Go Daddy’s New gTLD Domain Registration Bug Discovered By Customer

Last week I wrote about a Go Daddy customer that was complaining that he registered 2 .xyz domains in June and Go Daddy removed the 2 domains from his account in July and registered the domains under some other name.

Yesterday the Go Daddy customer posted a couple of comments giving out some more details about what happened. Apparently he lost 3 domains in total. It seems that he found a bug that is triggered when you try to register more than 1 New gTLD domain name at Go Daddy and the domains have matching trademarks in the Trademark Clearinghouse. Go Daddy is supposed to give you a trademark notice for all domains but somehow it doesn’t. That results in the domains being in limbo for a few weeks. The domains don’t appear registered but are not available either. When the pending notice expires then the domains become available for everyone to register.

This is how he lost the 3 domain names and my comments:

I’m the guy who lost the 3 domains… yes, they actually took a third domain a week later. My complaints led to a call from the CEO’s office to finally take action.

I spoke to the CEO’s liaison for over an hour and it was somewhat productive. I outlined at least 4 specific flaws that had to be fixed immediately or more domains would be lost.

I was able to show them exactly what circumstances trigger the flaws, and specific failsafe steps they need to insure that domains are never taken by means of an automated system without confirmed notification, regardless of whether it was because of a potential system glitch or not.

They said they confirmed the existence of the actual bug I described that triggers the glitch and were working on the fix. They also said my other 3 suggestions made sense, especially the concept that a domain can never be removed without confirmed notification (certified mail, phone calls, etc.). In the event that a domain is flagged, it should also be put in a suspended status for a period until such notification is confirmed and the owner has time to respond.

I also argued that their filters should exclude “common words and phrases”, so that unlike a brand, words like “April” shouldn’t be triggered in the first place.

The reason they never discovered the bug until I reported it was that they rarely had as many generic terms like “April” being registered, until the new TLDs arrived. Pretty much every word in the English dictionary were registered as .Com, .Net, etc over a decade ago.

The first part of the bug only rears it’s head if you purchase more than 1 potential Trademark domain in the same shopping cart. Their process to acknowledge the Trademark had not provision to spot more than one per order, so the acknowledgement and notification step was skipped… leaving them open for removal about 3 weeks later.

The reason you don’t see the original June 20 registration dates or a record of my original ownership was because of one of the bugs. They were in a state of limbo inside their reservation system, awaiting acknowledgement of the Trademark. Since no notification was sent, their hold status eventually expired and they went into general availability.

To be clear, these were not pre-registrations. They were confirmed orders, long after .xyz was under general availability, but GoDaddy is obligated to confirm the buyer acknowledges the potential Trademark before their hold status expires.

The funny thing, the day after the CEO’s office called, he called a second time, this time to warn me that after his people looked at the causes, they discovered 3 more domains that were just days away from being taken away for the same reason, but he managed to show me a hidden screen that lets me monitor missing acknowledgments like this to prevent further losses.

He suggested that until they know for sure the system is fixed, I check it daily because the fixes may only prevent problems on new registrations.

Daniel Negari, the CEO of .XYZ was instrumental in getting GoDaddy to work on a fix… he kept in contact with me through the whole thing. He didn’t have the authority to get my domains back, but he sent me a swell T-shirt.

Lastly… I should mention that I’ve got about 700 domains… 99.9% of them are .com. I’m not a fan of all these new TLDs, but I’ve scooped up a bunch just in case they catch on. I realize .xyz sounds like the least attractive of the new TLDs, but it’s actually the most popular one right now with 20% of new TLD registrations.

I like their angle, that it’s got a great shot of catching on simply because it means nothing. So, like Nintendo calling their game unit Wii, so they can use the same name in every language, .xyz has that potential in any language too.

My reply was:

A few things:
1. Thanks for the update and thanks for finding the bug.
2. The trademark notices only apply to new gLTDs.
3. “I also argued that their filters should exclude “common words and phrases”, so that unlike a brand, words like “April” shouldn’t be triggered in the first place.” This is not going to happen because Go Daddy and all registrars are obligated by ICANN to serve these notices on any New gTLD domain that matches a mark in the Trademark Clearinghouse.
4. Don’t believe all this .xyz hype. Most of the .xyz domains you see registered were given for free to Network Solutions customers that didn’t opt-out of them.
5. Daniel Negari has become the joke of the the domain name industry.

And then today he wrote this comment:

I understand the requirement… I disagree with using an automated system to make the final decision. Because of their bug, there are specific cases where the buyer does not get the required ICANN notification.

One of the troubles with automation is the potential for a bug, and this is a bad one. Here’s the scenario that can trigger this specific bug:

If somebody orders a domain such as “Joe.xyz”, which actually is a violation of the Trademark “Joe”, they will be given a check box to acknowledge it. If you failed to check it, you can’t order it.

However, if you ordered “Joe.xyz”, then in the same shopping cart, you ordered “Tom.xyz”, “Dick.xyx” and “Harry.xyx”, all of them are Trademarked… you will get exactly one checkbox, for whichever was first, “Joe.xyz”… if you check the box, the shopping cart continues… but the other 3 are in a hold status, awaiting the Acknowledgement check…. that never shows.

The trouble is their automated system does not send ANY notification… until it’s voided about 3 weeks later.

If you go to your account any time within the 3 weeks, you can go to a literally buried page, find the 3 domains, then check the required ICANN box, and they are taken back out of hold, and your domains are safe.

If you don’t do it within the 3 weeks, the hold expires, the transaction is voided, and somebody else gets the domains.

With or without the bug, it still stands to reason that before anyone loses a domain because of a Trademark, or any technical issue, a verified notification should be documented, and sufficient time to comply. This means certified mail, or a confirmed telephone communication.

