[GNSO-TPR] Notes and action items - TPR WG Meeting #35 - 08 Feb 2022

[Julie Hedlund]

Dear TPR WG Members,

Please find below the notes and action items from today’s call.

The next TPR WG meeting will be on Tuesday, 15 February 2022 at 16:00 UTC.

Best regards,

Emily, Julie, Berry, and Caitlin

Action Items:

ACTION ITEM: Staff to update the document at Working document [docs.google.com]<https://urldefense.com/v3/__https:/docs.google.com/document/d/1RGow_TYPSESvI9DFweF3T_g7vgufg6zCwEdSsUjBfqs/edit__;!!PtGJab4!sQkbkEXuWsv1j2i8mdAbJ0-FrsfcejL9juXDiE61fkUs6GVMlkmVGwlfycuE81PRbvz7SC32Hw$>with the suggestion from today’s discussion for a mandatory 10-calendar-day lock for domain creation and transfer for continued WG consideration.  WG members are encouraged to review and to add comments and rationale in the document.

Transfer Policy Review Phase 1 - Meeting #35
Tuesday 08 February 2022 at 16:00 UTC

1. Roll Call & SOI updates (5 minutes)

2. Welcome & Chair updates (5 minutes)

  *   No updates provided.
  *   Still waiting for input from the Registry Stakeholder Group.
3. Continue discussion of registrar-applied locks upon domain creation and domain transfer (60 minutes) -- Working document [docs.google.com]<https://urldefense.com/v3/__https:/docs.google.com/document/d/1RGow_TYPSESvI9DFweF3T_g7vgufg6zCwEdSsUjBfqs/edit__;!!PtGJab4!sQkbkEXuWsv1j2i8mdAbJ0-FrsfcejL9juXDiE61fkUs6GVMlkmVGwlfycuE81PRbvz7SC32Hw$>

Post-Creation Lock:

  *   Need to come to agreement on what the timeline should be – has to be at least 5 days, if not as long as 60 days.
  *   Try to have consistency with creation locks and transfer locks.
  *   10-day minimum for both could be about right.  5 days could be too short.
  *   Should consider using weeks or hours to be more precise.
  *   In terms of 10 days: what is it about 10 days that allows us to avoid the charge-back issue?
  *   10 days is enough to allow for the various processes based on analysis – time to identify the fraud and take it down.
  *   Paypal disputes are not solved instant, 10 days seems reasonable.
  *   It can differ from country to country.
  *   We are going to have to provide the rationale for the Initial Report in public comment.
  *   What's the point of having a lock at all? Which opportunity does it offer to the Registrar over the registrant?
  *   Also what is the scope of fraud attempts? Is it so much that it justifies a longer lock period, or is it relatively minor?
  *   See: https://docs.adyen.com/risk-management/understanding-disputes/dispute-process-and-flow#defense-timeframes.
  *   No, not only payment issues -- Also domain thefts and a needed time for investigations.
  *   And we are discussing a digital service which can transfer and cannot be compared to buying a TV.
  *   Registrars will argue that 5 days isn’t viable; 7 days also is too short.
  *   Generally the credit card companies are pretty quick to resolve fraud now, but that could change.
  *   We need to factor in the registrars and charge back, and the ease of being a registrant – user experience.  Would like to have the number of days as low as possible.  There are lots of numbers available on line about charge-back.
  *   What is the reason behind the lock?
  *   In our rationale we can discuss a fraud-deterrence element.
  *   Standardizing this would help a lot of registries and registrars.
  *   Let’s focus on the minimum number and the rationale for it.
  *   Going from 60 days down to 10 feels like a Big Change, but the reasoning behind the 10 day period does make sense.
  *   Would be easier for the registrant if those lock periods (post-reg and post-xfer) are the same.
  *   We have two types of locks – post-creation and post-transfer.  Those locks need to be different for different reasons.
  *   Argue against a range of minimum and maximum – hard to explain to the registrant.
  *   The after transfer is more prone to theft.  Not a huge factor on creation, but still happens.
  *   Thought we would have a number for all registrars and registries, with no ranges.
  *   Focus on whether we have an upper limit or whether we just have a minimum.
  *   Group seems to agree that 5 is too short with support for 10 days.
  *   Could be a mandatory 10-day lock with an optional up to X-day lock.
  *   If one of the primary reasons for post-creation lock is to protect registrars from fraud, what about a registrar who isn’t concerned about fraud – could they lower or waive the lock period?
  *   If there is going to be a minimum 10-day lock it would be disappointing if registrars picked a hodge-podge of days above that minimum.
  *   If we went to 30 days that would allow more flexibility.
  *   Discretion defeats the purpose of the policy.  Needs to be the same for everyone.
  *   If we allow any range a lot of registrars will just keep it at 60.
  *   Registrars could still decide whether to have a lock.
  *   If we are going to have a lock we shouldn’t have a minimum, just a mandatory number of days.
  *   Have we heard reasons to allow flexibility in the lock period?
  *   Can you transfer the day after without impacting the grace periods?  The grace periods will be a problem.
  *   Grace Period is a well-defined term. It's not a "arbitrary lock time".
  *   Are we setting an “up-to” date?
  *   There should be a mandatory number – no maximum or minimum.
  *   Could have both a strict number and a max number.
  *   There is a minimum grace period.  We have to respect that.
  *   If you set a maximum then you have to set a minimum.  If you pick one number you don’t have that problem.
  *   Could have 10-day minimum and a 30-day maximum.
  *   Don’t see an argument for 30 days.
  *   Seems like agreement for a mandatory 10-day lock with a rationale for create and transfer.
  *   Make it clear that we are talking about calendar 10 days, not business days, or hours.
Post-Transfer Lock:

