Domain Watch - Is Nominet Overreaching Their Powers Here?

[Hook]

Hi,

Thank you for your email.

The domain has a very high chance of Phishing and fraud due to the brand holder being targeted with domain registrations on a daily basis.

The domain indicates that it would be used as a "{removed}" and therefore we will need to show the brand holder and also UK Law Enforcement that we have taken every step to verify this.

Therefore we would require copy of ID and a 'selfie' of you holding the ID so we can match the details. This would be for any action the brand holder would need to take as they are very prortective over their trademark.

If you are looking to then sell the domain on, it means that there is a risk that a threat actor will buy this and circumvent all of the security in place to stop fraud.

I would recommend reaching out to the brand holder for their authorisation to register a domain with their mark in it. Just so they are aware of the registration incase they do take action against it.

Kind regards,
Nominet UK

Registry Compliance Advisor

A client of mine has a domain suspended with Domain Watch, for potential phishing/fraud, the email is as above - does this seem to be an overreach of powers?

I have read the ToS and couldn't find anything related to this, is this a new policy?

My client intended to use the domain for PPC traffic, which was explained to by them however Nominet still want ID verification.

 

[GreyWing]

In my opinion, possibly, but there are genuine reasons for it. On one hand Nominet want to promote a safe environment for users, and on the other hand they genuinely don't want to get involved in disputes.

The middle ground for them appears to be asking for ID and confirming that the individual is real and not just some bogus name to delay law enforcement. If ID can be provided and they are satisfied, they usually allow it back on and let the brand holder etc take action.

It isn't great either way, but since they have started doing it, a lot of the loan fraud sites have disappeared. My personal view, having seen the damage rogue sites can do in the loan industry, on balance, it's probably justified. I don't see whatelse they could do to be honest.

I think (not sure) the part of the terms they would use is that because of the alerts flagged up by Domain Watch. they suspect the whois-details to be wrong, and this allows for a check. If someone can't show ID, they'll use the incorrect whois detail clauses to take the domain down.

 

[Hook]

In my opinion, possibly, but there are genuine reasons for it. On one hand Nominet want to promote a safe environment for users, and on the other hand they genuinely don't want to get involved in disputes.

The middle ground for them appears to be asking for ID and confirming that the individual is real and not just some bogus name to delay law enforcement. If ID can be provided and they are satisfied, they usually allow it back on and let the brand holder etc take action.

It isn't great either way, but since they have started doing it, a lot of the loan fraud sites have disappeared. My personal view, having seen the damage rogue sites can do in the loan industry, on balance, it's probably justified. I don't see whatelse they could do to be honest.

I think (not sure) the part of the terms they would use is that because of the alerts flagged up by Domain Watch. they suspect the whois-details to be wrong, and this allows for a check. If someone can't show ID, they'll use the incorrect whois detail clauses to take the domain down.

Good point, and it is great to have people verify their ID, but why stop at just these domains? Why not ensure all who register domains, verify with ID?

I get these are the most problematic, but doesn't it seem quite arbitrary? and if what they are trying to do is stop bogus whois details, why not make all registrants do it?

The issue was not that the whois-info is incorrect, because if it was - they'll have flagged all the names by the registrant?

And it also doesn't fix the glaring loophole - after the name is registered, they have no fraud to check to ensure that the name doesn't get passed onto a 3rd party bad actor, as they said in the email - so it isn't completely effective.

 

[GreyWing]

but why stop at just these domains? Why not ensure all who register domains, verify with ID?

I'm just guessing here. I think there has been discussions about it before, and I only have a vague memory of it. I believe Nominet decided that there were risks to ID's being requested as standard. Most end users don't know who Nominet are, so they make think a company they have no business with asking for ID is a scam. Could send to Registrars, but would some registrars get hacked? Then a load of passports are compromised. Would it turn users off .uk, sending in passports compared to a new extension where you don't. Some may just choose the easy life and then .uk misses out on some nice revenue.

The issue was not that the whois-info is incorrect, because if it was - they'll have flagged all the names by the registrant?

They may do it if the person can't prove their ID. I think a bit of this is just for show. They need to show the Gov etc that when there are concerns, Nominet have done all they can to detect it, shut it down and kick the can to someone else.

And it also doesn't fix the glaring loophole - after the name is registered, they have no fraud to check to ensure that the name doesn't get passed onto a 3rd party bad actor, as they said in the email - so it isn't completely effective.

One of mine got locked in the same way as what you are describing, about 6 years ago. It's massively up there on the at risk register, it's right up there next to HMRC.co.uk DVLA.co.uk on the risk scale. Even though I was a Nom member etc, I had to do certain bits and provide explanations for what it was to be used for. They were ok with my explanation and unsuspended it shortly after. I doubt they were happy with doing so, but to be fair to them they did stick to their own rules.

I had a few decent offers to sell it over the years, it's a lot less valuable now than it was because of the time that's lapsed. I always refused to sell it because I always believed that Nominet would be all over a name change on the registry, and if I ever tried to transfer it, they'd suspend it again.

I wouldn't take it as gospel that they wouldn't start the validation process all over again if they detected a name change on the whois. I strongly suspect that they would if I ever was to change registrant details on mine. I honestly don't understand why they said that, as you hinted it, it doesn't make any sense.