@rlm you asked about hijacking and in particular "how often has CIRA been aware of or was asked to intervene in a .CA hijacking case? Does CIRA have any policy regarding what CIRA would do in the event of a hijacking case? What course of action would CIRA recommend to the disputed owners?"
First, allow me to provide a little extra clarity so we are speaking about the same things. "Hijacking" in my vernacular is when a domain has been hacked, the nameservers have been changed and the website has been replaced by something else. While inconvenient, the current registrant should have no difficulty returning the nameserver settings to their original values and the website should then resolve properly.
Second, if a domain is "stolen", or the registrant has changed without the agreement of the original registrant, that requires deeper hacking where the "thief" has somehow acquired the domain authorization code (transfers cannot happen without it). In this kind of case, CIRA does not have a policy nor are we equipped to adjudicate on the merits. While on the surface it might seem obvious, the details may paint a different picture.
CIRA relies on the integrity of the authorization code as a means to prevent unwanted transfers. To that end, all registrants are encouraged to have, at a minimum, 2FA access to their registrar and email account(s), and to guard access to those accounts carefully. I have pointed out in other threads that, for example, setting your domain registrant information to a privacy service means you are giving "ownership" away to that service. By having full control of the registrant and admin email addresses, those entities can transfer "your" domains away at will without any recourse (not that I am saying they would, but that is the reality). CIRA would have no ability to defend the action where the authorization code was sent by request to the domain registrant we have on file.
I am not aware of any case where a registrant has reported to us that their domain was transferred to someone else without their approval. Usually, the circumstances are more likely to be where a registrant has forgotten to renew the domain, it expires and goes to TBR and is picked up by someone else. One would think that offering a 75-day renewal recovery period would be enough, but occasionally renewals are missed. Even in these circumstances, once the domain enters pending delete there is nothing we can do.
The action we can currently take when a domain transfer has occurred without the knowledge/approval of the registrant is to launch a Registrant Information Validation (RIV) where the validity of the gaining registrant can be challenged. Our experience is that "bad guys" rarely register their domains with "real data" and so the RIV process will fail, allowing the domain to be returned to availability. Usually, the registrant data we have already appears suspicious and so launching a RIV is completely justified.