrative opportunities for online criminals. A recent story regarding socially-engineered attacks against High Value Targets (HVTs) in the Canadian government provides a great example of the danger this new breed of attack poses to organizations.

Organizations should continue to monitor for suspicious activity related to the attack described in the article above as well as educate their users on the latest threats that plague the Internet. Users can minimize the potential for falling victim to email and Web-based attacks by never clicking on links within emails and only accessing their online applications through known Web sites and pages.

Cyveillance recently asked the United States Embassy in Moscow to comment on cooperation between our countries in the fight on cybercrime for publication on CyveillanceBlog.com. Below, the responses to our inquires from the U.S. Embassy in Moscow:

Cyveillance: Is there regular dialogue between the American and Russian governments at the diplomatic level on the topic of international cybercrime? If so, how often does such engagement occur?

U.S., Embassy in Moscow: Yes, on more than one level. For example, there is ongoing dialogue between U.S. and Russian diplomats concerning matters of Internet governance, of which law enforcement efforts against cyber crime are an integral part. These discussions typically occur in a multi-national setting such as the United Nations. Additionally there is ongoing dialogue and cooperation between our respective investigators on particular cyber crime cases. This dialogue occurs in several ways, including through periodic face-to-face meetings several times per year. In some instances, these discussions focus on a particular area of cyber crime. For example, there is a bilateral United States – Russia IPR Working Group which meets regularly to discuss issues related to intellectual property protection, including in cyber space, with special focus on enforcement.

Cyveillance: With the shutdown Russia-based Spamit this fall and the investigation into the activities of alleged spammer Igor Gusev, it appears Russian authorities may be taking steps to curtail cybercrime. From the U.S. Embassy in Moscow’s perspective, are these isolated incidents or does it appear that there may be a shift in the climate for cybercriminals in Russia?

U.S., Embassy in Moscow: We are hopeful that these examples mark the beginning of the creation of a much more difficult environment for cyber criminals, not only in Russia, but worldwide. As you know, cyber crime transcends national boundaries not only in the perpetrator-victim sense, but also in the sense that members of the same cyber-driven criminal organization are often based in several countries. It is more important than ever that each nation take steps to clamp down on cyber crime.

Cyveillance: Russia traditionally enjoys a population that is well educated in math and engineering. Some authors suggest that the lack of opportunities in traditional business environments may tempt talented programmers into criminal activity. Is the State Department aware of any formal efforts that will help encourage Russian technologists to pursue legal opportunities using their skills, as opposed to those offered by cybercrime?

U.S., Embassy in Moscow: President Medvedev has made technological development a very high priority in his administration’s vision for the future of Russia. One example of this is the plan to develop a cyber industry, along the lines of Silicon Valley, based in the town of Skolkovo near Moscow. The prioritization of economic development in the tech sector, provided it is coupled with a strong law enforcement response to cyber crime, should incentivize individuals with technical skills to seek legitimate career paths.

Cyveillance: While there have been some recent notable exceptions, Western cybercrime researchers and even some in law enforcement sometimes feel that Russian cybercriminals are out of reach and enjoy a de facto immunity from prosecution. What is the State Department’s position on the amount and quality of cooperation received from Russian officials in international cybercrime investigations?

U.S., Embassy in Moscow: There has been some cooperation on cyber crime matters, but there is a need for far more. That is an overarching goal of the ongoing dialogue between our countries on these issues. Certainly, enhanced cooperation in this area would support the goals announced by President Medvedev for technological development in Russia, as those who consider investing in that development will expect a consistently strong law enforcement response to cyber and other crimes to protect their investments.

Cyveillance: From the State Department’s perspective, how much of American success in combating cybercrime of Russian origin is amenable to American law enforcement’s efforts? Are there inroads that remain to be made at the diplomatic level first?

U.S., Embassy in Moscow: The United States plays a leadership role in combating cyber crime, but no one nation can tackle this multi-national problem. The United States has law enforcement partnerships around the world with dedicated and highly professional counterparts in the area of cyber crime. We are striving to strengthen our partnership with our Russian counterparts in this area, which is certainly in our mutual interest.

Cyveillance: Is there anything else the State Department thinks cybercrime researchers or the general public should know about efforts to combat cybercrime in Russia?

U.S., Embassy in Moscow: Cyber crime presents complex problems that require a complex, multi-faceted response. This includes coordinated efforts not only by the governments of the United States, Russia and other countries, but also by those in industry and academia. We appreciate the opportunity to participate in this important dialogue.

Many thanks to U.S. Embassy staff for taking the time to answer our questions.