Re: [gnso-irtp-b-jun09] 60 day lock following registrant change

["Michele Neylon :: Blacknight" <michele@xxxxxxxxxxxxx>]

On 15 Jul 2010, at 15:41, George Kirikos wrote:
>> 
>> 
>> If you want to have a sane discussion with me that's fine. If you insist on 
>> using really stupid examples like the one above then there's no point in me 
>> replying to you
> 
> Yet, you replied nonetheless. ;-)

Well if I didn't you'd have complained .. (not that I hadn't replied, but that 
nobody had replied .. )


> Let me give a less extreme example,
> if that would make you happy.

that's unlikely, but thanks for trying (though my current emotional state has 
nothing to do with this mailing list or WG)


> Suppose Bill owns example.com, and has a
> choice of registrars to use. He picks "Leaky Sieve Registrar" that
> send usernames/passwords in cleartext on demand via email 100% of the
> time, instead of "Vault Registrar" that offers a higher level of
> security, perhaps resetting passwords only after a telephone
> verification, SMS, etc. Perhaps "Leaky Sieve" charges $10/yr for
> domains versus $12/yr at "Vault Registrar."
> 
> Policy needs to take into account that these choices do exist in the
> marketplace.

Yes - I do not disagree


> Charter Question A demands that this be taken into
> account, because it's an explicit alternative. "Whether a process for
> urgent return/resolution of a domain name should be developed." If a
> domain name is valuable enough, and you explicitly made a choice for
> weaker security, you should bear some of the responsibility.

No - this is where I disagree


> 
> If we make policies to help people who make bad choices, that opens up
> the entire issue of "Moral Hazard"
> 
> http://en.wikipedia.org/wiki/Moral_hazard

> 
> and will cause people to engage in even more risky behaviour, and
> place the burden upon someone else (the secondary market, for example,
> if irrevocable transfers are eliminated).

So I'm meant to feel sorry for domainers?


> In other words, in
> attempting to "help" people who won't help themselves, you make the
> situation even worse.

You really should join some of the other fun PDPs .. :)

While I can agree with you to a point I'd still disagree. Domain Registry of 
America, for example, use tactics that have been deemed to be misleading and 
possibly even illegal. Our clients get hit with their letters all the time. 
(Rob Golding mentioned them last night)
Personally I would like to see policy that had the "teeth" to stop this kind of 
thing. 
So if a small business owner is duped by these kinds of companies they can be 
seen to have "made a bad choice", but do they have the information available to 
them to do otherwise?


> 
> Some folks don't buy health insurance, for example. If society pays
> for all health costs unconditionally and "equally", then that policy
> can be abused (e.g. by smokers, who might generate higher health
> costs, that are paid for by everyone else).

That's a very narrow view

In many European countries health insurance is not the norm - we have cover 
without it

> 
>>> UDRP isn't "free", by the way.
>> 
>> Who said it was??
> 
> You said "Transfer policy needs to be applicable to _ALL_ registrants
> - not just those who are willing to pay a premium for extra levels of
> security etc". I was arguing that existing policies and reality don't
> apply to *all* registrants regardless of their income/wealth, etc.

> Economics are implicit within all policies, whether you like it or
> not.

Again - we have to disagree


> 
>> Yes, but that doesn't mean that other customers should be punished by a lack 
>> of policy to assist them
>> 
>> By your logic, if I install a safe in my house and a burglar alarm then I am 
>> somehow on a different "level" to someone who hasn't. While the economic 
>> levels are obvious that doesn't mean that the crime of breaking into my 
>> house is any lessened by the levels of security I may (or may not) have 
>> implemented
> 
> You assume "policies" are their only option. There are always
> alternatives, e.g. courts, they could have been more proactive, etc.

Now you're going off on a tangent

> 
> To answer your example of the breaking into a house, they're both
> crimes, but one might be more severe, more of an "emergency" than
> another. Let's suppose the "damages" were even identical $10,000 in
> cash is stolen from both houses, one that had the safe and burglar
> alarm, and one that had no security. Why isn't that "Moral Hazard" if
> policy treats those cases identically? Indeed, folks might be
> incentivized to not buy safes at all, if a policy existed to treat
> them identically and cover 100% of the losses. I'm for a society where
> people are incentivized to take responsibility for themselves....to
> invest in the safes when they have something valuable to protect,
> especially when that choice exists in the marketplace. Overall
> security would be higher, and there'd be fewer thefts in that society,
> as people were being proactive.
> 
>> While the study is interesting the audience is too narrow to be of any value 
>> ie. Andrew's readers are going to be more "savvy" than your average SME
> 
> As I said, it was unscientific. But, the "average SME" isn't going to
> be suffering an "emergency", is he/she?

