NordVPN Promotion

Home / Blogs

A Case for Further DNS Registrar Industry Self-Regulation

BLACK FRIDAY DISCOUNT - CircleID x NordVPN
Get NordVPN  [74% +3 extra months, from $2.99/month]

In most industries, businesses that blatantly act against the interests of their customers to favor their own internal profit centers would either not be allowed or else subject to controls and oversight by the government. It is universally regarded as an unfair and deceptive business practice. In the domain name registrar business, however, the normal practices of legitimate business dealings and customer protection seem woefully wanting. Kelly’s Case described here illustrates the point, and it provides the opportunity for ICANN to demonstrate it can be responsive to egregious registrar behavior without government agencies or juridical bodies becoming engaged.

A young woman starting up a business recently conveyed a disturbing set of facts. I’ll call her Kelly. Kelly started up a web-based business five years ago, as part of an MBA enterprise development initiative. She created an LLC, registered a related domain name, and over the subsequent years built a business with innovative services, and a trademarked brand name with intellectual property—all associated with the domain name. She regularly ensured the domain registration fee was paid.

Suddenly she found the domain was not functional, and contacting the registrar was told that without her notice, knowledge, or approval, the domain had been hijacked—sold to what appeared to be a domain name collector. She was instantly out of business. Upon further inquiry to her amazement, she found out that the “hijacker” was the registrar itself—the auction unit within the registrar. After pursuing the matter within the registrar’s own processes, she was informed that the registrar regarded its obligations with to its own auction business unit, not her as a customer.

The basis for the registrar’s action was that five years previous when she had registered the domain name, she was enticed by the auction business unit to see what the domain name was worth. No further communication occurred and the relationship with the registrar auction unit itself was terminated—but apparently not the right to “hijack” the domain to sell it off. To the extent a clickthrough agreement existed, it would certainly be unconscionable. She never imagined that the registrar could years later simply transfer the domain name to its own business unit for sale to a third party without notice or approval by her. What is all the more appalling here is that the registrar also reviews its own actions and declared its actions are final in favor of the business unit. She was told by staff verbally that although this was patently unfair, the registrar regards its obligation is to its auction business unit rather than the registrar domain name customer.

From a legal and public policy standpoint, Kelly’s Case raises multiple significant concerns that seem increasingly common. The potential for abuse goes back to the Anti-cybersquatting Consumer Protection Act (ACPA) in 1999, and a considerable body of law has emerged. It is apparent that the U.S. Federal Trade Commission and its counterparts, as well as the courts in many jurisdictions, have instituted multiple actions against domain name registrars for unfair and deceptive practices. Indeed, the FTC itself—concerned about the potential increase in registrar deceptive practices and fraud—has repeatedly asked ICANN “to take additional steps to protect consumers.”

Other than a pro forma creation of an ICANN Data and Consumer Protection Working Group in 2010, however, it is not apparent that ICANN has actually done much of anything to protect consumers against the kinds of rather egregious activities and actions that Kelly’s Case raises. Indeed, until the very recent appointment of a new senior VP for contractual compliance and consumer safeguards, ICANN has been asleep in this area. As part of the group 20 years ago that helped initiate ICANN as a means to help nurture industry self-regulation, I personally find this situation dismaying. It puts the attempt to achieve domain name industry self-regulation at risk. Perhaps now, ICANN consumer protection action will occur—if for no other reason than to ward off government regulatory intervention.

By Anthony Rutkowski, Principal, Netmagic Associates LLC

The author is a leader in many international cybersecurity bodies developing global standards and legal norms over many years.

Visit Page

Filed Under

Comments

A registrar's ICANN accreditation results in the Charles Christopher  –  Mar 27, 2017 3:40 AM

A registrar’s ICANN accreditation results in the requirement that the registrant agree to a terms of service in order to registrar a domain. ICANN has specific requirements as to components of that Terms of Service. In fact these terms are terms ICANN requires of the registrar and registry, which then is required to require the registrant to agree. This gets ICANN, the Registrar, the Registry, and the Registrant all “on the page page” .... Or so that is the idea.

Thus, a registrant can’t register a domain name without agreeing to a Terms of Service (driven by ICANN at a minimum).

Registrars then add the following “These terms may change at any time without notice to you”. And thus the registrar renders the whole agreement meaningless to the registrant. In effect, the registrar is only ever truly bound by the value it places on its Reputation, and nothing more. What can it get away with before profits fall. The marketplace rules .....

