Re: [gnso-irtp-b-jun09] 60 day lock following registrant change

[George Kirikos <icann@xxxxxxxx>]

Hello,

On Thu, Jul 15, 2010 at 12:18 PM, Michele Neylon :: Blacknight
<michele@xxxxxxxxxxxxx> wrote:
> In any case I don't see what this has got to do with the 60 day lock

It also forces people to be at a registrar against their will,
undermining the purpose of the transfers policy. That affects not only
"domainers" but anyone with a registrant change (if it's allowed to
stand).

> So a GoDaddy or Enom is expected to somehow remove all the automation and 
> convenience that they give their clients so that they can somehow know about 
> each and every transfer and validate them manually?
>
> That doesn't scale
>
> I'd also suspect that you'd be one of the first to complain if we all started 
> charging 100 euro / year for a .com (regardless of its perceived value)

It's their choice. How is it Fabulous can offer "Executive Lock",
without charging any extra? Or ask Moniker how much "MaxLock" costs,
or how much VeriSign Lock costs MarkMonitor clients, etc. That's a
choice that the registrant is fully in control of, for the "important"
domains.

Remember, I proposed an "Irrevocable Transfer Procedure", for those
who want transfers / registrant changes, etc. to be "final" (as they
should be).

As for automation....sending SMS codes can be 100% automated (e.g.
password recovery of Gmail accounts). Sending faxes can be 100%
automated. Using 2-factor security can be 100% automated. Sending an
email to 10 different email addresses if there's any domain change can
be 100% automated. Some registrars will find excuses, others seek
solutions.

If some registrars can't compete, they should be allowed to fail, to
go out of business. Trust me, I have no sympathy for "bad registrars".
Am I supposed to feel "sorry" for them? If you consider yourself a
"good registrar", you should welcome the opportunity for the bad
registrars to be forced out of the business.

> I'm reading the same paragraph as you and I do not interpret it as that at all
> "any" financial impact does not mean that all policies will have an impact
>
> It only means that there should be consideration *if* there is one .. if 
> there isn't it's completely moot

Nearly every policy has some financial impact. A 60-day lock, where
you can't be at the registrar of your choice most definitely has a
financial impact on registrars. Why else do you see them complaining
when registrars are holding their names "hostage"? Does this sound
like a "happy customer"

http://twitter.com/chiefted/statuses/18527676833

If I'm willing to pay $X to get out of that 60-day lock, for example,
or to opt-out of the "clawback" procedure, that's a direct measure of
the financial impact to me of some of the policies.

Suppose Mikey owns Bar.com, for example, and wants to sell it to me. I
might have paid $1,000,000 if the current policies (i.e. irrevocable
transfer) existed. If I had to buy it and risk him executing a ETRP
six months from now, or risk it being held for 60 days at a registrar
that I consider undesirable, for whatever reason (e.g. bad
jurisdiction, doesn't provide all the services I desire, doesn't offer
VeriSign lock, has strange TOS that nickel and dime me, etc.), I might
only be willing to pay $800,000. Consider that across *all* domains,
and it begins to add up.

In a financial example, people from time-to-time rage against
"short-sellers" or " high frequency trading" or whatever cause celebre
exists amongst the short-sighted and uninformed/misinformed. So they
start talking about imposing various trading restrictions, etc., that
cause far more damage than they purport to fix. It might make them
"feel good" that they're "doing something", but it causes far more
damage by undermining markets (e.g. it decreases liquidity, raises
bid-ask spreads, makes legitimate hedging costlier, etc.). Sound
policy needs to be more than just reactionary, "gotta do something",
"think of the children" kind of emotional stuff.


>>>> As I said, it was unscientific. But, the "average SME" isn't going to
>>>> be suffering an "emergency", is he/she?
>>>
>>> I don't think you are qualified to judge that
>>
>> Yes, I am.
>
> Based on what exactly?

