[policy] When Tech Meets Policy...

but today that provision is: If you buy a domain you have 5 days to
'return' it. The reason behind the return could be: "oops, I typo'd" or
"hurray, please refund me for the 1M domains I bought 4.99 days ago!". The
'protect the consumer' problem is what's enabling tasting.

So combine these ideas with the possibility that someone will claim various consumer protection laws apply to these transactions and want to cancel the contract within three days.

The whole "consumer protection" thing is a bit of a red herring.

Instead, why don't we have a three day waiting period when the domain is
"reserved" but not active. Grandma could notice her typo, credit card processors could notice fake card numbers, and so on and rescind the registration.

The typo-or-whatever is likely not to be noticed until the domain is actually in use, assuming
that such a thing ever actually happens.

After three days the sale is "final." Only then the name is made active in the zone files.

Do people really not plan that far ahead, that they need brand new domain names to be active (not just reserved) within seconds?

Yes. Legitimately so, too. Sometimes because of mistakes, sometimes because someone sees
a need for a new domain name, and is ready to use it the same day.

The problem is not instant registrations. The problem is free registrations.

Cheers,
   Steve

Do people really not plan that far ahead, that they
need brand new domain names to be active (not just
reserved) within seconds?

I can say from my experience working in a web development environment,
yes. I can recall several cases where we needed to get a domain online
quickly for one reason or another. Usually it revolves around the
marketing department not being in-touch with the rest of the company and
the wrong/misspelled domain name ends up in a print/radio/tv ad that is
about to go to thousands of people and cannot be changed. We end up
having to go get the name that is in the ad and get it active as quickly
as possible.

Personally I'm all for things working as quickly as possible, and I'm
all for being able to "return" a domain within a reasonable time if
needed. Perhaps it would be better to allow for domain returns, but
shorten the time limit to 24 hours. That should be long enough to catch
a typo, but too short to be much use for traffic tasting.

-Justin Scott | GravityFree
Network Administrator


"Failure to plan ahead on your part doesn't mean a crisis on my part".

What happened to suits who failed to plan ahead *before* we had the Internet?

Barry Shein wrote:

> > The problems with domain tasting more affect web users, with vast number of typosquat parking pages flickering in and out of existence.
>
> Domain tasting clearly affects assessments based upon domains. With millions added and removed daily as part of "no cost" domain tasting programs, the number of transitioning domains has been increased by an order of magnitude. Many of these new domains often appear as possible phishing domains. The high number of tasting domains obscures which are involved in criminal activities. This high number also makes timely notification of possible threats far less practical.

This sort of chain of reasoning, one behavior for one purpose might
sometimes be a more insidious behavior for other purposes, makes me
nervous. I just think it's a treacherous way to make policy, except in
extreme cases.

Then again I'm not particularly bugged by people who run these ad-only
sites. Seems to me that's between them and the advertisers who pay
them so long as it's not inherently criminal. And where it is criminal
that should be dealt with, take any advertising medium in existence
and you'll find a percentage of fraud.

The real sin here is indicated by the terminology, "domain tasting".
Domains should be paid for in advance, not necessarily "by law", but
by liability.

That is, if you extend domains on credit w/o any useful accountability
of the buyer and this results in a pattern of criminality then the
liability for that fraud should be shared by the seller.

I am not sure tasting is criminal or fraud.

> This would not be unique, there are lots of real world examples (e.g., if you
> rented cars for cash and asked for no id's and they were often used in
> crimes...)

The car rental example falls apart: no ID = no way to track you down if you don't return the car.

I don't believe there are any real world examples, where "real world" deals with anything physical. I think this problem only exists in the electronic world, where what is being bought and sold is just a few bytes in a database.

Carl K

I agree that somehow you have to increase the cost to the 'tasters'
without hurting joe-six-pack. I think I've said that from the beginning.
So, there have been several options discussed; do we add that to the ICANN
discussion as options for them to pursue?

-Chris

> I'm really not sure, but I can imagine a slew of issues where 'marketting'
> doesn't plan properly and corp-ID/corp-branding end up trying to register
> and make-live a domain at the 11th hour...

