Meditations on Domain Name Transfers: Final Call for Comments To ICANN

Today I submitted comments on behalf of my company (Leap of Faith Financial Services Inc.) to ICANN regarding proposed changes to domain name transfer policy. You can read those comments in this PDF, or at ICANN’s public comment forum along with those of others such as the Internet Commerce Association. If you’d like to submit your own comments, the deadline is Tuesday August 16, 2022 at 23:59 UTC.

I’ve written multiple blog posts in the past few weeks, warning about the negative ramifications should their recommendations be adopted. See here, here, here, here and here for those past articles on the topic.

The comment submission reiterates and expands on those past articles. I also took a deep dive into each of the recommendations. It was a considerable effort (at least 40 hours, if not more) in a compressed time frame. It was truly stressful given the deadline would not be extended to mid-September (or beyond) as requested, to be a more reasonable schedule for the amount of work involved. As I note on page 5 of the submission, I could have used more time to reorganize, restructure and condense the material (which amounts to 60 pages!). Consider this a “draft” that wasn’t intended for publication, but is as good as it’s going to get in the time that was provided.

As I note in the conclusion, the most important section is Section E (generate a transaction ID at the gaining registrar, to input at the losing registrar; this way, we can eliminate the TAC). Also, retaining the “Losing FOA” (Section F), at least on an opt-in basis, to preserve the ability to ACK/NACK a pending transfer is critical. Those are the two big counterproposals, although lots of other stuff was important and needed to be said.

The unbalanced nature of the working group composition (registrars dominating) should concern everyone, as registrants’ interests are not being protected.

XPRIZE-style Competition To Improve Domain Name Transfer Security

I’ve written extensively in the past couple of weeks regarding the ICANN transfer policy review’s initial report. You can read these past articles here, here, here and here. There has also been discussion at the NamePros forum. ICANN has been obstinate in their refusal to extend the comments deadline to mid-September (or beyond) as requested (comments are due August 16, 2022, less than a week from now). [Please do keep trying to get it extended, though! Many folks I’ve talked to are only now beginning to understand the negative ramifications of the report, and need more time to compose a thoughtful response.]

Domain name security, including security of the transfer process, is important enough that it calls for fresh ideas. I propose that ICANN issue a widely publicized and open “Call For Papers” or a competition of some sort, like the “XPRIZE” but for domain name transfer and security procedures. This would encourage academics, security researchers, security practitioners, “white hats” and others to take a deeper dive into the domain name transfer system. They would be encouraged and invited to come up with new ideas that would improve security of hundreds of millions of domain names, which are at the foundation of the multi-trillion dollar online economy.

ICANN agreed to receive a controversial $20 million from Verisign upon renewal of the dot-com contract. It was intended to improve security.

I suggest that a portion of it, perhaps $250,000 to $500,000, be used to fund the total prizes and/or honoraria for an XPRIZE-style competition or call for papers. This is a small fraction of the $20 million.

Such funding would provide an economic incentive to draw new ideas and new eyeballs into the ICANN ecosystem, particularly from academia, rather than from “the usual suspects” who’ve dominated ICANN for the past 2 decades. Transfer security, and overall domain name security, is too important an issue to leave to those ‘usual suspects’.

[To make it clear that I personally would not financially benefit from such a competition, folks should be able to have any prizes/honoraria be directed to charities, rather than to themselves, as I would do to eliminate any conflicts of interest that might be seen from making this proposal.]

Making Domain Name Transfers More Secure

As previously discussed, there’s an initial report published by an ICANN working group that is making various recommendations regarding domain name transfers. One of the recommendations would eliminate the important “NACK” safeguard, which allows a registrant the ability to reject an unauthorized transfer attempt. My first blog post discussed why that’s a bad idea. A newer blog post highlighted the fact that the “AuthInfo Code” (to be renamed the “TAC” — Transfer Authorization Code) is “the key to the kingdom” and thus its security is paramount. I compared it to the lack of security of a “bearer bond” (vs. a wire transfer).

Can we do better? I’ve come up with two different ideas.


Connect.com domain name acquired by Hubspot for $10 million

[NB: As I’ve noted on Twitter, I don’t appreciate folks who are not citing my work. So, I’m “on strike”. That being said, I’ll make an exception for an eight-figure domain name transaction.]

Hubspot disclosed in a SEC filing (see p. 20) that they acquired the Connect.com domain name for USD $10 million:

In the three months ended June 30, 2022, the Company purchased the rights to the domain name “connect.com” for $10.0 million.

I’d write a longer analysis, but as I said, I’m on strike. People should appreciate that very few are actually doing original research. If you use their hard work, then you should cite and link to it, rather than just taking the results of that research to generate page views, attention, or advertising revenue (remember, this site has no ads). Don’t be a parasite or a ‘taker’. Be a giver.

There’s an important ICANN comment period about transfers policy, where I’ve asked for a deadline of mid-September in order to complete my own comments in a thorough manner. Ensuring domain names aren’t stolen should be everyone’s priority, but that working group would lower security by eliminating an important safeguard (namely the ability to “NACK” a transfer before it has completed). The Internet Commerce Association submitted a comment a couple of days ago, echoing some of the concerns I expressed on my blog. But, my concerns and comments go far deeper, and I need the time to write them all up.

If you appreciate this work, why don’t you take a moment and contact them to reiterate the need for a mid-September deadline? (see their contact info in my previous blog post here)

Update: Elliot Silver reported on the change of ownership of the domain name in an April blog post (although, at the time the price was not known). DomainGang also recently reported on a matching TM filing. (These articles didn’t impact my research, but are worth mentioning regardless.)

Die Hard Opposition To Reduced Security For Domain Name Transfers

A few days ago, I wrote about a dangerous proposal at ICANN to reduce security of domain name transfers. They extended the public comment period by 2 weeks (which is still insufficient for me), so they’re now due August 16, 2022.

Here’s a simple metaphor to understand what’s really going on. Under the current system, it’s like owning a savings account at Citibank (where it’s protected by 2FA, etc.). You want to transfer that to Wells Fargo (where it would also be protected by 2FA, etc.). You request the transfer (between banks) and they coordinate it securely (with checks and balances throughout). It’s a safe process, a verified process.

Instead, under the new “faster and easier” proposal, to make things “better”, they want you to convert your savings account into a BEARER BOND at your Citibank branch (i.e. the new TAC, transfer authorization code, formerly known as the AuthInfo code, is essentially the ‘keys to the kingdom’, so that anyone holding that code controls the future of that domain), and then walk it across the street or across town to deposit it at your Wells Fargo account. What could possibly go wrong?

Maybe if it’s a $10 ‘asset’, converting it into a bearer bond (or cash, for a less interesting metaphor, with a less creative blog post title) is no big deal. But, if it’s a $1 million asset or $640 million asset**, you start to get a little bit worried! So, I’ve been vehement that there are inherent risks carrying around a bearer bond, even for a short time! No, no, they say….this is BETTER! LOL You’re crazy, George, bearer bonds are the way, they say! Can’t you see it?

So, I’m trying to argue for at least a “certified cheque” with my name on it, or better yet a WIRE TRANSFER between banks (secure, just a little bit slower). But, they insist on BEARER BONDS as being the future!
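The bearer-bond contrast above, and the transaction-ID counterproposal summarised in the comment-submission post earlier on this page (Sections E and F), as a toy Python model of the two flows. This is an added illustration, not code from the blog, ICANN or any registrar; the class names, account strings and registrar labels are made up for the example.

```python
"""Toy model of two domain-transfer flows (added illustration, not ICANN policy text)."""
import secrets


class BearerTacFlow:
    """TAC flow: the losing registrar hands the registrant a code, and whoever
    presents that code to any gaining registrar completes the transfer. There is
    no losing-side ACK/NACK window in which the registrant can object."""

    def __init__(self, domain, registrant, losing_registrar):
        self.domain = domain
        self.registrant = registrant          # hypothetical account name
        self.registrar = losing_registrar
        self._tac = None

    def issue_tac(self, account):
        # Only the registrant's own account can obtain the code ...
        if account != self.registrant:
            raise PermissionError("not the registrant")
        self._tac = secrets.token_urlsafe(16)
        return self._tac

    def transfer_with_tac(self, presented_tac, gaining_registrar):
        # ... but once issued, the code is the only check: bearer semantics.
        if self._tac is None or not secrets.compare_digest(self._tac, presented_tac):
            return False
        self.registrar = gaining_registrar
        self._tac = None
        return True


class TransactionIdFlow:
    """Counterproposal flow: the gaining registrar generates an ID bound to
    itself, the registrant enters it while logged in at the losing registrar,
    and the transfer stays pending until the registrant ACKs (or NACKs) the
    losing registrar's notice (the 'Losing FOA')."""

    def __init__(self, domain, registrant, losing_registrar):
        self.domain = domain
        self.registrant = registrant
        self.registrar = losing_registrar
        self.pending = None  # (transaction_id, gaining_registrar) while pending

    @staticmethod
    def gaining_registrar_creates_request(gaining_registrar):
        # The ID names the registrar that created it; it is not a bearer secret
        # that a third party could redeem at a registrar of their choosing.
        return {"id": secrets.token_urlsafe(16), "gaining": gaining_registrar}

    def enter_transaction_id(self, account, request):
        # Must be entered from the registrant's authenticated losing-registrar account.
        if account != self.registrant:
            raise PermissionError("not the registrant")
        self.pending = (request["id"], request["gaining"])
        return "pending"

    def respond_to_losing_foa(self, account, ack):
        # The registrant keeps the last word: NACK cancels, ACK completes.
        if account != self.registrant or self.pending is None:
            raise PermissionError("no pending transfer for this account")
        _, gaining = self.pending
        self.pending = None
        if ack:
            self.registrar = gaining
            return "completed"
        return "cancelled"
```

In the first class a leaked code alone moves the domain; in the second, a leaked ID is useless outside the registrant’s own account and the pending transfer can still be NACKed.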

Frustrating!

P.S. **Credit to “Die Hard” for the Bearer Bonds idea.

Double Red Alert: Domain Registrars Seek Power Grab To Deny Outgoing Transfers Of Legal Domains They Dislike

As I noted in a prior post on the weekend, there’s an important ICANN public comment period that ends on Tuesday August 2, 2022 regarding the transfers policy. It contains serious security flaws that would make domain name hijacking easier, by removing the ability to NACK the transfer after the transfer request has been initiated. I won’t be able to submit comments by Tuesday, and have asked that they extend the deadline.

However, in my research I came across another startling power grab by registrars (who dominate the composition of that working group), that was inserted into the recommendations. Recommendation #19 at the bottom of page 32 of the report contains the following text:

ICANN Transfers Policy Rec #19

They propose to broaden the discretion of registrars to block an outgoing domain name transfer, from the limited “evidence of fraud” to the far broader “Evidence of fraud or violation of the Registrar’s domain use or anti-abuse policies.”

I had tweeted about this on the weekend:

https://twitter.com/GeorgeKirikos/status/1553576661995626496

and noted that it was “ripe for misuse”, since a use that one registrar forbids (politics, porn, casino, crypto, etc.) that isn’t illegal everywhere (like FRAUD) would trap a domain at that registrar (and ultimately lead to its deletion, if it couldn’t be renewed). A registrant couldn’t transfer the domain name to a registrar where that use is legal.

This is what happens when the working group is dominated by participation of registrars, without considering what the impact is for registrants. It’s one-sided and unbalanced.

Indeed, the transcript of that working group’s May 24, 2022 call is quite telling. [I literally stumbled upon that randomly this morning, while looking for something else]

On pages 15-16, Owen Smigelski of NameCheap (formerly of ICANN, and before that Sunrider — interesting lawsuit here that mentions him and also here) states:

But the rationale behind broadening the reasons for this denial is because evidence of fraud—fraud has a very specific definition. It means deceit of some type or trying to scam somebody or an illegal activity in there. It could be considered a very narrow definition. There are certain scenarios that might come up where a registrar might want to block the transfer for violation of terms of service.

So for example, Namecheap doesn’t want our services being used for hate speech but somehow somebody registers a domain name that’s hosting a Nazi website or a Holocaust denying website. Technically, that’s not fraud and we wouldn’t be able to block such a transfer. But if we wanted to, under our terms of service, which says, you can’t post hate speech, we decided we want to block that transfer, we’d be able to do that as a material violation of our agreement as opposed to being forced to let somebody put something out there that us as a company does not want to escape further into the wild.

This is incredibly poor reasoning, indeed dangerous for registrants. It’s one thing to say “we don’t want you as a client”, but another thing to say “we’re going to prevent you from taking your domain elsewhere” over a dispute of the terms of service (as opposed to actual criminal activity).

While despicable, hate speech is legal in the United States. (Inciting violence isn’t legal, but hate speech itself is legal.) Same goes for Nazi and Holocaust denying websites, at least in the United States (where NameCheap is based, and the jurisdiction of its registration agreement).

Volker Greimann immediately pushed back against that in the working group, saying (page 16 of the transcript):

I agree in principle but I think the language is a bit too broad because simply put, a registrar can make anything a material violation of the registration agreement. We certainly have non-payment of fees in there. We have provision of incorrect registration data in there. We have all kinds of things that we consider a material violation of our registration agreement. And we might not want to have all of them be a reason for blocking a transfer. So I think we need to be a bit more specific. It’s hard [inaudible].

On pages 17-18 of the transcript, Mr. Smigelski brought up the concept of “guardrails”:

And Volker, I agree that that’s a concern and that’s why I want to put those guardrails in there and implementation note, which would be in a report and then, carried forward into an eventual policy to give some more guidelines on that. Happy to consider other wording to put that in there. I was just trying to give some flexibility to the registrars who might want to block for whatever reason. But also, at the same, making [inaudible] you didn’t cross a T properly, so we’re going to deny the transfer.

Yet, if you go back to the actual text in Recommendation #19 above, there are no guardrails! It’s just a pure power grab. Indeed, Mr. Smigelski literally said above “I was just trying to give some flexibility to the registrars who might want to block for whatever reason.”

Read that again! “…who might want to block for whatever reason.”

Zak Muscovitch (of the Internet Commerce Association, which is pro-registrant, but representing the Business Constituency (BC) in his participation in the working group; the BC is essentially captured by trademark holders — i.e. it’s mostly a clone of the Intellectual Property Constituency) entered the debate on page 20 of the transcript:

This isn’t a hill that I would come close to dying on, but I’m just wondering, if there is a registrant that is violating a registrar’s domain use or anti-abuse policies or Namecheap’s anti-hate speech policies, that’s one thing. But let’s imagine a registrar that—because registrars can write in anything they bloody well want into a registration agreement. They can say that you’re not allowed to use a domain name for anything about the color blue. And so, someone’s using it for the color blue and maybe the registrar has the right to disable them from using the domain name at their registrar.

But if that registrar [sic — should be “registrant”] wants to move it to another registrar, that doesn’t have this policy, there’s another willing registrar, what’s the problem with the registrar of records saying, yeah, get the hell out of our registrar with that blue-related use of your domain name. If you could find someone else that doesn’t have that policy and tolerates it, by all means, it’s out of our hair. I think there’s an important distinction between permitting a registrant to use a domain name not one that’s registered in violation of one’s policies, but getting them out of there is a different thing.

With all due respect to Zak, it might be a “hill worth dying on” (although there are so many bad things coming out of ICANN, it’s tough to pick and choose!). It’s a very dangerous proposal. It’s being sneaked into the transfers policy recommendations, which few people are monitoring (because it’s supposed to be a “technical” working group), instead of having a broader debate in an anti-abuse working group (where the definition of “abuse” is very carefully monitored).

Let’s take a look at NameCheap’s registration agreement to see precisely what they consider to be undesirable:

You agree not to use the Services provided by Namecheap, or to allow or enable others, to use the services provided by Namecheap for illegal or improper purposes. As such, you agree not to:

  • violate the laws, regulations, ordinances or other such requirements of any applicable Federal, State or local government, including those that relate to privacy, data collection, consumer protection (including in relation to misleading and deceptive conduct) and applicable consumer laws in respect of fair lending, debt collection, organic farming (if applicable), disclosure of data and financial regulation;
  • transmit any unsolicited commercial or bulk email, not to be engaged in any activity known or considered to be spamming or Mail Bombing;
  • cause repetitive, high volume inquiries into any of the services provided by Namecheap (i.e. domain name availability, etc.);
  • infringe any copyright, trademark, patent, trade secret, or other proprietary rights of any third-party information;
  • use the Services for content that will profess hatred for particular social, ethnical, religious or other groups;
  • use the Services to distribute viruses, malware, abusively operating botnets, phishing, Trojan horses, worms, time bombs, corrupted files, or any other similar software or programs that may damage the operation of a computer or a person’s property;
  • contain warez; contain any kind of proxy server or other traffic relaying programs; promote money making schemes, multi-level marketing or similar activities; contain lottery, gambling, casino; contain torrent trackers, torrent Portals or similar software;
  • redirect to another website without their permission and/or to impersonate another person or company;
  • use for the purposes of impersonating another person or entity such as redirecting a domain to another website without permission and/or using a domain to send fraudulent or abusive emails;
  • use the Services in a manner that is violent or encourages violence;
  • violate the Ryan Haight Online Pharmacy Consumer Protection Act of 2008 or similar legislation, or promote, encourage or engage in the sale or distribution of prescription medication without a valid prescription;
  • use the Services for fraudulent or deceptive practices, counterfeiting or otherwise engaging in activity contrary to applicable law.

One can see immediately that it’s very broad (like most registration agreements at registrars). Note how the very first sentence states that it’s not just “illegal” purposes, but also “improper”, which is extremely broad and subjective. Indeed, NameCheap (or any other registrar granted such discretionary powers to block outgoing transfers) would presumably be judge, jury, and executioner, and wouldn’t rely on an actual court to make a decision.

I’m not going to go through every point in their agreement (since I already made the “hate speech” arguments above), but let’s take a look at the “spam” language, namely “transmit any unsolicited commercial or bulk email”. The word “any” is quite powerful (i.e. just 1 message is enough! How would domains of political parties ever survive, given how often their messages are marked as spam?), especially when combined with the fact that it’s not just your own behaviour as domain name owner that matters — one also needs to police “others” as per the very first line above.

Would a domain name like Gmail.com pass that test, given it allows others to send messages? Gmail.com is used by a considerable number of spammers. Of course, Google takes anti-spam measures seriously, but one could easily interpret that domain as being in violation of NameCheap’s agreement. Google is very powerful and would fight back, so NameCheap would never use that weapon against someone like them. Instead, they would tend to use that weapon against the less powerful. However, the less powerful are those that most need to be protected against misuse of such discretionary powers. Raise your hand if you’re less powerful than Google…(of course, Google doesn’t have Gmail.com at NameCheap).

How about the part about “redirect to another website without their permission” — would the famous Loser.com domain be trapped by such a policy? It has been redirected to numerous sites (like that of Al Gore), presumably without permission.

Actually, going back to the “hate” text, their terms are “profess hatred for particular social, ethnical, religious or other groups;”. Would it be a violation of their agreement to say that you “hate spammers” or “hate the New York Yankees and their fans” or “hate dumb lawyers in ICANN working groups with too much time on their hands”? Spammers, New York Yankees fans and dumb lawyers in ICANN working groups with too much time on their hands are certainly “groups” and thus fall under “other groups”.

How about the part about “infringe any copyright”? Any site with user-generated content regularly has challenges in that regard. But, you’re at NameCheap’s discretion. They simply want the power to go after the “bad guys”, and ask us to trust them not to misuse their discretionary power.

I think that the people we should mistrust are those who seek extraordinary and one-sided powers in the first place.

In conclusion, this report is replete with dangerous proposals that will harm registrants. An extension of time is needed so that the public can fully digest the report and submit high quality comments.