One thing that many small businesses, nonprofits, and political campaigns I have dealt with fail to pay attention to is ensuring that they have direct control over the Internet domain associated with their website and email accounts. Often, the domain is registered by a web consultant in the name of the consultant or consulting firm. Or sometimes, with nonprofits, it’s a volunteer who handles the registration and who winds up with the domain in his or her name. Unfortunately, this can cause the organization that rightfully should own that domain a lot of grief if the intermediary turns out to be unreliable, incompetent, dishonest, or just unreachable at a critical moment.
This is where your website and business email both go dead one day, seemingly without warning, because you never got the notices that your registration was about to expire. Or, you hire someone else to revamp your website, only to discover that you can’t “turn on” the new and improved version because you don’t have the necessary password and aren’t recognized by the domain registrar as having the right to access the account.
See also: My column for Forbes.com on this topic
Your Internet identity is an important corporate asset for you to protect. Failing to do so is the kind of mistake that seems obvious in retrospect but is easily overlooked by an organization focused on getting up and running on the web.
Let me back up and explain the basics of domain registration, because some of the problems stem from misunderstandings the basics. When you type an address such as “www.carrcommunications.com” into your browser, your computer looks up that address in a directory (actually a bunch of inter-connected directories) of all the Internet domains in the world. The first time you look up a new website, your request typically bounces around to a few computer servers until it finds one that can translate that alphanumeric address into a specific Internet address (in my case 188.8.131.52) used to locate the correct web server. If not for the Internet’s Domain Name System, we would have to memorize long strings of numbers for each website we wanted to visit or email server we wanted to connect to. The domain system is organized around registries for top-level domains such as .com, .org, .net and newer ones such as .biz and .name. Firms such as GoDaddy, Register.com, and Network Solutions function as domain registrars, meaning that they sell you the right to use a given domain for 1 to 10 years and take responsibility for recording, tracking, and updating that registry information on behalf of their customers. Each of these firms also provides other services, like hosting (operating the actual computer servers and networks that your website and email rely on), and assistance with constructing your website, but you can also have one company as your domain registrar, another as your web host, a third for email, and so on. But all the other services you associate with your domain are ultimately dependent on that registry record, controlled by whomever has an account with the domain registrar.
The data for a domain registration is recorded in the whois registry record showing who has the rights to that domain (the registrant) and also lists administrative, technical, and billing contacts. The problems come in when you do not have access to the domain registry account and you or your organization is not listed as the registrant.
So you want to be the one with that password, and you want it to be a good password because someone who hacks and hijacks your domain could wreak a lot of havoc. Of all the important passwords you use on the net, this is really the “one ring to rule it all,” so as Gandalf said, “keep it secret, keep it safe.”
Specific situations I’ve seen personally:
- The consultant moves overseas and can’t be reached for weeks on end
- The consultant stops returning phone calls and emails, perhaps because he knows he is about to lose the contract
- An organization winds up setting up a new website and trying to direct people to a different web address because it has lost control of the original domain.
- The volunteer who registered the domain for my neighborhood association website moved to the other side of the state and no longer had the same email address, didn’t remember his password, and couldn’t reset his password because the registrar’s password reset system works over email. Weeks dragged by, and he nearly lost patience with the registrar’s process for proving he was the same person who originally registered the account. I had to keep nagging him to try it again, and eventually we got it resolved.
One story I heard second-hand, for which I’ve been unable to confirm all the juicy details, had something to do with a domain account holder who ran off with a much younger woman, and the user name and password wound up as casualties of all the broken friendships that resulted from that little soap opera. The organization had to go through a mediation process (explained below) to regain control of the domain.
More than web consultant has told me they register the domains in their own name very deliberately, although not necessarily maliciously. One defense of this practice is that unsophisticated clients may fail to respond to domain renewal alerts in a timely fashion, so the consultant takes on that responsibility out of paternalistic concern. On the other hand, some consultants do it specifically because it gives them more leverage over a client in the event of a billing dispute. As someone trying to make a living in this field, I can sympathize with the later motivation. But as a client, I would not want to be at the mercy of a consultant whom I might judge hadn’t earned his fee.
