RE: [registrars] An Opportunity to Prove A Point - Hi-Jacked Name At GoDaddy

[Christine Jones <cjones@xxxxxxxxxxx>]

<html><body>John, Elliot and Esteemed Colleagues-<br><br>I'm in my seventh year as Go Daddy General Counsel.&nbsp; Although I follow the spirited discussion of this group closely, I have never once posted a response to this group.&nbsp; I feel I must now break my silence, however, for a few reasons.<br><br>First, although he never thought he would hear me say this, Rob Hall is right.&nbsp; Mostly.&nbsp; Phil Sbarbaro is not a sorry ass.&nbsp; Quite the contrary.&nbsp; Phil worked hard for some of the protections all registrars now enjoy.&nbsp; Since he is not able to defend himself here, we should leave the critical comments to those of us who can.&nbsp; For the record, Phil is not undefeated.&nbsp; I did beat up on him pretty badly in the <span style="font-style: italic;">Go Daddy v. VeriSign</span> case (you all remember it, the one regarding deceptive advertising and forced domain name transfers).&nbsp; But, let's keep him out of this.<br><br>Second, the short answer to t!
 he popcorn eating audience is this: Go Daddy will follow its standard operating procedure in this case, as we attempt to do in every case.<br><br>The longer answer, for those who are still interested in the movie, follows.<br><br><div>We instituted the 60-day lock after a Change of
Registrant to prevent names&nbsp;FROM our&nbsp;registrar from being transferred
shortly after they were hijacked.&nbsp; This is a case where (allegedly)&nbsp;the
domain name was hijacked and transferred TO our registrar.&nbsp; But of
course, we&nbsp;can help.&nbsp; And here is why:</div> <div>&nbsp;</div> <div>The
registrant at the time of transfer is contesting the transfer.&nbsp; We draw
from the Transfer Policy that states: "In the event of a dispute, the
Registered Name Holder's authority supersedes that of the
Administrative Contact."&nbsp; Since the domain name transferred over with
"Marriage Ministries International" listed as the registrant, we should
be able to help this entity recover the domain name, so long as this
entity can prove who they say they are.&nbsp; Because we have a standard
process concerning these matters, we have a form that they need to fill
out in order for us to help them.&nbsp; Just have them contact <a href="mailto:undo@xxxxxxxxxxx"; onclick="Popup.composeWindow('pcompose.php?sendto=undo%40godaddy.com');; return false;" target="_blank" __onclick="Popup.composeWindow('pcompose.php?sendto=undo%40godaddy.com');; return false;">undo@xxxxxxxxxxx</a>.&nbsp;
We do not require an Indemnification Agreement unless the previous
registrant (or registrar) require that the name be transferred back to
the previous registrar (remember the name will be locked for 60-days,
which, of course, allows sufficient time for any complaining party to
lodge a legal dispute).&nbsp;&nbsp;</div> <div>&nbsp;</div> <div>This is not why we would help this entity:</div> <div>&nbsp;</div> <div>Do
you they really think that the registrar has the right to return a
domain name simply based on the fact that the name is a high-profile
name and the previous registrant is claiming the name was hijacked?&nbsp;
Since when, did we, as registrars, become detectives or judges in these
matters?&nbsp; Why would we&nbsp;be able to help the previous registrant of
marriage.com (no matter what kind of documentation they (or any other
non-legal body) gave us to prove the domain name was hijacked?) versus
any other previous registrant?&nbsp; The answer is, we CANNOT!&nbsp;&nbsp; Unless (as
mentioned above), we receive unbiased, standard documents to reflect
that they were the registrants at the time of transfer, there is nothing
we, as a registrar, can do.&nbsp; What other registrar has this unbiased,
standard process in place?&nbsp; Likewise, why would "determining whether
the originating IP address of the authorization is localizable to
Colorado or to somewhere else"&nbsp;make a difference?&nbsp; IT DOES NOT!!&nbsp; Are
registrars really relying on this type of evidence to determine whether
or not they should return a name to the previous registrant?&nbsp;
Seriously?!!&nbsp; (See, <span style="font-style: italic;">Kremen v. Cohen</span> for why this is a bad idea.)<br></div> <div>&nbsp;</div> <div>I consider John Berryhill and friend of mine.&nbsp; But, here is why I am more afraid of some of the people in this email thread than any hijacker:</div> <div>&nbsp;</div> <div>They
