High Noon Coming For ICANN and Registrars

Opinion: After years of apathy, ICANN is taking on one of the "rogue registrars" they said couldn't exist. Will they really follow through? Can they?

Ive been writing for years on the problems for ordinary consumers in the domain name market. They have been the victims of thieves and unethical domain registration companies and the agency of supposed authority in this space, ICANN (Internet Corporation for Assigned Names and Numbers), has generally denied that it has a place in putting things right. But one incident was so bad that ICANN seems to have been forced into action.

The RegisterFly scandal, still below the radar of serious IT news, is just one of a few recent stories of problems with registrars and the domain market. Now it looks like well find out whether ICANN has any teeth at all in its rarely used jaws.

/zimages/7/28571.gifA recent protocol change is designed to increase security of domain transfers. Click here to read more.

RegisterFly is a domain registrar and hosting service with a shaky recent legal history. The RegisterFly story got its first serious attention in late February when ICANN sent them a letter threatening them with termination of their accreditation as a registrar due to violation of the agreement covering that status, specifically that RegisterFly was mishandling domains, losing registrations, failing to carry out transfers and renewals, really gross incompetence. Its easy to see how business isnt getting done right at RegisterFly, what with the owners of the company in court over accusations of misappropriating company funds.

ICANN actually investigated reports of "stolen names" in April of 2006 and they filed an audit request in May, which wasnt satisfied for more than four months. Pretty soon complaints about RegisterFly were coming in from other registrars, ICANN board members and the U.S. Department of Commerce. This kind of noise can awaken even an old boys club like ICANN.

The death sentence was handed down late last week: ICANN formally terminated RegisterFlys Registrar Accreditation Agreement. Their last day will be March 31, 2007. Now we can expect interesting things to happen. For instance, as of Monday, March 19, the RegisterFly site still uses the ICANN Accredited Registrar logo on its home page even though they were notified days ago that they were no longer authorized to use it.

In the meantime, RegisterFly is obligated to help customers transfer away, including providing the "AuthInfo" codes which are now necessary in order to transfer a domain (it seems RegisterFly has not been providing these). And if that fails, according to ICANN, "[w]when the Agreement is terminated, ICANN can approve a bulk transfer of all current RegisterFly domain names to another ICANN accredited Registrar."

Customers are panicking and its hard to blame them. One blogger claims to have found the secret 15 step process by which RegisterFly lets you have an AuthInfo code and then accept your transfer.

Lets assume what seems reasonable at this point, that RegisterFly doesnt meekly comply and surrender its business. Can ICANN actually "bulk transfer" away all of their registrations? Im not convinced its possible. For one thing, RegisterFly has a Domain Privacy Protection service which hides information about the actual owner of the domain from outside eyes, including ICANNs. You just cant transfer these domains without RegisterFlys cooperation. (Incidentally, this incident should give pause to those—including me, I guess—who advocate making such privacy the normal course of business for domain registration.)

Things are bad for RegisterFly customers now, but I have to think theyre going to get worse. If threatening letters dont work, then ICANN probably has to go to court to enforce the agreement, and who knows how long that could take, assuming its even successful. In the meantime, RegisterFly is hardly the only sleazy and incompetent registrar out there. The problem didnt begin with RegisterFly and its only getting attention now because large customers are affected; small customers have been screwed by sleazy registrars for years.

Lawsuits wont make things any better; unfortunately, a more active form of regulation needs to be instituted for domain names. It may raise costs and it may slow things down, but it needs to be done.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

/zimages/7/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.

More from Larry Seltzer