ICANN ICANN Email List Archives

[gnso-irtp-b-jun09]


<<< Chronological Index >>>    <<< Thread Index >>>

Re: [gnso-irtp-b-jun09] 60 day lock following registrant change

  • To: "Gnso-irtp-b-jun09@xxxxxxxxx List" <Gnso-irtp-b-jun09@xxxxxxxxx>
  • Subject: Re: [gnso-irtp-b-jun09] 60 day lock following registrant change
  • From: George Kirikos <icann@xxxxxxxx>
  • Date: Tue, 6 Jul 2010 19:23:36 -0400

Hello,

On Tue, Jul 6, 2010 at 5:04 PM, Rob Golding <rob.golding@xxxxxxxxxxxxxxx> wrote:
> George Kirikos wrote ...
>
>> Fraud by a buyer is easy for you to manage -- insist upon a wire
>> transfer. It's your choice to use credit cards or other risky forms of
>> payments
>
> I'm certain it was explained to you during the working group held during the
> recent ICANN meetings in Brussels, a "wire-transfer" is no more secure than
> any other payment method - any EFT can be recalled by the sending bank
> should the account holder report it as unauthorised/fraudulent. This is the
> same with personal and business cheques upto 2 years after they've been
> cashed !

Perhaps you should do more research into payment systems. Wire
transfers are considered the most secure form of payment.  See:

http://www.cdnpay.ca/publications/general_lvts_payments.asp
http://www.federalreserve.gov/paymentsystems/lowvaluepay/lowvaluepayments.pdf

and search the pages for the words "irrevocable" or "secure."
Escrow.com, for example, isn't going to accept a large payment unless
it's by wire transfer:

https://www.escrow.com/support/payment.asp

While it's *possible* in very obscure circumstances to recall a wire
transfer, it's definitely not guaranteed. And it's a lot more serious
to undo a wire transfer falsely.

If you truly believe that you can unconditionally recall a wire (or
even a cheque) 2 years later, feel free to wire me $100,000 (in
exchange for a low quality domain name, and we'd have a written
contract that is binding), and then try to undo it 2 years from now.
Let me pick a new bank, so I can guarantee that I close the account
the week after I've received the funds, too. :-)

>> Given fraud can happen from both buyer and seller, what happens when
>> the seller commits fraud *after* a sale, by undoing it on a whim,
>> using the current ETRP proposal
>
> The proposal to provide a *registrar* with the ability to "recall" a
> transfer isn't about fraudulent sales of domains - that's a change of
> *registrant* - it's about fraudulent transfers to another registrar which
> the registrar has to believe was done without the registrants consent.

For all intents and purposes, it's the old registrant who is recalling
it (why would a losing registrar not cooperate with their old client?)
with the registrar cooperating with them do initiate the command to
the registry. If there's no "change of registrant", then the
registrant has actual control of the domain at the new registrar! They
can just transfer it back, as there's no theft.

The change of registrant often happens around the same time as a
transfer. Read item (c) of this workgroup's charter. It's common for a
purchaser to want the domain to end up at their favourite registrar.
If the purchaser completes the deal by initiating a transfer to the
gaining registrar,  which is then accepted by the prior owner at the
losing registrar, the WHOIS at the new registrar will immediately
change to the purchaser when the transfer is complete. That
transaction will then be caught and affected by the ETRP proposal
(i.e. prior owner, at losing registrar, can invoke the transfer
reversal).

[If the purchaser does the change of registrant entirely at the old
registrar, with the desire to them move it to their favourite
registrar, then they'd have to deal with situations like that at
GoDaddy, where potentially the name is forced to stay there for 60
days, or more.......(ICANN hasn't said why *60 days* is magical, and
why one can't "opt-in" to a 50 year lock when presented with that
option by the old registrar) and subject to its own set of "risks"
(e.g. not being in a desirable legal jurisdiction, or being subject to
a registrar's ad-hoc procedures)]

>> not having clear title to a domain name for a period of up to
>> 6 months after
>
> My personal opinion is that 6 months is too long a window.
>
>> Depending on the "urgency", a court can act much more swiftly to
>> return a hijacked domain name.
>
> Or not as the sex.com debacle showed.

Mr. Kremen was compensated financially for his losses. Perhaps
NSI/VeriSign care to comment.

http://www.prnewswire.com/news-releases/sexcom-settles-monumental-case-against-verisignnetwork-solutions-72557542.html
http://www.circleid.com/posts/sexcom_settles_monumental_case_against_verisign_network_solutions/

That settlement, if registrars/registries were rational, should have
caused them to be more proactive about security. It should have been a
"teachable moment." But, I guess not, since the Panix.com incident was
*after* that. Let's go back to the report from 5 years ago:

http://www.icann.org/en/announcements/hijacking-report-12jul05.pdf

top of page 14 says:

"Such a mechanism would require a determination of what qualifies as
urgent, how to determine whether the allegation of fraud is valid, and
who is authorized to make this determination."

That language shows some balance. Contrast that with the proposed ETRP.

