ICANN Email List Archives

[gnso-irtp-b-jun09]



Re: [gnso-irtp-b-jun09] 60 day lock following registrant change

  • To: "Gnso-irtp-b-jun09@xxxxxxxxx List" <Gnso-irtp-b-jun09@xxxxxxxxx>
  • Subject: Re: [gnso-irtp-b-jun09] 60 day lock following registrant change
  • From: George Kirikos <icann@xxxxxxxx>
  • Date: Thu, 15 Jul 2010 12:02:34 -0400

Hello,

On Thu, Jul 15, 2010 at 11:13 AM, Michele Neylon :: Blacknight
<michele@xxxxxxxxxxxxx> wrote:
> On 15 Jul 2010, at 15:41, George Kirikos wrote:
>> Charter Question A demands that this be taken into
>> account, because it's an explicit alternative. "Whether a process for
>> urgent return/resolution of a domain name should be developed." If a
>> domain name is valuable enough, and you explicitly made a choice for
>> weaker security, you should bear some of the responsibility.
>
> No - this is where I disagree

Why should society bear the costs of other people's irresponsibility?
We see that in the US mortgage market, for example, where some people
entered into "bad deals" and then wanted a "bailout", to be able to
renegotiate their loans, have the government pay their mortgages,
whatever.

When people don't bear some of the responsibility for their own
actions, that's far worse. But, at least your position is explicit.

>> and will cause people to engage in even more risky behaviour, and
>> place the burden upon someone else (the secondary market, for example,
>> if irrevocable transfers are eliminated).
>
> So I'm meant to feel sorry for domainers?

The "secondary market" is not the only example of folks hurt, and the
secondary market is more than just "domainers." It's like suggesting
that the secondary market for housing only consists of "house
flippers." Suppose MarkMonitor or Marksmen does a stealth acquisition
on behalf of Google or Microsoft for a domain name. The name is
acquired, and put to use. What's going to happen when that name is
clawed back immediately by the ETRP, as currently proposed, due to
seller's remorse and lack of due process via a dispute mechanism?

That's why last year it was correctly written that:

http://forum.icann.org/lists/gnso-irtp-b-jun09/msg00384.html

"The emergency action procedures should be tested to verify they are
resilient to tampering and difficult to exploit. In particular, it
should be difficult or impossible for an attacker to effect a hijack
or interfere with a transfer under the guise of requesting urgent
restoration of a domain."

It's not about feeling "sorry for domainers", it's about not opening
up a new loophole that can be exploited, when one attempts to fix a
different problem (same goes for the 60 day lock following registrant
change, how that can be abused by registrars to essentially rewrite
the intent of the transfers policy under the guise of "improving
security"). And as folks clearly know, the loopholes are routinely
exploited, especially by registrars.

>> In other words, in
>> attempting to "help" people who won't help themselves, you make the
>> situation even worse.
>
> You really should join some of the other fun PDPs .. :)
>
> While I can agree with you to a point I'd still disagree. Domain Registry of 
> America, for example, use tactics that have been deemed to be misleading and 
> possibly even illegal. Our clients get hit with their letters all the time. 
> (Rob Golding mentioned them last night)
> Personally I would like to see policy that had the "teeth" to stop this kind 
> of thing.
> So if a small business owner is duped by these kinds of companies they can be 
> seen to have "made a bad choice", but do they have the information available 
> to them to do otherwise?

You don't need a policy that has "teeth" to "stop this kind of thing."
If you're a registrar, you can validate outgoing transfers by
telephone (before unlocking the domain name or issuing an EPP
auth_info code). It's your choice whether or not you want to educate
your customers. Other registrars do educate their customers, e.g.
EasyDNS, to name an example:

http://support.easydns.com/domain.slammers/index.php

If you called the client you're about to lose, and asked them why
they're leaving, you would put a stop to things. Or, if you have legal
standing, go ahead and sue the "bad guys." If a registrar's business
model is 100% electronic, and they are never going to pick up the phone to
talk to their own customer, that's their own choice.

