The Evolution of the Domain Transfer Process

ICANN’s Inter-Registrar Transfer Policy (IRTP) defines the procedures and rules for domain name transfers. When it was first introduced in 2004, the Policy was limited to inter-registrar transfers. Over the years, it has been revised by Policy Development Process (PDP) Working Groups and expanded to include governance of domain ownership transfers and a transfer dispute process. But the original rules for inter-registrar transfers remained mostly unchanged until May 2018, when the Temp Spec came into effect, modifying the process for a post-GDPR world where Whois data, which had long been the primary means of transfer verification, was no longer publicly available.

But the Temp Spec is temporary. So what’s the long-term plan?

The last few months have been interesting. First, we’re now in the gap between the Temp Spec’s expiration and any formal update to the Transfer Policy. ICANN’s Expedited Policy Development Process (EPDP) team has recommended continuing to use the process outlined in the Temp Spec in the interim. The EPDP team also made several recommendations as to how the Transfer Policy should be modified, which we can expect to see reflected in those updates.

Secondly, and much to the delight of domain policy enthusiasts (we exist!), the Transfer Policy came due for review by the GNSO Council. This is a standard practice for all ICANN Consensus policies: once a policy has been in place for a number of years, ICANN Staff compiles a report on its effects, which the GNSO Council uses to decide if the policy needs to be modified. This time around, the decision is a pretty clear one—the fact that we’re still following the Temp Spec method instead of the pre-GDPR transfer process points to the need to update the Policy. The Revised Inter-Registrar Transfer Policy Status Report is almost a formality, given the circumstances, but it includes some findings and related suggestions which will hopefully spark data-driven improvements to the Transfer Policy alongside the necessary GDPR-motivated updates.

 

Recent Transfer Policy changes

It’s been just over a year since OpenSRS made necessary changes to our domain transfer process, and domains are still moving into and out of our platform smoothly. The biggest difference between our pre- and post-GDPR transfer process is that we are no longer able to use a “Form of Authorization” to confirm a domain owner’s transfer request. Instead, the authcode is used to verify that the request is valid and to initiate the inbound transfer within the registry system. We also now direct all transfer-related messaging to the registrant contact, since we no longer use an administrative contact for gTLDs.

These changes are in keeping with the Temp Spec and with what we anticipate to be the future of the Transfer Policy. They’re also aligned with the work being done by the registrar and registry joint TechOps team: developing a more streamlined, user-friendly transfer process that remains secure against domain theft.

 

Transfer Policy Status Report

The Report discusses the impact that the Temp Spec had on the inter-registrar transfer process, but its overall scope is broader, with a focus on three main goals that transfer-related PDP working groups have been considering since they first began exploring how to improve the transfer process in 2005:

– Portability

– Preventing abuse

– Providing information1

The related central questions are:

– Can registrants easily transfer their domain names?

– Are processes standardized and efficient for registrars?1

 

Takeaways from the Report

The Report shows ICANN Compliance has noted a steady decline in the rate of transfer-related Compliance tickets, suggesting that there are fewer overall concerns about the process, perhaps because domain owners have gained experience with it. However, ICANN’s Contractual Compliance metrics do show that transfer issues remain the second-most common reason for people to contact ICANN Compliance, following only Whois inaccuracy concerns. This suggests that there’s room for simplification and further education around the transfer process.

Another takeaway from the Report is that there was a significant spike in inter-registrar transfers in late 2016, likely caused by registrants changing their registrar just before the new Change of Registrant (COR) process and related lock came into effect. The Report also notes that immediately following the introduction of the COR lock requirement, ICANN Compliance began to receive a significant number of complaints about it.2 This tracks with our own customer service data which indicates frustration and confusion about COR locks generally, and we will be interested to see how COR lock complaint numbers change over time.

As acknowledged in the Report, ICANN cannot directly track abusive transfers, as such situations are not reported consistently and cannot be independently verified.

 

ICANN’s suggestions for improvement

ICANN provides four suggestions for how to enhance the Transfer Policy moving forward, and we have some thoughts on each of them.

ICANN Suggestion 1: Require registrars to log when a domain owner obtains their transfer authorization code.2

Our perspective: Logging when an authorization code is retrieved by an end-user is a great idea, although implementation would be complicated. In many domain management interfaces, this code is visible by default on the domain name details page—there is no affirmative request to retrieve the code. So for many resellers and registrars, this requirement would involve significant development work, but that work is well worth doing.

ICANN Suggestion 2: Provide a process or options to remove the 60-day COR transfer lock to better serve registrants’ needs.2

Our perspective: The 60-day transfer lock has indeed proven to be a nuisance to both registrars and registrants, and there is some confusion as to whether and how it may be removed after it has been applied. We welcome clarification of the requirements but expect it to be a long process including consideration of whether alternative verification safeguards would become necessary.

ICANN Suggestion 3: Clarify the Transfer Policy section about when a transfer can be denied due to non-payment.2

Our perspective: This change would be a useful clarification. The section of the Policy where this is laid out can be confusing and difficult to parse, so making it more straightforward should help registrars more easily understand their rights and obligations in this regard.

ICANN Suggestion 4: Clarify if the Change of Registrant process is applicable when the real underlying contact info is updated on a domain with an active Whois Privacy service.2

Our perspective: This has been a topic of discussion between us and ICANN for quite some time. We believe that, if the underlying ownership data on a privacy-protected domain changes, that’s a Change of Registrant. If the purpose of the COR process is to protect domain owners against hijacking, this is just as important for domains using Whois privacy as it is for those without. ICANN, however, argues that privacy-protected domains are effectively owned by the privacy service, and so COR is not applicable. We want this issue to be clarified, but at this point it’s a question of contractual interpretation, which always needs to be approached with care.

We appreciate that ICANN’s Contractual Compliance team has provided these suggestions and, if the GNSO Council decides that the Transfer Policy needs to be updated, which certainly seems to be the case, we look forward to working with the multistakeholder community to review these and other possible changes to the Policy.

The future of the IRTP

We always advocate for processes that keep things simple for the registrant while maintaining a high level of security and accountability. Tucows staff are part of the TechOps team, participating in the group’s efforts towards streamlining the transfer process to make domain transfers easier for domain owners while maintaining security against unauthorized transfers. Our hope is that the transfer process in use today under the Temp Spec will simply be turned into official policy. After all, it’s been in effect for over a year with no demonstrable detriment to domain owners.

Our Support metrics show that domain transfers make up a significant portion of Support interactions, with most questions focused either on ccTLDs with special processes, or general transfer status requests (“When will my transfer be complete?”). We’re working on providing more information to our partners via our Knowledge Base, which we hope will help our resellers in supporting their clients through this process.

The work that we do in the ICANN community is complex, as is its impact on registrants and resellers. It’s important to make sure the decisions we’re making are data-driven, rather than based on gut feelings that could turn out to be incorrect or only accurate for a small portion of users. This report is a great start; we’re glad to see critical review and engagement with the process and hope that the data provided in the Inter-Registrar Transfer Policy Status Report will be taken into consideration as part of future efforts towards updating the Transfer Policy.

 


  1. ICANN Org. “Revised Inter-Registrar Transfer Policy Status Report .” Icann.org, ICANN, Mar. 2019, 4.
  2. ICANN Org. “Revised Inter-Registrar Transfer Policy Status Report .” Icann.org, ICANN, Mar. 2019, 31-32.