Cybersecurity firm Proofpoint Inc. has filed a lawsuit against Facebook Inc. to allow it to keep a number of domain names that imitate Facebook and Instagram used in security training programs.

The drama began in November when Facebook filed a Uniform Domain-Name Dispute-Resolution request with domain registrar Namecheap Inc. to gain control of several domain names that were mimicking Facebook and Instagram brands.

The domain names included facbook-login.com, facbook-login.net, instagrarn.ai, instagrarn.net and instagrarn.org. An arbitrator subsequently ruled on Jan. 25 that the lookalike domains should be transferred to Facebook within 10 days.

Facebook argues that the domain names are registered in bad faith and are confusingly similar to its brands. Proofpoint argues in its lawsuit filed Feb. 9, however, that the domain names are not confusing. It says the domain names were registered in good faith and for legitimate purposes, in this case, security and phishing training.

“Consumer confusion is unlikely because Proofpoint clearly states on the websites to which the domain names are pointed: ‘Hi! This web site belongs to Proofpoint Security Awareness Training. This domain is used to teach employees how to recognize and avoid phishing attacks,’” the lawsuit states.

“By using domain names similar to those of well-known companies, Proofpoint is able to execute a more effective training program because the workforce is more likely to learn to learn to distinguish typo-squatted domains, which are commonly abused by bad actors to trick workers, from legitimate domain names,” the lawsuit adds.

Although the idea of using misspelled or fake domain names for security testing on the surface seems to be a solid idea, some question whether Proofpoint taking legal action is the right way to deal with the issue at hand.

“I think, litigation over the issue is a very bad idea,” Ilia Kolochenko, founder and chief executive of web security company ImmuniWeb, told SiliconANGLE. “First, Proofpoint uses the domains in question for commercial activities, or at least to further its direct commercial interests and business. Second, Facebook still has the right to prevent trademark dilution: in the specific context, Facebook may successfully argue that leveraging their platform as a phishing example – may scare away existing or new users and otherwise damage Facebook’s reputation.”

Kolochenko added that he thinks Facebook has a good chance to prevail in court. “Eventually, this dispute being taken into a court may create a dangerous legal precedent that would hinder most of the legitimate anti-phishing exercises and training by cybersecurity companies,” he said. “The best solution would probably be to get contractual permission from Facebook to use its name for specific purposes and pay Facebook a fair consideration for this.”

Photo: Patrick Feller/Flickr