Domain name registrars have been assured that ICANN Compliance will not pursue them for failing to implement the new Transfer Policy on privacy-protected names.
As we reported late November, the new policy requires registrars to send out “change of registrant” confirmation emails whenever certain fields in the Whois are changed, regardless of whether the registrant has actually changed.
The GNSO Council pointed out to ICANN a number of unforeseen flaws in the policy, saying that vulnerable registrants privacy could be at risk in certain edge cases.
They also pointed out that the confirmation emails could be triggered, with not action by the registrant, when privacy services automatically cycle proxy email addresses in the Whois.
This appears to have already happened with at least one registrar that wasn’t paying attention.
But ICANN chair Steve Crocker told the GNSO Council chair last week that ICANN staff have been instructed to ignore violations of the new policy, which came into effect December 1, in cases involving privacy-protected domains (pdf).
It’s a temporary measure until the ICANN board decides whether or not to defer the issue to the GNSO working group currently looking at policies specifically for privacy and proxy services.
Law enforcement and IP owners were dealt a setback last week when the National Arbitration Forum ruled that they cannot block domain transfers unless they have a court order.
The ruling could make it more difficult for registrars to acquiesce to requests from police trying to shut down piracy sites, as they might technically be in breach of their ICANN contracts.
NAF panelist Bruce Meyerson made the call in a Transfer Dispute Resolution Policy ruling after a complaint filed by EasyDNS against Directi (PublicDomainRegistry.com).
You’re probably asking right about now: “The what policy?”
I had to look it up, too.
It’s designed for disputes where one registrar refuses to transfer a domain to another. As part of the IRTP, it’s a binding part of the Registrar Accreditation Agreement.
It seems to have been rarely used in full over the last decade, possibly because the first point of complaint is the registry for the TLD in question, with only appeals going to a professional arbitrator.
Only NAF and the Asian Domain Name Dispute Resolution Centre are approved to handle such cases, and their respective records show that only one TDRP appeal has previously filed, and that was in 2013.
In the latest case, Directi had refused to allow the transfer of three domains to EasyDNS after receiving a suspension request from the Intellectual Property Crime Unit of the City of London Police.
The IPCU had sent suspension requests, targeting music download sites “suspected” of criminal activity, to several registrars.
The three sites — maxalbums.com, emp3world.com, and full-albums.net — are all primarily concerned with hosting links to pirated music while trying to install as much adware as possible on visitors’ PCs.
The registrants of the names had tried to move from India-based Directi to Canada-based EasyDNS, but found the transfers denied by Directi.
EasyDNS, which I think it’s fair to say is becoming something of an activist when it come to this kind of thing, filed the TDRP first with Verisign then appealed its “No Decision” ruling to NAF.
NAF’s Meyerson delivered a blunt, if reluctant-sounding, win to EasyDNS:
Although there are compelling reasons why the request from a recognized law enforcement agency such as the City of London Police should be honored, the Transfer Policy is unambiguous in requiring a court order before a Registrar of Record may deny a request to transfer a domain name… The term “court order” is unambiguous and cannot be interpreted to be the equivalent of suspicion of wrong doing by a policy agency.
To permit a registrar of record to withhold the transfer of a domain based on the suspicion of a law enforcement agency, without the intervention of a judicial body, opens the possibility for abuse by agencies far less reputable than the City of London Police.
That’s a pretty unambiguous statement, as far as ICANN policy is concerned: no court order, no transfer block.
It’s probably not going to stop British cops trying to have domains suspended based on suspicion alone — the Metropolitan Police has a track record of getting Nominet to suspend thousands of .uk domains in this way — but it will give registrars an excuse to decline such requests when they receive them, if they want the hassle.
One of Go Daddy’s most unpopular practices – the infamous 60-day domain name transfer lock – has essentially come to an end.
From today, customers will be able to unlock their domains before the period is up, by contacting a special support team, according to director of policy planning James Bladel.
For many years Go Daddy has blocked domains from being transferred to other registrars if changes have been made to the registrant contact information within the last 60 days.
The company alerts users to the lock before they make changes to their Whois data, but that hasn’t stopped the policy bugging the hell out of domainers and regular registrants.
It’s designed to prevent domain hijackings – something Go Daddy says it does very well – but when false positives occur it often looks like a nefarious customer retention strategy.
“It’s a very effective tool for preventing harm, but it does catch out a lot of folks who want to legitimately change registrant data,” Bladel said.
