Proposed ICANN "Expedited Transfer Reversal Policy" could disrupt secondary market

[GeorgeK]

[I tried posting this in the "News" forum 12 hours ago, but it still hasn't shown up]

ICANN, in typical fashion, released an important policy report yesterday (a Saturday during the US Memorial holiday long weekend) that folks might not notice until it's too late. It's regarding the work from the Inter-Registrar Transfer Policy Working Group, and the report is at:

http://www.icann.org/en/announcements/announcement-2-29may10-en.htm

What's especially of concern is the proposed "Expedited Transfer Reversal Policy" (ETRP, see Annex C of the PDF, page 49) which would permit the registrant at the "losing" registrar to undo a transfer for up to 6 months after a transfer. There is currently no mechanism to dispute the proposed ETRP.

This proposal would create great uncertainty in the secondary market for domain names, as it means a "transfer" isn't considered final for up to 6 months after a purchase, assuming one changes registrars during a transaction, which is almost always the case.

Here's the typical pattern of a purchase. Example.com is registered at RegA, and you want to buy the domain name, but transfer to RegB during the transaction (RegB might be your "home" registrar (Tucows for me), or might be Moniker who does escrows, etc.). At present, the seller would get paid immediately after the domain name transfers from RegA to RegB, and you'd have control of the domain name at your preferred registrar (RegB). If there was a dispute, it would go to court, etc., and RegB would await a court ruling. The good faith buyer is definitely protected.

Under ETRP, though, it would be a nightmare. How would the buyer know for sure that he/she has control and ownership of the domain name, when the seller could simply undo the transfer for up to 6 months??!!?? The seller would end up with both the cash AND the domain name, and the domain name would be at RegA (a registrar you don't want the domain name to be at). You as the buyer would then need to take the seller to court, and the relevant jurisdiction would no longer even be that of RegB (your preferred registrar), but would be that of RegA.

A Moniker or other company that uses their own registrar to ensure a secure transfer would not be able to help at all, because they are "RegB." All the power reverts to RegA (the original "losing" registrar). Not only that, the registrant at RegA indemnifies RegA itself, so RegA doesn't even care if they are "stealing" back a legitimately purchased domain.

One approach to try to "solve" this problem, as a legitimate buyer, would be to transfer the domain name at RegA first. So, for example, if the domain name is at GoDaddy or NSI, you would do an internal change of registrant transfer, keeping the name at that registrar. However, then you are stuck for 60 days, as most of these registrars have been trying to hold the domain name hostage for that amount of time, to get extra renewals, etc. So, for 60 days you are in limbo at a registrar that you don't like, and one that is probably not in the legal jurisdiction you want to be in (e.g. GoDaddy = Arizona jurisdiction, which would not be good). During that 60 day period, do you really have full control of the domain name? I would say "No", because you (as the legitimate buyer) would face the possibility of the transfer being undone by a registrar that you don't want to be at.

Anyhow, this is a very messed up proposal. If you look at DailyChanges.com or RegistrarStats.com, you'd quickly see that transfers make up roughly the same number of daily transactions as new registrations. So, it's very important that any changes that would have such a major impact on the secondary market for domain names be well thought out.

If one looks at the composition of those who were on the workgroup:

https://st.icann.org/irtp-partb/index.cgi

(see the bottom) it appears most do not even understand the grave impact such changes would have on the secondary market (which is probably greater in economic value than the primary market). I'm all for fighting domain hijacking, but this "solution" is far worse than the problem it is trying to solve. There needs to be a secure and predictable procedure for the irrevocable transfer of a domain name to a legitimate buyer, yet ICANN is now making the process less predictable and more risky for the buyer. The legitimate buyer would face at least 60 days (and up to 6 months) of risk without due process if the proposal is accepted.

What's even more appalling is that ICANN didn't even open up a comment period yet, so that folks could get their opinions on the record! The comment period won't begin until July 5th, and will last only 20 days. This is silly, given that it costs $0 to open up the comment period now.

In the meantime, I encourage folks to contact their registrars to make sure that your voices are heard, and perhaps blog about the issue if you have a blog, etc.


BTW, even if you became your own registrar, this policy change would still affect you as a buyer (as the registrant at the losing "old" registrar has all the power, and the transfer is done by the registry operator, even over the objections of the new registrar).

