ICANN Email List Archives

[gnso-irtp-b-jun09]



Re: [gnso-irtp-b-jun09] 60 day lock following registrant change

  • To: "Gnso-irtp-b-jun09@xxxxxxxxx List" <Gnso-irtp-b-jun09@xxxxxxxxx>
  • Subject: Re: [gnso-irtp-b-jun09] 60 day lock following registrant change
  • From: George Kirikos <icann@xxxxxxxx>
  • Date: Thu, 15 Jul 2010 10:41:05 -0400

Hello,

On Thu, Jul 15, 2010 at 9:32 AM, Michele Neylon :: Blacknight
<michele@xxxxxxxxxxxxx> wrote:
> On 15 Jul 2010, at 13:56, George Kirikos wrote:
>> On Thu, Jul 15, 2010 at 6:39 AM, Michele Neylon :: Blacknight
>> <michele@xxxxxxxxxxxxx> wrote:
>>> This working group is  discussing transfer _policy_
>>>
>>> Transfer policy needs to be applicable to _ALL_ registrants - not just 
>>> those who are willing to pay a premium for extra levels of security etc
>>>
>>> Also, the Verisign and Neustar registry locks did not exist when this WG 
>>> started
>>
>> Following that logic, one also shouldn't be tailoring "policy" to the
>> *least* security-conscious registrants, those who are posting their
>> registrant username/password directly on their Facebook page with a
>> note "please steal my domain name" and then later want to undo their
>> domain name transfer because the name was "stolen" via some emergency
>> procedure.
>
>
> If you want to have a sane discussion with me that's fine. If you insist on 
> using really stupid examples like the one above then there's no point in me 
> replying to you

Yet, you replied nonetheless. ;-) Let me give a less extreme example,
if that would make you happy. Suppose Bill owns example.com, and has a
choice of registrars to use. He picks "Leaky Sieve Registrar" that
sends usernames/passwords in cleartext on demand via email 100% of the
time, instead of "Vault Registrar" that offers a higher level of
security, perhaps resetting passwords only after a telephone
verification, SMS, etc. Perhaps "Leaky Sieve" charges $10/yr for
domains versus $12/yr at "Vault Registrar."

Policy needs to take into account that these choices do exist in the
marketplace. Charter Question A demands that this be taken into
account, because it's an explicit alternative. "Whether a process for
urgent return/resolution of a domain name should be developed." If a
domain name is valuable enough, and you explicitly made a choice for
weaker security, you should bear some of the responsibility.

If we make policies to help people who make bad choices, that opens up
the entire issue of "Moral Hazard"

http://en.wikipedia.org/wiki/Moral_hazard

and will cause people to engage in even more risky behaviour, and
place the burden upon someone else (the secondary market, for example,
if irrevocable transfers are eliminated). In other words, in
attempting to "help" people who won't help themselves, you make the
situation even worse.

Some folks don't buy health insurance, for example. If society pays
for all health costs unconditionally and "equally", then that policy
can be abused (e.g. by smokers, who might generate higher health
costs, that are paid for by everyone else).

>> UDRP isn't "free", by the way.
>
> Who said it was??

You said "Transfer policy needs to be applicable to _ALL_ registrants
- not just those who are willing to pay a premium for extra levels of
security etc". I was arguing that existing policies and reality don't
apply to *all* registrants regardless of their income/wealth, etc.
Economics are implicit within all policies, whether you like it or
not.

> Yes, but that doesn't mean that other customers should be punished by a lack 
> of policy to assist them
>
> By your logic, if I install a safe in my house and a burglar alarm then I am 
> somehow on a different "level" to someone who hasn't. While the economic 
> levels are obvious that doesn't mean that the crime of breaking into my house 
> is any lessened by the levels of security I may (or may not) have implemented

You assume "policies" are their only option. There are always
alternatives, e.g. courts, they could have been more proactive, etc.

