[This fragment is available in an audio version.]

A friend of mine pinged me online, said “Hey, remember that thing we were talking about doing a couple years ago? I still have one of the domain names, gonna let it go unless you want it.”

I said “sure, I’ll take it”.

Him: “Let me look up how to transfer it.”

Me: “I’ll look up how to receive it. There’s always some bureaucracy and ceremony. But all my domains are at R these days and they’re pretty good at making easy stuff easy.” (“R” refers to a well-known top-25 registrar, whose name I’m withholding to protect the guilty.)

Him: “WAIT. STOP.”

Me: “?”

Him: “I’m at R too. Hold on… this looks easy.” [A minute of silence…] “OK, look and see if you got it.”

So I sign into R and list all my domains. “Holy crap, there it is. That was easy.”

So I told him thanks. But that evening, the transaction kept rattling around in my mind, and I was getting less and less comfortable.

Because I was thinking, maybe a bad actor could use this to SWAT me. Suppose the bad actor has an account at R, held by some anonymous tax-shell company in a remote jurisdiction, and they own plenty of domain names, maybe innocuous, maybe horrific, suggesting torture, suffering children, revenge video, death camps… Suppose they posted truly horrific (and violently illegal) stuff at some IP address on a “bullet-proof” overseas server, pointed one of their names at it, transferred the name to me, and then tipped off law enforcement about this horrific abuse being hosted by some guy named Tim. How long till my front door gets broken down?

That evening, I mentioned it to my spouse who is also my business partner and she said “Oh yeah, I wondered what that was about, I got an email from R saying your buddy had transferred a domain name to you.”

I inquired if they’d asked her to do anything to accept the transfer and she said “No, but it did have a number to call if this wasn’t kosher.”

Which might help avert the nightmare SWAT scenario, assuming you are the kind of person who diligently keeps up on your email inbasket and promptly reads bureaucratic-sounding emails from domain shops.

And anyhow it seemed too obvious; surely there must be some policy or regulation in place to keep this kind of awfulness from happening?

Well, I hang around the IETF (I’m currently co-chairing a very minor working group.) And in the IETF are people who know people who Really Know Their Stuff about how domain names work and are regulated, in practice. So I found one of those people.

I told him the story and asked “Is what happened there legal, and could a bad actor make it look like I operated a bad domain?”

Him: “Dunno about ‘legal’ because I learned what IANAL means about 35 years ago. But, yeah, a bad actor could make you look bad because when the police look at the WHOIS data for the domain name, your info would be there, and it would be assured by your registrar, who is also the registrar for other domains that you own.”

Me: “So, are there any regulations or policies or, you know, laws, that apply here?”

Him: “There are definitely contractual agreements between ICANN and every registrar. Looking at ICANN’s official transfer policy, what happened seems to fall well outside of Section II.C.1.2, which clearly says that R must ‘Obtain confirmation of the Change of Registrant request from the New Registrant, or a Designated Agent of the New Registrant’ before R ‘process[es] a Change of Registrant from the Prior Registrant to a New Registrant’. Sending a message afterwards doesn’t seem to pass the sniff test for that, at least to this non-lawyer.”

Me: “Practically speaking, what do you think might happen if the bad guy made this move and tipped off the right law-enforcement agency?”

Him: “It really depends on how savvy that LEA is. These days, one would hope LEA officers would at least look at who owns the domain name, but you just said that the registrar transferred it to you and changed the WHOIS data to use your full name and address. I don’t see how they could distinguish this from you registering it yourself unless they notice that the name had transferred recently.”

Me: “So, what should we do about this?”

Him: “Tell ICANN. They’ve got a compliance department who deals with registrars and registries who don’t follow the contracts. You could instead just tell R, but I can’t really imagine a scenario where even a great tech support person would both understand the problem and be able to get it to the right people on their legal team in an reliable fashion.”

“Me: OK, will do. It seems likely that if R is doing this, some of the other thousands of registrars are too. Hey, there’s a blog piece in this, and maybe another when it gets resolved.”

