123REG Taking Liberties with your .uk domain registration rights

[Edwin]

I suspect Identity Protect Limited is a company owned by 123Reg for their whois protection (total waste of money on uk domains where you can opt-out anyway if a UK individual) is part of that.

Identity Protect Limited's shares are owned by Mesh Digital, which is a group company of the group that includes 123Reg.

 

[aZooZa]

https://www.123-reg.co.uk/terms/

You'll need a bigger shovel than I have to dig very deep...

 

[RobM]

Well it's moot now. Nominet have just said that the registrar has the right to take action on behalf of their customers which includes taking up the rights of registration for them. They only suggest that 'best practice' would be to notify the customer.

 

[Whois-Search]

Well it's moot now. Nominet have just said that the registrar has the right to take action on behalf of their customers which includes taking up the rights of registration for them. They only suggest that 'best practice' would be to notify the customer.

That’s not what their registrant agreement says:

6.1 By registering your domain name you promise that:
6.1.1 you (or your registrar) have the permission of any person whose personal data is to be held on the register in line with condition 8;
https://nominet-prod.s3.amazonaws.c...nd_Conditions_of_Domain_Name_Registration.pdf

Now while 123-reg may have permission of “Identity Protect Ltd” (as it is their company) for the Whois - do they have permission off the customer to register their right to the .uk ?

If this were “Whois privacy” then 123-reg should be using the new Whois privacy framework here:

http://registrars.nominet.uk/namespace/uk/privacy-service-framework

However then you are back to getting permission to upload the underlying registrant data to Nominet.

Also...

If you search DRS decisions for known Whois privacy companies you will note some of them have three strikes already. That means anyone with rights to a term could DRS one of these .uk names and it will be transferred on a summary transfer?

Search for “Identity Protect Ltd” on here:

https://secure.nominet.org.uk/drs/search-disputes.html

or look at D00015336 enterprise.org.uk

 

[RobM]

Well that's what they just emailed me. It's really just a 'go away we're letting 123reg do what they want' email.

 

[simondooner]

The fundamental issue for me in all this is that 123Reg have taken action without my express permission and against my wishes. I’m very uncomfortable about that.

Thanks to 123Reg a company I have no relationship with (Identity Protect Limited) is now the registrant of a domain that is not theirs.

Does this worrying precedent give 123Reg the right to transfer other UK domains held with them as they see fit - all on the premise that they can take action on behalf of their customers?

 

[scottmccloud]

It would be interesting to see if they do anything like this after GDPR comes in next year. I'm in no way a legal expert, but I can't see actions like this being compliant.

 

[Whois-Search]

Two more questions for Nominet....

The 123-reg service “Identity Protect Ltd” has a PO Box according to their website:

https://www.123-reg.co.uk/support/answers/what-is-whois-privacy-462/

PO Boxes are not allowed in .uk registrations ?

See 7 on .uk rules https://nominet-prod.s3.amazonaws.com/wp-content/uploads/2015/10/Rules_June_2014.pdf


And according to the .UK and Data Quality Process Charts for Registrars:

http://registrars.nominet.uk/sites/default/files/registrarprocessmaps-v14.pdf

Chart 3b. Nominet internal process .uk domain name not registered – a right exists ON SAME REGISTRAR TAG

Nominet should check:

Is the applicant the person who holds the rights?

Which looks at:

match of name, address and email
• 100% character match
• Not case sensitive
• Address only looks at address 1, postcode and country codes

How did Nominet match the address and email address of the registrant to that of Identity Protect Ltd ?

 

[RobM]

The fundamental issue for me in all this is that 123Reg have taken action without my express permission and against my wishes. I’m very uncomfortable about that.

Thanks to 123Reg a company I have no relationship with (Identity Protect Limited) is now the registrant of a domain that is not theirs.

Does this worrying precedent give 123Reg the right to transfer other UK domains held with them as they see fit - all on the premise that they can take action on behalf of their customers?

I'd be very concerned about who would be the target if there was any legal action due to the registration.

 

[martin-s]

Are Nominet abiding by their own published terms or not? It's hard to say

 

[invincible]

Two more questions for Nominet....

The 123-reg service “Identity Protect Ltd” has a PO Box according to their website:

https://www.123-reg.co.uk/support/answers/what-is-whois-privacy-462/

PO Boxes are not allowed in .uk registrations ?

