- Impact
- 0
There have been several recent news reports claiming that the ownership of domain names may be in jeopardy. The basis of these reports stems from the recent policy changes by ICANN regarding the transfer of domain names between registrars that went into effect November 12, 2004. The policy changes seem to have generated a wave of paranoia due to the news stories connected to it.
Transferring a Domain Name the Old Way
Prior to November 12, in order to transfer a domain name from one registrar (the "losing" registrar) to another (the "gaining" registrar), the domain name owner had to specifically approve the transfer with both the losing registrar and the gaining registrar. If the losing registrar did not receive approval, the transfer wasn't done.
The Problem
Several registrars were sending fake renewal notices to domain name owners in order to get them to transfer their accounts. Without looking closely at the notices, they seemed to be the real thing. While that would ultimately be the fault of the domain name owner, registration documents - even renewal notices - can look quite complex. Even attempting to transfer a domain name legitimately sometimes resulted in a nightmare.
In an effort to stop the loss of existing business and to remedy the problem of fake renewal notices, the losing registrar would not complete the transfer, even after receiving notice from the domain name owner.
Transferring a Domain Name the New Way
As of November 12th, all that has changed.
The new policy states that the gaining registrar must "obtain express authorization from either the Registered Name Holder or the Administrative Contact." That's done using a Standardized Form of Authorization with proper identification, either physical or electronic. If electronic, the identification must be in the form of an electronic signature or "consent from an individual or entity that has an e-mail address matching the Transfer Contact e-mail address." If done physically: "The acceptable forms of physical identity are: notarized statement, valid drivers license, passport, article of incorporation, military ID; state/government issued ID, [or] birth certificate... A transfer must not be allowed to proceed if no confirmation is received by the gaining registrar." It's in the best interest of the gaining registrar to make sure the identification is accurate.
The new policy also states that a domain name registration can be transferred without the approval of the losing registrar: "Failure by the Registrar of Record [the losing registrar] to respond within five calendar days to a notification from the Registry regarding a transfer request will result in a default 'approval' of the transfer." The losing registrar is not required to contact the domain name owner. In other words, the losing registrar must transfer the domain name, except in the case of:
Evidence of fraud.
UDRP [Uniform Domain Name Dispute Resolution Policy] action
Court order by a court of competent jurisdiction .
Reasonable dispute over the identity of the Registered Name Holder or Administrative Contact.
No payment for previous registration period (including credit card charge-backs) if the domain name is past its expiration date or for previous or current registration periods if the domain name has not yet expired. In all such cases, however, the domain name must be put into "Registrar Hold" status by the Registrar of Record prior to the denial of transfer.
Express written objection to the transfer from the Transfer Contact. (e.g. - email, fax, paper document or other processes by which the Transfer Contact has expressly and voluntarily objected through opt-in means).
A domain name was already in “lock status” provided that the Registrar provides a readily accessible and reasonable means for the Registered Name Holder to remove the lock status.
A domain name is in the first 60 days of an initial registration period.
A domain name is within 60 days (or a lesser period to be determined) after being transferred (apart from being transferred back to the original Registrar in cases where both Registrars so agree and/or where a decision in the dispute resolution process so directs).
The Perceived Problem
The problem that many people are having, that was touched off by the Netcraft report, is the mistaken belief that ownership of a domain name can now easily be hijacked by anyone wishing to do so. The policy affects only the change of registrars, not the ownership of the domain name itself.
In addition, the new policy clearly states that the gaining registrar must have sufficient identification in order to proceed. Does this mean that someone could forge the identification and steal the domain name? That risk is always there, but the new policy allows for an easier remedy when something does go wrong. "Even in the event that a terrible mistake does happen [regarding domain transfers], you have recourse through arbitration that didn't exist before," said Ross Rader, author of the ICANN policy. "Typically, when registrants lose their name to a hijacker they never see it again unless they have the means or get lucky. Those safeties are guaranteed," Rader explained. In his November 11, 2004 blog, Rader elaborated, "... under the old policy, if a domain name was 'slammed' or 'hijacked' there was no formal recourse, outside of costly litigation, for a registrant to get their name back or reconnect it with the original and rightful supplier. Under the new policy, there are a series of administrative processes and arbitration mechanisms that give registrants a cost-effective means for ensuring that mistakes are made correct."
What Now?
The majority of domain name registrars are offering their customers the ability to "lock" their domain to prevent an unauthorized transfer. It's similar to what many of the telephone companies offer in order to prevent "slamming" — the unauthorized transfer of a telephone number to a different long distance company. What this does is it "locks" the account — it can't be transferred — until the owner changes its status to "unlock." You can contact your domain name registrar for futher information.
