Sharks and Saints - Domain Rights on .co.uk and .uk

One of the many services that Onega offers clients is assistance with domain registrations and acquisitions. This can be a minefield, but there is usually a common sense solution and balance to be found as to which domains an organisation should own or register to protect its branding and reputation alongside its trademarks etc.

We recently helped a client to buy a domain that matched the initials of their company name from a broker, to go alongside their other domains. In this case it was a four letter .co.uk domain that we helped to purchase.

This all went smoothly, transacting via undeveloped.com and the timeline on this was as below:

Negotiation - 7th Jan 2016 - Several offers and counter offers back and forth, thankfully managing to secure the domain in a small but happy spot where the offer was just affordable to our client and just acceptable to the seller, so all could proceed.

Purchase - 7th Jan 2016 - We paid for the domain directly so that things could move ahead and to seal the deal. Thus the .co.uk domain was now secured for our client's company. The purchase was for a .co.uk domain for which no .uk had been registered (so rights were still vested in the .co.uk domain for this).

Transfer - 27th Feb 2016 - This was the date that the domain came across to our client, in the form of a transfer to their GoDaddy Domain Registration account. We immediately updated the contact details to be correct for their company contacts, to ensure a valid Nominet registration. The delay was partly down to us, as the broker process in this case was a little different from some others: we normally do a Nominet tag change to the ONEGA tag, as we are a member and registrar / tag holder with Nominet, whereas here a GoDaddy account transfer was the process used, which was fine and smooth once done.

So far so good.

Fast forward a few weeks. We then came to register the .UK domain as part of good management and to realise the new and trendy higher level domain registration for our client.

It is worth explaining here, for anyone unaware, that as the holder of a .CO.UK domain you have a 5 year 'sunrise' right to register the equivalent .UK domain. Thus if you have (in our case) onega.co.uk then you also have rights to onega.uk. Here at Onega we primarily use our onega.net domain but hold the .uk domains for secondary purposes and domain protection, alongside our UK registered trademark of 'Onega'. The 5 years runs from the .uk domain launch date to the 'fully open' period, after which anyone can potentially register an equivalent .uk address. This 5 years started on 10th June 2014, so protection ends and open season begins at 10am on 10th June 2019. Thus we recommend that clients with an active .co.uk domain exercise their right and protect their .uk domain with a long registration now (the cost is trivial). It's also good contemporary branding to do this and use the domain.

Back to our narrative... when we came to register the domain for our client as per best practice, it transpired from the .UK Whois data that the .uk domain had been registered by the seller of the domain, under their own details, on the same day as the transfer finally occurred (17th Feb)... hmmmmm....

It was our understanding, and is common practice, that the purchase of the .co.uk domain would include the rights to register the .UK address. We were a little disconcerted, to say the least, when we discovered this registration, as we'd consider the domain and related rights effectively owned from the point of agreement and payment, the transfer being a formal completion step, much as occurs in the Land Registry work related to conveyancing and the sale of a house.

Next course of action was to read up on the rules and check our position. Nominet has a good Q&A on the .UK domain rules, which we consulted; we also checked the Terms and Conditions of the domain broker. The Undeveloped Ts&Cs did not contain anything mentioning related domain rights. Nominet's Q&A is well written and, although it did not have anything specific on this case, it did remind us that .UK registrations should normally be available only to the .co.uk owner (who was our client at the time of the seller's registration, though not yet reflected in Whois), and also that such registrations can be referred to the Nominet Dispute Resolution Service if there is a disagreement on a registration.

The majority of domain disputes are amicably settled but having a fair procedure for resolution as a formal path available is a good comfort should it ever be needed. Our next action at this point was to get in touch with the domain broker, through whom the purchase had been agreed, to raise the issue with them and also to contact Nominet DRS informally to ask about case history and precedent on this.

Nominet DRS were very helpful on our call and we learned that this issue has come up a small number of times already and is likely to come up again in the future as the .uk domains become more established. No cases of this type have yet reached binding adjudication, but some have been through the DRS procedure, which commences with mediation on the issue, and thus far all have been settled at this stage. In all cases that we are aware of where the complaint has been followed up as a DRS case, the outcome has been that the .uk domain ended up transferred to the complainant (who is normally the .co.uk rightsholder). Resolution at this stage avoids costs escalating for all parties in the process.

This was useful to be aware of and to better understand the position and case histories. At this time we heard back from the sales domain broker and they reasonably disclaimed involvement in a case not exactly related to the actual domain purchased and recommended that we contact the seller directly.

We did contact the seller with a professional and respectful, if reasonably formal, email on the subject at hand, setting out the brief case and asking for an amicable agreement on this.

I'm delighted to be able to say that in this case, the seller called back within the hour and the domain has now been transferred to our client at no cost. The seller had apparently sought to register the domain to protect it from abuse by anyone else, though arguably that should not have been an issue as only the .co.uk owner can make the .uk registration. In any case, the situation has been resolved without further escalation. The seller was delightful to deal with and I'm happy that this was just a simple miscommunication issue rather than anything more.

What have we learned or been reminded of from this?

1) Don't make assumptions - in this case there was no discussion either way on the question of .uk domain rights in the negotiation process. It would have been better in retrospect if we had explicitly said 'for the .co.uk domain in question and any rights vested in that registration', so that we made sure we were specifically reserving these rights.

2) Ideally domain brokers should be clear in their terms as to whether any rights vested in a domain are included in the sale or not. It would be fair and reasonable for a seller of a .co.uk domain to sell the .co.uk domain but reserve the rights and register in advance the .uk domain if they explicitly state that they reserve this right.

3) Most disputes are amicably dealt with and it is always best to try this route before looking at invoking a formal process.

4) The online reputations of Domain Sellers and Brokers are very important to them so as far as possible most will adhere to best practices.

If you need any help on domain matters please don't hesitate to Get In Touch and we'd be happy to discuss how we can help. 

Thanks to Ryan Espanto for the circling sharks photo.

Are you logged in with admin level credentials on your computer right now?

If you are reading this then there is a fair chance that you're categorised as a 'power user' or a full administrator on your IT systems. There is also a fair chance that right now, you may be logged in with an account that has admin rights to your local machine.

If you ask someone: 'Do you need admin rights on your computer?'; the answer, 90% of the time, is: 'Yes, I could not work without this'. Psychologically, we all like to have the power of full admin control to our own computers all the time. If you are used to having full admin rights to a local machine then this is hard to give up, and giving this up can be akin to giving up smoking, gambling, etc. Admin rights are addictive!

There is a strong (and basically undisputed) case for the best practice of setting permissions on the basis of the least permissions required. Part of this is making sure that you only use the login / admin / access rights that you need at the time. For normal day to day use, we should only be logging into a computer with 'user level' access.

The reasons for this are many and whilst you probably already know these, the key ones are worth reiterating:

1) Reduced Malware Surface and Risk - By using a user level permission account in day to day use, you minimise the impact of any malware that you may inadvertently come across while browsing the web etc. Whilst there may be some malware that can very cleverly bypass permissions on a computer, or exploit zero day flaws, assuming your computer is up to date you reduce the attack surface (and hence the risk of contracting malware, viruses and APTs (Advanced Persistent Threats) on your computer) by about 95% by using user level rights most of the time.

2) Regulatory Compliance - Nearly every IT security and relevant industry regulation standard specifies that organisations should adopt the principle of 'Least Privilege'. This includes UK PCI DSS standards, ISO27001, Sarbanes Oxley, UK Financial Conduct Authority (FCA, formerly FSA) etc. This covers not only compliance from the security standpoint, but also compliance with company IT policies - for example, with company software licencing and authorised software. If a user does not have admin rights then they can't install a bit of software which is not approved or licenced. Thus, administrators and company managers can be confident that there are not any hidden liabilities around and that change control is maintained. We've seen many occasions when a user might install a piece of software that either 1) has a hidden (and very undesirable) payload or 2) causes unexpected repercussions if, for example, it installs DLLs that then cause other software to run less reliably - which may not be easy to diagnose, as the problems might not appear straight away and sometimes are only cured by a restore from image backup or, at worst, require a complete PC rebuild.

3) Evidence Proves the Point - Analysts such as Gartner have shown that, statistically, if you remove admin rights from most users then you reduce security breach incidents, and also save money and wasted time in IT support. Having least privilege makes for a more supportable, reliable, productive and hassle free environment, with lower cost through both a reduction in direct support costs and less productivity lost when a user is unable to work for a while.

If you want a second, third or fourth opinion on this, Google 'IT security best practice for least permission' or look at other blog entries like http://blogs.gartner.com/neil_macdonald/2011/08/23/the-single-most-important-way-to-improve-endpoint-security/ - which makes the point well too.

So how do we address this practically?

The first thing is to admit that we have a problem and accept that you may be an 'adminrightsoholic' personally, or indeed even suffer from endemic CEPS - Corporate Elevated Permission Syndrome, to coin a phrase or two. You know you have admin rights, that others have full admin rights, and that you should give these up in every day use - you could give them up but you choose not to. Maybe you should stand up right now and state to the office that 'I'm an adminrightsoholic and I'm admitting this as the first step to changing my ways. I know it is not going to be easy and I'm going to ask for your support as trusted colleagues in getting through this tough time for the benefit of myself and the company. Will you join with me in this righteous journey?'

The key is to take things one step at a time, and learn to live with user permissions one day at a time.

The first steps:

We can address this personally and across a company. In taking Gandhi's words to heart that you should 'be the change you want to happen' the first place to start is on your own desktop or laptop computer.

If you are an administrator in a company, or genuinely (and in this word lies a world of debate and scope for backsliding) need access to admin functions on your computer, then the best thing will be to create (if you don't have one already) a separate local admin account on your computer, e.g. if you are BobP and this is your normal login, then you could perhaps create an account called 'bobpadmin' or suchlike. Both your new and normal accounts should have secure, complex passwords which are not easy to guess (not Password123 etc.). Give the new admin account full local machine admin rights. Then log out of your normal account and log in with the admin account. Remove admin rights from your normal user account on the local machine, such that you are only a User (plus any other special groups you need). Then log out of the admin account and back in with your now regular user level account. Congratulations; you just went cold turkey on desktop admin access on your Windows PC. Continue to work as normal and you can feel smug that you've given up your full admin permissions in day to day use. If and when you need to install software on your machine then you can; but run the installer as your admin account.
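The dual-account setup above, written out as a PowerShell script (an added example, not an Onega script or policy); it assumes Windows 10 / Server 2016 or later with the built-in Microsoft.PowerShell.LocalAccounts cmdlets, local (not domain) accounts, and the hypothetical names BobP and bobpadmin.

```powershell
# Added example: dual-account setup for least privilege on a Windows PC.
# Assumes PowerShell 5.1+ with the LocalAccounts module; names are hypothetical.
# Run once from an elevated prompt, then log out and back in as the everyday user.

$NormalUser = 'BobP'        # the everyday login (hypothetical)
$AdminUser  = 'bobpadmin'   # the separate admin-only account (hypothetical)

function Test-RunningAsAdmin {
    # Answers the post's opening question: is this session elevated right now?
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-LocalAdminMember {
    param([string]$Name)
    # Group membership check; Name comes back as COMPUTER\user, so match the suffix.
    $members = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name }
    return [bool]($members | Where-Object { $_ -like "*\$Name" })
}

if (-not (Test-RunningAsAdmin)) {
    throw 'Run this once from an elevated prompt; the changes below need admin rights.'
}

# 1) Create the separate admin account, with a long password typed at the prompt
#    rather than embedded in the script.
if (-not (Get-LocalUser -Name $AdminUser -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -AsSecureString "Password for $AdminUser (long, not guessable)"
    New-LocalUser -Name $AdminUser -Password $pw `
        -Description 'Admin-only account; never used for daily login' | Out-Null
}

# 2) Give the new account full local machine admin rights.
if (-not (Test-LocalAdminMember $AdminUser)) {
    Add-LocalGroupMember -Group 'Administrators' -Member $AdminUser
}

# 3) Only now remove admin rights from the everyday account, so the machine is
#    never left without a working administrator. Users membership is untouched.
if (Test-LocalAdminMember $NormalUser) {
    Remove-LocalGroupMember -Group 'Administrators' -Member $NormalUser
}

# 4) Verify before logging out: the everyday account should no longer be listed.
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource
```

From then on, installers are started with 'Run as administrator' and the bobpadmin credentials are given at the UAC prompt, so the everyday session itself never holds admin rights.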

You'll find that actually everything works fine. In reality we don't install software very often so you'll only rarely need to enter the higher level account details for elevated permissions. If you're still considering all this, ask yourself when you (knowingly) last installed a piece of software on your computer.

As I type this I can admit that 'I used to be an adminrightsoholic' and now I've turned a leaf. It was hard to do it but now I'm glad I have and like many things, this is something I should have done long ago. I can now be the most annoying type of reformed addict who can evangelise to the world about the benefits of giving up.

At the wider corporate level though, it is important that users and rights are documented and set on the principle of least permission. Some users may genuinely need admin rights, but it is best if the dual account method is used here to minimise use of elevated rights; this includes very senior network admins, who should likely also have both a user level and an admin account so that things are done the right way and in the right place. If you are an Onega client then you'll have access to our Policies and Procedures Wiki Site where you can see formal policies for some of these: see http://intwiki.onega.net and the relevant section on this. If you don't have access to this and are a current client then feel free to contact us by any means at http://www.onega.net/contact. If you're not a current client, we'd love to chew the fat and talk IT and about you becoming one :-)

Some advanced solutions exist to manage elevated permissions and remove various back door risks and human risks, including Avecto and ViewFinity. However, beginning with the simple steps above is a good start. If there is enough demand, we'd be happy to run support group sessions for recovering adminrightsoholics where you'll be amongst friends.

Wishing you happy and safe computing but bear in mind that, just like all the best fictional characters, IT superheroes should remember that whilst it is great to have superpowers, you should: only use them when you really need to, only use them for good and keep them hidden at all other times.