 [gnso-irtp-b-jun09] Problems with the Expedited Transfer Reverse Policy
To: "Gnso-irtp-b-jun09@xxxxxxxxx List" <Gnso-irtp-b-jun09@xxxxxxxxx>
Subject: [gnso-irtp-b-jun09] Problems with the Expedited Transfer Reverse Policy
From: George Kirikos <icann@xxxxxxxx>
Date: Wed, 23 Jun 2010 12:13:53 -0400
 
The IRTP just had a conference call, and I was basically ganged up on
for pointing out all the flaws in the proposed ETRP (Expedited
Transfer Reverse Policy).

How will businesses and consumers be affected when folks can simply
undo a legitimate transfer "at will", without due process, within 6
months? How will an escrow work if the prior owner can simply claim
"hijacking" and undo a transfer, when it's simply a case of seller's
remorse? We see irrevocable transfers in the real estate industry, and
that market works fine, because people are *proactive* about security.
Here, the folks pushing for this flawed proposal seek to implement a
*reactive* policy that *will* be misused.

I'm totally appalled at how they want to create a huge loophole in
policy, that will have collateral damage which is much bigger than the
"problem" they're trying to solve.

A transcript of what went down should be available later at:

http://brussels38.icann.org/node/12502

To see why this policy is flawed, consider the following scenario:

1. Example.com is registered at GoDaddy, to Party A.
2. Party B agrees to buy the domain name for $1,000, and transfers it
to Tucows legitimately.
3. Party B builds up a large website, investing millions of dollars
(perhaps it was Microsoft, who has bought domain names like kin.com
and docs.com in the aftermarket, or B&N, who bought nook.com in the
secondary market).
4. 6 months later, Party A gets seller's remorse, and decides to
invoke the policy, claiming the domain name was hijacked, and the
domain name is returned immediately to GoDaddy (the original
registrar), under the full control of Party A again.
5. Tucows (the new registrar) and Party B can't do anything about it,
to dispute the use of this policy, as it's currently proposed!

(there exists a "TDRP" Transfer Dispute Resolution Procedure in place
now that *does* have due process, but some folks seem to think it's
not good enough)

Fact: If there's a real dispute, one side is lying! It should be up to
a court to decide, not simply getting involved and undoing a
legitimate transfer! Remember, the original registrar (GoDaddy in the
example above) had every opportunity to authenticate Party A's desire
to transfer the domain name to Tucows (where Party B wants it to be)
BEFORE the domain name transfer took place! The domain could be
unlocked only after talking to Party A by phone first, for example. Or
some other "executive lock" procedure (VeriSign lock is just one
example of many). The EPP code could be sent by SMS, for example.
There are myriad ways to be proactive about security, and I'm 100% in
favour of those.

The workgroup pretends fraud exists only by "domain hijackers", and
seems incapable of seeing fraud within the community of domain
sellers. One need only look at the case of Nelson Brady and SnapNames,
to see what kinds of frauds are possible. It's bad enough when you
have to deal with that kind of fraud, but then to add a brand new
risk, of legitimate transfers being undone simply upon a *claim* of
hijacking??!!? (not *proof* or a court order or some other due
process)

I find it simply unreal that these serious concerns are not being
taken seriously, and are being brushed aside by this workgroup.

Sincerely,

George Kirikos
http://www.leap.com/
 