Domain Transfer post-GDPR

Posted on Oct 24, 2018


In our last post, we talked about the GDPR-compliant changes ICANN has made to the WHOIS database. Now, let’s take a look at one of the major impacts of such changes.

GDPR is essentially a data-privacy law, so its biggest concern is how publicly accessible the domain registrant information is. As long as the domain registrant information is not publicly accessible, then they are happy.

As simple as CTRL+A+DEL? Far from it, because many existing domain processes rely on the publicly displayed domain registrant information, and one of which is the domain registrar transfers.

Domain Transfers Pre-GDPR

Let’s backtrack a bit and take a look at how domain transfers are handled pre-GDPR:

  1. The first step is to you contacting your existing registrar to unlock the domain and obtain the domain Auth Code.
  2. Then, you will contact the new registrar to initiate the transfer, which involves them sending the Form of Authorization to the WHOIS-listed domain registrant (or administrative contact) email address.
  3. Now, you have five days to verify the transfer by responding to the Form of Authorization with the correct domain Auth Code. Failure to do so will result in the request being denied and aborted.

But now with the removal of all domain registrant information, the whole process falls apart at Step 2.

Domain Transfers Post-GDPR

So, how are domain transfers handled now?

Well, ICANN and the registries have been working hard to come up with workable solutions, but because GDPR is in direct conflict with the integrity and purpose of WHOIS, nothing has been set in stones yet. Instead, this registry-suggested workaround is the “next best thing”:

Step 1 – The first step remains the same: you will contact your existing registrar to unlock your domain and obtain the proper domain Auth Code.

Step 2 – Next, you will contact the new registrar to initiate the transfer request. You will need to provide the domain Auth Code as well as a domain administrative email address to the new registrar.

Step 3 – The new registrar will submit the transfer request, along with the domain Auth Code and domain admin email address, directly to the registry and complete the transfer process on your behalf.

For many people, this streamlined workaround solution is simple and easy, and does exactly what’s needed – transfer the domain. Hooray!!

But for those who like to be more cautious, this workaround solution poses a big security risk – domains are being transferred without the Form of Authorization.

This workaround solution is built on the assumption that only the authorized domain contact has the ability to unlock the domain and obtain the domain Auth Code. So, what if an unauthorized person submits a domain transfer request for your domain? After all, all that’s required is just the authorization code for an unlocked domain.

Perhaps you’ll be relieved to know that Doteasy and many other registrars have come up with ways to better protect your domains:

1. Locking all domain names.
By locking all domain names, it allows the registrar to further verify domain ownership and/or authority before the domain is unlocked and the domain Auth Code released.

2. Transfer-away approval email.
Many registrars are opting to send a transfer-away approval email to the domain registrant that is listed in the raw domain registration records. Remember when you purchased your domain name, you were required to submit your information for the application process. While the information is no displayed on WHOIS, it is still on your account in our system. Every registrar will have the raw domain registration records for all the domains purchased/registered through them.
If there is no response to the transfer-away approval email within a specified timeframe, the transfer-away is deemed “approved”. This gives the domain owner one last chance to deny any unauthorized transfer requests.

We strongly believe that domain owners should be able to choose their registrar and move between registrars at their discretion. It’s our priority to ensure sufficient security measures are in place to protect against domain theft and educate our customers. However, because ICANN is still working on a workable transfer policy, our best option now is to follow the suggestions and modifications proposed by the registries until ICANN’s further instructions. If you have any concerns or questions about domain transfers, please feel free to contact us and we will do our best to ensure domain transfers remain simple and authorized.