It also means people moving domains from less secure to more secure registrars are also not protected!

The right "solution" to the problem of domain hijackings, by the way, is to raise the level of security at all registrars, e.g. two-factor authentication, executive lock, Verified WHOIS, having a WHOIS history archived at the registry level (so one can do a proper "title search"), etc. Registrars should "know their customers", and refuse the transfer if there's any doubt. Once the transfer has taken place, it should become irrevocable. VeriSign has 2 services for additional locks, see:

http://www.icann.org/en/registries/rsep/

(#2009005 and #2009004) albeit they should have been offered on a competitive basis, instead of being another monopoly service that is not price regulated.

Instead, this proposed policy excuses the "weak" registrars, and punishes the strong registrars. It will actually incentivize registrars to lower security, instead of improving it, because "Hey, you can always challenge the outgoing transfer later." This perverts the incentives.

The onus should be on the current registrant (a future seller) to move their domains to a secure registrar -- there are enough options out there that if your name isn't already at one, it's your own fault for not moving it there by now.

 

[tekz999]

Put back the monkeys back to the zoo. Outrageous.

 

[GeorgeK]

Note this has a grave impact on sellers, too, not just buyers. Suppose you are the seller, and I'm the buyer. You want to sell me Example.com.

Under this proposed policy, the domain name can't be properly delivered/transferred to me without maintaining a huge liability, i.e. the seller maintaining the option to "undo" the transfer within 6 months. That liability tarnishes the domain name, it makes it less desirable, because I as a buyer can't gain clear title to the domain name through an irrevocable transfer. This means if I want to buy the domain name, I'm going to offer you less money.

As a seller, you can argue until you're blue in the face that you'll never undo the transfer, but as long as that policy becomes in place, the risk exists that you will undo it. That risk can be represented by legal costs in terms of defending that domain transfer (of course, by then, the buyer would have lost the cash and the domain name, and be on the hook for major legal costs if the transfer is undone). That legal cost is going to hit less valuable domain names even harder. On a $300,000 domain, I might factor in potentially $25,000 or $50,000 or $100,000 in legal costs. On a $100 domain, or a $5,000 domain name? The legal costs alone to defend the transfer start to become far in excess of what the domain name is worth. So, the rational legitimate buyer will just walk away, and not bother to buy the domain at all.

This also affects big companies. For example, routinely big firms do stealth acquisitions through companies like Marksmen, Sedo, Moniker, and others to acquire good domains (e.g. Microsoft acquiring office.com, kin.com or docs.com). Now, if the seller realizes after the fact they've just sold a domain name that ends up at Microsoft for $50,000, instead of $1 million, they'll have the opportunity to renege on the deal and undo the transfer. Of course, then Microsoft/Marksmen/Sedo/Moniker would have to sue to defend the transfer. Those legal costs to sue will always have to be factored in as a buyer. What if the buyer has the domain name at a Chinese or Indian registrar (which is where it will end up with if the "undo" happens)? Good luck finding a Chinese or Indian lawyer, if you're in Canada, USA, or Europe.

This is why there's no "undo" for real estate transactions....i.e. there's a clear way to transfer title irrevocably. Heck, even in the shipping industry, there's a notion of "FOB" (Free On Board)

http://en.wikipedia.org/wiki/FOB_(shipping)

which delineates exactly where the liability starts and ends for the delivery/transfer/shipping of goods. When I'm a domain buyer, I want to be able to say "You get paid when the domain name is delivered to me at Tucows. Period." Under this proposal, there'd be a 6 month period where the seller can't make that clear delivery/transfer. Or alternatively, they can deliver, but only at a registrar I don't want to be at (e.g. internal transfer at NSI/GoDaddy, etc.). In either scenario, you're not making the delivery I want, and so I'm going to have to pay you less for the essentially "damaged" goods (i.e. damaged in the sense that they carry a huge potential liability with them, until the title passes irrevocably).

---------- Post added at 07:48 AM ---------- Previous post was at 07:33 AM ----------

It also obviously has a huge impact on escrow companies (e.g. Moniker.com, Escrow.com, Sedo) in addition to the "stealth" acquisition firms, and other brokers/middlemen, as there's a huge ongoing liability if the transfer cannot be done in an irrevocable manner.

