Monday, January 10, 2011

Protecting a .ie domain: hacking, hijacking and heedlessness

On a previous post a commenter left an interesting question about protecting .ie domains which I thought merited a post in response. First the question:
I am MD of a company which is hiring a growing number of staff. The security of these jobs is pinned on our continued ownership and control of our .ie domain as this is where the sales come from. But I didn't get a deed or any other legal document for my domain. Can you suggest any additional precautions a company can take to protect a registered .ie domain. (apart from making sure to pay the ongoing registration fee).
This sensible question reminded me that too few Irish businesses have considered the need to protect their domain name - which is often one of their most important assets. In fact, recent comments from the IEDR confirm that many forget even the most basic element of renewing their name on time.

To some extent the risks are less with .ie domains than with e.g. .com domains. As a managed registry with a restrictive registration policy, the .ie namespace makes it more difficult to carry out some of the practices that are common in other TLDs, such as the automatic registration of (accidentally) expiring domains. Nevertheless, there are still numerous risks which domain owners should be aware of, which we can summarise under the headings hacking, hijacking and heedlessness.


The first risk is that of hacking - that an attacker may gain control of the domain by technical or social engineering means. The most famous example is the case (Wikipedia link) in which an attacker used forged documents to persuade Network Solutions to transfer the domain to him, from its rightful registrant. More recently, was stolen (the attacker having compromised the email account on file with the registrar) leading to what may be the first criminal conviction for domain name theft.

While there's little a registrant can do about fraud which takes place at the registrar level (as in the case), other risks can be mitigated by making sure that the computers used to administer the domain name - and in particular the associated email account - are secure. Where a domain name is inactive, it will also be important to have some system in place to periodically monitor the registration details to detect any possible fraud.


The second risk is that of reverse domain name hijacking ("RDNH") where "trademark owners abusively assert their trademark rights to strip domain names from rightful owners". Brett Lewis has a particularly good description of the process:
It is a phenomenon that is all too common: small company registers dictionary word domain name. Big company wants domain name. Big company files UDRP, hoping to intimidate and outspend domain name away from small company. Panelist awards domain name to big company, often without opposition from small company. Small company fumes about unfairness of domain name dispute resolution process and of life in general.
How great a risk is this for .ie domain holders?

On the one hand, the .ie Dispute Resolution Policy might almost be tailor made to encourage RDNH, being even more skewed towards rightsholders than the UDRP on which they are based. (In fact, the .ie Rules of Procedure, unlike the UDRP Rules, do not even mention RDNH. Compare Art. 14 of the .ie Rules with Art. 15 of the UDRP Rules.)

Against that, however, decisions under the IEDRP don't seem to show any evidence that RDNH has been attempted for .ie domains - or that it would be successful if it were. Instead, panelists appointed under the .ie DRP appear to have been more balanced in their decisions than many UDRP panelists. If anything, a number of decisions (1|2|3) show a slight leaning toward registrants as against complainants in borderline cases.

Consequently, reverse domain name hijacking of .ie domains is probably not as great a risk as it is in other TLDs. Nevertheless, it would be foolish not to take the necessary steps to mitigate this risk. Consequently, domain owners (particularly where a domain is generic or where they don't hold a trademark corresponding to the domain) should consider in advance how they might respond if a complaint were filed against them under the IEDRP.


The final significant threat, heedlessness, comes in two flavours. The first - forgetting to renew a domain name - is surprisingly common but easily avoided. To take a belt and braces approach: ensure that the email address on file with the registrar is active, ensure that emails from the registrar can get through your spam filter, enable auto-renew where possible, check that the relevant credit card hasn't expired and diary renewal dates.

The second - heedlessness as to who actually owns or controls the name in the first place - is again surprisingly common. Typically a small business may hire a web developer to register a domain name and create an online presence, not realising that the domain name is registered in the developer's name rather than the business name. (This is less likely in a managed namespace such as .ie, but can still happen.) In this situation, the business may abruptly find out that they were never the registered owner of the domain name. If you are worried that you might be in this position, this excellent guide will explain how to go about checking ownership of a .ie domain.


  1. All good advice TJ. On the last point, it's worth noting that IE domains can be renewed for up to 10 years now, often at a discounted rate (if the registrar supports it). There's some suggestion out there that long registrations may help with SEO too, although as ever SEO claims are difficult to prove.

  2. Good post TJ. As your advice outlines, it's mostly a question of vigilence on the part of registrants.

    The original question posed indicates the ambiguity of domain names as a contractual, quasi-intellectual property right.