There was no fanfare on Friday, November 12, 2004,
but in the world of domain names, something very significant happened. The Internet Corporation for Assigned Names and Numbers, better known as ICANN
, changed its rules for transferring domains between registrars. Under the new process for transferring domains, you may lose control of a domain that you have registered if someone else puts in to transfer it to a different domain registrar. Maybe they think you aren't using it anymore or they just like the sound of your domain. If you don't actively block a transfer, your domain could slip through your fingers.
I'm not saying ICANN's new system is necessarily a bad one, but it's a radical change from the old way, and it's going to embarrass and inconvenience some people. Plus, ICANN has certainly done a poor job of alerting people about the change and the potential dangers of domain loss. I'm prepared to bet that some people will lose their domains, and others will lose their jobs for letting domains slip away.
Domain registrars--the companies that let you register domain names--are obliged to follow ICANN's guidelines. Because ICANN wields all the power in the domain space, its rules aren't really guidelines--they're law. It was given such power in the late 1990s when it was formed to break up a government-approved monopoly called Network Solutions. In the early days of the domain name space, Network Solutions was the only registrar, and when the market opened up to include new registrars, ICANN managed the system for handling registration, including an accreditation process for new registrars and the all-important process of allowing consumers to transfer their domains from one registrar to another. For the past six years, domain owners have had a virtual bazaar of price-cutting and service-packaging suppliers from which to choose, and up till November 12, they had a safety net for that process.
Some people will lose domains, and others will lose their jobs for letting domains slip away.
The old way worked like this: You register for a domain at a new registrar, and that registrar sends a request for approval to the old registrar. The old registrar then e-mails you (via the administrative contact e-mail listed on your site) and asks for the OK to go ahead with the transfer. In the past, you or your domain's admin contact then had five days to give the go-ahead. If five days passed and there was no reply, the transfer failed.
The new way is different only at the last step: If there's no reply after five days, the transfer goes ahead. In other words, your silence becomes a yes answer instead of a no.
The fatal flaws
Right off the bat, I can think of four scenarios in which this new approach is a recipe for disaster. If you happen to be on vacation for five days after someone starts an illicit transfer and you don't answer your e-mail, you lose. (Just wait until after Thanksgiving: I bet there will be much wailing and gnashing of teeth.) If you pass over the "shall we transfer?" message because your mailbox is deluged with a tide of spam, you lose. If your spam filter is overvigilant and diverts the registrar's message, you lose. And if you have changed e-mail addresses and haven't updated your domain's admin contact information, you lose.
There is a single protective measure that can help prevent unauthorized transfers: domain locking, also known as domain protection.
Except for landgrabs under the laws of eminent domain, I can't think of another area in which something as valued as a domain can be swiped from under your feet without your express consent. And although domain theft can be rectified under the ICANN grievances procedure, there's no guarantee of success. And besides, it's a pain in the neck to lose your domain for any length of time, especially if it's hijacked by some low-rent, pop-up merchant who uses your visitors to get a few quick bucks in advertising at the expense of your reputation.
Your only hope
There is a single protective measure that can help prevent unauthorized transfers: domain locking, also known as domain protection. You can apply a domain transfer lock to any domain of yours at any registrar. It's a simple administrative procedure at most registrars, and some of them do it by default. But many of them don't, and there's a possibility that some smaller registrars may charge you for the feature. I checked the 10 domain registrars with the biggest market share (Network Solutions, Tucows, Register.com, Melbourne IT, GoDaddy.com, Enom.com, Bulkregister, DirectNIC.com, DotRegistrar, and Dotster), and they all provide domain protection as a free option. Rest assured that I've turned on protection for all my domains. I strongly suggest you do the same.
Now that I've put on the domain deadbolt, do I feel better? Actually, no, I don't. I'm still fuming at ICANN for making this unnecessary and customer-unfriendly change in the first place. If a new registrar comes online now with bigger, better services, lower prices, or a better way of doing domain administration, we all have yet another hoop to jump through to take advantage of its services. Once again, we have a case of incumbents enjoying an advantage that keeps the newer arrivals with fresh ideas at bay. For an organization that was designed to promote competition in the domain space, ICANN seems to have botched it up royally. So much for bureaucratic solutions.
Are you as mad about ICANN's new rules as Matt is? Tell him what you think in the TalkBack below.