I said so in my prior email....the fact that they are *average* makes
it impossible. See:

>> By definition, a policy meant for "emergencies" is meant
>> for *extreme* events, not "average" events. If the imaginary "average
>> SME" could even qualify for an "emergency" (where the damages are high
>> and return is urgent), then by definition they weren't "average" to
>> begin with.
>>
>> For example, in the financial crisis, some banks were *allowed* to
>> fail. Some were "too big to fail." I'm sure those small banks that got
>> wiped out felt they were in an "emergency", but there was no systemic
>> risk due to their failure.
>
> An American  viewpoint again
>
> Over here none were allowed to fail

I'm Canadian. :-) Yes, and we've seen how the market has voted --- the
Euro has been killed. You want the domain system to be a "nanny
state".....I don't think everyone else does.

>>>> Educate them, then. That was one of the recommendations from 5 years
>>>> ago. Has it been implemented? If not, why not?
>>>
>>> How?

You have an "excuse" for every educational tool. Yet, somehow you
don't apply the same critical standards to the workgroup's report.
It's "perfect", isn't it? :-)

>> Registrants are educated via WHOIS reminders to keep their WHOIS up to
>> date.
>
> Which are often treated as spam ..

How often? Show me the data. Certainly registrars can educate via
their web interfaces, oh, I don't know, when they're going to
*register* the domain name in the first place, or renew it, or make
any changes to it? If some registrars can put up 10 screens to "up
sell" before a "checkout", they can certainly design systems to
educate their own clients, if they wanted to. Some registrars prey on
their own customers' ignorance, though, and take advantage of them
(e.g. grabbing their customers' domains after expiry). I can see why
some registrars might not *want* to educate their own customers.

>> If you can't analyze the positive
>> and negative effects, then I repeat this is just a religious
>> endeavour, and not a scientifically-based data-driven policy group.
>
> Show me one that is?

The new gTLDs process is having attempts at economic reports. It's one
of the overarching issues. When folks talk about UDRPs, folks attempt
to measure the number of cases per year (if they're going up or down,
how they compare to the total number of registered domains, etc., when
arguing for/against the URS, or the GPML, etc.).

You implied above that certain security would cost "100 Euro/year".
How is it Gmail can implement SMS codes for account security, and do
it on a completely free service? How is it that PayPal can issue
security key fobs (2-factor security) for $5 (one time fee,
irregardless of account balances).

https://www.paypal.com/securitykey

(and obviously this scales beautifully, as it would be $5 whether I
own 1 domain or 100,000 domains, if applied to DNS)

> Most of the ICANN PDPs (not all) come from a perceived issue being identified 
> and a group of volunteers trying their best to come up with some kind of 
> solution (or not) to whatever the problem is
>
> In the case of IRTP we have had some hard data from ICANN Compliance, so 
> claiming that there was none at all is a misrepresentation of the facts.

Yes, that data was a small number of complaints to ICANN (something
like 50 cases, total, of claimed "hijackings"), making it rank 10th in
importance. And that "data" didn't list the domains involved, weigh
the actual "urgency" for each case, the damages, which registrars were
involved, and so on. Which ones were resolved, and which ones weren't.
Where are all the TDRP decisions, for example, so one might compare
actual cases where transfers are in dispute, to see if there are
failures of that policy? Is there a trend (e.g. one can count the
number of annual UDRP cases, court cases involving cybersquatting,
etc.)?

Garbage-in, garbage-out. There might have well have been "none", when
the "data" is of so low quality, and the registrars that claim there's
a "real problem" won't provide their data. e.g. how many domains are
being hijacked from NSI, GoDaddy, etc. on a daily basis? What were the
root causes of those hijackings? Don't you think that should *guide*
policy? Or are registrars too embarrassed to disclose the real numbers
and real facts? Too embarrassed that if we actually looked at the
cases of theft, that the blame might fall upon them (while dumb
registrants might not read ICANN Security Reports, aren't registrars
supposed to keep up from recommendations from 5 years ago?), instead
of the so called "dumb registrants" who "don't know any better" that
you're trying to "nanny."

Sincerely,

George Kirikos
416-588-0269
http://www.leap.com/