  *   Increased probability of fraud with transfers to a 60-day lock is appropriate.
  *   Statistics don’t show the high numbers of domain name theft.
  *   Support for 10-day lock.
  *   With the creation lock hard to envision the creation and then wanting to transfer right away.  One example is that many domain names are purchased on the secondary market and the purchaser in the marketplace will want to move it to their own registrar – lock would prevent that from happening. No reason to save the registrant from themselves if there are two willing parties, so removing the mandatory requirement may be appropriate.
  *   Post creation and post transfer are quite different.  In a post transfer if the name is lost the company could be at risk.
  *   At lot of theft occurs most likely because the thief has control of something.
  *   Think it is a big question as to whether this is common.
  *   10 days seems to be sufficient for both creation and transfer and would be less confusing for a registrant.
  *   The post-transfer lock is exactly the time, you have to rewind the fraudulent transfer. 10 days is far too low to even notice or contact the reseller (chain).  Especially if the FOA to the registrant is dropped.
  *   Concerned that we are making this more strict (there current is no mandatory lock policy) without justification.
  *   Wondering what the industry advantage is of this post lock (creation or transfer)?  Heard about fraud and stolen names, but why wouldn’t a registrar put a no-transfer allowed lock as soon as it comes in?  Whatever process you use for the TAC could include fraud protections/locks.  If you don’t want to lock then that’s your choice.  Registrars can already control this.
  *   One reason is lack of consistency among registrars.
  *   If feels like we are solving a problem of bad actors, not good actors.  So what is the industry advantage.
  *   From prior policy development around transfer we have experienced a 60-day lock for change of registrant (to be discussed later).  We are talking about a mandatory lock of some duration with a release valve to be somewhat involved to achieve.  Having a lock is to mitigate registrar bounces and to have consistency.  There’s mentions of the aftermarket, and that is significant and relevant, but consensus policy doesn’t apply to all participants in the aftermarketplace. The consensus policies apply to the contracted parties.
ACTION ITEM: Staff to update the document at Working document [docs.google.com]<https://urldefense.com/v3/__https:/docs.google.com/document/d/1RGow_TYPSESvI9DFweF3T_g7vgufg6zCwEdSsUjBfqs/edit__;!!PtGJab4!sQkbkEXuWsv1j2i8mdAbJ0-FrsfcejL9juXDiE61fkUs6GVMlkmVGwlfycuE81PRbvz7SC32Hw$>with the suggestion from today’s discussion for a mandatory 10-calendar-day lock for domain creation and transfer for continued WG consideration.  WG members are encouraged to review and to add comments and rationale in the document.

4. Begin discussion on NACKing (15 minutes – time permitting) -- Working document [docs.google.com]<https://urldefense.com/v3/__https:/docs.google.com/document/d/1L2bZnhJUY3VxyAjVCrkyVqdttOPn2EaqBARRRnEPd0Q/edit__;!!PtGJab4!sQkbkEXuWsv1j2i8mdAbJ0-FrsfcejL9juXDiE61fkUs6GVMlkmVGwlfycuE81PRbvx3xnJXDg$>

  *   Pick this up at the next meeting.
5. AOB (5 minutes)

  *   Next call: Tuesday 15 February 2022 at 16:00 UTC
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mm.icann.org/pipermail/gnso-tpr/attachments/20220208/b6cf31ff/attachment-0001.html>