Which is why, in this industry, “name and shame” is very powerful. If professional domainers use this registrar, they WILL run if they know this registrar does this. And others will as well as the pros spread the word of this behavior on various forums. And this damage becomes hard to undo, deservedly so.

However, this is another example of what I pointed out in this thread:

http://www.circleid.com/posts/20140314_icann_complaint_system_easily_gamed/

In order for Kelly to have lost her domain, the registrar did not follow their ICANN required policy. You can read a good description of it here:

https://opensrs.com/blog/2016/06/icanns-new-transfer-policy-will-impact-business-customers/

Simply put, the new transfer policy also covers “pushes” (transfers inside a given sponsor) and thus since she did not approve the transfer the registrar in not in compliance of it’s ICANN agreement. Yesteryear “pushes”, where not covered, now they are. No excuses for this happening, period.

So now we have two examples, in two weeks, of registrars not doing what they are require to do, and ICANN not involved with making sure they do. And in both cases, transfer policy requirements are NOT BEING IMPLEMENTED.

Yet again, name and shame.

Especially deplorable and impactful Anthony Rutkowski  –  Mar 27, 2017 9:01 AM

What makes Kelly’s Case especially deplorable and impactful is that her business was modelled after WebMD(TM) for horses.  It is the principal site worldwide for the exchange of near real time horse health information within the equestrian community.  Extensive infographic programming is used to assist novices to detect and understand the nature of the illness or injury.  So the Registrar’s behavior here has far reaching, adverse consumer effects.

>So the Registrar's behavior here has far Charles Christopher  –  Mar 27, 2017 2:36 PM

>So the Registrar's behavior here has far reaching, adverse consumer effects. In my view, all the more reason to "Name and Shame". And once she gets the domain back, and she will if she fights this correctly, be sure to place a detailed page on the site regarding what happened. Impact this registrar's top line and that will be more incentive to change than any likely ICANN actions ever will. The "Name and Shame" should never disappear from that web site, NEVER. Long ago I predicted ICANN would seek supranational status once it gained monopoly control over the root, which nTLDs did. What I never thought through, and what this and the other article are pointing to, is Registrar's in effect using that ICANN supranational status to hide themselves from accountability to registrants. We are quickly going downhill. Anthony, feel free to contact me directly (CircleID internal messaging system) as I can put you in touch with one of the worlds best lawyers on such matters. He is also a good friend of many years. We should all take this very personally. The internet is too precious a tool of humanity to let this continue, and likely get far worse.

Something is fishy... Andrew Allemann  –  Mar 27, 2017 3:08 PM

Something is fishy about this story. Did you use whois history to verify that the domain name didn’t expire?

Good question.From the article "built a business" Charles Christopher  –  Mar 27, 2017 3:34 PM

Good question. From the article "built a business" and "Suddenly she found the domain was not functional". There should be a gap between expiration (as defined by the registrar, there is a grey area here, i.e. TOS) and the moment of transfer to another party. That gap should change the DNS so as to signal the registrant their domain expired, or some other problem. So if those two quotes are in fact true, and the domain did expire, there is still a problem, but it's a different problem and one that I think remains outside of policy I am aware of. That is to say what "DNS communication" is acceptable to signal a registrant their domain is about to be lost do to expiration. Failure of any notification of significance is still worthy of "Name and Shame" as emails change and credit cards expire, this is the problem with renewing out many years .... A classic case of poor domain management, and yet the registrar industry is mature enough to understand this and use "DNS signaling".

I read that, and it doesn't add Andrew Allemann  –  Mar 27, 2017 3:46 PM

I read that, and it doesn’t add up to me. That’s why I suggest that perhaps it expired. It’s odd that the author didn’t reveal the domain or the owner, as it’s not a very confidential issue.

I know of no registrar that would do this unless the domain actually expired. I’d rake them across the coals if they did, but I doubt it’s what happened.

That said, I’d like to give the author the chance to explain this.

Nothing fishy; it is all quite accurate Anthony Rutkowski  –  Mar 27, 2017 3:56 PM

It is factually accurate, and I have personally verified all the records.  The domain was on autopay and fully paid with a receipt.  It ensued as described, and the registrar staff did verbally apologize for the company’s behavior.

It also appears from cursory searching that the registrar involve has exhibited the same egregious behavior with other parties, and one notable Internet figure who is a longtime friend a cohort in Ira Magaziner’s formative group, even conceded the such behavior is not uncommon for some registrars.  He also asserted that ICANN doesn’t have “enforcement” power to prevent it.  I argue to the contrary - that ICANN should step up to be the industry “governance” body that it proclaims it is - and clearly has the resources to achieve.

