Why the 60-Day Lock Is Essential
Recently, two writers at Tech Broiler apparently decided they could drive traffic to their website by criticizing the legitimacy of Go Daddy’s 60-day lock process. Kevin Murphy, of Domain Incite, noticed this and took it upon himself to correct some of the errors in the Tech Broiler post. We thank him for that. In addition to Mr Murphy's defense of Go Daddy's compliance with ICANN rules, we feel compelled to respond, because we use the 60-day lock to benefit domain name registrants every day, and will defend it against all critics.
To readers who are not familiar with the process, the 60-day lock is a security measure implemented by Go Daddy to guard against domain name “highjackings,” the industry term for the fraudulent transfer of domain names away from their rightful registrants. In sum, the process is that if a domain name registrant’s first name, last name, or organization name is changed, Go Daddy “locks” the domain name for 60 days following the change. The only effect of the lock is that it prevents the name from being transferred to another registrar during the next 60 days. Any other desired change to the domain name, for example, making an update to the DNS, can continue to be made during this period.
The 60-day lock is activated if, and only if, the registrant is changed. Registrants can and do change any of the other registrant fields, including email address, telephone number, and mailing address, or any of the fields for the administrative, technical, or billing contacts, without triggering the lock. So, although Mr. Raymond of Tech Broiler claims that a 60-day lock was placed on his unidentified domain name following his email address change, he fails to mention that he must also have changed either the registrant or organization name prior to his transfer attempt.
Go Daddy has established the 60-day lock process for one reason and one reason only – and it’s the same reason Go Daddy does lots of things. Simply put, it’s the right thing to do. In our long experience of registering domain names, we have found that that a high percentage of highjackings take place in the context of a change to the registrant’s name or organization information, followed by a transfer to a different registrar, often followed by multiple changes and transfers after that. By the time the rightful owner determines that the domain name has been highjacked, the domain name may have been transferred or sold several times over. It is incredibly difficult to recover a highjacked domain name, particularly where the name has been transferred to a rogue or offshore registrar.
When a customer notifies Go Daddy of a highjacking-in-progress, and the domain name is within the lock period, we can investigate the issue in-house and ensure that the rightful party retains the rights to the name. Preventing names from being transferred for a limited 60-day period following a name or organization change puts Go Daddy in a MUCH better position to help wronged registrants and to return highjacked names as quickly as possible, without the added complication of a potentially uncooperative registrar.
Here’s one true-life example. A Go Daddy customer was recently the victim of a phishing scheme/email compromise by a domain name hijacker. Through fraudulently-obtained information, the hijacker was able to access the customer’s account. The highjacker then moved 41 of the customer’s domain names to a new account and updated the registrant name, which initiated the 60-day lock. The highjacker also transferred 5 additional domain names to an offshore registrar without changing the registrant domain name. Thanks to the 60-day lock, the 41 domain names that were stolen and moved to another account did not leave Go Daddy, and were returned to the customer in short order. Weeks later, we are still waiting for the other 5 domain names to be returned.
Go Daddy advises its customers of the 60-day lock process right up front, prior to the customer making any change to the registrant name or organization field. When a customer attempts to update this information, conspicuous language is displayed, reminding the customer that the domain name may not be transferred for 60 days following the change. The customer must affirmatively check two boxes stating that he still wishes to make the change. The lock is triggered only in the event that the customer chooses to proceed. Should the customer not agree with the terms of the lock, there is an easy solution. He may simply transfer the name to another registrar, and THEN change the registrant name or organization. The vast majority of legitimate names changes and transfers are handled in this way.
Go Daddy’s practices with respect to the 60-day lock have been thoroughly examined by ICANN in relation to the ICANN Inter-Registrar Transfer Policy and the 2008 Advisory interpreting that Policy. The lock doesn’t implicate the Policy or Advisory in any way. Under the Policy, WHOIS updates are allowable at any time, and are not grounds for denying a transfer. The fields addressed by the 60-day lock,registrant name and organization, go beyond a simple WHOIS update. Instead, they act to essentially reassign the domain name registration to a new responsible party, the newly-named registrant.
The 60-day lock is just one of many measures Go Daddy has implemented to preserve the security and integrity of our customers’ domain names, and it is a big part of the reason we are so successful in doing so. Time and again, the 60-day lock has proven to be an effective tool in assisting us to thwart hijacking attempts and to recover hijacked domain names, and we have done so thousands of times already this year. No, fellow bloggers, the lock is not a devious ploy to keep domain names registered at Go Daddy. We have no interest in holding customers or domain names hostage. We prefer to rely on our low prices and industry-best service. Oh, and the world-class security practices that protect our customers from the threat of domain name hijacking.
We here at the Rudy Syndrome enthusiastically encourage Messrs Raymond, Perlow and/or Murphy to dispute the foregoing. But, inasmuch as it is purely based in fact, we doubt they will bother to submit a post.