RE: [registrars] An Opportunity to Prove A Point - Hi-Jacked Name At GoDaddy

[Paul Goldstone <paulg@xxxxxxxxxxxx>]

In my opinion, the suggestions that a registrant who doesn't like a 
particular registrar policy can simply find another registrar is 
flawed in this case due to the very reason we're discussing it in the 
first place.

Whereas one registrar may convince a registrant why they should 
transfer (perhaps for the reason we're discussing), once that process 
begins, they may find it impossible to complete due to something as 
simple as a contact change, which is often necessary to facilitate the 
transfer in the first place.  The registrant then decides to stay with 
their original registrar, for the wrong reasons, and for reasons that 
should be protected by the ICANN transfer policies.

I can appreciate that some registrants are perfectly happy with their 
current registrar and may want to opt in for this type of added 
security, or even opt to reject all transfer requests regardless of 
contact changes.  However, the majority of registrants probably don't 
want this unknown restriction preventing them from choosing which 
registrar they want to use at any given time.  ICANN responded to 
Elliot in Delhi that this was under review and they'd get back to us 
within a week.  Does anyone know where that stands?

Also, I'd appreciate if someone could explain why if somebody's domain 
is hijacked, or better yet, if somebody's property is STOLEN, law 
enforcement doesn't take over at that point?  Why are there stories of 
property being stolen for months when it's clear that fraud has been 
committed and there's a digital trail?  Are they not receptive?  Could 
someone please clarify this for the group?

While on the topic of transfers, I want to repeat another common 
problem that I mentioned a while ago.  There are many cases where we 
deal with an unresponsive or otherwise unhelpful reseller, and when we 
contact the actual registrar to resolve the issue, we are referred 
back to the reseller, who continues to be unresponsive or unhelpful.  
This often takes hours and days of work (over a single domain) until 
we reach a point that the registrant gives up, or the domain becomes 
due for renewal at the original registrar.  I for one feel that the 
registrar should be ultimately responsible for registrant services, 
which they are according to ICANN policies but not so much in the real world.

In response to Champ's comments, I've been involved with domains since 
1996 and I have a great deal of respect and admiration for 
participants on this list, many of whom have helped take their 
companies to impressive heights.  I think it's healthy and perfectly 
acceptable that when any of us disagree with a certain policy or 
procedure, especially when we feel it is in conflict with an ICANN 
policy that we must all adhere to, that we speak our mind and discuss 
it.  I wish even more people spoke up because I often hear from people 
off list who have strong opinions but are uncomfortable joining the 
discussion.  Having said that, I would add that the (upcoming) 
"private" list will be a much better venue so that comments don't 
appear like public bashing, and so that people can speak their mind 
without announcing it to the world.

Best Regards,

~Paul
:DomainIt


At 02:04 PM 2/22/2008, Nevett, Jonathon wrote:
>Let me throw another one out for consideration:
>
>7. A domain name was already in "lock status" provided that the 
>Registrar provides a readily accessible and reasonable means for the 
>Registered Name Holder to remove the lock status.
>
>In the example that Christine gave, Go Daddy locks a name after a Whois contact change for 60 days.  If the customer tries to transfer during the 60 day period, then the transfer could be denied under #7 as it was already in lock status.  The issue comes down to whether the customer has a reasonable means to lift the lock.  
>
>Is it reasonable for a registrar to require a registrant to appear in person at the registrar's offices in order to authorize the transfer (I understand that one registrar actually does this)?  The first reaction likely would be no.  Would it change your mind, however, if this were the policy for only two or three character domain names valued at over $1 million?  Would it change your mind if the customer was so worried about hijackings that it agreed to this requirement in writing as a security measure?  What if the customer was a prior victim of hijacking and saw its domain name travel to three or four registrars around the world before getting it back six months later?  Would it change your mind if the customer requested and actually paid the registrar to be provided with this additional security measure?  
>
>Is it reasonable to deny transfers for 60 days after a Whois Admin or Primary Contact change, which is typical in hijacking cases?  Is it reasonable to lock names for 60 days after a Whois Admin or Primary Contact change and require additional verification of the contact information in order to transfer during that 60 day period? 
>
>Issues of reasonableness under law are anything, but black and white.  Therefore, the rhetoric that we recently have read and heard about "clear violations" is just that -- rhetoric.
>
>Who should decide what is reasonable in these difficult scenarios?  Should it be ICANN staff, the GNSO PDP process already looking at these specific issues, or the market?  If customers don't like Go Daddy's (or Network Solutions') security policy, then the competitive marketplace could provide a solution.  Other registrars could market to customers who care less about security and hijackings and don't want to wait 60 days or provide additional verification after a Whois Admin or Primary Contact change.  In a competitive marketplace, there is a great deal of room for market differentiation.  This could and should be a differentiator.  We would be hurting registrants if we didn't have the ability to provide additional security protections.  
>
>Thanks.
>
>Jon
>
>-----Original Message-----
>From: owner-registrars@xxxxxxxxxxxxxx [mailto:owner-registrars@xxxxxxxxxxxxxx] On Behalf Of John Berryhill
>Sent: Friday, February 22, 2008 9:39 AM
>To: G2L52; 'Christine Jones'
>Cc: 'elliot noss'; 'Bruce Tonkin'; 'Tim Ruiz'; 'Adam Dicker'; registrars@xxxxxxxxxxxxxx
>Subject: RE: [registrars] An Opportunity to Prove A Point - Hi-Jacked Name At GoDaddy
>
>
>
>>   1. Evidence of fraud
>
>One bit of evidence might be a contact change to the domain of an applicant
>in Colorado originating from an IP address in Iran.  Of course, I was not
>suggesting that one data point constitute a totality of one's investigation.
>However, on top of the other data, having a reason to investigate further, a
>quick look at the quite neutral records of the Colorado Secretary of State,
>and at such domain data as that for marriage.org, along with the
>unlikelihood that a party with a definite view on the subject of marriage
>would suddenly sell a domain name after 12 years to someone advertising, for
>example, "extramarital dating sites", does paint a larger picture.
>
>I believe my point was obscured by some who had not attended the recent
>meeting.   My intention was to point out a definite situation in which,
>regardless of one's interpretation of the policy, someone is breathing a
>deep sigh of relief over the fact that the domain name is not subject to a
>further registrar transfer for a while.  My comments on this particular
>event appear to have been misinterpreted to some degree, since it was
>suggested emphatically to me that the anti-hijacking utility of the GoDaddy
>policy was some sort of fiction.
>
>We've heard from the anti-phishing group on the subject of "fast flux" DNS
>and its problems.  Having to chase hi-jacked domains name hither and yon,
>suggests that there needs to be a balance between a distributed
>inconvenience for many, versus a catastrophic event for a few.