You should comment on this proposed new procedure for hijacked domain names.
It’s rare that I ask the domain community to comment on a particular topic at ICANN. It’s even rarer that domain investors actually follow through. But there’s an important process going on to establish a mechanism to return hijacked domain names, and your input is needed.
That a process to return stolen domain names is in the works is a good thing. We hear every day about stolen domains, and the challenges of getting them returned. Right now there is no set process to address this. Each registrar tries to work with the new registrar for the stolen domain to get it back. But it doesn’t always work.
Yet, like all good ideas, a domain hijacking reversal process could create new problems. Here’s a very possible scenario:
You buy a domain name from Jack for $5,000. After completing the transaction through Escrow.com and getting the domain name in your possession, Jack files a complaint saying you stole the domain from him.
The current proposed procedure returns a domain name to the victim within 48 hours, and there’s no way to dispute the return of the domain. Thankfully, the working group realizes this is a shortcoming and is asking for your feedback on how to address it.
For details and to leave a comment, go here. Please leave meaningful feedback, not just “this is a bad idea”. Because it really isn’t a bad idea; it’s a good one. It just needs some added protections.
Andrew Allemann says
BTW, thanks to George Kirikos for initially bringing this to my attention.
Louise says
“ICANN Compliance shall collect and investigate complaints of Registrars who employ the ETRP in bad faith, or are unresponsive to Registrant claims of domain hijacking.”
ICANN hasn’t investigated complaints until now, so why should it start?
DNSSEC should take care of this. ICANN apparently has no faith in DNSSEC.
George Kirikos says
The article is mistaken; the proposed procedure (ETRP) would give the prior registrant (at the old registrar) the ability to undo a transfer for up to 6 MONTHS, without any due process. I oppose the proposal, because it would allow *reverse* hijacking, by domain sellers who get seller’s remorse or who are outright fraudulent with no remorse!
e.g. you buy example.com from Person A, and transfer it from registrar X to registrar Y. Later (up to 6 months later under the current proposal), A claims it is stolen. Without any due process, the name is immediately returned to registrar X and A’s possession!
This proposal is so completely flawed, I don’t have enough room on this form. I’ll be submitting comments probably next week, but I definitely oppose this proposal (one can view the workgroup’s mailing list archives for some of my comments, or on various domain name forums). Good security needs to be proactive, before a registrant change or transfer happens, not reactive.
George Kirikos says
Actually, I guess the article is ambiguous… the 48 hours should refer to the time period after the ETRP is initiated. The ETRP, which would allow the reverse hijacking, could happen anytime within 6 months of the domain name transfer (transfer to another registrar), without any due process.
There already *exists* a Transfers Dispute Process (TDRP), which has due process, and of course courts always exist for true emergencies. This proposal just isn’t needed, and actually makes things worse, because legitimate buyers would face new risks that they can’t manage if a legitimate transfer could be undone without any due process.
Folks who are security-conscious are better served by registrars who *prevent* the hijackings in the first place, not ones who only rely on undoing thefts after they already (or allegedly) happen. The reports from 5+ years ago discussed those recommendations, which most registrars simply ignored. ICANN should be raising standards that promote proactive security, and shouldn’t be promoting “solutions” that have such collateral damage (worse damage to the secondary market than the actual problem from hijackings).
Andrew Allemann says
Isn’t it 60 days, not 6 months?
Louise says
George, do you mean that there should be a more definitive identifier on the Registrant at initial registration, such as verifying the mailing address, or logging the IP addy at registration?
George Kirikos says
Up to *6 months.* See point 3.2 on page 50 of the proposal:
“or within 60 days of the Registrant becoming aware of the transfer (but in no event more than six (6) months after the Inter-Registrar domain name transfer).”
So of course people are going to claim “they weren’t aware” of the transfer, to get the 6 month timeframe.
This would be a nightmare for escrow services like Moniker/Escrow.com or for auction providers (Latona, SnapNames, etc.). Suppose I win example.com in an auction. Seller transfers it to Moniker for a “secure transfer”, and I send Moniker the payment. Moniker sends payment to seller. 2 months later (or 2 days later, even), I transfer the domain to Tucows. You think the deal is done.
But, then 4 months after the sale, the seller claims the name is stolen, and convinces GoDaddy to undo the transfer (and the name has gone from Moniker to Tucows in the meantime; perhaps the buyer was Microsoft, who built a huge site around it, like docs.com or office.com via stealth acquisition through a Marksmen, etc.). Lots of folks would be negatively affected (of course, folks will have to bid lower to reflect this liability that the domain name has embedded within it, or just might be so turned off that they don’t bid at all, and avoid deals completely).
If you look at their mailing list archives, I discuss all this:
http://forum.icann.org/lists/gnso-irtp-b-jun09/
and proposed instead that if they bring in the ETRP, that they simultaneously allow consumers to opt-in to *irrevocable* transfers, see:
http://forum.icann.org/lists/gnso-irtp-b-jun09/msg00334.html
There, the transfer would be undoable, and the losing registrar presumably would have done the proper checks to make sure a hijacking isn’t taking place.
Registrars *should* already be doing this, of course, so we shouldn’t *have* to be arguing for an irrevocable transfer policy. But, if the ETRP came into force (without any due process to undo a transfer), and buyers had a choice, it’s clear that *irrevocable* transfers would be a must to minimize risks.
This whole workgroup is really approaching things from the wrong direction, and should go back to the original reports from 5 years ago, where procedures were properly discussed to prevent hijackings from happening in the first place (e.g. 2-factor security, out-of-band communications, not relying upon email for everything, etc.).
Louise says
“ETRP must be initiated by the PTRa within 60 days . . . or within 60 days of the Registrant becoming aware of the transfer (but in no event more than six (6) months after the Inter-Registrar domain name transfer).”
Depends when the PRT becomes aware of it.
Jothan says
I’d also encourage comments, with constructive suggestions on improvements or changes.
I for one am going to suggest that there need be some challenge process and providing ICANN the ability to attach consequences to false submissions or attempted reverse hijacking.
For example, the presence of a purchase and sales agreement between the new and old registrant SHOULD be taken into consideration.
BuyBestDomains says
“You buy a domain name from Jack for $5,000. After completing Escrow.com and getting the domain name in your possession, Jack files a complaint saying you stole the domain from him.”
This is nonsense!
If you have proof (Escrow.com payment and other details)
How come seller says that?