Under the new policy, if Go Daddy blocks a transfer because of the 60-day lock, registrants will be given an email address to contact in order to appeal the block.
According to Bladel, after a human review the locks will be lifted and the Whois data will revert to its original state, unless the Go Daddy support team suspects a hijacking is in progress.
“The bad guys are not going to call and ask us to take a second look at this,” he said. “The bad guys want it to happen under the radar.”
The changes come thanks largely to a new revision of ICANN’s Inter-Registrar Transfer Policy, which came into effect today and specifies that transferring registrants need to be given a way to remove the locks on their domains within five days.
But Bladel said the way the policy is written gave Go Daddy a lot of leeway in how to interpret it – it could have kept the locks in place as before – but it decided to revise its policy to improve the customer experience.
Go Daddy’s unpopular 60-day domain name lockdown period, which prevents customers moving to other registrars, could be reduced to as little as five days under new ICANN policy.
ICANN’s GNSO Council this week voted to amend the Inter-Registrar Transfer Policy, which is binding on all registrars, to clarify when and how a registrar is allowed to block a transfer.
Today, Go Daddy has a policy of preventing transfers for 60 days whenever the registrant’s name is changed in the Whois record.
Other registrars may have similar policies, but Go Daddy is the only one you ever really hear complaints about.
Some have even posited that the practice violates the IRTP, which explicitly prevents registrars spuriously locking domains when customers update their Whois.
But ICANN’s compliance department has disagreed with that interpretation, drawing a distinction between “Whois changes” (cannot block a transfer) and “registrant changes” (can block a transfer).
Essentially, if you change your name in a Whois record the domain can be locked by your registrar, but if you change other fields such as mailing address or phone number it cannot.
Go Daddy and other registrars would still be able prevent transfers under the revised policy, but they would have to remove the block within five days of a customer request.
This is how ICANN explains the changes:
Registrar may only impose a lock that would prohibit transfer of the domain name if it includes in its registration agreement the terms and conditions for imposing such lock and obtains express consent from the Registered Name Holder: and
Registrar must remove the “Registrar Lock” status within five (5) calendar days of the Registered Name Holder’s initial request, if the Registrar does not provide facilities for the Registered Name Holder to remove the “Registrar Lock” status
Registrars may have some freedom in how they implement the new policy. Unblocking could be as simple as checking a box in the user interface, or it could mean a phone call.
Go Daddy, which was an active participant in the IRTP review and says it supports the changes, supplied a statement from director of policy planning James Bladel:
In the coming months, Go Daddy is making a few changes to our policy for domains in which the registrant information has changed.
We believe this new procedure will continue to prevent hijacked domain names from being transferred away, while making the transfer experience more user-friendly for our customers.
The changes were approved unanimously by the GNSO Council at its meeting on Thursday.
Before they become binding on registrars, they will have to be approved by the ICANN board of directors too, and the soonest that could happen is at its February 16 meeting.
The changes are part of a package of IRTP revisions – more to come in the near future – that have been under discussion in the ICANN community since 2007. Seriously.
The lingerie retailer Victoria’s Secret has won a cybersquatting complaint over the domain name victoriasecretswimsuit.com for the second time in as many years.
Judging by the Whois history, it appears that the company lost the domain following the demise of rogue registrar Lead Networks, which lost its accreditation last year.
Victoria’s Secret first secured the domain with an easily won UDRP complaint in May 2009.
An attorney from its outside law firm was subsequently listed as the admin contact, but the registrar of record remained the same – the Indian outfit Lead Networks.
At some time between August and October last year, the Whois contact changed to the current registrant, who’s hiding behind a privacy service.
Probably not coincidentally, that was about the same time as ICANN, having terminated Lead Networks’ accreditation, bulk-transferred all of its domains to Answerable.com.
Lead Networks was placed into receivership in March 2010 following a cybersquatting lawsuit filed by Verizon.
Answerable.com, a Directi business also based in India, was the registrar’s designated successor under ICANN’s policies. It has subsequently changed its name to BigRock.com.
The latest UDRP decision does not explain how Victoria’s Secret managed to lose its registration, but I’d speculate the inter-registrar transfer may have had something to do with it.
When a registrar loses its accreditation the names are transferred to a new registrar but the term of the registration is not extended. If a registrant ignores or does not receive the notifications sent by the gaining registar, they may find they lose their domains.