ICANN/GNSO GNSO Email List Archives

[registrars]


<<< Chronological Index >>>    <<< Thread Index >>>

RE: [registrars] An Opportunity to Prove A Point - Hi-Jacked Name At GoDaddy

  • To: Christine Jones <cjones@xxxxxxxxxxx>
  • Subject: RE: [registrars] An Opportunity to Prove A Point - Hi-Jacked Name At GoDaddy
  • From: Paul Goldstone <paulg@xxxxxxxxxxxx>
  • Date: Fri, 22 Feb 2008 03:38:18 -0500
  • Cc: john@xxxxxxxxxxxxxxxxx, "'elliot noss'" <enoss@xxxxxxxxxx>, "'Bruce Tonkin'" <Bruce.Tonkin@xxxxxxxxxxxxxxxxxx>, "'Tim Ruiz'" <tim@xxxxxxxxxxx>, "'Adam Dicker'" <amd@xxxxxxxxxxxxxxxxxxx>, registrars@xxxxxxxxxxxxxx
  • In-reply-to: <20080221170202.dc5d76307e08b3dc7f186cac1bc30a7a.6fa1839328 .wbe@email.secureserver.net>
  • List-id: registrars@xxxxxxxxxxxxxx
  • References: <20080221170202.dc5d76307e08b3dc7f186cac1bc30a7a.6fa1839328.wbe@email.secureserver.net>
  • Sender: owner-registrars@xxxxxxxxxxxxxx

Christine,

I acknowledge the possibility that a 60 day lock may prevent a small 
percentage of problems, but how much more often does it cause problems 
by making it difficult for registrants to rightfully transfer their domains?

More to the point, which of the following ICANN reasons justify 
prevention of a registrar transfer based on a contact update?:

=======================================================================

http://www.icann.org/transfers/policy-12jul04.htm

   1. Evidence of fraud
   2. UDRP action
   3. Court order by a court of competent jurisdiction
   4. Reasonable dispute over the identity of the Registered Name 
Holder or Administrative Contact
   5. No payment for previous registration period (including credit 
card charge-backs) if the domain name is past its expiration date or 
for previous or current registration periods if the domain name has 
not yet expired. In all such cases, however, the domain name must be 
put into "Registrar Hold" status by the Registrar of Record prior to 
the denial of transfer.
   6. Express written objection to the transfer from the Transfer 
Contact. (e.g. - email, fax, paper document or other processes by 
which the Transfer Contact has expressly and voluntarily objected 
through opt-in means)
   7. A domain name was already in ?lock status? provided that the 
Registrar provides a readily accessible and reasonable means for the 
Registered Name Holder to remove the lock status.
   8. A domain name is in the first 60 days of an initial registration period.
   9. A domain name is within 60 days (or a lesser period to be 
determined) after being transferred (apart from being transferred back 
to the original Registrar in cases where both Registrars so agree 
and/or where a decision in the dispute resolution process so directs).

=======================================================================

Rejecting a transfer because of a contact change and claiming that 
alone as evidence of (potential) fraud is in my opinion a stretch.  
One could just as easily claim that a transfer in itself is evidence 
of (potential) fraud.

For the registrars who prevent domain transfers for 60 days following 
a contact update, why only 60 days?  What if it was fraud and the 
original owner still isn't aware of their domain being hijacked?  
Perhaps these registrars should keep the domain indefinitely due to 
the potential fraud.  I'm of course being sarcastic here.

For some perspective, back in the day we only needed a registry 
liaison.  Nowadays we also need a full-time registrar liaison just to 
deal with the obstacles that some registrars create that prevent 
legitimate transfers.

I don't dispute that fraud should be prevented, but like I said, the 
60 day lock idea prevents many legitimate transfers and so I think a 
different solution needs to be implemented to address domain hijacking.

