ICANN/GNSO GNSO Email List Archives

[registrars]



RE: [registrars] An Opportunity to Prove A Point - Hi-Jacked Name At GoDaddy

  • To: "Nevett,Jonathon" <jnevett@xxxxxxxxxxxxxxxxxxxx>
  • Subject: RE: [registrars] An Opportunity to Prove A Point - Hi-Jacked Name At GoDaddy
  • From: Tim Ruiz <tim@xxxxxxxxxxx>
  • Date: Fri, 22 Feb 2008 13:30:26 -0700
  • Cc: Registrar Constituency <registrars@xxxxxxxxxxxxxx>, john@xxxxxxxxxxxxxxxxx, G2L52 <paulg@xxxxxxxxxxxx>, Christine Jones <cjones@xxxxxxxxxxx>
  • List-id: registrars@xxxxxxxxxxxxxx
  • Reply-to: Tim Ruiz <tim@xxxxxxxxxxx>
  • Sender: owner-registrars@xxxxxxxxxxxxxx
  • User-agent: Web-Based Email 4.12.23

Jon makes an excellent point, I agree, and it complies with the policy.
Regarding Jon's question about who should decide what is reasonable,
this should not be decided by a so-called *clarification* of the policy.
This is the concern I have with the current PDP, and ICANN's proposed
advisory. It is not appropriate to change policy, or make new policy,
under the guise of *clarification* thereby avoiding the full involvement
and input of the community.

And to *throw another one out for consideration:*

6. Express written objection to the transfer from the Transfer Contact.
(e.g. - email, fax, paper document or other processes by which the
Transfer Contact has expressly and voluntarily objected through opt-in
means) 

At Go Daddy, this comes up most often in relation to names registered by
Domains By Proxy or names that undergo a complete change of Registered
Name Holder. In the former case, Domains By Proxy is the actual
Registered Name Holder and has a separate agreement with its customers.
In the latter case, there is no requirement or policy regarding names
that undergo a change of hands. Registrars have implemented various
methods to accommodate this, some are clearly geared toward ease of
process. Others, like Go Daddy's, are geared toward security of the
process. If the security requirements of Go Daddy's process are not
acceptable to a particular Registered Name Holder, they can certainly
transfer the name to a registrar with a process they prefer and follow
through on the change of hands after the transfer.
 

Tim 

-------- Original Message --------
Subject: RE: [registrars] An Opportunity to Prove A Point - Hi-Jacked 
Name At GoDaddy
From: "Nevett, Jonathon" <jnevett@xxxxxxxxxxxxxxxxxxxx>
Date: Fri, February 22, 2008 1:04 pm
To: <john@xxxxxxxxxxxxxxxxx>, "G2L52" <paulg@xxxxxxxxxxxx>, "Christine
Jones" <cjones@xxxxxxxxxxx>
Cc: "Registrar Constituency" <registrars@xxxxxxxxxxxxxx>


Let me throw another one out for consideration:

7. A domain name was already in "lock status" provided that the 
Registrar provides a readily accessible and reasonable means for the 
Registered Name Holder to remove the lock status.

In the example that Christine gave, Go Daddy locks a name after a Whois
contact change for 60 days. If the customer tries to transfer during the
60 day period, then the transfer could be denied under #7 as it was
already in lock status. The issue comes down to whether the customer has
a reasonable means to lift the lock. 

Is it reasonable for a registrar to require a registrant to appear in
person at the registrar's offices in order to authorize the transfer (I
understand that one registrar actually does this)? The first reaction
likely would be no. Would it change your mind, however, if this were the
policy for only two or three character domain names valued at over $1
million? Would it change your mind if the customer was so worried about
hijackings that it agreed to this requirement in writing as a security
measure? What if the customer was a prior victim of hijacking and saw
its domain name travel to three or four registrars around the world
before getting it back six months later? Would it change your mind if
the customer requested and actually paid the registrar to be provided
with this additional security measure? 

Is it reasonable to deny transfers for 60 days after a Whois Admin or
Primary Contact change, which is typical in hijacking cases? Is it
reasonable to lock names for 60 days after a Whois Admin or Primary
Contact change and require additional verification of the contact
information in order to transfer during that 60 day period? 

Issues of reasonableness under law are anything but black and white.
Therefore, the rhetoric that we recently have read and heard about
"clear violations" is just that -- rhetoric.

Who should decide what is reasonable in these difficult scenarios?
Should it be ICANN staff, the GNSO PDP process already looking at these
specific issues, or the market? If customers don't like Go Daddy's (or
Network Solutions') security policy, then the competitive marketplace
could provide a solution. Other registrars could market to customers who
care less about security and hijackings and don't want to wait 60 days
or provide additional verification after a Whois Admin or Primary
Contact change. In a competitive marketplace, there is a great deal of
room for market differentiation. This could and should be a
differentiator. We would be hurting registrants if we didn't have the
ability to provide additional security protections. 

Thanks.

Jon

-----Original Message-----
From: owner-registrars@xxxxxxxxxxxxxx
[mailto:owner-registrars@xxxxxxxxxxxxxx] On Behalf Of John Berryhill
Sent: Friday, February 22, 2008 9:39 AM
To: G2L52; 'Christine Jones'
Cc: 'elliot noss'; 'Bruce Tonkin'; 'Tim Ruiz'; 'Adam Dicker';
registrars@xxxxxxxxxxxxxx
Subject: RE: [registrars] An Opportunity to Prove A Point - Hi-Jacked
Name At GoDaddy



>   1. Evidence of fraud

One bit of evidence might be a contact change to the domain of an
applicant in Colorado originating from an IP address in Iran. Of course,
I was not suggesting that one data point constitute a totality of one's
investigation. However, on top of the other data, having a reason to
investigate further, a quick look at the quite neutral records of the
Colorado Secretary of State, and at such domain data as that for
marriage.org, along with the unlikelihood that a party with a definite
view on the subject of marriage would suddenly sell a domain name after
12 years to someone advertising, for example, "extramarital dating
sites", does paint a larger picture.

I believe my point was obscured by some who had not attended the recent
meeting. My intention was to point out a definite situation in which,
regardless of one's interpretation of the policy, someone is breathing a
deep sigh of relief over the fact that the domain name is not subject to
a further registrar transfer for a while. My comments on this particular
event appear to have been misinterpreted to some degree, since it was
suggested emphatically to me that the anti-hijacking utility of the
GoDaddy policy was some sort of fiction.

We've heard from the anti-phishing group on the subject of "fast flux"
DNS and its problems. Having to chase hi-jacked domain names hither and
yon suggests that there needs to be a balance between a distributed
inconvenience for many, versus a catastrophic event for a few.