>> Economics are implicit within all policies, whether you like it or
>> not.
>
> Again - we have to disagree

Go look at the AOC document:

http://www.icann.org/en/announcements/announcement-30sep09-en.htm

"To ensure that its decisions are in the public interest, and not just
the interests of a particular set of stakeholders, ICANN commits to
perform and publish analyses of the positive and negative effects of
its decisions on the public, including any financial impact on the
public, and the positive or negative impact (if any) on the systemic
security, stability and resiliency of the DNS."

It cannot be more clear. If economics were not implicit (and heck even
explicit), then these policies would be religious edicts, not
carefully balanced policies as they should be. If you only look at
"benefits", your job is only half-done, because you've not weighed the
"costs." (and the job is not even half-done, as even the "benefits"
for this workgroup remain unknown, because of the lack of data to
date)


>> As I said, it was unscientific. But, the "average SME" isn't going to
>> be suffering an "emergency", is he/she?
>
> I don't think you are qualified to judge that

Yes, I am. By definition, a policy meant for "emergencies" is meant
for *extreme* events, not "average" events. If the imaginary "average
SME" could even qualify for an "emergency" (where the damages are high
and return is urgent), then by definition they weren't "average" to
begin with.

For example, in the financial crisis, some banks were *allowed* to
fail. Some were "too big to fail." I'm sure those small banks that got
wiped out felt they were in an "emergency", but there was no systemic
risk due to their failure.

> We, Blacknight, are an SME. If blackreg.com were hijacked it would cause a 
> LOT of headaches for us and our clients, which we would classify as an 
> "emergency"
>
> In any case an "emergency" is subjective
> The key thing is that there is one and there is urgency

1) You don't get to self-declare that "we're in an emergency" -- it
has to be according to a 3rd party standard (i.e. one this workgroup
was *supposed* to develop, to distinguish between "urgent" and
"non-urgent" cases). Otherwise, *every* case becomes an "emergency",
which subverts the policy.

2) Just because something is "subjective" doesn't mean one "gives up."
One applies rules, makes judgments about "subjective" things *all the
time.* If you can't come up with a standard, leave it to someone who
can, i.e. an independent court.

3) Simply saying "there is one" and "there is urgency" doesn't make
it one. Go back to the "too big to fail" example. Some are bigger than
others, and one has to draw a line somewhere. If one is incapable of
drawing that line anywhere at all, then perhaps one shouldn't be a
decision-maker, and leave it to those who can make the tough
decisions.

>> Educate them, then. That was one of the recommendations from 5 years
>> ago. Has it been implemented? If not, why not?
>
> How?

Registrants are educated via WHOIS reminders to keep their WHOIS up to
date. There are advisories by ICANN. Registrars can proactively hold
seminars. They can blog, as MarkMonitor has done about VeriSign Lock
on CircleID, etc.

People learn, e.g. Facebook and privacy, whatever.


>> And I note that no one has responded to the thread that directly asks
>> those questions, to get a better sense of the actual damages,
>> statistics, etc.:
>
> Don't take it personally, but not all of us have the time to do our day jobs 
> and answer each and every post on every single list we're on ...

Yes, but that's one of the most fundamental questions, that questions
the entire basis for this workgroup. You don't need a policy if there
are no benefits, or if the benefits are minuscule (i.e. because
there's only a small number of hijackings that are serious and not
undone in a timely manner) relative to the costs. That will need to be
answered at some point (before a final report, although it should have
been done before the preliminary report!), one can be sure, otherwise
it leaves the policy to be challenged due to Paragraph 4 of the AOC
via a reconsideration request, etc. If you can't analyze the positive
and negative effects, then I repeat this is just a religious
endeavour, and not a scientifically-based data-driven policy group.

Sincerely,

George Kirikos
416-588-0269
http://www.leap.com/