And then there is also the “Name and Shame” avenue which I expect Kelly will also pursue.  She is a gutsy young lady who passionately has tried to use the Internet to bring healthcare and better treatment to animals worldwide.  Part of this shame, however, is that of ICANN which seems feeble in the area of consumer protection, as well as the industry generally and even organizations like ISOC that are effectively complicit and allow the known bad apples to persist with their behaviors while taking the money provided.

>He also asserted that ICANN doesn't have Charles Christopher  –  Mar 27, 2017 4:23 PM

>He also asserted that ICANN doesn't have "enforcement" power to prevent it. What part of the Tucows link describing the NEW transfer policy does this person not understand? I can dig around for the docs on ICANN's site ... But I liked the Tucows articulation as more people will understand it. Transfers now REQUIRE action on the part of the losing registrant. The registrar is out of compliance, enter ICANN. Did this domain transfer/loss occur BEFORE that policy change? >Part of this shame, however, is that of ICANN which seems feeble in the area of consumer protection Yes they are. They do not directly receive payments from registrants, "follow the money". However the CURRENT name transfer policy DOES address some consumer protection issues, specifically the one you present. That was part of the motive for the change, remove "excuses".

So the domain was fully paid and Andrew Allemann  –  Mar 27, 2017 4:14 PM

So the domain was fully paid and the registrar just took the domain?

You or Kelly should contact me about this.

[thumbs up] Charles Christopher  –  Mar 27, 2017 4:25 PM

[thumbs up]

I need to recant some of my Charles Christopher  –  Mar 27, 2017 7:46 PM

I need to recant some of my comments. I am wrong about the handling of INTRA-registrar transfers, in the sense that registrars can game their TOS around the policy. Andrew has good details here, and as usual John Berryhill gives great “color commentary” in the comments section.

http://domainnamewire.com/2016/12/01/new-domain-transfer-policy-goes-effect-today-heres-need-know/

More details would help Thomas Barrett  –  Mar 27, 2017 7:49 PM

Anthony,

It might be enlightening if you can determine the answer to some questions:
1. what was the date that this occurred?
2. was the domain expired?
3. was the domain still listed for sale at the auction house since her original enticement?
4. was the registrant offered any funds from the auction?

There are two pertinent ICANN policies that all Registrars need to follow:

1. Post-expiration policy. (see https://www.icann.org/resources/pages/errp-2013-02-28-en)
If the domain was expired, then Registrar MUST disrupt the DNS before taking further action on the domain.  This policy has been in place since 2013

2. Change of Registrant policy.( see https://www.icann.org/resources/pages/ownership-2013-05-03-en)
This is a brand-new policy effective December 1, 2016.  This policy is designed to prevent domain name hijackings.

This policy should apply to auction houses as well, although there is an exemption called “designated agent” that the auction house may be using if the domain name was listed for sale at the auction house and never removed.  But this is pure speculation and would only be applicable post-December, 2016.

I would be happy to help out offline if you prefer.

More details Anthony Rutkowski  –  Mar 27, 2017 8:50 PM

Many thanks for all the many people who are providing support and assistance.  The domain is horseDVM.com - a site dedicated to the exchange of horse health information among equestrians and which maintained the HorseDVM(TM) brand for nearly five years.  The site (and brand) included especially innovative and evolving infographics for inexperienced horse owners though her coding and embedded databases.

1. The transfer occurred this past Friday, 24 March at about 04.00 Eastern time
2. The domain name had not expired.  It was on autopay and checked regularly   It was renewed on 3 March and a receipt was provided by the registrar.
3. She asked the auction unit in 2012 to terminate her account, and never heard further from them since that time, until Friday morning when they told her that the domain was sold. 
4. She received no offer, but the registrar automatically transferred a portion of the bid proceeds (about $105) to a PayPal account for which has no access.

During the several followup emails and telephone calls that she immediately initiated, some of the registrar staff admitted verbally that the auction unit “seemed to have screwed up,” but that they viewed their obligations to the business unit and that the matter was final.  Other staff were simply arrogant and unhelpful.

The registrar also would not assist in identifying or any communication with the acquiring entity - which appears to be some kind of IPR agent for Chinese clients whose phone number is not functional, and there is no answer to emails.

The website content continues to be hosted and available at http://www.horseDVM.com, even though Kelly’s ownership of the domain has been taken as reflected in the Whois record.  Although this helps the equestrian community that relies on the site, it further exacerbates the hijacking and IPR theft.

