But owner information often is incorrectbecause the owner wanted it that way. The WHOIS database is one of the great farms from which spammers harvest e-mail addresses, so many domain owners intentionally put in false contact information. Even the other contact information is often false out of privacy concerns. This information is usually separate from the registrars billing database; while false information in the contact records usually violates registrar policy, as long as they get paid they usually look the other way. And its not illegal to put false contact information in a WHOIS record, although there has been some talk in Congress of making it so. The real answer seems to be domain locking, which it now appears all registrars support. Locking puts a "Status: REGISTRAR-LOCK" in your WHOIS record and prevents a default transfer of the type just instated by ICANN. GoDaddy, for example, has put a notice up warning all customers that they better lock their domains if they want to be sure of protecting them.I havent seen a single definition, but it appears that "REGISTRAR-LOCK" doesnt just prevent unauthorized transfers, but any other change in the domain record too. The only way to make a change is to log in to the master account and use the registrars interface. If this is universally the case, its the solution to the problem. Its just up to you to secure your master account information.Taking ICANN at its wordthat there was a problem with expediting legitimate transfer requestsI can see the reasonableness of the new policies. It does make competition more practical by denying registrars the ability to stall. What we need now are policies and technologies that make contact records more secure and eliminate all this ridiculous false information. For insights on security coverage around the Web, check out eWEEK.com Security Center Editor Larry Seltzers Weblog. But beyond locking, I like the approach as that used by Domains By Proxy. Instead of your contact information referring to you, it refers to Domains By Proxy. You can tell them to forward contact requests on to you, or not. They only work with a small number of registrars? Why shouldnt all registrars offer this? In fact, why shouldnt it be part of the standard? Come to think of it, isnt the whole idea that domain contact information needs to be public kind of quaint and antiquated? If you want to make your domain contact information public, put up a Web server and write a page for it. This looks like a job for ICANN. In the end, if there are many attempts to steal domains and users have to utilize the (4,449 word) Dispute Resolution Policy to resolve them, its still a failure even if it works every time. The system needs to protect domain owners from having to engage in the process too. I havent yet seen where ICANN has helped this. Check out eWEEK.coms for the latest security news, reviews and analysis.