Credits · This is actually co-authored by me and one of the friends who appears in the conversations above, who prefers to remain un-named.


Comment feed for ongoing:Comments feed

From: Nathan (Jun 02 2022, at 12:23)

I guess now you find out how many people are willing to pay to register an awful-sounding domain and then transfer it to you for the sake of a joke that only one person will notice.


From: Colin Dean (Jun 03 2022, at 07:47)

It feels like this is a great case for private registrations, as seems to be common for many TLDs these days. However, those are not impenetrable: a motivated LEO can follow the process even if their inquiry and action wouldn't likely withstand the first judge in a country with protected speech like the US.

This is definitely a problem, though, and I thank you for writing about it. The consent of the recipient is very often overlooked.


From: Some Concerned Rando (Jun 03 2022, at 09:35)

I have a domain that I have owned for some time, which is basically my last name. I transferred from "R" (I think its that one) to "GD" (also name shortened to protect the innocent, but reasonably inferable). I now spend $20 a month to this new vendor to "keep" the domain. Is there a cheaper way to maintain ownership of my domain without needing to shill out every month to this "holder of records"?


From: Josh (Jun 03 2022, at 12:48)

I think a bigger problem here is that /law enforcement/ often acts without liability for their mistakes. The only controls on abuse of their authority is that there must be evidence and the issue must lie in their jurisdiction, both legally and physically. There is no legal framework, like there is in medicine or finance, for you to redress damages and grievances, although some individuals do successfully litigate.

That you are concerned a militarized troop force would bust down your doors for having your name on a domains' registration says a lot less about you and a lot more about the propensity of government today to send militarized troop forces into people's homes for any and every reason they see fit(while still managing not to protect us).

/Law enforcement/ needs to stop. I know this is a very politically charged subject but we need to directly address the fear and the elephant and not ignore it while discussing these somewhat more trivial flaws in the way the business called "the web" works. We should start acknowledging this fact whenever we talk about anything involving LEA.

The end to law enforcement means the constabulary must rely on the guardsmen for incidents of violence, and means your life would not be in danger just because someone thinks you broke a law and you would not be arrested by force unless force was required. It is time to break up the police.

Can I get an AMEN?


From: Technical Director (Jun 04 2022, at 15:22)

There are reasonably few circumstances where holding a domains in itself is a criminal offence, the majority of these being restrictive ccTLD for white collar intellectual property crimes.

Can you find any case where holding a domain alone (newly registered or transferred) has resulted in an aggressive visit from LEA? It's the content that's usually the crime, which is where they focus on the IP/networks/hosting and providers behind.

Quangos such as https://www.internetjurisdiction.net/ are doing a reasonable job of keeping LEA abreast of the difference between registry, dns and content abuses.

If "R" is allowing the pushing of domains between user accounts without picked up users acceptance I see other attack vectors such as DoS by transfer (send someone your unwanted expiring domains, does auto-renew persists, and can that cause the targets billing and own renewals to fail (also try convincing R to reverse that registration and refund you)).


From: Rob (Jun 05 2022, at 15:02)

It took over 30 years of working in not infrequent proximity police and observing them in their natural environment, doing their natural thing, to wash the last vestiges of the copaganda that pervades our culture from my mind.

Legalities are only relevant for survivors, if then. In the real world, the only thing that protects us from the grotesque stupidity and paranoid and very petty maliciousness (a terrifying combination) of the police is their extraordinary stupidity and jaw-dropping laziness. Civilians, unless they have have spent any time in copland, rarely understand just how pervasive and deep the laziness and stupidity are.

The common assumption is still that the events in Uvalde are an exception, not the rule...

But that's cold comfort if you do happen to somehow or other stumble onto their radar.


author · Dad · software · colophon · rights
picture of the day
June 02, 2022
· Technology (90 fragments)
· · Internet (116 more)

By .

The opinions expressed here
are my own, and no other party
necessarily agrees with them.

A full disclosure of my
professional interests is
on the author page.