Yesterday a friend of mine related a rather interesting tale. Like a lot of security-minded individuals he owns a domain and uses a unique username when giving out an e-mail address. Like "bugtraq@hisdomain.com" or "amazon@hisdomain.com" etc. The idea is when you receive spam for that username you can easily figure out who it was that released your e-mail address and reprimand, sue, jump up and down in a frenzy, and so on.
He recently passed the CISM exam from ISACA. He hadn't heard anything from them for a while so he calls them up. The conversation goes a little like this:
Him: Hi, I haven't received anything about my CISM. You said I passed but I don't have a certificate or anything yet.
ISACA: That's not right, let me look up your information. What's your (blah blah blah)
ISACA: Oh. I see, you're using ISACA in your e-mail address. That's trademarked and you can't do that.
Him: Really? That's really a strange policy. Make it hisname-ISACA@hisdomain.com then.
ISACA: I'm sorry, that's still in violation of the trademark.
Him: I don't beli... Fine, just remove the e-mail address entirely.
ISACA: But then we have no e-mail address and can't complete your certification.
I'm no lawyer but I believe in order to be violating a Trademark there has to be some potential or perceived confusion in the marketplace. At least that's how I read 15 U.S.C. 1125(c). If my friend's intent was to market himself as ISACA@hisdomain.com as being the real ISACA then I could see there being a clear violation that should be legally challenged.
There is a "Cyberprivacy" section of 1125(c) but that deals only with DOMAIN NAMES and not the username portion of an e-mail address. Also there's this little tidbit:
(i) has a bad faith intent to profit from that mark, including a personal name which is protected as a mark under this section;
How can ISACA really know his intent? I don't really understand the thought process that any mention of ISACA without the ® sign means the user is an infringer. Anyone?