To answer your example of the breaking into a house, they're both
crimes, but one might be more severe, more of an "emergency" than
another. Let's suppose the "damages" were even identical: $10,000 in
cash is stolen from both houses, one that had the safe and burglar
alarm, and one that had no security. Why isn't that "Moral Hazard" if
policy treats those cases identically? Indeed, folks might be
incentivized to not buy safes at all, if a policy existed to treat
them identically and cover 100% of the losses. I'm for a society where
people are incentivized to take responsibility for themselves....to
invest in the safes when they have something valuable to protect,
especially when that choice exists in the marketplace. Overall
security would be higher, and there'd be fewer thefts in that society,
as people were being proactive.

> While the study is interesting the audience is too narrow to be of any value 
> ie. Andrew's readers are going to be more "savvy" than your average SME

As I said, it was unscientific. But, the "average SME" isn't going to
be suffering an "emergency", is he/she? This is supposed to be a
policy for "urgent" cases, where there's the potential for the damages
to be of high magnitude. Those owners of high value (i.e. "important")
domains are *supposed* to be *savvy*!

> Normal users make assumptions. If I go to a garage to get my car serviced I 
> assume that the personnel know what they are doing and that they will do it 
> to a certain level. I am not a mechanic, so I don't care or need to know 
> about the "level", but as a consumer I should feel confident that when I pick 
> up my car from the garage that it will be safe to drive
>
> I would be pretty confident that most registrants assume that when they buy 
> domains and / or hosting that a certain degree of security etc., is present.

I've long argued that I'm 100% for higher levels of *proactive*
security. Raise the standards for everyone, that would reduce thefts.
Some folks put a GPS locator device on their car, to be able to track
it if it's stolen. Some invest in "The Club" to lock their steering
wheel.

The "ETRP" is saying, though, that if your car is *claimed* to be
stolen, the police should drop everything they're doing (i.e. impose a
cost on society) to treat your case as an emergency, whether your car
is a 1980 Lada or a 2010 Rolls Royce. Car owners are aware of the
risks, so should domain owners. I'm all for better education.

> Of course bigger companies, tech savvy types etc., might know more and might 
> ask more questions, but let's face it, for most people domains are tools. 
> They enable them to send / receive email etc., They don't view their domain 
> as being of any value to them until their ability to use the domain is 
> removed or hampered in some way.

Educate them, then. That was one of the recommendations from 5 years
ago. Has it been implemented? If not, why not?

>> As above, in creating a policy for emergencies, just as the
>> issues report discussed last year, isn't it supposed to be qualified
>> to only those situations where the magnitude of the harm is great?
>
> Well this is something that we did discuss quite a bit initially
>
> My personal view is that yes - I can see how some entities would place a 
> greater "value" or see a higher "impact" with their domain being taken, but 
> that ultimately even my personal domain name is of value to me.

It needs to be discussed more, then, because the choice to not apply
it only to *urgent* cases means that the cost/benefit calculation
changes, i.e. the "costs" imposed upon others by not properly
qualifying any procedure to true emergencies begin to exceed all
benefits.

e.g. a proper policy limited to "urgent" situations has a benefit of
$5 million and a cost of $100,000. A broader policy that is
unqualified has benefits of $5.5 million (i.e. an extra $500K in
benefits because it applies to more marginal cases), but has greater
costs now of $10 million (because of the increase in "costs",
"burdens" imposed due to greater conflicts caused by that policy,
etc.). I'm arguing that if there's going to be a policy, it should be
like the former, and not the latter.

And I note that no one has responded to the thread that directly asks
those questions, to get a better sense of the actual damages,
statistics, etc.:

http://forum.icann.org/lists/gnso-irtp-b-jun09/msg00384.html

and to be able to gauge benefits vs. costs. These questions might seem
"difficult", but if they're not going to be answered, then there
should be no further work done, as one would be considering the output
of this group to be "religion-based" rather than
"scientifically-based." (i.e. just taking things on "faith" and
handwaving alone, "think of the children" emotionality vs. being data
driven).

Sincerely,

George Kirikos
416-588-0269
http://www.leap.com/



