Re: [registrars] Outstanding issues on Registrar Transfers

[Larry Erlich <erlich@domainregistry.com>]

Elana Broitman wrote:
> 
> Mike and all - I am pleased that we were able to reach agreement on many
> issues, such that the RC now has a single document setting out Registrar
> Transfer principles and practices to consider.  Despite our efforts to
> bridge all gaps, we were left with a few difficult, but crucial, issues to
> determine.  Some of these go to the heart of defining minimum consumer
> protection standards.  Below, are the issues and our positions on such
> issues.  Because they are critical, the RC should vote on them in addition
> to the document:
> 
> 1)      Definition of individual who has the apparent authority to legally bind
> the Registered Name holder.
> 
> The Registry Agreement and ICANN's statements do not clarify this term.
> Yet, it is often the crux of the issue and there is often a difference among
> registrars regarding the definition of "apparent authority."  Some
> registrars consider only the registrant or administrative contact to be
> authoritative. Others may allow billing, technical, or other contacts to
> serve as authorized representatives for the purpose of granting apparent
> authority.  Yet others allow resellers to provide apparent authority.  We
> could draft a list of authorized contacts, but that runs the risk of
> unnecessarily limiting some registrar's legitimate definition or business
> model.

It all really depends on the amount of RISK that
is being assumed in the transaction (the transfer)
by the gaining registrar. 

The problem is that the transaction is very small in dollar amount, 
and you are just not going to be able to have all the safeguards
that you need to protect (say) a $10 transaction and still
allow the $10 transaction to happen.

A simple analogy might be with a FEDEX delivery.
The FEDEX delivery person makes deliveries and
will give the package to anyone who appears to 
be an employee of the company that they have
a delivery for. Of course, it could easily be a person in the
waiting room who claims to be an employee, and signs
for the package while the receptionist is in
the rest room. Or, it could be to a person in the
parking lot who claims to be from the company.
I have done this several times and always
get the package from the driver - no ID necessary. 
FEDEX assumes this risk because it is not practical to ask
for drivers license, verify employment etc,
and still operate profitably. (They did alter
their practice of leaving expensive electronics and other
valuables at houses without a signature.) Further, they don't
even verify that you are who you say you are,
that is, the receptionist could sign "George Bush" and they don't
verify that he/she is "George Bush", let alone an employee
of the company. 

> 
> However, there clearly needs to be some standard, so that we do not have a
> situation where conflicting transfer instructions are sent on behalf of a
> registrant. 

I agree in theory, but I don't think
it will be possible.

> Just as the IRDX document has a procedure pursuant to which a
> gaining registrar refers to the Whois of the losing registrar in order to
> verify a transfer request, similarly the gaining registrar must refer to the
> apparent authority recognized by the losing registrar in the initial
> registration process in order to obtain authorization for the transfer.

This would be difficult in that the registrant
could be a person -or- a company. That would allow a 
losing registrar to specify that only, say, "Joe Smith" the
admin contact for GM.COM, has the apparent authority to
bind GM. This would normally not be the case. There
would probably be multiple people at GM that would
have the apparent authority.

(Of course, there may be cases where GM.COM might want
the extra level of protection over their domain (if it
was not already locked.) In this case the whois record
could simply state something like: "Transfer requests are
only valid with a notarized document from the legal
department of General Motors" or something
like that. Maybe the whois just needs an extra display field
to handle transfer security.)

>  In
> other words, if an admin contact was the apparent authority during
> registration, then the individual holding that position should authorize the
> transfer or at the very least authorize the new "authority."  This would
> allow for an objective standard while retaining flexibility.

Not practical. You know that people are always
changing at organizations, and that having them
change the current contact can be a real problem
at certain registrars. (And should be in many cases,
since once again if it is easy then it provides 
no security at all.)

> 
> RECOMMEND: "apparent authority, as defined by the Losing Registrar's
> practices"

Suggested: Apparent authority, as defined by GAINING registrar,
UNLESS losing registrar's whois contains explicit
restriction(s) on transfers.

Such as: "no reseller transfers", "transfers
only by notarized documents", "transfer must be
authorized by company officer on company
letterhead", "transfers must be authorized
on company letterhead by IT department", etc.

> 
 
> 3)      Gaining Registrar transferring domain names back to the Losing Registrar
> in a case where it has been demonstrated that the Gaining Registrar did not
> act in accordance with the practices and processes contemplated by this
> document.  Gaining Registrar's indemnification of the Losing Registrar
> against legal recourse in such cases.

Agree.

> 
> This is a matter of making all parties whole after erroneous transactions.
> If registrars are to trust each other's processes so that they make changes
> without requiring confirmation by their customers, they and their customers
> must be made whole if transfers were not authorized. A gaining registrar
> that initiated and completed the transfer of a domain name without proper
> authorization must transfer the name back, and indemnify the losing
> registrar against any potential liability associated with this transaction.

Agree.



Larry Erlich

http://www.DomainRegistry.com
-- 
-----------------------------------------------------------------
Larry Erlich - DomainRegistry.com, Inc.
215-244-6700 - FAX:215-244-6605 - Reply: erlich@DomainRegistry.com
-----------------------------------------------------------------