"Failure to plan ahead on your part doesn't mean a crisis on my part".

that's fine in theory, in practice it just doesn't work so well :(

What happened to suits who failed to plan ahead *before* we had the Internet?

less spectacular failure? :) I really don't know, I imagine this sort of
thing happened with 1-800 numbers for customer support type things. Say,
speaking of 1-800 things, how does that system work? why don't the
equivalent 'domain tasters' on the phone side exploit the ability to sign
up 1-8XX numbers like mad and send the calls to their ad-music call
centers?

There's a case to be made that a policy which results in organizations registering and owning domain names which are close to the intended domain name but represent a common typographical transition is desirable from a security standpoint . . .

Yes, if grandma ordered a sign printed one way, and proofread it, and agreed to pay for it, and the printer printed it, then the printer is normally going to want money to make another different sign. If grandma, or anyone else, orders a domain, and confirms that’s the domain they want, and gets it activated, then they should pay at least the first year's fee, no matter what…

Or perhaps domains can be on-line instantly for a $100 non-refundable “rush” fee, or be cheaper and more refundable if you don’t mind waiting longer (long enough to fix the tasting issues). And yes, I suppose ICANN or similar would have to collect or mandate the costs for it to affect all areas of the problem?

> Do people really not plan that far ahead, that they
> need brand new domain names to be active (not just
> reserved) within seconds?

I can say from my experience working in a web development environment,
yes. I can recall several cases where we needed to get a domain online
quickly for one reason or another. Usually it revolves around the
marketing department not being in-touch with the rest of the company and
the wrong/misspelled domain name ends up in a print/radio/tv ad that is
about to go to thousands of people and cannot be changed. We end up
having to go get the name that is in the ad and get it active as quickly
as possible.

Been there. But it's rare enough in real life that I'd happily waive the right for full refund return for immediate domain publishing. Maybe marketing would learn to spell after a few costly mistakes.

Any other domain registrations getting a 3 day wait before publishing can have a more lenient return policy, maybe with a small processing fee. That's not unreasonable, and has something for the registrars.

And grandma would be able to correct her typo, and the registrars would have time to check grandma's credit card, since she's so typo-prone.

1. Maybe they do.

  ;>

2. People tend to be much more careful about punching numbers into a telephone than typing words on a keyboard, I think. There's also not a conceptual conflation of common typo mistakes with common telephone number transpositions, I don't think (i.e., I'm unsure there's any such thing as a common number transposition, while there certainly is with linguistic constructs such as letters).

A question to the registrars here: What fraction of legitimate
domain registrations are reversed because the customer
didn't know how to spell, and noticed that within the five
day "dictionary time"?

From what I've seen here, most customers notice within minutes or (in the worst cases, hours), not days. And these are the same customers that might go 6-12 months without noticing that their domain has expired.

I suspect that most of the suits from the late 1960's have retired or
worse by this point, regardless
of their foresight-fulness.

Regards
Marshall

Carl Karsten wrote:

That is, if you extend domains on credit w/o any useful accountability
of the buyer and this results in a pattern of criminality then the
liability for that fraud should be shared by the seller.

I am not sure tasting is criminal or fraud.

You got what you ordered. You used it. You pay for it. It's that simple.

Ken Eddings wrote:

Do people really not plan that far ahead, that they
need brand new domain names to be active (not just
reserved) within seconds?

I can say from my experience working in a web development environment,
yes. I can recall several cases where we needed to get a domain online
quickly for one reason or another. Usually it revolves around the
marketing department not being in-touch with the rest of the company and
the wrong/misspelled domain name ends up in a print/radio/tv ad that is
about to go to thousands of people and cannot be changed. We end up
having to go get the name that is in the ad and get it active as quickly
as possible.

Been there. But it's rare enough in real life that I'd happily waive the right for full refund return for immediate domain publishing. Maybe marketing would learn to spell after a few costly mistakes.

Any other domain registrations getting a 3 day wait before publishing can have a more lenient return policy, maybe with a small processing fee. That's not unreasonable, and has something for the registrars.

And grandma would be able to correct her typo, and the registrars would have time to check grandma's credit card, since she's so typo-prone.

I am not sure if this is what you are saying, but here is what just came to mind:

2 choices, same price:

1. instant, no refund.
2. 3 day hold, not active, but refundable till the point it goes live.

I also just noticed something that doesn't seem to have been brought up: by registering, wait, refund, repeat - you can sit on a name for free. (under both current and my proposed.) To prevent this we need a small processing fee.

