2024-01-09 Transfer Policy Review PDP WG Call

Notes/ Action Items

 ACTION ITEMS/HOMEWORK: None captured.

Notes:

1. Welcome and Chair updates

• Make sure everyone has had a chance to get caught up.
• Continue with CoR to wrap up soon.
• Steinar: What is the status in the questions on the metrics? Compliance is still working on them.

2. Recap COR Security Measures discussion (preliminary recommendations) – see attached slides.

a. Improper CORs --- start at slide 2.

Discussion:

Slide 4:

• Need to agree on the definitions.
• Not surer what we’ve decided overall, so hard to say.
• Need to be updating the working document: https://docs.google.com/document/d/1gu4sXGvyJeWJIfvaK_I7GKA6lAdfKFPQKaN4UMgzmcE/edit [docs.google.com]
• We are talking about what makes a COR. Is it change of control?  We will cover today.

Slide 5

• Looks pretty good.
• Update the title – does this need a note that if the previous and new registrant are the same we don’t need this.
• Do you have to do it before COR? Notifications will be sent at the time of change – 24 hours for registrants who have manual processes.
• Notification is after the COR is completed.
• Sarah (from chat): with brackets as suggested by Zak. “Preliminary Recommendation 1: The Working Group recommends that, following a Change of Registrant,* the Registrar MUST send a notification** of the Change of Registrant to both the Prior Registrant (as listed in the Registration Data immediately prior to the Change of Registrant) and the New Registrant, without undue delay [but no later than 24 hours after the Change of Registrant occurred.]”

b. COR + TAC requests

Slide 6:

• This is the culmination of a lot of discussions.
• This where we left a couple of weeks ago – bullet 2 is whether there is a COR or not there is a 30-day lock.
• Could use a reminder of the enhanced security around the TAC from Group 1a. Could add a one pager (ACTION).

Slide 7:

• Language provides flexibility for how this is done operationally.
• Due diligence won’t be applied every time – should be able to be automatic and at scale.
• That’s why we don’t say what is “due diligence”.
• What’s important here is that something is going to be necessary, if not a MUST.  Helpful to identify what types of due diligence.
• We need to make sure we agree on what due diligence means.
• 39 min
• Need to be careful on how specific we get – different registrars will have different models.
• Maybe use more precise wording instead of “due diligence”.
• Don’t know what to do if we don’t know what is meant by “due diligence’.
• Sarah from the chat: “When a TAC request follows a recent Change of Registrant*, Registrars MAY utilize the five calendar day (120 hour) period for TAC issuance to review and validate any recent COR changes.’
• This is tied to removing the 60-day lock.
• Not sure how this would be enforced.
• Registrars already do this so it should be a MAY.
• Think we still need to call it out.
• Pretty clear SHALL has to be a MAY.
• Owen from the chat: “I also have no idea how a registrant could quantify with facts/details that a registrar did not use “due diligence”. Any registrant that loses a domain name will make such a claim, even if the registrar 100% complied with contractual obligations”
• Staff sees this as something in the policy but not stated.  This relates to the definitions discussion.

Slide 8 – alternate to removing 60-day lock:

• Consumer unfriendly and arbitrary.
• Like the potential for the removal of the lock but not sure it’s needed.
• Sometimes complicated to determine if agreement exists.  Registrar should not be part of any agreement.
• Consistency across policy was definitely something that we've always talked about, which is something we will continue to try to strive for.
• Speaking as a registrant, if I want to transfer the domain and there's a lock on it, I should be able to remove that lock and not go back to the registrar and hash it on with them.
• So what I'm hearing is that the original preliminary recommendation 2 is something that the group is more supportive of than this idea. Removing the 60 day lock completely and making the change of registrant and the transfer request or TAC request two separate processes, and keep them separate on purpose. So removing the 60-day lock achieves that idea to of separating those two concepts

3. Definitions discussion: Change of Registrant vs Control – Start at slide 10:

Discussion:

• This is something we need to agree on and move forward so that we know what we're doing. Are we leaving at a change of control and tweaking what a material change is, or change of registry and tweaking? Do we need to make a difference between those? Are we just going to say if emails changed then that's what we're talking about. If they change their name we don't care?
• The original context for material change was domain name theft.  Now the only change that’s relevant in this process it the email address. And if that email address changes, then that needs to be a process which we already sort of defined with notification, etc.
• Privacy proxy is probably not an issue.
• The question is, is this an actual change of registrant? Or is this just an update that removes the privacy proxy data? I don't think that we, as a transfer group, should be defining privacy proxy and their role in the in the ecosystem at the moment. There are other groups that have done that and succeeded partially at least.
• There's very little policy at ICANN on privacy proxy providers as of now. A change from John Smith to a proxy provider, that's going to constitute a change of registrant and trigger notification requirements, trigger locks, if there's locks, etc.
• If there is a change of registrant, where the organization name changes to a new entity, which then becomes the owner of the domain name, or if John Smith sells it to Barbra Hanson, those are all changes of registrants and domain name gets a new owner. But do we need special policy around it? I think we have laws in place that already cover such things. So that is not an issue.
• So back in the day everyone would have their information out public. Those that utilize privacy proxy before you could transfer to another registrar, you had to remove the privacy proxy so that the gaining registrar could pull the Whois data and bring that into the system. So I think certainly privacy proxy providers should be exempt from any type of change of registrar type policy because of those complications. Then also just to highlight, that if it's using a privacy provider that is not changing a registrant. But if I have a domain name registered in my name, and then I put on a proxy provider, and that is 100% a change of registrant just because the proxy provider then becomes the registrant.

4. AOB