Tucows will follow TechOps subcommittee recommendation for domain transfers as ICANN figures out what to do.
Here’s the thing about GDPR and domain name registrars/registries: if they wait for ICANN to figure out how to address GDPR, it will be too late to make the necessary changes to comply with the law. GDPR enforcement goes into effect in just 23 days.
One registrar that has been at the forefront of making changes to comply with GDPR (and has been stating them publicly) is Tucows (NASDAQ: TCX), which owns both Enom and OpenSRS. It is the second largest domain name registrar in the world behind GoDaddy.
The company recently posted about changes it will make to its domain name transfer process as a result of GDPR.
As I’ve written about before, if you can’t access a domain registrant’s email address, you can’t do a transfer under the current methodology mandated by ICANN.
Tucows is adopting the proposal put forth by the TechOps subcommittee of the Contracted Party House inside GNSO. It removes the gaining registrar’s Form of Authorization requirement.
Today, if you were to transfer a domain name to a Tucows registrar, you would provide the transfer authorization code to Tucows. Tucows would then send a Form of Authorization email to the current registrant listed in Whois to verify that they authorize the transfer.
Once this verification is complete, the losing registrar begins its process. This includes sending an email to the domain registrant to ask if they’re OK with the transfer. If they don’t respond within 5 days, the transfer is completed.
Tucows is eliminating the first Form of Authorization. Once you provide the authorization code, Tucows will skip directly to sending the transfer request to the losing registrar.
This creates a security risk because of how losing registrars are currently required by ICANN to respond to transfer requests. If they send an email to the registrant and the registrant doesn’t respond, the transfer goes through.
The TechOps committee has proposed a solution to this. It would allow the losing registrar to deny the transfer if the domain owner doesn’t affirmatively confirm the transfer.
How many registrars will start denying transfers like this starting May 25? It’s hard to tell. Big ones might, but small registrars are mostly unprepared for GDPR changes.
Of course, there are common sense security measures that domain owners can take to protect their domains as Whois and the domain transfer system is in flux.
Be sure to set transfer lock on your domains and add two-factor authentication to your domain name registrar account. Also, check to see if your registrar offers added transfer protection.