|
|
|
||
index >
|
Opinion: Transfer requests will default to approval if holding registrar
doesn't object. But will the new procedures help prevent theft of domain
by transfer fraud? The new rules, originally announced by ICANN (the Internet Corporation for Assigned Names and Numbers) on July 12, were "approved unanimously by both ICANN's Generic Names Supporting Organization [GNSO] and its Board of Directors." About a year ago I wrote about problems with domain registration transfers that made it all too easy to steal someone else's domain. I got a shocking amount of mail from victims of domain theft at the time and developed a low opinion of registrars. It was clear they all wanted to just bury the matter, and they don't get the benefit of the doubt from me anymore. (Register.com's Web site is scrupulously lacking in any information for press to use for contacts. There was a time when they had a contact and just moved slow on it, but they lack even this now.) So I was ready to assume the worst when I read about the new rules. They streamline certain procedures so as to facilitate transfers in cases where the registrar previously holding the domain—the "registrar of record"—drags its feet. It seems the real problem, as ICANN puts it, was not registrars being too easy with transfers, but those not proceeding with a timely transfer when a legitimate request came in. And more specifically, Network Solutions has a lousy reputation in this regard. (Am I now accusing them of conflicting offenses, being too lax with transfer security and not willing enough to proceed with the transfer? Let them call me up and explain it to me.) It seems that the sorts of problems I was observing have less to do with the transfers between registrars than with other security policies of the registrar, specifically changing the administrative contact information. The new ICANN policies shouldn't make the problems any worse because they still require that the registrar of record contact the owner. If the owner information is incorrect, it's really a separate issue. And if there is a real dispute over a domain transfer, there is a set and orderly policy for dispute resolution
But owner information often is incorrect—because the owner wanted it that way. The WHOIS database is one of the great farms from which spammers harvest e-mail addresses, so many domain owners intentionally put in false contact information. Even the other contact information is often false out of privacy concerns. This information is usually separate from the registrar's billing database; while false information in the contact records usually violates registrar policy, as long as they get paid they usually look the other way. And it's not illegal to put false contact information in a WHOIS record, although there has been some talk in Congress of making it so. The real answer seems to be domain locking, which it now appears all registrars support. Locking puts a "Status: REGISTRAR-LOCK" in your WHOIS record and prevents a default transfer of the type just instated by ICANN. GoDaddy, for example, has put a notice up warning all customers that they better lock their domains if they want to be sure of protecting them. I haven't seen a single definition, but it appears that "REGISTRAR-LOCK" doesn't just prevent unauthorized transfers, but any other change in the domain record too. The only way to make a change is to log in to the master account and use the registrar's interface. If this is universally the case, it's the solution to the problem. It's just up to you to secure your master account information. Taking ICANN at its word—that there was a problem with expediting legitimate transfer requests—I can see the reasonableness of the new policies. It does make competition more practical by denying registrars the ability to stall. What we need now are policies and technologies that make contact records more secure and eliminate all this ridiculous false information. For insights on security coverage around the Web, check out eWEEK.com Security Center Editor Larry Seltzer's Weblog. But beyond locking, I like the approach as that used by Domains By Proxy. Instead of your contact information referring to you, it refers to Domains By Proxy. You can tell them to forward contact requests on to you, or not. They only work with a small number of registrars? Why shouldn't all registrars offer this? In fact, why shouldn't it be part of the standard? Come to think of it, isn't the whole idea that domain contact information needs to be public kind of quaint and antiquated? If you want to make your domain contact information public, put up a Web server and write a page for it. This looks like a job for ICANN. In the end, if there are many attempts to steal domains and users have to utilize the (4,449 word) Dispute Resolution Policy to resolve them, it's still a failure even if it works every time. The system needs to protect domain owners from having to engage in the process too. I haven't yet seen where ICANN has helped this.
source http://www.eweek.com/ |