Authority Has Outpaced the Structures That legitimize it.

Internet governance today is no longer defined only by ideological disagreement over principles, nor by competing visions of openness versus control. It is also defined instead by a quiet but consequential acceleration of power. Decisions that determine access, continuity, and control of the network are increasingly taken in venues optimized for urgency rather than deliberation: national security councils operating under emergency logic, cybercrime enforcement frameworks designed for speed and compliance, sanctions regimes, supply-chain security doctrines, and intergovernmental coordination bodies tasked with alignment rather than contestation. These spaces are not illegitimate by design; they exist precisely because time is scarce, threats are framed as immediate, and political risk is treated as intolerable. The structural problem is deeper and more unsettling: authority has moved faster than the institutions designed to make it legitimate, and if authority will be equivalent to might, might shall unmake the right.

For nearly two decades, global Internet Governance rested on a fragile but workable alignment between authority and legitimacy. Institutions such as the Internet Governance Forum (IGF), ICANN, and the Number Resource Organization (NRO) did not govern through command or enforcement. They governed through processes. Outcomes endured not because they could be imposed, but because they were procedurally intelligible, contestable, and grounded in participation rather than coercion. The legitimacy of the Internet’s coordination layer was not derived from sovereignty or force, but from the recognizability of the machinery itself.

That alignment has now weakened. Authority is increasingly exercised upstream of multistakeholder processes, while legitimacy remains downstream. The result is not institutional collapse, nor the sudden end of the multistakeholder model, but a systemic tension: decisions with deep technical and economic consequences are taken in spaces where technical legitimacy is not structurally present. In contrast, technical institutions are left to stabilize and normalize outcomes that they no longer fully shape. This is not a crisis of intention, but of architecture.

N.B. This is not a claim that multi-stakeholder governance has failed, but that its operating assumptions no longer align with where authority is now exercised.

What “Multi-stakeholder” Was Designed to Do

Multi-stakeholder Governance is often described as inclusion, balance, or dialogue. This framing is comforting, but incomplete. Multistakeholder was never intended as a moral ornament or a symbolic commitment to diversity of voices. It was designed as a legitimacy technology: a governance mechanism capable of coordinating a global, borderless technical system without subordinating it to sovereign command or geopolitical bargaining.

The World Summit on the Information Society (WSIS) articulated this function with unusual clarity. The Tunis Agenda defined Internet governance as the shared development and application of principles, norms, rules, decision-making procedures, and programs by governments, the private sector, and civil society, each operating within their respective roles.

Just as important was what the same document deliberately refused to do. It specified that the Internet Governance Forum would have no oversight function and would not replace existing arrangements.

This absence of enforcement authority was not a weakness but a design feature of legitimacy. Multistakeholder governance generated compliance through predictability, transparency, contestability, and restraint. More precisely, to an extent that is bottom-up, transparent, and inclusive. Decisions were not held not because they could be enforced, but because those affected could recognize the process as fair and the outcome as procedurally earned.

Institutions such as ICANN and the Regional Internet Registries (RIR) were engineered around the same logic. Their authority was constrained by mission, accountability, and community processes rather than expanded through regulatory power.

Multistakeholder, properly understood, was never about slowing states down. It was about preventing the coordination of the Internet from becoming hostage to unilateral discretion. That function is now under strain, not because it was wrong, but because authority has migrated elsewhere.

From Structural Limits to Structural Rupture

The present moment is not defined by the exhaustion of multi-stakeholder Governance, but by a decoupling of authority and legitimacy. Security-driven governance operates under different constraints. Speed is treated as a virtue, uncertainty is framed as risk, and discretion expands under pressure. Emergency powers, cybercrime cooperation frameworks, sanctions logic, and alliance-based coordination increasingly define the outer boundaries of Internet access and control before technical communities are meaningfully involved.

