ICANN/GNSO GNSO Email List Archives

[registrars]


<<< Chronological Index >>>    <<< Thread Index >>>

Re: [registrars] An Opportunity to Prove A Point - Hi-Jacked Name At GoDaddy



first things first. there are have been some unconstructive contributions to this thread, not the least of which was mine. imho, john should not have posted this on a public list. most importantly, I should NOT have thrown a log on the fire with my post. it is my semi- annual reminder to i) wait ii) re-read iii) only then hit send.

next, I was not intending to demean phil sbarbaro in my earlier post (although I seemed to have opened the door for others to do so). my apologies to phil. in the first year or two of the srs phil was stuck dealing with the hijackings that resulted from nsi's poor business processes (well before champ or jon or....). we worked together to deal with a number of these. that co-operation started a fine tradition that the vast majority of registrars honour.

the freedom to transfer between registrars and standardize policy was an extremely hard-won battle. it took a long time, was much more frustrating than this argument and, in the end, we were successful at a policy level. sadly, that has not been backed up with compliance.

there are two important FACTS that all of the below ignores.

FACT ONE. ICANN's lack of enforcement of transfer policy brings the whole contract regime and policy development process into disrepute. we are already reviewing the old policy, now three years old, before we start enforcing the existing policy. ICANN has allowed contracted parties to do as they please despite what is now years of very public complaining. they have made assurances in delhi that this will change. I will take them at their word and wait and hope.

FACT TWO. every day there are registrants who wish to use the supplier of their choice and are unable to transfer because of these violations of transfer policy. if the rest of us were to enact these tactics as "SOP" there would be a huge number of people who want to transfer to go daddy who would be unable to. of course we would just be "protecting" "our" customers at that point.

just about everyone on this list knows how the two violations work in concert:

- registrant want to change suppliers and needs to update old contact information, which, of course, happens most often in the last 60 days of registration;

- transfer refused due to the first violation;

- registrant waits the 60 days, tries again;

- transfer refused due to second violation.

as I understand the position of those who do this, this person has suffered no harm because they are still being supplied by the great supplier they previously had. of course the registrant feels differently.

I think it would be very helpful in talking about reasonableness to get some data. jon, tim, how many transfers are refused each month due to i) the 60 day hold for changed information and ii) being in the grace period. and please, at some point, could I have your justifications for denying transfers in the grace period!

lastly, your market comments simply fly in the face of market realities. these are items that cost $0.75/month (of which $0.55 goes to our friendly taxing authorities verisign and ICANN). the "disclosure" you talk about is buried in clickthrough agreements that nobody reads. the cost in time and effort for people to move is simply outweighed by the benefit. again, roger cochetti redux.

you talk about theoretical situations that are simply not NSIs or go daddy's. provide the data and let's have a substantive debate about reasonableness instead of evoking fears of bogeymen. we have all well learned that when someone tells us they are "protecting" us they are probably limiting our freedoms.

at the end of the day, even debating that is, as I have said over and over, simply wrong because the rules don't allow you to do it. your arguments are clever sophistry. your job is well done. now staff have to do theirs.

Regards

On Feb 22, 2008, at 2:04 PM, Nevett, Jonathon wrote:


Let me throw another one out for consideration:

7. A domain name was already in "lock status" provided that the
Registrar provides a readily accessible and reasonable means for the
Registered Name Holder to remove the lock status.

In the example that Christine gave, Go Daddy locks a name after a Whois contact change for 60 days. If the customer tries to transfer during the 60 day period, then the transfer could be denied under #7 as it was already in lock status. The issue comes down to whether the customer has a reasonable means to lift the lock.

Is it reasonable for a registrar to require a registrant to appear in person at the registrar's offices in order to authorize the transfer (I understand that one registrar actually does this)? The first reaction likely would be no. Would it change your mind, however, if this were the policy for only two or three character domain names valued at over $1 million? Would it change your mind if the customer was so worried about hijackings that it agreed to this requirement in writing as a security measure? What if the customer was a prior victim of hijacking and saw its domain name travel to three or four registrars around the world before getting it back six months later? Would it change your mind if the customer requested and actually paid the registrar to be provided with this additional security measure?

Is it reasonable to deny transfers for 60 days after a Whois Admin or Primary Contact change, which is typical in hijacking cases? Is it reasonable to lock names for 60 days after a Whois Admin or Primary Contact change and require additional verification of the contact information in order to transfer during that 60 day period?

Issues of reasonableness under law are anything, but black and white. Therefore, the rhetoric that we recently have read and heard about "clear violations" is just that -- rhetoric.

Who should decide what is reasonable in these difficult scenarios? Should it be ICANN staff, the GNSO PDP process already looking at these specific issues, or the market? If customers don't like Go Daddy's (or Network Solutions') security policy, then the competitive marketplace could provide a solution. Other registrars could market to customers who care less about security and hijackings and don't want to wait 60 days or provide additional verification after a Whois Admin or Primary Contact change. In a competitive marketplace, there is a great deal of room for market differentiation. This could and should be a differentiator. We would be hurting registrants if we didn't have the ability to provide additional security protections.

Thanks.

Jon

-----Original Message-----
From: owner-registrars@xxxxxxxxxxxxxx [mailto:owner-registrars@xxxxxxxxxxxxxxx ] On Behalf Of John Berryhill
Sent: Friday, February 22, 2008 9:39 AM
To: G2L52; 'Christine Jones'
Cc: 'elliot noss'; 'Bruce Tonkin'; 'Tim Ruiz'; 'Adam Dicker'; registrars@xxxxxxxxxxxxxx
Subject: RE: [registrars] An Opportunity to Prove A Point - Hi- Jacked Name At GoDaddy



   1. Evidence of fraud

One bit of evidence might be a contact change to the domain of an applicant in Colorado originating from an IP address in Iran. Of course, I was not suggesting that one data point constitute a totality of one's investigation. However, on top of the other data, having a reason to investigate further, a quick look at the quite neutral records of the Colorado Secretary of State,
and at such domain data as that for marriage.org, along with the
unlikelihood that a party with a definite view on the subject of marriage would suddenly sell a domain name after 12 years to someone advertising, for
example, "extramarital dating sites", does paint a larger picture.

I believe my point was obscured by some who had not attended the recent meeting. My intention was to point out a definite situation in which, regardless of one's interpretation of the policy, someone is breathing a deep sigh of relief over the fact that the domain name is not subject to a further registrar transfer for a while. My comments on this particular
event appear to have been misinterpreted to some degree, since it was
suggested emphatically to me that the anti-hijacking utility of the GoDaddy
policy was some sort of fiction.

We've heard from the anti-phishing group on the subject of "fast flux" DNS and its problems. Having to chase hi-jacked domains name hither and yon,
suggests that there needs to be a balance between a distributed
inconvenience for many, versus a catastrophic event for a few.







<<< Chronological Index >>>    <<< Thread Index >>>