 

[tekz999]

Why is this policy so idiot? Just same as ebay removing seller's rights to leave negative feedback on buyers. It favors one side and creates imbalance.

 

[GeorgeK]

This isn't just "reputational" damage, though, Tekz. It directly affects all buyers and sellers monetarily, even if you have no intention of ever using the undo. Because of the existence of that ability to undo, your ability to pass clear title to the domain name is now impaired. That means your domain name is damaged when you're selling it, and damaged when you're buying it. In other words, the domain name is worth less whether you are a buyer or a seller.

You live in Hong Kong, and know how the Chinese real estate market is --- suppose they created a law that let the seller of a house "undo" the sale within 6 months. What would happen? It would be chaos. No sane buyer is going to want to touch a property/asset where the seller could simply undo the transaction at whim, unless that "risk" is accounted for. And the only way that the proposal is allowing people to "account for" that risk is for the buyer to take the seller to court (and that jurisdiction will be in the jurisdiction of the original registrar, where you intentionally did not want to have the domain name be at). That's a bad risk. Unless you're a lawyer, who will love the extra "volume" of cases to handle.

 

[Gerry]

Yup, sell now + get higher offer later = undo transfer.

A person could get rich owning just one domain name.

 

[DomainsInc]

doesn't icann realize they make most of their money from people speculating on domains?..

 

[GeorgeK]

After 10 hours of reading, I've digested all of the workgroup's emails and teleconferences (weekly meetings for a year). I'm not very impressed that they missed so much, or sensed that there were problems but couldn't enunciate what should be very obvious to anyone with experience in the industry. They'll use the old excuse that "they're just volunteers", but the community really deserves better when they're proposing huge changes without fully considering the implications (both legal and economic).

Anyhow, I've applied to join the workgroup, and will keep folks abreast of when they'll have an opportunity to input. If anyone else wants to join, you'd need to email [email protected] (who handles ICANN GNSO mailing lists, etc.), and also catch up on the work they've done to date.

 

[Theo]

Thanks George, I wonder if ICANN committee members drink first and come up with these ideas later, so that we have to drink after reading them

 

[Gerry]

Thanks George, I wonder if ICANN committee members drink first and come up with these ideas later, so that we have to drink after reading them

Would that be an OPA! moment?

 

[draggar]

Assuming most domain sales use PayPal - doesn't that only have a 30 day window? So a seller could sell a domain, wait 45 days, then take it back and sell it again, wait 45 days then take it back.

Sounds like ICANN is trying to support fraudsters with policies like this.

Another workaround would be to have a secondary registrar so you buy the domain and transfer it to registrar B (secondary) then 60 days later transfer it to registrar C (your primary)?

 

[GeorgeK]

Assuming most domain sales use PayPal - doesn't that only have a 30 day window? So a seller could sell a domain, wait 45 days, then take it back and sell it again, wait 45 days then take it back.

Sounds like ICANN is trying to support fraudsters with policies like this.

Another workaround would be to have a secondary registrar so you buy the domain and transfer it to registrar B (secondary) then 60 days later transfer it to registrar C (your primary)?

Most big sales don't take place using PayPal, they happen through escrow services, direct wire transfers, etc. Even small sales, they go through sites like Sedo, auctions through Moniker, NameJet, SnapNames, etc. The "30 day window" you're talking about refers to payment issues. That's entirely outside ICANN policy making and domain names (ideally, folks should be paying using some irrevocable method like wire transfers through escrow, etc., but that's entirely irrelevant). This is about undoing a domain transfer.

The workaround you suggest doesn't work at all, and adds even more complexity/irrationality to the issue. One wants the transfer to be irrevocable/irreversible, except with due process (court, etc.). Transferring to yet another registrar doesn't stop it from being irreversible at all. There needs to be a clear demarcation point as to when title passes to a new registrant, period. Not this never-ending "I want to have a do-over, please."

At some point, ICANN has to say "this is outside our policymaking, there are other more proper venues to handle the perceived problem" (e.g. courts). This is one of those times, at least with this ill-advised proposal, which would raise new problems far worse than existing ones.