Regards,

~Paul
:DomainIt


At 07:02 PM 2/21/2008, Christine Jones wrote:
>John, Elliot and Esteemed Colleagues-
>
>I'm in my seventh year as Go Daddy General Counsel.  Although I follow the spirited discussion of this group closely, I have never once posted a response to this group.  I feel I must now break my silence, however, for a few reasons.
>
>First, although he never thought he would hear me say this, Rob Hall is right.  Mostly.  Phil Sbarbaro is not a sorry ass.  Quite the contrary.  Phil worked hard for some of the protections all registrars now enjoy.  Since he is not able to defend himself here, we should leave the critical comments to those of us who can.  For the record, Phil is not undefeated.  I did beat up on him pretty badly in the Go Daddy v. VeriSign case (you all remember it, the one regarding deceptive advertising and forced domain name transfers).  But, let's keep him out of this.
>
>Second, the short answer to t! he popcorn eating audience is this: Go Daddy will follow its standard operating procedure in this case, as we attempt to do in every case.
>
>The longer answer, for those who are still interested in the movie, follows.
>
>We instituted the 60-day lock after a Change of Registrant to prevent names FROM our registrar from being transferred shortly after they were hijacked.  This is a case where (allegedly) the domain name was hijacked and transferred TO our registrar.  But of course, we can help.  And here is why:
> 
>The registrant at the time of transfer is contesting the transfer.  We draw from the Transfer Policy that states: "In the event of a dispute, the Registered Name Holder's authority supersedes that of the Administrative Contact."  Since the domain name transferred over with "Marriage Ministries International" listed as the registrant, we should be able to help this entity recover the domain name, so long as this entity can prove who they say they are.  Because we have a standard process concerning these matters, we have a form that they need to fill out in order for us to help them.  Just have them contact <mailto:undo@xxxxxxxxxxx>undo@xxxxxxxxxxx.  We do not require an Indemnification Agreement unless the previous registrant (or registrar) require that the name be transferred back to the previous registrar (remember the name will be locked for 60-days, which, of course, allows sufficient time for any complaining party to lodge a legal dispute).  
> 
>This is not why we would help this entity:
> 
>Do you they really think that the registrar has the right to return a domain name simply based on the fact that the name is a high-profile name and the previous registrant is claiming the name was hijacked?  Since when, did we, as registrars, become detectives or judges in these matters?  Why would we be able to help the previous registrant of marriage.com (no matter what kind of documentation they (or any other non-legal body) gave us to prove the domain name was hijacked?) versus any other previous registrant?  The answer is, we CANNOT!   Unless (as mentioned above), we receive unbiased, standard documents to reflect that they were the registrants at the time of transfer, there is nothing we, as a registrar, can do.  What other registrar has this unbiased, standard process in place?  Likewise, why would "determining whether the originating IP address of the authorization is localizable to Colorado or to somewhere else" make a difference?  IT DOES NOT!!  Are registrars really relying on this type of evidence to determine whether or not they should return a name to the previous registrant?  Seriously?!!  (See, Kremen v. Cohen for why this is a bad idea.)
> 
>I consider John Berryhill and friend of mine.  But, here is why I am more afraid of some of the people in this email thread than any hijacker:
> 
>They wasted time sending this email and are basically doubting the 60-day lock despite that it actually helps registrants when their name is hijacked.  So, again, Go Daddy is here to save the day by relying on the Transfer Policy to assist this person.  Unfortunately, when we (as the losing registrar) have gone to other registrars with this same scenario, the registrars have been unwilling (basically fearful) to reinstate the registrant at the time of transfer, despite the fact that the Transfer Policy supports this action.  (Read: Elliot wasn't there to bail out my sorry ass.)  Perhaps we can blame this on the administrators that receive these complaints as not really understanding the Transfer Policy.  But how can we blame them?  The real fault lies in the people that have the authority to apply the Transfer Policy to situations like these.
> 
>In the end, GoDaddy.com (or any other registrar) is not required to help this previous registrant.  In fact, referring them to the UDRP would not be WRONG.  Why again is this GoDaddy's fault or problem to fix?  And why, if we don't take any action, would we be the bad guy?  We can rely on the TRANSFER POLICY to reinstate the previous registrant (if they provide valid documentation).  But we don't have to.   This is the way we have found to work within the confines of the Transfer Policy to help registrants.  By the way, what do you do to help registrants without relying on your biased judgment or detective work?  
> 
>Incidentally, THANK GOODNESS that the domain name was not allowed to transfer away (due to the 60-day lock after the registrant changed).  Because now, GODADDY knows exactly what to do and the previous registrar does not have to rely on another registrar that may not have any standard practices in place for these kinds of matters.