(a) ALL cases are considered "urgent" (i.e. absolutely zero
qualification is made)
(b) ALL allegations are considered "valid" (shoot first, ask questions later)
(c) ONLY the losing registrar (the one who had weak "security" to
begin with) is authorized to make the determination

Now, continue on page 14 (and, the rest of the document was also
prepared with great care and balance, unlike the workgroup report),
which notes:

"One means of dealing with the hijacking question would be to assign
the financial and legal risks associated with fraudulent hijacking to
the party most able to control the risk: the registrar closest to the
wrongdoer. Holding registrars accountable in this manner would create
incentives for registrar to take whatever steps are necessary to
prevent the occurrence of fraudulent hijackings."

That's really the "elephant in the room". Holding the registrars
responsible both financially and legally creates the proper
incentives. Why didn't the workgroup go down this route -- perhaps
because registrars/registries have so much voting power in the GSNO,
in contrast to lowly registrants? The ETRP? All the wrong incentives.

> And if the domain is moved to an "unhelpful" registrar (as the group is
> often referring back to certain unresponsive Far-East providers) do you
> really think even with a judgement, you'll be able to get it enforced ?

You don't move against the registrar, that's just dumb. You enforce it
with the registry (VeriSign), in the good old USA (realistically, most
hijackings of any importance occur in .com). The examples I provided
(Microsoft botnet, movie piracy) all involved foreign registrars that
were trumped by seeking an order from VeriSign. VeriSign might be able
to add some color and fill in the details? I could probably go into
PACER and download the relevant orders for "proof", though, but
perhaps Barbara can save me the 8 cents/page.

> Having to (rather than having the *option* to) go through the court method
> for a registrant to obtain their transferred domain back IMHO means you're
> restricting this to a very small subset of potential registrants - I firmly
> believe that *all* registrants should be taken care of, not just those with
> fatter cheque books.

You're suggesting once again that *all* cases are equal. That wasn't
what even the report from 5 years ago said about "require a
determination of what qualifies as urgent." Remember, the TDRP already
exists, and that has due process.

If you want all registrants to be "taken care of", the best way to do
that is to raise minimum standards at all registrars, taking the best
practices that were recommended in the past reports (which have mostly
been ignored; you know, 2-factor security, out-of-band
communications.....I sound like a broken record, perhaps, but I'll
keep repeating them until folks explain why those recommendations have
not been implemented, which proactively reduce hijackings).

Let me leave a couple of analogies. Suppose we had a world where
payment systems varied in their level of security, from the low
security of credit cards to the highest security of wire transfers.
The ETRP would be the equivalent of outlawing wire transfers, and
forcing everyone to only accept credit cards. What would be the
result? It would undermine the financial system, because folks would
no longer be able to rely upon the irrevocability of payments, and
would need to deal with credit risk in *every* transaction (i.e.
chargebacks, etc.). The ETRP would be permitting "domain clawbacks",
essentially, a new risk for those involved in the secondary market.
When ICANN mandates that all registrars *must only* accept credit
cards, and must cease using wire transfers, then it might be able to
make a case for the ETRP --- both policies would be equally dumb
(given the number of registrars that go out of compliance for not
paying their bills, perhaps ICANN needs to learn more about credit
risk....).

Here's the other analogy for the geeky crowd. Various operating
systems allow one to do 'dangerous' things from a shell or logged in
as root. Stuff like deleting all the fieles on your hard disk, for
example (rm -rf / ). The ETRP would be the equivalent of saying "no
one can use a shell, you shall all only use a file manager." (or, "you
shall all switch to Mac, and further use of Windows is not permitted")
For some (or even a large class of) users, these kinds of broads
restrictions would cause real damage. If you want to be a nanny to a
certain class of users (who in a competitive system certainly have the
incentives and ability to choose secure registrars, if security is
important to them), you shouldn't do so at the expense of another
class of users who need certain functionality (the functionality in
the domain name transfer system being the irrevocability, or at least
due process like the TDRP offers). For those who know what they're
doing, we should be able to continue, e.g. with a parallel
"irrevocable transfer procedure" as per:

http://forum.icann.org/lists/gnso-irtp-b-jun09/msg00334.html

without suffering the economic damage that would be felt by those
caught by the policy.

************ IMPORTANT BELOW ***************

When all is said and done, if you want to solve the domain name
hijacking issue, it's simple. Go to section 3.3 of the Workgroup
report's Annex C, where it says (page 51):

"3.3 PTRa must obtain an ETRP Authorization from the Registrant to
initiate a ETRP."

To solve the domain name hijacking issue, all you need to do is
require that registrant changes and outgoing transfers have the
identical standard! (of course, one also needs to look at section 3.4,
including 3.4.2, to say the form of that authorization) Instead of
wasting everyone's time on a *clawback* procedure, that can and will
be *misused*, why not focus on the actual problem, authenticating the
real transfers and registrant changes? That's the other "elephant in
the room."

If *that* had been the focus of the workgroup, it would be on the
right track, and I wouldn't be here. I'd be applauding the report,
instead of picking it apart.

Sincerely,

George Kirikos
416-588-0269
http://www.leap.com/



<<< Chronological Index >>>    <<< Thread Index >>>

Privacy Policy | Terms of Service | Cookies Policy