It's not as if these issues are new, by the way. There is a wealth of knowledge in other industries (online banking, land registries, even webmail security practices) to draw upon, much that were already spoon-fed through past ICANN Security reports (that appear to have mostly gone unread or were ignored).

 

[Gerry]

Here's an example of the absurdity of this proposal.

A while back I sold a domain on Sedo.

The buyer never changed the DNS so the name still points to my Sedo account.

Because it is still listed with Sedo, I still get offers on this name.

This name happens to be very popular among Blackberry users but was never intended to be such. It is a generic name used to describe a popular collectible (think lapel pins). It is nine years old and contains two words. But, depending on how you read it and put the word break, it is either a collectible or a popular Blackberry term.

Now, take a look at this:

Domain Statistics

Visitors to this Sedo offer page:
3 (previous 31 days)

Visitors to this domain’s website:
240 (previous 31 days)

Search engine rankings:

View Ranking Report

Previous offers for this domain:
6

This is why I said earlier on (in jest) that a person could get rich owning just a few names and pulling a scam.

I could have sold and resold this name many times over.

The traffic and interest is there. As you can see, three people have visited the offer page within the past month or so.

Ethical? No.
Possible? Yes.

Each time I simply open up a new account somewhere under a different WHOIS contact data, and keep "repossessing" the name.

 

[GeorgeK]

The ITRP just had a conference call, and I was basically ganged up on for pointing out all the flaws in the proposed ETRP (Expedited Transfer Reverse Policy).

How's your business going to be affected when folks can simply undo a legitimate transfer "at will", without due process, within 6 months? How will an escrow work if the prior owner can simply claim "hijacking" and undo a transfer, when it's simply a case of seller's remorse?

I'm totally appalled at how they want to create a huge loophole in policy, that will have collateral damage which is much bigger than the "problem" they're trying to solve.

A transcript of what went down should be available later at:

http://brussels38.icann.org/node/12502

 

[GeorgeK]

BTW, I came up with a possible solution, namely an "Irrevocable Transfer Procedure." That would give people a choice, see:

http://forum.icann.org/lists/gnso-irtp-b-jun09/msg00334.html

 

[whitebark]

BTW, I came up with a possible solution, namely an "Irrevocable Transfer Procedure." That would give people a choice, see:

http://forum.icann.org/lists/gnso-irtp-b-jun09/msg00334.html

As I was reading this thread that was just what I was thinking would be a good second option. Otherwise this is a scammer's wet dream!

 

[Theo]

The entire ICANN proposal is unnecessary and it complicates any transaction. There is no legitimate benefit for either party, seller or buyer, to reverse transactions; the claim that it would protect against hijackings is ludicrous. It will simply increase the volume of litigation due to reversals. ICANN needs to find something else to do with the money it pays its board members. Knitting lessons comes to mind, if they ran out of ideas.

 

[GeorgeK]

I agree with you, Acro. It's a totally flawed proposal. If they're not going to fix it, we need to at least retain the existing system of irrevocable transfers for those who *need* it, those who are prepared to make the choice to use it.

The key idea is "irrevocability". i.e. at what point transfers are "final" and "undoable"? A simple analogy might be payment systems, comparing wire transfers to credit cards / cheques. For a wire transfer, the payment is essentially irrevocable. It's considered the safest form of payment, especially for large amounts, for the recipient of the funds. When we're doing domain name transfers today, they're also irrevocable, like wire transfers.

Now, what they're proposing with the ETRP is akin to compelling everyone to switch from using wire transfers, to instead using credit cards or cheques for payments. With a credit card, there's a risk of a chargeback for months. With a cheque, similarly the funds can take a long time to "clear". In cases of both credit cards and cheques, the merchant (i.e. the recipient of the funds) is bearing all the risk. For domain transfers to be subject to "chargebacks" or to long "cheque clearing periods" (where the funds are "on hold at your bank" until they clear) is truly a step backwards.

What's hilarious is that registrars *hate* cheques and credit cards, especially for large amounts. They'll want folks to pay by wire transfers, to ensure that they (as recipients of the funds) are not at risk. So, they implicitly understand the concept of irrevocability, and its hypocrisy that some of them think switching to a system where that irrevocability is lost is somehow better than what we have now. It's not.