As for the common words, I understand they can’t eliminate the ICANN requirement entirely, but if their automated filters spot common words, they clearly need this verification before cancelling a domain. Had the Trademark filters picked up “Doritos.xyz” or something unique, I could be convinced that an automated filter wouldn’t be doing any harm by removing it without notice, but for those common words, they MUST give the owner a chance to check the ICANN box before it’s taken by automation..

As for why this mainly applies to the new TLDs, most common words and Trademarked words are already registered using the old TLDs… so these triggers are going to see a lot of action as each new TLD opens.

Lastly, I agree, .xyz, and most of the new TLDs are far from a guarantee to succeed. GoDaddy made a big point in their last conference to explain why they are investing in creating a new Registry because they feel the new TLDs have opened up the domain marketplace to a broader audience.

I’m aware of Network Solutions opt-out .xyz domains that have skewed the registration statistics, and I literally laughed at .xyz when I first saw it was approved.

I have about 700 domains, and most are .COMs, so I mainly picked up some as a hedge, in case Daniel manages to gain public acceptance. The only reason I think it may have any chance is because it means absolutely nothing, but it means nothing in every language, so it has the potential to catch on in multiple countries at the same time.

If it doesn’t I’m out a few hundred dollars, but they sent me a swell XYZ T-shirt…. so I’ll still have that. :)

And my reply today:

There is no decision involved. You get the trademark notice, you agree and the domain is registered and yours.

What you suggest “certified mail, or a confirmed telephone communication.” is not really possible for thousands of domain names that are registered around the globe.
Go Daddy had/has a bug and that will soon be fixed. ICANN and the Trademark Clearinghouse do give you 3 weeks to check the box. It is Go Daddy’s fault that it did not present that to you. Trademark Clearinghouse is sending these notices informing the registrants. If you want to register April.xyz you can see in what trademark classes you can’t use it. They can’t filter out the common words as you say. Even single letters such as “e” are registered trademarks. This is more of a trademark problem than a domain name problem. Most of the 30,000 marks in the Trademark Clearinghouse are common words.

And then he said:

To clarify…

I know they can’t entirely eliminate the common words from their system. They are required by ICANN. But, if people are registering domains, and they fail to check the box, they MUST notify the owner at least once or twice in the 3 weeks. Even if you log in to your account, there is ZERO notifications or alerts telling you to follow up on any Clearinghouse issues. Zero.

It’s not unusual for a registrar to send expiration notices to customers via email… but they aren’t sending ANYTHING to people who failed to check the box. As you know, in my case it was because of the bug that omits the Clearinghouse confirmation in cases where more than one domain in the shopping cart has a match.

What I suggested to GoDaddy was that if they put an additional filter on common words and phrases, they would have a much shorter list of people to contact before voiding their purchases.

For example, assuming you ordered “Cheerios”, and you were not given the Trademark Clearinghouse prompts… For the next 3 weeks, because of the bug, you would have no idea that you were violating the Trademark, and the transaction will eventually be voided… then the first notification you actually got, was that it was cancelled… would you be pissed? Only a bit, because odds are you would’ve lost it eventually.

Next, assuming you ordered something generic like “ShoesBox”, which is Trademarked by a gazillion people… assuming the same scenario, would you be pissed? Odds are you’d be even more pissed because unlike the first case, where you clearly were violating a brand’s right to a very unique brand, this was a common word.

So, I proposed to GoDaddy that in cases where they are using an automated system, they screen for the common words, and in those cases make sure they send notification, because these are likely to be easily defended by the owners and they should at least be aware of their obligation to click the Clearinghouse link.

Above all, the main reason I’ve been so vocal about this issue is that they are voiding transactions with absolutely ZERO notification. Simply stated, if you buy a domain like April, you won’t know it’s Trademarked… you won’t know you needed to find their obscure page to go through the Trademark Clearinghouse… and you will lose it in about 3 weeks.

Unless they improve this system, people need to be aware that they need to find that link… and check it the next day… and I’ve also discovered, to be completely safe, you need to check it daily, because I found 3 more domains were scheduled to be voided even after GoDaddy told me everything up to that date was cleared.

All registrars require that you check the box before you make any orders.
What you suggest is not necessary as all registrants are supposed to get the notice.

Go Daddy has messed up once again. Go Daddy is not a good registrar. You should find a new one and avoid the headaches.

And here:

Yes… they are required to prevent orders from going through if you don’t check the box.

Their bug is what is at issue. It allows orders to go through without checking it, in cases where there are multiple domains that require clearance.

My solution was that before they allow their automated system to void transactions, they simply contact the owners. It’s not a lot to ask.

To me a Registrar should always make verified contact with a domain owner before they take away a domain… for any reason. There should be no exceptions. This would not be as many calls, emails or certified mails as you may think. The only people who would require notification are the ones that fall between the cracks for one reason or another.

As I said, this is especially important when the only reason for voiding the transaction is a Trademark of a common word…. making that small list of contacts even smaller.

On a positive note, a week after losing the first 3 domains, I did get a phone call from GoDaddy warning me about the other 3 that were about to be voided. That was all it took to get an already pissed customer to think they were potentially heard.

I’ve been looking for other Registrars, I need to find one that’s relatively inexpensive, because with over 700 domains, paying an extra $3 or so per domain adds up.

Who do you suggest? I am definitely shopping around for a more secure experience. This isn’t the first time GoDaddy has screwed something up.

Sold.Domains

About Konstantinos Zournas

Konstantinos studied Computer Engineering and Computer Science in London and lives in Athens, Greece. He works on domain names, websites and software development. Has been online since 1995 & domaining since 2002.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.