RE: [registrars] An Opportunity to Prove A Point - Hi-Jacked Name At GoDaddy

["Nevett, Jonathon" <jnevett@xxxxxxxxxxxxxxxxxxxx>]

Let me throw another one out for consideration:

7. A domain name was already in "lock status" provided that the 
Registrar provides a readily accessible and reasonable means for the 
Registered Name Holder to remove the lock status.

In the example that Christine gave, Go Daddy locks a name after a Whois contact change for 60 days.  If the customer tries to transfer during the 60 day period, then the transfer could be denied under #7 as it was already in lock status.  The issue comes down to whether the customer has a reasonable means to lift the lock.  

Is it reasonable for a registrar to require a registrant to appear in person at the registrar's offices in order to authorize the transfer (I understand that one registrar actually does this)?  The first reaction likely would be no.  Would it change your mind, however, if this were the policy for only two or three character domain names valued at over $1 million?  Would it change your mind if the customer was so worried about hijackings that it agreed to this requirement in writing as a security measure?  What if the customer was a prior victim of hijacking and saw its domain name travel to three or four registrars around the world before getting it back six months later?  Would it change your mind if the customer requested and actually paid the registrar to be provided with this additional security measure?  

Is it reasonable to deny transfers for 60 days after a Whois Admin or Primary Contact change, which is typical in hijacking cases?  Is it reasonable to lock names for 60 days after a Whois Admin or Primary Contact change and require additional verification of the contact information in order to transfer during that 60 day period? 

Issues of reasonableness under law are anything, but black and white.  Therefore, the rhetoric that we recently have read and heard about "clear violations" is just that -- rhetoric.

Who should decide what is reasonable in these difficult scenarios?  Should it be ICANN staff, the GNSO PDP process already looking at these specific issues, or the market?  If customers don't like Go Daddy's (or Network Solutions') security policy, then the competitive marketplace could provide a solution.  Other registrars could market to customers who care less about security and hijackings and don't want to wait 60 days or provide additional verification after a Whois Admin or Primary Contact change.  In a competitive marketplace, there is a great deal of room for market differentiation.  This could and should be a differentiator.  We would be hurting registrants if we didn't have the ability to provide additional security protections.  

Thanks.

Jon

-----Original Message-----
From: owner-registrars@xxxxxxxxxxxxxx [mailto:owner-registrars@xxxxxxxxxxxxxx] On Behalf Of John Berryhill
Sent: Friday, February 22, 2008 9:39 AM
To: G2L52; 'Christine Jones'
Cc: 'elliot noss'; 'Bruce Tonkin'; 'Tim Ruiz'; 'Adam Dicker'; registrars@xxxxxxxxxxxxxx
Subject: RE: [registrars] An Opportunity to Prove A Point - Hi-Jacked Name At GoDaddy



>   1. Evidence of fraud

One bit of evidence might be a contact change to the domain of an applicant
in Colorado originating from an IP address in Iran.  Of course, I was not
suggesting that one data point constitute a totality of one's investigation.
However, on top of the other data, having a reason to investigate further, a
quick look at the quite neutral records of the Colorado Secretary of State,
and at such domain data as that for marriage.org, along with the
unlikelihood that a party with a definite view on the subject of marriage
would suddenly sell a domain name after 12 years to someone advertising, for
example, "extramarital dating sites", does paint a larger picture.

I believe my point was obscured by some who had not attended the recent
meeting.   My intention was to point out a definite situation in which,
regardless of one's interpretation of the policy, someone is breathing a
deep sigh of relief over the fact that the domain name is not subject to a
further registrar transfer for a while.  My comments on this particular
event appear to have been misinterpreted to some degree, since it was
suggested emphatically to me that the anti-hijacking utility of the GoDaddy
policy was some sort of fiction.

We've heard from the anti-phishing group on the subject of "fast flux" DNS
and its problems.  Having to chase hi-jacked domains name hither and yon,
suggests that there needs to be a balance between a distributed
inconvenience for many, versus a catastrophic event for a few.