ICANN’s new domain transfer policy that starts Friday is intended to provide greater security and portability to the domain transfer process and protect against “domain slamming.”
But some registrars argue that the new policy by the Internet Corporation for Assigned Names and Numbers could actually raise risks of fraudulent domain transfers and are advising customers to lock their domains now.
ICANN, the technical coordination body for the Internet, said under the new transfer policy
The policy also stipulates that gaining registrars (the registrar that ends up with the domain after the transfer) are obligated “to obtain reliable evidence of the identity of the registrant or administrative contact that has requested the transfer using a digital signature, a unique code available only by e-mail to the authorized administrative contact, a notarized statement, or a valid driver license or passport.”
The new policy is to combat fraudulent domain name transfers, known as “domain slamming,” that have bedeviled the registrar sector for the past few yeas.
For example, Register.com filed suit against Domain Registry of America in 2002, charging that it used deceptive marketing tactics, including misusing the Register.com name and trademark and employing misleading marketing materials to confuse Register.com customers into believing they were renewing their domain names with Register.com. They were actually transferring their domain names to Domain Registry of America.
In September 2003, Network Solutions settled charges by the Federal Trade Commission that it duped consumers into transferring domain names through similar deceptive means.
“The environment today is just an absolute mess,” Ross Rader, author of the ICANN policy, told internetnews.com. “The likelihood that your domain name is going to be tampered with during transfer is very high under the existing rules. That goes away with the new rules,” said Rader, who is also the director of research and innovation at domain name registrar Tucows.
The new ICANN policy also includes a new mechanism for the resolution of Transfer Disputes. That mechanism includes a “transfer undo” functionality to help correct potential errors. It also entails a new Transfer Dispute Resolution Policy to help resolve disputes.
“Even in the event that a terrible mistake does happen [regarding domain transfers], you have recourse through arbitration that didn’t exist before,” Rader explained. “Typically, when registrants lose their name to a highjacker they never see it again unless they have the means or get lucky. Those safeties are guaranteed starting tomorrow.”
Some registrars, however, see the new policy as raising the potential for fraudulent transfer.
“We are concerned that this policy change puts your domain name at greater risk for being ‘slammed’,” domain registrar giant Network Solutions said in an e-mail to its domain registrants. “The prior policy allowed you to expressly approve a transfer request with your current domain name service provider before any transfer would occur. The new policy, however, eliminates this express approval safeguard, removing an additional protection against unauthorized transfer requests.”
Domain registrar GoDaddy issued a similar e-mail alert to its domain registrants as well.
“The previous ICANN policy allowed us to deny requests to transfer your domain names to another registrar unless you explicitly confirmed to us your intent to transfer. The new ICANN policy removes that protection,” GoDaddy stated in its e-mail notice.
“Starting November 12, when we receive a request to transfer your domain name to a new registrar, we will still attempt to contact you to confirm that you authorized the request. However, if you do not respond, or are not able to respond within 5 days, your domain name WILL be transferred,” the company explained.
Both Network Solutions and GoDaddy have recommended that customers “lock” their domains in order to prevent transfer. Network Solutions will actually now enable this feature (which it calls Domain Protect) by default. Locking a domain prevents changes and/or a transfer to a domain.
Most registrars offer this “lock down” technical feature to customers who can enable it as part of their account management activities.
Still, despite its e-mail warning, GoDaddy’s public relations department downplayed the fear end users might have about whether their sites are locked and prevented from an attempt to hijack it.
“There is no reason customers should have anything to worry about, even if they don’t lock their domains,” a GoDaddy spokesperson told internetnews.com. “The main thing to keep in mind is that the [policy] was written to ensure registrants have a remedy in case something goes wrong with a transfer for whatever reason.”
Rader scoffed at the notices. “It’s patently false propaganda,” he said of the e-mail notices and concerns raised by some registrars. “It’s perpetuated by large registrars that are looking to maintain their market share through misinformation.”
However, Eric Schaetzlein, CTO of domain services at domain registrar 1&1 Internet, said he does have issues about the change.
“The biggest drawback in the new policy is that it relies on the old registrar’s whois data,” Schaetzlein told internetnews.com. “But .com and .net are thin registries, meaning that this information has to be retrieved from about 300 different whois servers, every registrar having their own, and their own data format.”
He said some registrars are not even providing data and are thus gaining a competitive advantage, as their names can’t be automatically handled and need paperwork to be treated.
Rader also said every policy includes a continuous improvement process. “In the likelihood that we find there are rough spots in the process or that someone is abusing those processes, we have the opportunity to go back on regular intervals to review how the process is being implement and carried out and correct any inefficiencies that we inadvertently introduced,” Rader explained.
“I think all in all it is a hugely positive step forward,” he added.