Carl K

J Bacher wrote:

Carl Karsten wrote:

That is, if you extend domains on credit w/o any useful accountability
of the buyer and this results in a pattern of criminality then the
liability for that fraud should be shared by the seller.

I am not sure tasting is criminal or fraud.

You got what you ordered. You used it. You pay for it. It's that simple.

That doesn't make anything criminal or fraud any more than free samples. If a registrar wants to give a refund, I don't see anything wrong with that.

It is not even close to that simple,

Carl K

Tracking domain related crime is hindered by the millions of domains registered daily for "domain tasting." Unregistered domains likely to attract errant lookups will not vary greatly from unregistered domains useful for phishing. The large flux in domain names significantly inhibits anti-phishing efforts.

Although some may see delays in publishing as problematic, often domain facilitated crime depends upon the milli-second publishing rapidity used to evade protective strategies. A publishing process that offers notification will allow protection services a means to stay ahead of criminals. Exceptions could be granted on an exigent or emergency basis, where of course additional fees might be required.

Just as background checks are normally part of the hand gun trade, a background check should be normally part of the domain trade. Many are deceived by "cousin" domains frequently used in crimes netting billions in losses. Money garnered by capturing errant domain entries can not justify criminal losses that are likely to have been otherwise prevented. Domain tasting is worse than a disgrace.

For domains to play any role in securing email, a published MX record should become a necessary acceptance requirement. Using MX records also consolidates policy locales which mitigates some DDoS concerns.

-Doug

As John Levine once said - it's like running a wholesale ketchup
business by picking up all the tiny plastic packets of ketchup at fast
food stores ..

That doesn't make anything criminal or fraud any more than free
samples. If a
registrar wants to give a refund, I don't see anything wrong with that.

It is certainly fraud to take an entire pile of free samples. Domain tasting
is more like buying a plasma TV to watch the big game and then returning it
to the store on Monday.

However, when it's as blatant and obvious as it is now (more tasted domains
than legitimate registrations), and no policies are made to stop it despite
it being so easy to do so (simply limit the number of refunded domains to
10% of registrations or charge a 20 cent fee for refunded domains), you can
argue that it's now an understood and accepted practice.

It's not fraud if both parties know it's going to happen, can easily act to
stop it, and neither one chooses to.

DS

Douglas Otis wrote:

I am not sure tasting is criminal or fraud.

Tracking domain related crime is hindered by the millions of domains registered daily for "domain tasting." Unregistered domains likely to attract errant lookups will not vary greatly from unregistered domains useful for phishing. The large flux in domain names significantly inhibits anti-phishing efforts.

doesn't make it criminal or fraud, unless you can prove the intent was to hinder law enforcement. good luck with that.

Although some may see delays in publishing as problematic, often domain facilitated crime depends upon the milli-second publishing rapidity used to evade protective strategies. A publishing process that offers notification will allow protection services a means to stay ahead of criminals. Exceptions could be granted on an exigent or emergency basis, where of course additional fees might be required.

"exigent or emergency" sounds like someone would have to approve/deny the request. One of 2 things will have to happen:

1) spikes in number of requests per day will overwhelm the staff, and "emergency" requests will go unanswered for days.

2) a huge staff will have to be paid to be standing by and normally not doing anything, just to cover the spikes. and the chance of only having just enough to cover the spikes is slim to none, so either #1 will happen anyway, (just not as often) or the staff will be extra huge such that it is always underutilized, even during the highest spikes.

Just as background checks are normally part of the hand gun trade, a background check should be normally part of the domain trade.

see my other post (doesn't scale)

Many are deceived by "cousin" domains frequently used in crimes netting billions in losses. Money garnered by capturing errant domain entries can not justify criminal losses that are likely to have been otherwise prevented. Domain tasting is worse than a disgrace.

you lost me on this one.

This is sounding like "People Vs Larry Flynt" where he says "you don't have to like my magazine, but you do have to let me publish it." I am not saying tasting is a free speech thing, but I do see it as something currently legal, and don't see a way to make it a crime without adversely affecting the rest of the system.

For domains to play any role in securing email, a published MX record should become a necessary acceptance requirement. Using MX records also consolidates policy locales which mitigates some DDoS concerns.

I think it is too late to try to reform e-mail. But I am curious how you think this would be implemented in the existing system.

Carl K