Opinion: The domain registry system is stacked against victims of domain theft and in favor of the thieves. An opportunity to fix it may be coming up.

I get e-mail every now and then from victims of domain theft. I've written on the topic, and I suppose that when people find their domains gone they go Googling on the subject and find my articles.

Unfortunately, there's no real good advice I can provide. Even when domain owners are relatively careful, they can often be taken. Take the example of the person who contacted me recently after her registrar refused to acknowledge several attempts to renew the domain. After it expired, it was quickly swallowed up on eNom, one of the domain auction sites. I've heard several such stories.

I doubt the reader who contacted me has any recourse at all, but she'll need a lawyer to get it. Would you be willing to pay a lawyer an unknowable amount of money just to find out if you can recover your domain? We're not talking "" here.

People are often inclined to blame VeriSign, which operates the .com registry. VeriSign is not a registrar of domain names; it operates the central database of .com domain names through which all .com registrars must operate (and the company is very well-paid for this service). But this problem is not at all unique to .com names. It's just more pronounced there because .com names are still the most prized.

Where does the problem lie? The fish rots from the head, as they say, and the head of the domain name system is ICANN, the Internet Corporation for Assigned Names and Numbers. It's ICANN that sets policy for the domain name markets, contracts with operators of the various TLD (top-level domain) registries, such as VeriSign for .com and the General Services Administration for .gov. It also sets rules for registrars to follow, and here is where it has dropped the ball.

There is little, arguably nothing, in ICANN agreements to protect registrants from abuse by registrars. (See the ICANN Registrar Accreditation Agreement.) Nothing in the agreement requires them to act fairly with their customers, with some pretty flimsy exceptions ("3.7.3 Registrar shall not represent to any actual or potential Registered Name Holder that Registrar enjoys access to a registry for which Registrar is Accredited that is superior to that of any other registrar Accredited for that registry."—probably meant as a slap at Network Solutions). The only dispute resolution policy is meant for trademark holders and expedites the process down to as few as several months.

Unless you have the legal resources to pursue the matter and a domain valuable enough to protect, it's easier and cheaper to let the thief get away with it. And while ICANN dismisses the idea of rogue registrars who act in concert with domain thieves, we've certainly seen examples of registrar negligence that victimized domain owners. The net result is that ICANN policies act to protect domain thieves.

But now the National Telecommunications and Information Administration of the Department of Commerce is holding a public meeting "... on the continuation of the transition of the technical coordination and management of the Internet domain name and addressing system (Internet DNS) to the private sector." If I read things correctly, ICANN's authority over the IANA (Internet Assigned Numbers Authority) is at issue as well as some other matters relevant to the U.S. government's remaining authority over the Internet.

They're done taking comment in advance of the meeting, but I got my own comments in. Most of the noise surrounding the meeting will have to do with the silly perception that by controlling the operation of the "root" DNS servers, the U.S. government somehow controls the Internet.

Don't look for the DOC to surrender control of the root to the UN or other such radical news, but perhaps it can take the opportunity to make ICANN more responsive to its many detractors and address the holes in its policies.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
