Have you submitted comments about inter-registrar transfers?
Earlier this month I made a call-to-action on an important comment period at ICANN. At issue is the “Inter-Registrar Transfer Policy Part B Initial Report”. Part of the report suggests a mechanism by which victims of domain thefts can regain control of their domains. But important safeguards must be in place to not disrupt the domain name aftermarket.
Running Domain Name Wire, I’m often made aware of domain name thefts. Many victims reach out to me in an effort to publicize their case and (hopefully) get the word out before a stolen domain name is resold. I have also nearly been a victim myself, having almost purchased a stolen domain name before getting suspicious and doing more research on the ownership history.
But it occurs to me, as I consider this initial report, that I have no idea how many domain names are actually stolen on a monthly basis. Furthermore, I have no idea how many of those are never returned. From my conversations with various industry companies, this number seems to be very small.
Before embarking on an effort to change the system, I think it would be wise to scope out the size of the problem. Large registrars should be asked to voluntarily disclose the number of domain names stolen in a typical month, and how many aren’t recovered after 30 days. For some reason a handful of registrars seem unwilling to provide this data, but many more will. In an effort to anonymize the data, it could be provided to a secure third party that aggregates it and reports it as a single number.
If, after collecting this data, it is determined to be a large enough problem, please consider the following with regards to ETRP and the inter-registrar transfer policy:
1. Any changes should carefully consider effects on the secondary market for domain names. Every day, hundreds (thousands?) of domain names are sold in the secondary market. Not only do “evil domainers” use this market, but Fortune 500 companies depend on the secondary market as well.
2. It seems that a common hijacking approach is to gain control of the victim’s email address and/or registrar account. Security efforts should be aimed at this problem, and not extended to become overly broad. For example, if someone changes the mailing address of their domain’s administrative contact, should the domain be unnecessarily locked down? I don’t think so. Unless a registrar provides *specific data* showing this is a sign of hijacking, it shouldn’t be considered, and registrars should be specifically forbidden from placing a transfer lock on a domain in this circumstance.
3. One pattern I’ve noticed in thefts is that domains are transferred from one respected domain name registrar to another respected registrar, and then quickly transferred to a questionable registrar. Consider limiting the number of registrar transfers within a specific time period.
4. 6 months is way too long to allow someone to initiate a theft claim. At most it should be 30 days. If the domain is important enough, it will be discovered within hours or days.
5. The new registrant of the domain must be given sufficient time to respond to an ETRP.