This is an opportunity for the registrar community to demonstrate they can really govern their own affairs, as well as for the registrar itself to rectify the matter before the incident details become more public and gets appealed to industry and governmental oversight authorities.

Well from whois, and the registry, HorseDVM.com Charles Christopher  –  Mar 27, 2017 9:22 PM

Well from whois, and the registry, HorseDVM.com is currently sponsored by GoDaddy. This reminds me of: "GoDaddy goes to great lengths to hide its expired domain warehousing operations." http://domainnamewire.com/2008/12/03/standard-tactics-llc-how-godaddy-profits-from-expired-domains/ http://domainnamewire.com/2008/12/11/domain-name-wire-on-go-daddy-radio-show/ And to be clear, I have no relationship with Andrew. But credit where credit is due, he covered this well 10 years ago, and I recall it happening and watching the details unfold. Which it why I knew where to dig up the skeletons ...

Charles, to be clear, this isn't a Andrew Allemann  –  Mar 27, 2017 9:33 PM

Charles, to be clear, this isn’t a case of GoDaddy warehousing domains.

In this case, the domain owner apparently listed the domain with a buy now price on either GoDaddy premium listings or Afternic. Someone bought the domain at the buy now price, so the domain was instantly transferred.

The domain owner believes they canceled that listing many years ago.

Agreed. I see the crack in the Charles Christopher  –  Mar 27, 2017 9:56 PM

Agreed. I see the crack in the floor. >The domain owner believes they canceled that listing many years ago. The conflict of interest remains, and its especially problematic for non-domainers who have no understanding of the secondary market. Thus I thought your articles appropriate, I apologize if I am mistaken.

To be clear, it is an unfair and deceptive business practice Anthony Rutkowski  –  Mar 27, 2017 10:02 PM

Apart from the facts here that the registrar appears to have erred, there some fundamental juridical and public policy issues here.  The concepts of transparency and notice are universally accepted.  The rejection of unconscionable agreements is also firmly established in our legal systems.  The registrar’s behavior here is almost certain to be held unconscionable is any judicial litigation.

Registrars owe an obligation first to their domain registration customers and the integrity of the domain name system.  The creation of registrar business units that auction domain names to third parties is inherently subject to abuse and conflict of interest.  There is a duty of care to the registrant - especially when the relationship has existed for five years.  To the extent an auction operation is allowed, there needs to be special care to ensure transparency and notice to the parties, including approval of transactions.

Keep in mind that the system worked Andrew Allemann  –  Mar 28, 2017 12:04 AM

Keep in mind that the system worked how it’s supposed to work, and how it works to the benefits of hundreds of people that buy and sell domain names every day:

A domain owner lists a domain with a buy now price on the system. Someone buys the domain name and it’s instantly transferred to their account.

The issue here is that the seller listed the domain name for sale before they developed the site, and obviously did not intend to sell it many years later. The seller says they somehow canceled the domain from being for sale, perhaps by not renewing the GoDaddy Auctions membership. But not renewing the membership does not remove domains from being for sale. (I’ll disregard the GoDaddy phone rep’s comments about a mistake, because they try to appease customers and work within a silo at the company.)

So, regardless of whether the listing was every canceled or not, I think this can be a learning opportunity for GoDaddy. It can be rather confusing. GoDaddy should send out an email once a year reminding customers of their fixed price listings. This wouldn’t be too difficult to automate, and would have avoided this unfortunate situation.

Worked for who? Anthony Rutkowski  –  Mar 28, 2017 1:06 AM

You can always create a construct where some system “worked.”  In the financial industry during the “big short” era, the system worked for the benefit of the large financial institutions who were feathering their own beds to the detriment of their customers.

Registrars exist for the purpose of providing DNS related services and owe an obligation to the vast preponderance of customers who are purchasing those services. They are being sold the protection of their domain names and associated resolver support services.  Indeed, the successful operation of the entire DNS infrastructure is dependent on that trust and the resiliency provided.  The system is supposed to “work” for them - not the gaming operations being run on the side by the registrars and those customers.

It is not apparent why an instant transfer without ensured notification to and explicit approval of the domain owner is tenable under any circumstances given the adverse consequences.  Furthermore, in the instant case, the seller explicitly cancelled service and GoDaddy auctions plainly knew or should have known that there was no basis for them selling the domain.  Under any construct, it was unconscionable for them to do so.  It was not their domain to sell.

It is also apparent that this not an isolated incident of this deceptive “system,” and class action litigation is a real possibility.  This is in addition to embarrassing publicity, as well as administrative actions via the FTC and ICANN. 