wasted time sending this email and are basically&nbsp;doubting the 60-day
lock despite that it actually helps registrants when their name is
hijacked.&nbsp; So, again, Go Daddy is here to save the day by relying on
the Transfer Policy to assist this person.&nbsp; Unfortunately, when we (as
the losing registrar) have gone to other registrars with this same
scenario, the registrars have been unwilling (basically fearful) to
reinstate the registrant at the time of transfer, despite the fact that
the Transfer Policy supports this action.&nbsp; (Read: Elliot wasn't there to bail out my sorry ass.)&nbsp; Perhaps we can blame this on
the administrators that receive these complaints as not really
understanding the Transfer Policy.&nbsp; But how can we blame them?&nbsp; The
real fault lies in the people that have the authority to apply the
Transfer Policy to situations like these.</div> <div>&nbsp;</div> <div>In
the end, GoDaddy.com (or any other registrar) is not required to help
this previous registrant.&nbsp; In fact, referring them to the UDRP would
not be WRONG.&nbsp; Why again is this GoDaddy's fault or problem to fix?&nbsp; And
why, if we don't take any action, would we be the bad guy?&nbsp; We can rely
on the TRANSFER POLICY to reinstate the previous registrant (if they
provide valid documentation).&nbsp; But we don't have to.&nbsp;&nbsp; This is the way
we have found to work within the confines of the Transfer Policy to
help registrants.&nbsp; By the way, what do you do to help registrants
without relying on your biased judgment or detective work?&nbsp; </div> <div>&nbsp;</div> <div>Incidentally,
THANK GOODNESS that the domain name was not allowed to transfer away
(due to the 60-day lock after the registrant changed).&nbsp; Because now,
GODADDY knows exactly what to do and the previous registrar does not
have to rely on another registrar that may not have any standard
practices in place for these kinds of matters.</div> <div>&nbsp;</div> <div>Unfortunately,
the department that needs to receive this request has not received any
documents from the previous registrant.&nbsp; I understand that our support
department could have possibly steered the previous registrant in a
better direction.&nbsp; But really, all of this wasted time and energy on
this subject could have been used to tell these people that they need
to go to <a href="mailto:undo@xxxxxxxxxxx"; onclick="Popup.composeWindow('pcompose.php?sendto=undo%40godaddy.com');; return false;" target="_blank" __onclick="Popup.composeWindow('pcompose.php?sendto=undo%40godaddy.com');; return false;">undo@xxxxxxxxxxx</a>.&nbsp; We anticipate that either the previous registrar or registrant will contact us within the next 48 hours to make their claim.&nbsp; In the meantime, we have a placed a lock on this domain name.  </div> <div>&nbsp;</div> <div>And
please, if the previous registrant ends&nbsp;up getting this name back, don't
think that it has anything to do with this email or any kind of effort
or pressure you have placed on GoDaddy.&nbsp; Don't take any credit.&nbsp; We are
just following our unbiased, SOP.&nbsp; </div> <div>&nbsp;</div> <div>Here is an opportunity&nbsp;for other registrars&nbsp;to prove a point: Get your own SOPs in order.<br></div> <div>&nbsp;<br>Very truly yours,<br>Christine Jones<br><br></div><br>
<blockquote webmail="1" style="border-left: 2px solid blue; margin-left: 8px; padding-left: 8px;">
-------- Original Message --------<br>
Subject: [registrars] An Opportunity to Prove A Point - Hi-Jacked Name<br>
At GoDaddy<br>
From: "John Berryhill" &lt;john@xxxxxxxxxxxxxxxxx&gt;<br>
Date: Thu, February 21, 2008 10:14 am<br>
To: "'Tim Ruiz'" &lt;tim@xxxxxxxxxxx&gt;, "'Christine Jones'"<br>
&lt;cjones@xxxxxxxxxxx&gt;, "'Adam Dicker'" &lt;amd@xxxxxxxxxxxxxxxxxxx&gt;,<br>
&lt;registrars@xxxxxxxxxxxxxx&gt;<br>
Cc: "'elliot noss'" &lt;enoss@xxxxxxxxxx&gt;, "'Bruce Tonkin'"<br>
&lt;Bruce.Tonkin@xxxxxxxxxxxxxxxxxx&gt;<br>
<br>
<br>
<br>
For those that enjoyed the Delhi fireworks show between myself and Elliot on<br>
the subject of Godaddy's interpretation of the transfer policy, a unique<br>
opportunity has arisen to provide an acid test of whether Godaddy is<br>