Having direct control of your own domain puts you in the driver’s seat. It gives you the power to take your web, email, and other Internet services away from one provider and give them to someone else. Otherwise, you may be in the position of having to ask your old provider to help you take your business away from them. If you have the password to the domain registrar account, you can redirect your website and email to another firm’s servers. Without it, you can’t.
If you hire someone to create your website, it’s natural to assume that you own the site and the domain associated with it. Actually, you never really own a domain – it’s more like a lease – but you expect it to be under your control as long as you’re paying the bill. Push come to shove, you probably take the issue to court and prove that it ought to be so, after producing a contract showing the website was created on your behalf as work for hire. That’s what I’ve been told by lawyers I’ve spoken with on this issue.
But a solution that relies on you winning a court judgment is not going to be a quick solution. There is also an administrative mediation process set up by the Internet’s administrative governing bodies known as the Uniform Domain Name Dispute Resolution Process (UDRP), but it’s mostly set up for use by corporations to use against “squatters” trying to co-opt their trademarks. So it may or may not be helpful, depending on whether you have trademarked your business name and fit neatly into this legal framework.
In most cases, when dealing with a recalcitrant consultant, you shouldn’t have to go further than having to hire a lawyer to write them a strongly worded letter. I actually think the situations where the official registrant or domain registrar account holder can’t be reached are the most problematic. Some registrars may allow you to make a case that the whois record is inaccurate, for example by showing that the website associated with the domain lists your firm’s contact information and was obviously set up on your firm’s behalf. Others really may insist on seeing something on the order of a ruling from a court or the UDRP before they will allow you to change the domain record.
Here is how you protect yourself
Solution #1: Register it yourself
Registering a domain is not that hard. Despite some of the complexities I’ve sketched here, firms like GoDaddy make their providing a user-friendly front end to the process. So the simplest way of avoiding all these problems is to register the domain yourself or have someone within your organization do it. If the domain is currently registered in someone else’s name, politely but firmly insist on having it transferred into your control.
If the domain will be used by an organization, rather than an individual, the name or the organization should be included in the registrant section of the domain record. Ideally, the email address associated with that registrant record (as well as with the account at the registration firm) should be a general “bucket” address such as firstname.lastname@example.org rather than the email account of an individual who may have left the company by the time the domain comes up for renewal or needs to be updated.
I am specifically advising my clients to register their own domains but day-to-day administration to Carr Communications by setting the name servers to ns1.carrcommunications.com and ns2.carrcommunications.com (see my specific instructions for GoDaddy). This allows me to configure web and email services for your domain, while you reserve the right to take that power away from me whenever you wish.
Solution #2: Trust, but verify
Despite everything I’ve said, I do manage the domains of many of my clients because it’s easier that way for both of us. I’m glad they trust me, and I’m sure there are many other trustworthy consultants out there who you might deal with. If you choose to register your domain through an intermediary, the next best step you can take to protect yourself is to make sure that your name or the name of your organization is included in the registrant section of the domain registration. Write this into your contract with the intermediary you hire to create your Internet presence and then verify that it’s done correctly by looking up the whois record.
Again, the email for your organization should probably be a stable one, perhaps an alias that forwards to more than one person.
If you are listed as the registrant, but someone else controls the domain account, you should be aware that they do have the power to update the whois record, potentially writing you out of the picture. The account holder is also in a position to transfer the domain to another account with another service or to reconfigure the domain so that it no longer points to your web and email servers. You might or might not get email notifications of these changes.
Of course, in business there are lots of people and organizations whom we put our trust in who potentially could do evil to us. We make the best judgments we can about who is trustworthy, and we also trust in our legal system to help us sort things out if we happen to trust the untrustworthy every once in a while. What I’m recommending here should put you in a better situation in the worst case scenario. Even if the account holder changed the registrant information, there would still be an audit trail that the registrar could research to establish that your organization was previously listed as the registrant and did not authorize the change.
I want to drive home the point that this is something many organizations ought to be a little more paranoid about. But if you take a few simple precautions, you can protect your online identity.
I’m in the process of researching a magazine article on this topic and would be interested in talking to anyone who has a story to share about domain registration snafus or tips to share on how to resolve these problems when they arise – email@example.com
I haven’t found many others writing about this issue, but the Rocky Mountain News had a related story, more focused on domain hijacking scenarios, with its own suggestions on ways to protect yourself. See: New Wave of cyber-theft involves the names of Web sites