And then lastly, there is the premise for this article - it adversely affects the self governance of the entire industry and the stature of the other registrars and organizations who appear to be willingly complicit to known inappropriate if not unlawful behavior occurring in the industry.  Think of a media special entitled “The Internet Big Short.”  It is fairly apparent there is a sufficient ensemble of irate and motivated people here to take whatever steps are necessary to bring about corrective action.  I am still waiting for Nima Kelly to respond to my communications - if nothing else as a matter of professional courtesy.

>You can always create a construct where Charles Christopher  –  Mar 28, 2017 2:03 AM

>You can always create a construct where some system "worked." >It is not apparent why an instant transfer without ensured notification >to and explicit approval of the domain owner is tenable under any >circumstances given the adverse consequences. Pondering this policy itself is creating a problem, which in turn a registrant is given a method to opt out of that policy because of "problems" the policy creates. There is ignorance (ignoring something) and there is nescience (having no reason to know something). A carpenter has no reason to know how to wire a house, and an electrician no reason to know how to frame a house. Todays policies are creating more and more "signaling" (detailed domain status communications and involvement of them in changes that occur) to retail customers so they can have confidence in the status of their domain, and that the domain will not disappear on them. Without such confidence, understanding, and simplicity, retail customers would be less likely to take risk such as working on a website for 5 years. The value extends beyond the domain name itself. For a professional registrant, the "signaling" creates busy work that they would like to avoid. The professionals position is, if they have the money, transfer it and give me the money. I don't care about much else and I don't need to hear all the details except when the money deposit is made. Running those two on the same system will cause problems and an additional policy is unlikely to ever solve it without causing more problems for the retail customer, or the professional customer. The retail customer, again with more and more "signaling" being provided, can't comprehend the idea that checking this box means your domain could disappear at any moment without any communications or notice. And further know what hoops might be required to make this type of state go away so the domain may be considered secure, all the "signaling" returned. To me this is a natural gray area of life and business, you mix those to into one place and there will be lots of problems. When the problem happens the situation should be fairly clear, retail registrant had one (or a few) domain they were nescience that things would now happen without any involvement of them or any notice to them. If they have 100 domains in their account, all on the sales platform, then they were ignorant, they are pros, cut them no slack. Can I reasonably assume in good conscious a retail customer knows what they are getting into when they enter a fast transfer sales system? And this happens in an policy environment that is trying to give registrants more and more information to protect them? No. We take for granted that the registrar has "belief" the retail customer knowingly entered a service agreement, and we reject the registrants belief they terminated that agreement. Name and shame still seems like the solution, but the problem needs clear articulation. The ability to opt out of the assumed to happen signaling (policy) seems like the problem to me, and that option is created by the pros desire to avoid all the signaling on the shared platform (but know what that means).

The owner of ShadesDaddy.com pulled out all Louise Timmons  –  Apr 1, 2017 3:37 PM

The owner of ShadesDaddy.com pulled out all the stops to get his trademark name for his successful business, after the domain was stolen, by:

corporate lobbying
pushing in all directions
including talking to FBI agents
filing a federal lawsuit

Ref:
ALERT: Multi-million dollar business domain ShadesDaddy.com has been stolen!
http://domaingang.com/domain-news/alert-multi-million-business-domain-shadesdaddy-com-stolen

Verisign returns ShadesDaddy.com to lawful owner with executive decision
http://domaingang.com/domain-news/verisign-returns-shadesdaddy-com-lawful-owner-executive-decision

ShadesDaddy founder offers advice on Domain Name Hijacking recovery
http://domaingang.com/domain-crime/shadesdaddy-founder-offers-advice-on-domain-name-hijacking-recovery

ShadesDaddy case was picked up by Forbes and the Wall Street Journal.

Your friend needs to do all of the above:

alert the FBI
file a Federal lawsuit

Here is a list posted by Pablo Palatnik, owner of ShadesDaddy:

Understanding the role of the company that operates the domain hierarchy
Alerting the domain Registrar immediately
Hiring an attorney
Speed up the process by filing a motion at court
Go public about the incident

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

New TLDs

Sponsored byRadix

Brand Protection

Sponsored byCSC

IPv4 Markets

Sponsored byIPv4.Global

Threat Intelligence

Sponsored byWhoisXML API

Cybersecurity

Sponsored byVerisign

Domain Names

Sponsored byVerisign

DNS

Sponsored byDNIB.com

NordVPN Promotion