sincere, or whether the Transfer Policy is broken.<br>
<br>
As you know, Elliot Noss and others have expressed eloquent and enthusiastic<br>
skepticism concerning the "anti-hi-jacking" rationale of Godaddy's 60 day<br>
hold.<br>
<br>
Here's what landed in my lap this morning.<br>
<br>
Married.com has been registered since 1995 to Marriage Ministries<br>
International through Melbourne IT as follows:<br>
<br>
Domain Name.......... married.com<br>
  Creation Date........ 1995-05-31<br>
  Registration Date.... 2002-11-23<br>
  Expiry Date.......... 2008-05-30<br>
  Organisation Name.... Marriage Ministries International<br>
  Organisation Address. 9132 W. Bowles Avenue<br>
  Organisation Address. _<br>
  Organisation Address. Littleton<br>
  Organisation Address. 80123<br>
  Organisation Address. CO<br>
  Organisation Address. UNITED STATES<br>
<br>
Admin Name........... Jason Phillipps<br>
  Admin Address........ 9132 W. Bowles Avenue<br>
  Admin Address........ _<br>
  Admin Address........ Littleton<br>
  Admin Address........ 80123<br>
  Admin Address........ CO<br>
  Admin Address........ UNITED STATES<br>
  Admin Email.......... jasonphillipps@[xxxx]<br>
<br>
On or about February 5, 2008, it was hi-jacked and transferred to GoDaddy,<br>
most likely by compromise of the admin contact email address.<br>
<br>
Registrant:<br>
   Domain Manager <a href="https://email.secureserver.net/pcompose.php#Compose"; onclick="Popup.composeWindow('pcompose.php?sendto=DomainManager2006%40Gmail.com'); return false;">DomainManager2006<b></b>@Gmail.com</a><br>
   Sattarkhan Blvd.<br>
   Copenhagen,  2400<br>
   Denmark<br>
<br>
The hi-jacker entered into a deal to sell the domain name through escrow.com<br>
for $100,000.<br>
<br>
I was contacted by the prospective buyer, who had contacted the former<br>
registrant in the course of his due diligence.  The former registrant had no<br>
idea how the domain name was transferred to GoDaddy, and when they contacted<br>
GoDaddy support, he was told to "use the UDRP" and that there was nothing<br>
else GoDaddy could do.<br>
<br>
Of course, the UDRP is useless here, since "married" wasn't being used as a<br>
trade or service mark for marriage counseling, and GoDaddy support's advice<br>
is typical of the useless things that are told to parties in this instance.<br>
<br>
So, as the situation stands, and as I tried to convey to Elliot, it is in<br>
circumstances such as this one that I am GLAD the name is at GoDaddy, since<br>
it is at least not going anywhere for another 45 days.<br>
<br>
The remaining questions are these:<br>
<br>
1.  Is GoDaddy actually going to look into the situation and USE the 60 day<br>
period to resolve a domain hi-jacking?  The initial indication from GoDaddy<br>
support is "no". <br>
<br>
2.  What is the mechanism by which a registrant may request his/her<br>
registrar to institute a Transfer Dispute Resolution Proceeding?  This ball<br>
is in Bruce's court.  Melbourne IT provides no information to registrants<br>
that is readily accessible which, as I have long argued, is the fundamental<br>
flaw of the TDRS - there is no coupling between the people who've had their<br>
names transferred without authorization, and the people who are in a<br>
position to invoke the policy.<br>
<br>
Now it may be that the registrant's admin email address was compromised.<br>
Still, both Melbourne IT and GoDaddy will be able to determine whether the<br>
originating IP address of the authorization is localizable to Colorado or to<br>
somewhere else.<br>
<br>
So, Elliot, let's fire up the oven, put on some crow, and find out who gets<br>
to eat it.  Either (a) GoDaddy does nothing to investigate or remedy this<br>
hi-jacking, and their justification for the 60 day hold is a farce; (b)<br>
Melbourne IT does nothing, and the Transfer Policy dispute mechanism is a<br>
farce; or (c) the situation is appropriately resolved, and it turns out that<br>
GoDaddy's policy actually does help address hi-jackings.<br>
<br>
But, as it stands, the only hopeful point in the situation is that since the<br>
name is at GoDaddy, it is going to stay there for a while.<br>
<br>
The point is GoDaddy's to prove, or not.<br>
<br>
<br>
John Berryhill, Ph.d., Esq.<br>
4 West Front St. <br>
Media, PA  19063<br>
(610) 565-5601<br>
(267) 386-8115 fax<br>
<br>
<br>

</blockquote></body></html>