See 7 on .uk rules https://nominet-prod.s3.amazonaws.com/wp-content/uploads/2015/10/Rules_June_2014.pdf

Perhaps refer to question 34 at: http://registrars.nominet.uk/namespace/uk/launch/q-and-a#faq-id-749

And according to the .UK and Data Quality Process Charts for Registrars:

http://registrars.nominet.uk/sites/default/files/registrarprocessmaps-v14.pdf

Chart 3b. Nominet internal process .uk domain name not registered – a right exists ON SAME REGISTRAR TAG

Nominet should check:

Is the applicant the person who holds the rights?

Which looks at:

match of name, address and email
• 100% character match
• Not case sensitive
• Address only looks at address 1, postcode and country codes

How did Nominet match the address and email address of the registrant to that of Identity Protect Ltd ?

Trying to exercise a .uk ROR via the WDM using a different registrant name returns the error “Domain not created - V334 Your request for domain '{domain}.uk' has failed because the 'account-name' for the registrant does not fully match any registrant which has rights for this domain” so perhaps they registered it first and then transferred it to their privacy service after.

 

[Edwin]

If they transferred it to their privacy service afterwards, then the way they’ve done it means they’ve taken legal ownership of something that belonged to someone else (because they didn’t use the Nominet privacy framework that retains underlying ownership info)

How can it be legal to summarily appropriate millions of other peoples’ domains? That’s much worse than what I initially thought they’d done, because the original registrant is no longer recorded anywhere “official” (ie Nominet run) as owning the .uk version of their domain.

 

[RobM]

If a single person has had a .uk registration made on their behalf without permission please contact nominet. A person there has just told me that when a tagholder submits a registration request they are required to have the authority of the registrants to do it. I see the only way to get round this is to claim the registrant has given authority but if that's not the holder of the rights to the registration that means the RoR is irrelevant.

 

[rwinslow]

Having looked at this in a little more detail it would appear that my .UK domain right of registration has been exercised by a company called Identity Protect Limited. This is not me, I do not know this company, nor do I have any contractual relationship with them. Legally It would appear that I am no longer the registrant of these .uk domains.

My right of registration has been taken from me and exercised without my express permission, against my wishes, by a company I have no contractual relationship with.

This isn’t the Wild West. How is this allowed to happen?

Once registration is completed domain activation can be set through the control panel which will allow the normal editing of domain whois details, DNS etc. It was thought best to put domains through using the privacy service without charge, so as not to populate the public database with registrant information. The privacy service in the background has the actual registrant information for the qualifying .co.uk.

 

[martin-s]

The privacy service in the background has the actual registrant information for the qualifying .co.uk.

Can we trust you to police yourselves though?

 

[rwinslow]

Can we trust you to police yourselves though?

Emails (and control panel pages) have been sent to all ROR applicable holders explaining that these domains are registered on the registrants behalf, for two years.

 

[simondooner]

@rwinslow

I'll reiterate for the sake of clarity... The fundamental issue for me is that 123Reg have taken action without my express permission and against my wishes.

 

[RobM]

Emails (and control panel pages) have been sent to all ROR applicable holders explaining that these domains are registered on the registrants behalf, for two years.

Why? Could it be to take advantage of auto-renewals not being cancelled on RoR date. I can't really understand why you think it's ok for people to do this. What's next - pointing nameservers to something else and 'sending an email' to point them back if you want? 'Dear Sir, we noticed you have no nameservers set for your domain so we have provided the service of pointing them to our page. If you don't like this just log in, go through all the spam, find the domain, and change it back. No worries. PS if you're still using this in a while we'll charge you for the service.'

 

[Nigel]

Yes I agree with that point about the nameservers. Hundreds of thousands (I assume - going by 123reg share of .co.uk market) of .uks are being registered with no nameserver listed and privacy set. I can't imagine that was the plan when this was set in motion by 123-reg. So what is your plan for these nameservers? Will they start advertising 123-Reg or are they going to be monetized? Or are you going to leave them with no nameserver for the next 2 years?

 

[RobM]

Just to reiterate that the nameservers thing was a sarcastic example of people using your domains to do what they want to profit themselves. That's not what the original point is about.... oh hang on yes it is.