Dear Go Daddy: ICANN haz new policy?

60-day domain transfers will be a thing of the past if ICANN has anything to say about it. And they do.

In my previous article, I wrote about my situation with Go Daddy regarding their onerous domain transfer policy, as well as their business practices. It turns out that ICANN might have accepted the loophole they found in the policy by creating a forced "opt-in" requirement for domain registrant changes, but not for much longer.

Also See:

After the article was posted, I received several interesting responses. One was from Kevin Murphy of DomainIncite, who pointed out that Go Daddy was compliant with ICANN policy due to their opt-in solution.

I was forced to concede the point, although Kevin did agree with me that the Go Daddy policy is unfair and violates the "spirit of the law". He also suggested that the ICANN policy was implemented specifically to stop the Go Daddy policy. And I contended that Go Daddy implemented their opt-in solution to circumvent it.

I was also contacted by Go Daddy's PR department. They seemed honestly determined to help make things right for me:

"Hi Scott.

I saw your article on ZDnet -

https://www.zdnet.com/blog/perlow/godaddy-still-violates-icann-policy-and-still-sleazy/18518?tag=mantle_skin;content

I am sorry to hear about your experience. I read that you needed to change the email address to be able to transfer the domain name - modifying the email address alone for this purpose will not impose a lock.

I'd like to have some of our support staff reach out to review this and help determine why a lock was imposed - can you give me some account info and your contact details so I can have our Office of the President reach out?

Once your account is taken care of, I'd also like to set up an interview for you about this particular issue. Let me know if you'd like this.

Thank you,

Luke Hintze Go Daddy Public Relations"

I gave Luke more details about the situation in my response, and was willing to work with him:

"There's really not much to say. I selected the edit all option, changed my email and removed the organization since it no longer existed. I did not change my name. I was required to agree to the 60-day lockout period or I couldn't change the information.

When I first called support, was told this was an ICANN policy. That was a lie. This actually is in violation of ICANN's official policy. When I called back and informed support of this, I was told that it was corporate policy, that it wasn't going to be changed, and no, I was not allowed to speak to a supervisor.

No one on your support staff would even acknowledge that this violates ICANN policy, and simply kept repeating that since I "opted in" it would not be unlocked.

I think it's incredibly unfair to the rest of your customers that a PR representative is compelled to try to make things right simply because I have a bigger soapbox and an audience. I do not deserve special treatment.

My account number is #######.

--Scott"

Admittedly I was incorrect about the violation of ICANN policy. That's definitely my mistake. Also, I had changed the registrant info by removing a company name from the WHOIS information. That was what triggered the 60-day transfer lock. I have heard nothing from Luke or the Go Daddy PR department since.

While Luke was trying to make things right for me, at the same time a blog post from Christine Jones, Executive Vice President, General Counsel & Corporate Secretary of Go Daddy was posted on her personal blog.

In it, she confused my article with another writer's work, Kevin Murphy over at DomainIncite, which actually takes a contrarian view to my previous piece on Tech Broiler. This required issuing a correction on her blog.

In her blog post, Ms. Jones provides an interesting "true-life" example of why the Go Daddy 60-day policy works for their customers:

"Here’s one true-life example. A Go Daddy customer was recently the victim of a phishing scheme/email compromise by a domain name hijacker. Through fraudulently-obtained information, the hijacker was able to access the customer’s account. The highjacker then moved 41 of the customer’s domain names to a new account and updated the registrant name, which initiated the 60-day lock. The highjacker also transferred 5 additional domain names to an offshore registrar without changing the registrant domain name. Thanks to the 60-day lock, the 41 domain names that were stolen and moved to another account did not leave Go Daddy, and were returned to the customer in short order. Weeks later, we are still waiting for the other 5 domain names to be returned."

There's just one small flaw with the example above. They haven't gotten those 5 domains back. That's a loophole in their policy. A domain hijacker could take all of the domains, and then change the registrant info after it's been transferred to a new registrar. It renders the 60-day transfer lock useless because it's not triggered.

Christine continues to elaborate:

"Go Daddy’s practices with respect to the 60-day lock have been thoroughly examined by ICANN in relation to the ICANN Inter-Registrar Transfer Policy and the 2008 Advisory interpreting that Policy. The lock doesn’t implicate the Policy or Advisory in any way. Under the Policy, WHOIS updates are allowable at any time, and are not grounds for denying a transfer. The fields addressed by the 60-day lock,registrant name and organization, go beyond a simple WHOIS update. Instead, they act to essentially reassign the domain name registration to a new responsible party, the newly-named registrant."

There's a big problem with this, because the registrant info is actually part of the WHOIS information. They are not two separate blocks of data.

But this is a debatable point, as it entails interpretation of ICANN policy. What concerned me most about how Go Daddy responded to my initial article was this:

"This blog is published by Christine Jones, General Counsel and Corporate Secretary for The Go Daddy Group, Inc. It represents her personal views only and does not reflect the official corporate views of GoDaddy.com or The Go Daddy Group, Inc."

If her blog is not supposed to reflect the official corporate views of Go Daddy, then why is she specifically discussing corporate policy on her blog instead of on the main Go Daddy website? I find this underhanded duplicity of Go Daddy's executive staff pulling this nonsense while their PR team is trying to make things right self-defeating.

It just serves to enforce my belief that while Go Daddy may be the biggest domain registrar, their business practices are still questionable.

When I originally reported my complaint to ICANN, I hadn't really expected much of a response after I read Kevin Murphy's blog post. But it turns out that there was a response yesterday from the Contractual Compliance department of ICANN. I was informed that there is a Board-approved change to the policy forthcoming:

The ICANN Board has adopted the IRTP Part B recommendations (see http://www.icann.org/en/minutes/resolutions-25aug11-en.htm#1.2), one of which is intended to address ambiguities that could arise from the current language of reason #6 for denying a transfer request under the transfer policy. Below are the current and the new language (which will become effective once implemented in the next few months):

Current: Express written objection to the transfer from the Transfer Contact. (e.g. - email, fax, paper document or other processes by which the Transfer Contact has expressly and voluntarily objected through opt-in means.

New: Express objection to the transfer by the authorized Transfer Contact. Objection could take the form of specific request (either by paper or electronic means) by the authorized Transfer Contact to deny a particular transfer request, or a general objection to all transfer requests received by the Registrar, either temporarily or indefinitely. In all cases, the objection must be provided with the express and informed consent of the authorized Transfer Contact on an opt-in basis and upon request by the authorized Transfer Contact, the Registrar must remove the lock or provide a reasonably accessible method for the authorized Transfer Contact to remove the lock within five (5) calendar days.)"

I wasn't exactly sure of what the wording of this new policy draft actually meant, so I asked for clarification:

"Are you saying that if a domain owner objects to the 60-day lockout period, they can request that the lock be removed within 5 days, even if they agreed to the opt-in?"

And this was the response:

"NOT under the existing transfer policy but will be the case once the #6 reason has been changed, hopefully the implementation will be complete in the next few months."

I was floored. After years of circumventing the policy, any registrar that implemented their own domain lockout policy like the one Go Daddy created would be negated by this new policy from ICANN. Regardless of the registrar's own policy, if the domain holder demands that the transfer lock be removed, it has to be done within 5 days of the request.

Of course, this new ICANN policy is still several months away from being implemented. It does show, however, that ICANN is responding to the concerns of domain holders, and gives them more freedom and control over their domains. 60-day transfer lock, your days are numbered.

The folks at ICANN also want everyone to know that they are accessible to the public for concerns or issues with their domain registrations, and have provided a website to send them reports. I highly recommend it.