"domains that have expired and are in the auto-renewal period are still eligible for transfer to another registrar except under nine limited circumstances...."
There is a fundamental problem here, though. If I enter into a service contract on 20 September 2007 with Tom, and the contract specifies that I am to receive the contracted service for one year, then Tom's obligation to me ends on 20 September 2008. Now, our contract may include a number of voluntary renewal provisions and may limit Tom's obligation to perform specific services for a longer period than one year, however when I enter into a contract for services for a term, then I am entitled to know when that term ends. Both parties are entitled to clarity as to term. This reduces to a Groucho Marx quiz question: 1. "How long does a one year contract last?" It doesn't require a lawyer to answer that question. But I would put the following question to the advocate of nebulous "extra-term obligations": 2. Specifically how long is a registrar obligated to provide services under a one year registration contract? A year plus 30 days? A year plus 45 days? If one cannot define the term of obligation, then I think more than one registrar is going to have its accountants and auditors slitting their wrists if they cannot assign a fixed term of obligation to a registration contract. Post contract-expiration terms can be permissive, but I cannot see how they can be made mandatory - at least not in the US since passage of the 13th Amendment. On the "whois change" matter, I believe Tim Ruiz may have a few words about voluntary and non-onerous security measures. I can say that in hi-jacking situations, if the name hits GoDaddy, then one has at least 60 days to catch up with it there. When a domain can be subject to two registrar transfers in rapid succession, then the Transfer Dispute policy breaks. The TDRS is premised on a one-hop unauthorized transfer. In a two-hop hi-jack, the second hop is formally "authorized", and the first hop cannot be remedied because the intermediate registrar cannot transfer the domain name back even if the first hop WAS unauthorized.