The institutionalization of the IGF within the United Nations system after WSIS+20 reflects this shift. Permanence delivers continuity, but it also reclassifies function. A forum designed to convene without concluding becomes a consultative layer within a governance hierarchy where binding decisions occur elsewhere. Participation remains visible and often vibrant, but its causal role weakens. The machinery still turns; it simply no longer drives.

This is not a takeover in the dramatic sense, more likely an architectural inversion. Authority consolidates upstream; legitimacy is processed downstream. Over time, participation risks becoming explanatory rather than constitutive, something that follows decisions rather than shaping them. The danger is not silence, but the ritual.

When Authority Becomes a Routing Event

The consequences of this shift surface first at the operator layer, where governance stops being abstract and becomes physical.

When governments intervene in the name of security or public order, directives do not land on institutions or frameworks. They land on network operators, often under license threats, spectrum threats, physical-access threats, or renewal pressure. Compliance is rarely optional. It is existential.

Shutdowns, censorship, throttling, forced filtering, DNS interference, and compelled routing actions are executed as operational commands. Even when framed as temporary, these interventions leave lasting technical residue: brittle configurations, degraded resilience, weakened trust assumptions, and higher upstream risk premiums. Networks learn to behave unnaturally. Technical debt accumulates not through poor engineering, but through political volatility.

This analysis does not deny the existence of urgency. It examines how urgency is defined, by whom, and under what procedural constraints¹ in practice. Urgency is not a neutral technical condition; it is a governance determination. When assessments of necessity or public order are made without contestability, proportional review, or defined limits, urgency becomes unconstrained. In networked societies where Internet access underpins economic activity, public administration, and civic participation, unconstrained urgency does not reduce systemic risk. It displaces it into operators, infrastructure, and end users who absorb the operational and societal consequences of decisions taken elsewhere. (Ref 1, Ref 2, Ref 3)

The Internet Society has documented that shutdowns undermine not only rights, but network resilience, investment confidence, and long-term economic activity.

In networked systems, legitimacy failure does not remain political; it becomes operational.

The New Governance Stack: Security, Law, and Implementation Gravity

Three forces now shape the Internet governance stack, and together they explain why the shift feels irreversible.

First, IGF permanence without authority expansion. WSIS+20 reaffirmed the IGF as a permanent forum, but did not alter its non-decision-making mandate. Continuity was secured, but agenda-setting power was not meaningfully expanded.

Second, the emergence of permanent UN cyber mechanisms. The Open-Ended Working Group on ICT security has evolved toward structures of continuity that institutionalize state-centric cyber governance, embedding security logics more deeply into the multilateral process.

Third, cybercrime law as an accelerator. The UN Convention against Cybercrime, adopted in December 2024, marks a transition from norm-setting into implementation. It is at this stage that compliance expectations begin to attach directly to intermediaries and infrastructure operators, translating legal language into operational obligation.

This is where gravity lies. Treaties do not govern by text alone; they govern by how obligations are interpreted, delegated, and enforced through regulators, often under emergency or security logic. Implementation, not aspiration, is now the decisive terrain.

Might: When Control Becomes Normalized: A Global Pattern, not a Regional Exception.

These dynamics are most visible in Africa. This is not because African states are uniquely predisposed to control, but because African networks operate with thin institutional insulation between political authority and technical operation. Africa does not represent a different Internet, but an earlier one, where authority reaches infrastructure before legitimacy mechanisms have been structurally embedded to absorb it. Licensing regimes are often discretionary, regulators are politically exposed, and judicial review is slow or inaccessible. When access restrictions are ordered, refusal is frequently existential. Operators comply not because measures are technically sound, but because survival demands it.

However, this pattern is not confined to Africa. It is global, unevenly distributed, and increasingly normalized.

