A friend of mine pinged me online, said “Hey, remember that thing we were talking about doing a couple years ago? I still have one of the domain names, gonna let it go unless you want it.”
I said “sure, I’ll take it”.
Him: “Let me look up how to transfer it.”
Me: “I’ll look up how to receive it. There’s always some bureaucracy and ceremony. But all my domains are at R these days and they’re pretty good at making easy stuff easy.” (“R” refers to a well-known top-25 registrar, whose name I’m withholding to protect the guilty.)
Him: “WAIT. STOP.”
Him: “I’m at R too. Hold on… this looks easy.” [A minute of silence…] “OK, look and see if you got it.”
So I sign into R and list all my domains. “Holy crap, there it is. That was easy.”
So I told him thanks. But that evening, the transaction kept rattling around in my mind, and I was getting less and less comfortable.
Because I was thinking, maybe a bad actor could use this to SWAT me. Suppose the bad actor has an account at R, held by some anonymous tax-shell company in a remote jurisdiction, and they own plenty of domain names, maybe innocuous, maybe horrific, suggesting torture, suffering children, revenge video, death camps… Suppose they posted truly horrific (and violently illegal) stuff at some IP address on a “bullet-proof” overseas server, pointed one of their names at it, transferred the name to me, and then tipped off law enforcement about this horrific abuse being hosted by some guy named Tim. How long till my front door gets broken down?
That evening, I mentioned it to my spouse who is also my business partner and she said “Oh yeah, I wondered what that was about, I got an email from R saying your buddy had transferred a domain name to you.”
I inquired if they’d asked her to do anything to accept the transfer and she said “No, but it did have a number to call if this wasn’t kosher.”
Which might help avert the nightmare SWAT scenario, assuming you are the kind of person who diligently keeps up on your email inbasket and promptly reads bureaucratic-sounding emails from domain shops.
And anyhow it seemed too obvious; surely there must be some policy or regulation in place to keep this kind of awfulness from happening?
Well, I hang around the IETF (I’m currently co-chairing a very minor working group.) And in the IETF are people who know people who Really Know Their Stuff about how domain names work and are regulated, in practice. So I found one of those people.
I told him the story and asked “Is what happened there legal, and could a bad actor make it look like I operated a bad domain?”
Him: “Dunno about ‘legal’ because I learned what IANAL means about 35 years ago. But, yeah, a bad actor could make you look bad because when the police look at the WHOIS data for the domain name, your info would be there, and it would be assured by your registrar, who is also the registrar for other domains that you own.”
Me: “So, are there any regulations or policies or, you know, laws, that apply here?”
Him: “There are definitely contractual agreements between ICANN and every registrar. Looking at ICANN’s official transfer policy, what happened seems to fall well outside of Section II.C.1.2, which clearly says that R must ‘Obtain confirmation of the Change of Registrant request from the New Registrant, or a Designated Agent of the New Registrant’ before R ‘process[es] a Change of Registrant from the Prior Registrant to a New Registrant’. Sending a message afterwards doesn’t seem to pass the sniff test for that, at least to this non-lawyer.”
Me: “Practically speaking, what do you think might happen if the bad guy made this move and tipped off the right law-enforcement agency?”
Him: “It really depends on how savvy that LEA is. These days, one would hope LEA officers would at least look at who owns the domain name, but you just said that the registrar transferred it to you and changed the WHOIS data to use your full name and address. I don’t see how they could distinguish this from you registering it yourself unless they notice that the name had transferred recently.”
Me: “So, what should we do about this?”
Him: “Tell ICANN. They’ve got a compliance department who deals with registrars and registries who don’t follow the contracts. You could instead just tell R, but I can’t really imagine a scenario where even a great tech support person would both understand the problem and be able to get it to the right people on their legal team in a reliable fashion.”
Me: “OK, will do. It seems likely that if R is doing this, some of the other thousands of registrars are too. Hey, there’s a blog piece in this, and maybe another when it gets resolved.”
Credits · This is actually co-authored by me and one of the friends who appears in the conversations above, who prefers to remain un-named.