GNSO Email Archives: [registrars]

ICANN/GNSO GNSO Email List Archives

[registrars]

<<< Chronological Index >>> <<< Thread Index >>>

Re: [registrars] An Opportunity to Prove A Point - Hi-Jacked Name At GoDaddy

To: "Nevett, Jonathon" <jnevett@xxxxxxxxxxxxxxxxxxxx>
Subject: Re: [registrars] An Opportunity to Prove A Point - Hi-Jacked Name At GoDaddy
From: elliot noss <enoss@xxxxxxxxxx>
Date: Sat, 23 Feb 2008 05:10:30 -0500
Cc: John Berryhill <john@xxxxxxxxxxxxxxxxx>, Registrar Constituency <registrars@xxxxxxxxxxxxxx>, Tim Ruiz <tim@xxxxxxxxxxx>
In-reply-to: <C1AA792E76F72C4090B29DEDEC511F5D15291F@NSIVA-EXCHANGE2.CORPIT.NSI.NET>
List-id: registrars@xxxxxxxxxxxxxx
References: <20080221170202.dc5d76307e08b3dc7f186cac1bc30a7a.6fa1839328.wbe@email.secureserver.net> <6.2.5.6.0.20080222022744.05147778@domainit.com> <017401c87560$b0b98e80$6a01a8c0@cubensis> <C1AA792E76F72C4090B29DEDEC511F5D15291F@NSIVA-EXCHANGE2.CORPIT.NSI.NET>
Sender: owner-registrars@xxxxxxxxxxxxxx

first things first. there are have been some unconstructivecontributions to this thread, not the least of which was mine. imho,john should not have posted this on a public list. most importantly, Ishould NOT have thrown a log on the fire with my post. it is my semi-annual reminder to i) wait ii) re-read iii) only then hit send.

next, I was not intending to demean phil sbarbaro in my earlier post(although I seemed to have opened the door for others to do so). myapologies to phil. in the first year or two of the srs phil was stuckdealing with the hijackings that resulted from nsi's poor businessprocesses (well before champ or jon or....). we worked together todeal with a number of these. that co-operation started a finetradition that the vast majority of registrars honour.

the freedom to transfer between registrars and standardize policy wasan extremely hard-won battle. it took a long time, was much morefrustrating than this argument and, in the end, we were successful ata policy level. sadly, that has not been backed up with compliance.


there are two important FACTS that all of the below ignores.

FACT ONE. ICANN's lack of enforcement of transfer policy brings thewhole contract regime and policy development process into disrepute.we are already reviewing the old policy, now three years old, beforewe start enforcing the existing policy. ICANN has allowed contractedparties to do as they please despite what is now years of very publiccomplaining. they have made assurances in delhi that this will change.I will take them at their word and wait and hope.

FACT TWO. every day there are registrants who wish to use the supplierof their choice and are unable to transfer because of these violationsof transfer policy. if the rest of us were to enact these tactics as"SOP" there would be a huge number of people who want to transfer togo daddy who would be unable to. of course we would just be"protecting" "our" customers at that point.

just about everyone on this list knows how the two violations work inconcert:

- registrant want to change suppliers and needs to update old contactinformation, which, of course, happens most often in the last 60 daysof registration;


- transfer refused due to the first violation;

- registrant waits the 60 days, tries again;

- transfer refused due to second violation.

as I understand the position of those who do this, this person hassuffered no harm because they are still being supplied by the greatsupplier they previously had. of course the registrant feelsdifferently.

I think it would be very helpful in talking about reasonableness toget some data. jon, tim, how many transfers are refused each month dueto i) the 60 day hold for changed information and ii) being in thegrace period. and please, at some point, could I have yourjustifications for denying transfers in the grace period!

lastly, your market comments simply fly in the face of marketrealities. these are items that cost $0.75/month (of which $0.55 goesto our friendly taxing authorities verisign and ICANN). the"disclosure" you talk about is buried in clickthrough agreements thatnobody reads. the cost in time and effort for people to move is simplyoutweighed by the benefit. again, roger cochetti redux.

you talk about theoretical situations that are simply not NSIs or godaddy's. provide the data and let's have a substantive debate aboutreasonableness instead of evoking fears of bogeymen. we have all welllearned that when someone tells us they are "protecting" us they areprobably limiting our freedoms.

at the end of the day, even debating that is, as I have said over andover, simply wrong because the rules don't allow you to do it. yourarguments are clever sophistry. your job is well done. now staff haveto do theirs.