I don't think you are qualified to judge that

We, Blacknight, are an SME. If blackreg.com were hijacked it would cause a LOT 
of headaches for us and our clients, which we would classify as an "emergency"

In any case an "emergency" is subjective

The key thing is that there is one and there is urgency


> This is supposed to be a
> policy for "urgent" cases, where there's the potential for the damages
> to be of high magnitude. Those owners of high value (i.e. "important")
> domains are *supposed* to be *savvy*!

Again I disagree


> 
>> Normal users make assumptions. If I go to a garage to get my car serviced I 
>> assume that the personnel know what they are doing and that they will do it 
>> to a certain level. I am not a mechanic, so I don't care or need to know 
>> about the "level", but as a consumer I should feel confident that when I 
>> pick up my car from the garage that it will be safe to drive
>> 
>> I would be pretty confident that most registrants assume that when they buy 
>> domains and / or hosting that a certain degree of security etc., is present.
> 
> I've long argued that I'm 100% for higher levels of *proactive*
> security. Raise the standards for everyone, that would reduce thefts.
> Some folks put a GPS locator device on their car, to be able to track
> it if it's stolen. Some invest in "The Club" to lock their steering
> wheel.
> 
> The "ETRP" is saying, though, that if your car is *claimed* to be
> stolen, the police should drop everything they're doing (i.e. impose a
> cost on society) to treat your case as an emergency, whether your car
> is a 1980 Lada or a 2010 Rolls Royce. Car owners are aware of the
> risks, so should domain owners. I'm all for better education.
> 
>> Of course bigger companies, tech savvy types etc., might know more and might 
>> ask more questions, but let's face it, for most people domains are tools. 
>> They enable them to send / receive email etc., They don't view their domain 
>> as being of any value to them until their ability to use the domain is 
>> removed or hampered in some way.
> 
> Educate them, then. That was one of the recommendations from 5 years
> ago. Has it been implemented? If not, why not?

How?


> 
>>> As above, in creating a policy for emergencies, just as the
>>> issues report discussed last year, isn't it supposed to be qualified
>>> to only those situations where the magnitude of the harm is great?
>> 
>> Well this is something that we did discuss quite a bit initially
>> 
>> My personal view is that yes - I can see how some entities would place a 
>> greater "value" or see a higher "impact" with their domain being taken, but 
>> that ultimately even my personal domain name is of value to me.
> 
> It needs to be discussed more, then, because the choice to not apply
> it only to *urgent* cases means that the cost/benefit calculation
> changes, i.e. the "costs" imposed upon others by not properly
> qualifying any procedure to true emergencies begin to exceed all
> benefits.
> 
> e.g. a proper policy limited to "urgent" situations has a benefit of
> $5 million and a cost of $100,000. A broader policy that is
> unqualified has benefits of $5.5 million (i.e. an extra $500K in
> benefits because it applies to more marginal cases), but has greater
> costs now of $10 million (because of the increase in "costs",
> "burdens" imposed due to greater conflicts caused by that policy,
> etc.). I'm arguing that if there's going to be a policy, it should be
> like the former, and not the latter.
> 
> And I note that no one has responded to the thread that directly asks
> those questions, to get a better sense of the actual damages,
> statistics, etc.:

Don't take it personally, but not all of us have the time to do our dayjobs and 
answer each and every post on every single list we're on  .. 



> 
> http://forum.icann.org/lists/gnso-irtp-b-jun09/msg00384.html
> 
> and to be able to gauge benefits vs. costs. These questions might seem
> "difficult", but if they're not going to be answered, then there
> should be no further work done, as one would be considering the output
> of this group to be "religion-based" rather than
> "scientifically-based." (i.e. just taking things on "faith" and
> handwaving alone, "think of the children" emotionality vs. being data
> driven).
> 
> Sincerely,
> 
> George Kirikos
> 416-588-0269
> http://www.leap.com/
> 

Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
ICANN Accredited Registrar
http://www.blacknight.com/
http://blog.blacknight.com/
http://blacknight.mobi/
http://mneylon.tel
Intl. +353 (0) 59  9183072
US: 213-233-1612 
UK: 0844 484 9361
Locall: 1850 929 929
Direct Dial: +353 (0)59 9183090
Twitter: http://twitter.com/mneylon
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
Road,Graiguecullen,Carlow,Ireland  Company No.: 370845