Another thing to remember, as I said before, this policy affects only the change of registrars, not the ownership of the domain name itself.
Transferring a Domain Name the Old Way
Prior to November 12, in order to transfer a domain name from one registrar (the "losing" registrar) to another (the "gaining" registrar), the domain name owner had to specifically approve the transfer with both the losing registrar and the gaining registrar. If the losing registrar did not receive approval, the transfer wasn't done.
The Problem
Several registrars were sending fake renewal notices to domain name owners in order to get them to transfer their accounts. Without looking closely at the notices, they seemed to be the real thing. While that would ultimately be the fault of the domain name owner, registration documents - even renewal notices - can look quite complex. Even attempting to transfer a domain name legitimately sometimes resulted in a nightmare.
In an effort to stop the loss of existing business and to remedy the problem of fake renewal notices, the losing registrar would not complete the transfer, even after receiving notice from the domain name owner.
Transferring a Domain Name the New Way
As of November 12th, all that has changed.
The new policy states that the gaining registrar must "obtain express authorization from either the Registered Name Holder or the Administrative Contact." That's done using a Standardized Form of Authorization with proper identification, either physical or electronic. If electronic, the identification must be in the form of an electronic signature or "consent from an individual or entity that has an e-mail address matching the Transfer Contact e-mail address." If done physically: "The acceptable forms of physical identity are: notarized statement, valid drivers license, passport, article of incorporation, military ID; state/government issued ID, [or] birth certificate... A transfer must not be allowed to proceed if no confirmation is received by the gaining registrar." It's in the best interest of the gaining registrar to make sure the identification is accurate.
The new policy also states that a domain name registration can be transferred without the approval of the losing registrar: "Failure by the Registrar of Record [the losing registrar] to respond within five calendar days to a notification from the Registry regarding a transfer request will result in a default 'approval' of the transfer." The losing registrar is not required to contact the domain name owner. In other words, the losing registrar must transfer the domain name, except in the case of:
Evidence of fraud.
UDRP [Uniform Domain Name Dispute Resolution Policy] action
Court order by a court of competent jurisdiction .
Reasonable dispute over the identity of the Registered Name Holder or Administrative Contact.
No payment for previous registration period (including credit card charge-backs) if the domain name is past its expiration date or for previous or current registration periods if the domain name has not yet expired. In all such cases, however, the domain name must be put into "Registrar Hold" status by the Registrar of Record prior to the denial of transfer.
Express written objection to the transfer from the Transfer Contact. (e.g. - email, fax, paper document or other processes by which the Transfer Contact has expressly and voluntarily objected through opt-in means).
A domain name was already in “lock status” provided that the Registrar provides a readily accessible and reasonable means for the Registered Name Holder to remove the lock status.
A domain name is in the first 60 days of an initial registration period.
A domain name is within 60 days (or a lesser period to be determined) after being transferred (apart from being transferred back to the original Registrar in cases where both Registrars so agree and/or where a decision in the dispute resolution process so directs).
The Perceived Problem
The problem that many people are having, that was touched off by the Netcraft report, is the mistaken belief that ownership of a domain name can now easily be hijacked by anyone wishing to do so. The policy affects only the change of registrars, not the ownership of the domain name itself.
In addition, the new policy clearly states that the gaining registrar must have sufficient identification in order to proceed. Does this mean that someone could forge the identification and steal the domain name? That risk is always there, but the new policy allows for an easier remedy when something does go wrong. "Even in the event that a terrible mistake does happen [regarding domain transfers], you have recourse through arbitration that didn't exist before," said Ross Rader, author of the ICANN policy. "Typically, when registrants lose their name to a hijacker they never see it again unless they have the means or get lucky. Those safeties are guaranteed," Rader explained. In his November 11, 2004 blog, Rader elaborated, "... under the old policy, if a domain name was 'slammed' or 'hijacked' there was no formal recourse, outside of costly litigation, for a registrant to get their name back or reconnect it with the original and rightful supplier. Under the new policy, there are a series of administrative processes and arbitration mechanisms that give registrants a cost-effective means for ensuring that mistakes are made correct."
What Now?
The majority of domain name registrars are offering their customers the ability to "lock" their domain to prevent an unauthorized transfer. It's similar to what many of the telephone companies offer in order to prevent "slamming" — the unauthorized transfer of a telephone number to a different long distance company. What this does is it "locks" the account — it can't be transferred — until the owner changes its status to "unlock." You can contact your domain name registrar for futher information.
Another thing to remember, as I said before, this policy affects only the change of registrars, not the ownership of the domain name itself.