According to sources:

• Across Africa, some governments have repeatedly ordered nationwide or regional shutdowns during elections, protests, or periods of political tension. In addition to Tanzania, prolonged or repeated shutdowns have occurred in Ethiopia (during internal conflict), Sudan (following the 2021 military coup), Uganda (during national elections), Senegal (amid protests in 2023), and Nigeria (through targeted platform restrictions, Twitter-X). In each case, operators implemented access controls under direct government instruction, often without transparent legal process or meaningful avenues for challenge.
• Similar dynamics are visible in the Middle East. Iran has repeatedly imposed nationwide shutdowns and throttling during protests, most notably in 2019 (Bloody November protests) and again during the 2022—2023 protests, where connectivity was selectively restricted while state-aligned services remained reachable. Iraq and Syria have regularly ordered nationwide shutdowns during school examinations and security operations, embedding access control as an administrative routine rather than an exceptional measure.
• In South and Southeast Asia, India has become the world’s most frequent user of internet shutdowns, with hundreds of government-ordered disruptions over the past decade, and Sri Lanka have similarly ordered shutdowns or platform blocking during elections, demonstrations, or security incidents.
• Europe is not exempt. While full nationwide shutdowns are rare, governments have increasingly relied on platform-level restrictions and service blocking justified by public order, disinformation, or sanctions enforcement. During periods of unrest in France, authorities have publicly discussed temporary social media shutdowns. In the context of the Ukraine war, multiple European states have mandated blocking of Russian media platforms and services, shifting censorship from content moderation to network-level enforcement through ISPs.
• In East Asia, China’s comprehensive access-control architecture represents the most fully developed model of state-led network control, while other states have adopted partial or episodic versions. Myanmar’s military government has imposed prolonged nationwide shutdowns and mobile data bans since the 2021 coup, using network disruption as a core instrument of governance.

What unites these cases is not ideology or culture; it is the institutional fragility expressed through the network. Control is justified as temporary, exceptional, or security-driven, but repetition normalizes discretion. Over time, shutdowns and access restrictions cease to appear extraordinary, hence they become operational tools.

In each case, the burden falls on network operators, who are compelled to translate political directives into routing changes, filtering rules, DNS interference, or traffic throttling. Governance fragility is thus externalized into the control plane, absorbed by infrastructure, and ultimately experienced by users as unreliability rather than overt repression.

Africa remains the stress-test not because it is alone, but because it is early. It reveals, in compressed form, what happens when authority outruns legitimacy and operators are left to absorb the consequences.

Structural Legitimacy as a System Requirement

What has failed is not law, nor multistakeholder-governance itself. What has failed is structural legitimacy, the alignment between authority and the mechanisms that render it acceptable and stable.

Any governance layer exercising authority over the network must satisfy minimum conditions of structural legitimacy, including traceability, proportionality, contestability, and effective correction.

Structural legitimacy also requires separation between convening and enforcement power, upstream participation by technical actors, and review mechanisms that do not depend on political escalation. Without these properties, authority may remain legal, but it will not be stable. In networked systems, loss of trust manifests not as protest alone, but as degraded routing confidence, higher resilience costs, and brittle infrastructure.

Where Legitimacy Is Meant to Live

The unresolved question is no longer whether authority will act over the Internet; it already does, but where legitimacy is meant to be generated when it does. At present, no layer of Internet governance clearly owns that responsibility. Security and legal institutions exercise binding power without embedded procedural constraint, while multistakeholder bodies retain legitimacy without corresponding causal authority over outcomes. This gap is no longer theoretical. It is structural and increasingly operational. Until legitimacy is generated within the same layers where authority is exercised, governance will continue to drift toward discretion, and participation will continue to function as explanation rather than constraint.

Naming the Break While It Is Still Forming

The Internet is not becoming unfree in a single stroke, and it is becoming conditional through repetition. Authority has accelerated beyond legitimacy, and the gap is now visible in live network behavior.

Multistakeholder governance was never sacred; it was functional. If it is to endure, it must be well defined and structurally re-engineered to operate where authority now resides, not defended nostalgically where it no longer does.

The future of the Internet will not be decided by who controls it in moments of crisis, but by whether control itself remains constrained by legitimacy under pressure.