Regards

On Feb 22, 2008, at 2:04 PM, Nevett, Jonathon wrote:

Let me throw another one out for consideration:

7. A domain name was already in "lock status" provided that the
Registrar provides a readily accessible and reasonable means for the
Registered Name Holder to remove the lock status.
In the example that Christine gave, Go Daddy locks a name after aWhois contact change for 60 days. If the customer tries to transferduring the 60 day period, then the transfer could be denied under #7as it was already in lock status. The issue comes down to whetherthe customer has a reasonable means to lift the lock.
Is it reasonable for a registrar to require a registrant to appearin person at the registrar's offices in order to authorize thetransfer (I understand that one registrar actually does this)? Thefirst reaction likely would be no. Would it change your mind,however, if this were the policy for only two or three characterdomain names valued at over $1 million? Would it change your mindif the customer was so worried about hijackings that it agreed tothis requirement in writing as a security measure? What if thecustomer was a prior victim of hijacking and saw its domain nametravel to three or four registrars around the world before gettingit back six months later? Would it change your mind if the customerrequested and actually paid the registrar to be provided with thisadditional security measure?
Is it reasonable to deny transfers for 60 days after a Whois Adminor Primary Contact change, which is typical in hijacking cases? Isit reasonable to lock names for 60 days after a Whois Admin orPrimary Contact change and require additional verification of thecontact information in order to transfer during that 60 day period?
Issues of reasonableness under law are anything, but black andwhite. Therefore, the rhetoric that we recently have read and heardabout "clear violations" is just that -- rhetoric.
Who should decide what is reasonable in these difficult scenarios?Should it be ICANN staff, the GNSO PDP process already looking atthese specific issues, or the market? If customers don't like GoDaddy's (or Network Solutions') security policy, then thecompetitive marketplace could provide a solution. Other registrarscould market to customers who care less about security andhijackings and don't want to wait 60 days or provide additionalverification after a Whois Admin or Primary Contact change. In acompetitive marketplace, there is a great deal of room for marketdifferentiation. This could and should be a differentiator. Wewould be hurting registrants if we didn't have the ability toprovide additional security protections.
Thanks.

Jon

-----Original Message-----
From: owner-registrars@xxxxxxxxxxxxxx [mailto:owner-registrars@xxxxxxxxxxxxxxx] On Behalf Of John Berryhill
Sent: Friday, February 22, 2008 9:39 AM
To: G2L52; 'Christine Jones'
Cc: 'elliot noss'; 'Bruce Tonkin'; 'Tim Ruiz'; 'Adam Dicker'; registrars@xxxxxxxxxxxxxx
Subject: RE: [registrars] An Opportunity to Prove A Point - Hi-Jacked Name At GoDaddy
   1. Evidence of fraud
One bit of evidence might be a contact change to the domain of anapplicantin Colorado originating from an IP address in Iran. Of course, Iwas notsuggesting that one data point constitute a totality of one'sinvestigation.However, on top of the other data, having a reason to investigatefurther, aquick look at the quite neutral records of the Colorado Secretary ofState,
and at such domain data as that for marriage.org, along with the
unlikelihood that a party with a definite view on the subject ofmarriagewould suddenly sell a domain name after 12 years to someoneadvertising, for
example, "extramarital dating sites", does paint a larger picture.
I believe my point was obscured by some who had not attended therecentmeeting. My intention was to point out a definite situation inwhich,regardless of one's interpretation of the policy, someone isbreathing adeep sigh of relief over the fact that the domain name is notsubject to afurther registrar transfer for a while. My comments on thisparticular
event appear to have been misinterpreted to some degree, since it was
suggested emphatically to me that the anti-hijacking utility of theGoDaddy
policy was some sort of fiction.
We've heard from the anti-phishing group on the subject of "fastflux" DNSand its problems. Having to chase hi-jacked domains name hither andyon,
suggests that there needs to be a balance between a distributed
inconvenience for many, versus a catastrophic event for a few.

Follow-Ups:
- RE: [registrars] An Opportunity to Prove A Point - Hi-Jacked Name At GoDaddy
  - From: Mitchell, Champ

References:
- RE: [registrars] An Opportunity to Prove A Point - Hi-Jacked Name At GoDaddy
  - From: Christine Jones
- RE: [registrars] An Opportunity to Prove A Point - Hi-Jacked Name At GoDaddy
  - From: Paul Goldstone
- RE: [registrars] An Opportunity to Prove A Point - Hi-Jacked Name At GoDaddy
  - From: John Berryhill
- RE: [registrars] An Opportunity to Prove A Point - Hi-Jacked Name At GoDaddy
  - From: Nevett, Jonathon

<<< Chronological Index >>> <<< Thread Index >>>