Why they can't understand why domain buyers *need* domain transfers to be irrevocable is simply unreal. When they eventually post the transcript/audio, you'll get an idea of how they tried to silence me. They even actually *muted* me several times, as I was trying to make points to counter some of the BS that was flying. There was an Adobe Acrobat chatroom that many of us were in at the same time, and I was pointing out repeatedly how others were able to jump back in the queue and respond (e.g. Rob Hall of Pool/Momentous), but I wasn't given the same treatment.

You can understand why Pool would want the ETRP, as they'd routinely have valuable domain names *leaving* them (i.e. names caught on drops), and they might want to reverse those transactions from time to time. But, the ETRP is the wrong way to do it. If they want to improve security, they can do the due diligence *before* allowing the outgoing transfer (e.g. confirm payment by wire, or authenticate the transfer by talking to the registrant over the phone, etc.; lots of *proactive* security policies can be in place). However, once the name leaves them, it should be gone for good, and not be able to be "clawed back."

For that workgroup to pretend that the only kind of fraud is by domain hijackers is ludicrous. There are lots of bad sellers out there, too, that wouldn't hesitate to undo a transfer by crying "wolf" and falsely saying their domain was stolen, if it meant they could make more money selling it to someone else (recall the whole camroulette.com lawsuit), or if they get cold feet / seller's remorse (e.g. they find out the real buyer was Microsoft, say for a kin.com or a docs.com), or like the TrademarkLawyer.com and other names at Sedo where they seller simply backed out before completing the sale at auction. There are lots of TM holders who engage in reverse domain name hijacking attempts. We shouldn't permit a new method of reverse domain name hijacking to exist, via a fresh loophole. Otherwise, it would create uncertainty over the true "title ownership" of a domain name......this would hurt all registrants.

Just to be clear, this hurts both domain buyers, and domain sellers. If you're a domain name seller, you need to convince the buyer that you won't do a ETRP. But, how do you do that, when it's ICANN policy? i.e. you can jump and down all day saying "I'm a good guy, I'm not going to do it", but when all is said and done, as a buyer I have to pay you less, because the risk will always exist that you as seller will undo the transfer. Thus, I have to factor in the legal costs I'll have to spend if you invoke the ETRP, and also the damages I would suffer on my website from the time you invoke the ETRP to the time I can recover the reverse-hijacked domain through the courts (which might be years).

So, this is not a policy that just hurts buyers. It hurts sellers too. It means that all domains that are transferred are "tainted" for 6 months. When a buyer is buying a tainted asset, he is forced to pay less. When a seller is selling a tainted asset, he/she can't get the same price as he/she would if it was untainted.

 

[GeorgeK]

The comment period is now open:

http://www.icann.org/en/announcements/announcement-05jul10-en.htm

I'll likely have my comments in sometime next week.

 

[GeorgeK]

Now things are getting interesting. As you know, we're getting swamped with ICANN comment periods right now. But it appears that the members of the transfers workgroup are reconsidering extending the public comment period by two weeks! What a joke. One can see my response at:

http://forum.icann.org/lists/gnso-irtp-b-jun09/msg00415.html

and you can see related discussion at:

http://forum.icann.org/lists/gnso-irtp-b-jun09/

It's all too typical of ICANN politics....folks generally want more time, but on a specific issue when they feel that the public will oppose a given issue, they won't extend deadlines at all, in order to get the fewest possible comments.

The public comment period is currently set to end on July 25, and there are many other comment periods that need to be dealt with. All the documents are at:

http://www.icann.org/en/public-comment/#irtp-b-initial-report

(and as I've previously discussed, the proposed ETRP would have a huge impact on the secondary market if sellers were able to simply undo a transfer at will anytime within 6 months; it would cause havoc due to "seller's remorse", affect escrows, and affect overall domain name valuations by creating uncertainty over true "title" over domains; the current proposal lacks any due process whatsoever to prevent "gaming" and "abuse" of this clawback procedure)

Anyhow, if you feel as I do that there should be more time, you might want to let them know. One can send a comment to the public comment site at:

[email protected]

Or contact members of the workgroup, listed at the bottom of:

http://st.icann.org/irtp-partb

You can see from the results of the Doodle Poll so far, that they're currently voting NOT to extend the comment period! Ridiculous!