This is going to play out in an interesting manner.

Although this was implemented to solve one problem (namely a situation where a registrant may be unable to transfer a domain away from their current registrar), it creates a new set of issues.

This new transfer policy has the potential to play out exactly way that long distance carrier slamming did in the 90’s over the next few months.

The new ICANN Transfer policy, while streamlining one’s ability to transfer names under one’s own management to the registrar of their choice, does in fact create a more open opportunity for someone to transfer a name away from you.

Basically, the status-quo transfer policy is explicitly one where a transfer must be opted into, and works like this:
1] Transfer request made by gaining registrar via RRP/EPP the registry level.
2] IF a domain is on registrar-lock, the gaining registrar’s RRP/EPP request is immediately denied at the registry level, STOP HERE.
3] IF the domain is not locked, the gaining Registrar’s RRP/EPP Transfer request proceeds with the next step of the transfer request at the registry.  The domain is now in pending transfer status at the registry (the status is in place for 5 days), but no transfer has occurred.
4] The losing registrar has 5 days to ACK the transfer so that it can proceed.  At this point, most losing registrars notify their registrant is emailed by losing registrar notifying them of the transfer request and that they need to acknowledge that this is what they want.
5] Either a response of NO (NACK) or the absence of a response from losing registrar registrant within that 5 day period = Transfer Declined. STOP.
6] If the transfer request was explicitly acknowledged in some manner by the losing registrar, the transfer proceeds at the registry.
7] The gaining registrar becomes the registrar of record, and one year is added to the registration term.  FINIS

The new transfer policy is such that the first two conditions remain the same with regard to registrar-lock. 

The key difference is that a transfer must be explicitly declined within that 5 day period, or else the domain gets transferred away from your current registrar.

While it is a good scenario for those who have the best of intentions in transferring their own domain to the registrar of their own choice, the new policy creates opportunity for those with less altruistic intentions for your domain name to potentially take it from you.

I personally use over 80 Registrars’ interfaces to manage a variety of domain names.  I have been frantically working to get all of my various names registrar-locked since this policy was approved. 

For the most part, there has been success, as most of the top registrars have interfaces in place to allow names to have their registrar lock status be controlled by the user, per name.  While these registrars may not add this registrar lock by default, a registrant can modify their settings themselves to their preference.

Many of the smaller registrars who either don’t have an interface or lease their connection threads to (pool/drop) registrars simply may not have any form of management panels where a registrant may self manage this status.

It is not clear that names in these registrar’s care are not exposed to potential rogue transfer requests.

The best and only protection one has against having a domain name transferred out from under them is to have their domains in registrar-lock status.

It is simple to check if a domain is on registrar-lock status by looking at the results of a registry whois for the name. 

The registry will identify that the name is on registrar-lock or not.

I have also found monitoring sites that watch domain names (i.e. DomainsBot, Godaddy, eNOM, Whois Source, more...)

I encourage domain holders who are not certain that they have their portfolios locked down to do so and validate their settings, just to have peace of mind.

I anticipate that we will be hearing of folks whose names are transferred away from them in the coming weeks, and I hope that it is not anyone in this readership.

-j

What I would be very concerned about is the likes of DROA. As things stand “companies” like them tend to prey on the not so technically literate clients. What will happen now? Will we see a situation where more of these scammers gain ground in the marketplace at the behest of our unsuspecting clients?
It is at times like this that I am extremely happy that ccTLDs like IE are fully managed.

Domain Adminstrators, Be alert!

I had the first opportunity to block an unauthorized transfer request on a domain name on 11/17 (exactly 5 days into this new policy).

An unauthorized transfer on a domain was initiated by BulkRegister.com (allegedly by a rogue member/reseller).

This new transfer policy is a completely subutopian in the way that the burden of responsibility has been shifted to the domain owner.