> 
>Unfortunately, the department that needs to receive this request has not received any documents from the previous registrant.  I understand that our support department could have possibly steered the previous registrant in a better direction.  But really, all of this wasted time and energy on this subject could have been used to tell these people that they need to go to <mailto:undo@xxxxxxxxxxx>undo@xxxxxxxxxxx.  We anticipate that either the previous registrar or registrant will contact us within the next 48 hours to make their claim.  In the meantime, we have a placed a lock on this domain name. 
> 
>And please, if the previous registrant ends up getting this name back, don't think that it has anything to do with this email or any kind of effort or pressure you have placed on GoDaddy.  Don't take any credit.  We are just following our unbiased, SOP.  
> 
>Here is an opportunity for other registrars to prove a point: Get your own SOPs in order.
> 
>Very truly yours,
>Christine Jones
>
>
>-------- Original Message --------
>Subject: [registrars] An Opportunity to Prove A Point - Hi-Jacked Name
>At GoDaddy
>From: "John Berryhill" <john@xxxxxxxxxxxxxxxxx>
>Date: Thu, February 21, 2008 10:14 am
>To: "'Tim Ruiz'" <tim@xxxxxxxxxxx>, "'Christine Jones'"
><cjones@xxxxxxxxxxx>, "'Adam Dicker'" <amd@xxxxxxxxxxxxxxxxxxx>,
><registrars@xxxxxxxxxxxxxx>
>Cc: "'elliot noss'" <enoss@xxxxxxxxxx>, "'Bruce Tonkin'"
><Bruce.Tonkin@xxxxxxxxxxxxxxxxxx>
>
>
>
>For those that enjoyed the Delhi fireworks show between myself and Elliot on
>the subject of Godaddy's interpretation of the transfer policy, a unique
>opportunity has arisen to provide an acid test of whether Godaddy is
>sincere, or whether the Transfer Policy is broken.
>
>As you know, Elliot Noss and others have expressed eloquent and enthusiastic
>skepticism concerning the "anti-hi-jacking" rationale of Godaddy's 60 day
>hold.
>
>Here's what landed in my lap this morning.
>
>Married.com has been registered since 1995 to Marriage Ministries
>International through Melbourne IT as follows:
>
>Domain Name.......... married.com
>Creation Date........ 1995-05-31
>Registration Date.... 2002-11-23
>Expiry Date.......... 2008-05-30
>Organisation Name.... Marriage Ministries International
>Organisation Address. 9132 W. Bowles Avenue
>Organisation Address. _
>Organisation Address. Littleton
>Organisation Address. 80123
>Organisation Address. CO
>Organisation Address. UNITED STATES
>
>Admin Name........... Jason Phillipps
>Admin Address........ 9132 W. Bowles Avenue
>Admin Address........ _
>Admin Address........ Littleton
>Admin Address........ 80123
>Admin Address........ CO
>Admin Address........ UNITED STATES
>Admin Email.......... jasonphillipps@[xxxx]
>
>On or about February 5, 2008, it was hi-jacked and transferred to GoDaddy,
>most likely by compromise of the admin contact email address.
>
>Registrant:
>Domain Manager <https://email.secureserver.net/pcompose.php#Compose>DomainManager2006@xxxxxxxxx
>Sattarkhan Blvd.
>Copenhagen, 2400
>Denmark
>
>The hi-jacker entered into a deal to sell the domain name through escrow.com
>for $100,000.
>
>I was contacted by the prospective buyer, who had contacted the former
>registrant in the course of his due diligence. The former registrant had no
>idea how the domain name was transferred to GoDaddy, and when they contacted
>GoDaddy support, he was told to "use the UDRP" and that there was nothing
>else GoDaddy could do.
>
>Of course, the UDRP is useless here, since "married" wasn't being used as a
>trade or service mark for marriage counseling, and GoDaddy support's advice
>is typical of the useless things that are told to parties in this instance.
>
>So, as the situation stands, and as I tried to convey to Elliot, it is in
>circumstances such as this one that I am GLAD the name is at GoDaddy, since
>it is at least not going anywhere for another 45 days.
>
>The remaining questions are these:
>
>1. Is GoDaddy actually going to look into the situation and USE the 60 day
>period to resolve a domain hi-jacking? The initial indication from GoDaddy
>support is "no". 
>
>2. What is the mechanism by which a registrant may request his/her
>registrar to institute a Transfer Dispute Resolution Proceeding? This ball
>is in Bruce's court. Melbourne IT provides no information to registrants
>that is readily accessible which, as I have long argued, is the fundamental
>flaw of the TDRS - there is no coupling between the people who've had their
>names transferred without authorization, and the people who are in a
>position to invoke the policy.
>
>Now it may be that the registrant's admin email address was compromised.
>Still, both Melbourne IT and GoDaddy will be able to determine whether the
>originating IP address of the authorization is localizable to Colorado or to
>somewhere else.
>
>So, Elliot, let's fire up the oven, put on some crow, and find out who gets
>to eat it. Either (a) GoDaddy does nothing to investigate or remedy this
>hi-jacking, and their justification for the 60 day hold is a farce; (b)
>Melbourne IT does nothing, and the Transfer Policy dispute mechanism is a
>farce; or (c) the situation is appropriately resolved, and it turns out that
>GoDaddy's policy actually does help address hi-jackings.
>
>But, as it stands, the only hopeful point in the situation is that since the
>name is at GoDaddy, it is going to stay there for a while.
>
>The point is GoDaddy's to prove, or not.
>
>
>John Berryhill, Ph.d., Esq.
>4 West Front St. 
>Media, PA 19063
>(610) 565-5601
>(267) 386-8115 fax
>


<<< Chronological Index >>>    <<< Thread Index >>>