Home / Blogs

Extending the JPA is the Right Thing to Do

Internet governance is getting a thorough look under the hood, thanks to the National Telecommunication and Information Administration. NTIA recently concluded its public comment period under a Notice of Inquiry (NOI), which asked for public comments regarding the future of the Joint Project Agreement (JPA) between the Department of Commerce and ICANN. At its core, the NOI asks whether the White Paper’s original vision of privatizing the technical coordination and management of the Internet is working.

For reasons I will explain, it would be deeply unwise for NTIA to terminate the JPA just yet.

The JPA forms what NTIA calls one of two “distinct legal arrangements” defining the relationship between ICANN and the United States government. The other one is the IANA Contract between ICANN and the Department of Commerce, under which ICANN administers the technical functions necessary to maintain the accurate assignment of names to addresses within the DNS. It reads like a standard government services contract and contains no provisions addressing ICANN as an institution. The JPA, on the other hand, is a much shorter document that prescribes certain institutional principles by which ICANN is to be governed as the private entity to which the technical coordination and management of the DNS is to be transitioned.

The JPA’s key provisions fall in Annex A, entitled “Affirmation of Responsibilities for ICANN’s Private Sector Management.” There ICANN’s Board of Directors affirmed ICANN’s commitment to ten institutional principles, including the principles of “security and stability”, “transparency,” and “accountability.” These principles are stated broadly, resembling a corporate mission statement.

In sum, then, the JPA sets forth broad principles of institutional governance for ICANN to follow as it assumes responsibility for Internet governance, while the IANA Contract sets forth technical work requirements for carrying out the IANA function. Seen from this perspective, the NOI asks the Internet community whether ICANN has achieved sufficient institutional credibility that the JPA should be allowed to expire this September.

ICANN certainly believes so. Its response to the midterm review of the JPA in 2008 boldly stated: “The JPA is no longer necessary.” In the view of ICANN’s Board, “Concluding it is the next step in transition of the coordination of the [DNS] to the private sector.” Indeed, ICANN emphasized that “This step will provide continuing confidence that the original vision laid out in the White Paper is being delivered.”

Only last year NTIA disagreed. Last July NTIA declared in a letter to ICANN that, based on public comments regarding the JPA’s mid-term review, “there was general consensus that while ICANN had made significant progress in several key areas, important work remains.” In particular, the NTIA noted that stakeholders believe that ICANN still needs “[t]o increase institutional confidence” by “implement[ing] effective processes” covering several areas of concern. These included “long term stability; accountability; responsiveness; continued private sector leadership; stakeholder participation; increased contract compliance; and enhanced competition.” Id. Significantly, in congressional testimony earlier this month, Fiona Alexander, NTIA’s Associate Administrator in the Office of International Affairs, echoed these same concerns by referring to the “important institutional confidence issues associated with the JPA.” More directly, she testified that “The Department’s commitment to preserving the security and stability of the Internet DNS and the public record developed as a result of the comment process will inform any decision made about the JPA’s future.” Such a decision, she said, could see the JPA “terminated, modified, or extended.”

Both the NOI and its recent testimony make it clear that NTIA continues to be concerned about ICANN’s performance under the JPA. In my view, the JPA should be extended for at least three reasons.

First, it reflects broad corporate good governance principles policed with the lightest regulatory touch. It does no harm and probably does some good by reminding ICANN and the rest of the Internet community that the IANA function must be administered by a private organization whose institutional credibility is sound.

Second, ICANN’s institutional credibility remains, to be charitable, a work in progress. NTIA’s concerns about ICANN’s shortfalls regarding stability, accountability, responsiveness, leadership, participation, contract compliance, and competition should be taken seriously. If ICANN’s contracting partner says that ICANN hasn’t yet met its goals, that fact should weigh heavily in deciding whether the JPA should be terminated yet.

Third, the cost of letting ICANN govern the Internet without complete confidence in its institutional credibility is incalculable. Internet retail sales totaled $31.7 billion in the first quarter of this year, a 20% increase from 2006. Letting ICANN govern the technical infrastructure that supports that magnitude of economic power without the mildly restraining force of the JPA would be foolish, when ICANN hasn’t yet earned the trust of those who rely on the Internet the most.

Let’s hope that NTIA sees it that way too.

By R. Shawn Gunnarson, Attorney at Law, Kirton & McConkie

Filed Under


Questions on the JPA/IANA Contract Distinction The Famous Brett Watson  –  Jun 24, 2009 4:10 PM

Mr Gunnarson, thank you for writing this article, which is outstanding both in terms of its informative content and its moderate tone, particularly relative to some other recent writing on the subject of ICANN at CircleID. The clarification on the difference between the JPA and the IANA contract is appreciated, particularly as Dr Twomey used this distinction in his congressional testimony. In light of that distinction, I would like to pose some questions.

Consider the following extract from the hearing (as transcribed by me).

From June 4, 2009 ICANN Hearing - Panel Questions Part 1

[Dingell 15:43] Um, now, recently in view of… of, uh, reports that US government has been subject to cyber attacks from abroad, does the depart… uh… do you believe that upon expiration of the JPA the US government will have adequate input into ICANN’s efforts to ensure the stability and the security of Internet. Again, yes or no, ah, if you please.

[Alexander 16:11] Thank you very much. Security and stability is what will guide the… the Department of Commerce in all of these areas.

[Dingell 16:16] Next panelist.

[Twomey 16:18] Yes, comprehensively, because it’s not covered within the JPA to st… detail to start with.

[Dingell 16:23] Thank you. Next panelist.

[Silva 16:25] I don’t know the answer to that definitively, but I would have… I would share those concerns.

[Dingell 16:29] Next panelist.

[Jones 16:30] Yes, we would continue to have concerns there.

[Dingell 16:33] Thank you. Next panelist.

[Deutsch 16:35] Uh, we would as well.

[Lenard 16:38] Ah, I agree, we would have concerns.

The question is whether “upon expiration of the JPA the US government will have adequate input into ICANN’s efforts to ensure the stability and security of Internet.” Ms Alexander’s answer does not address the question, Dr Twomey states that the JPA is irrelevant to the issue at hand, and the other four panelists express some concern that the expiration of the JPA would have a negative impact.

In your understanding of the JPA, is Dr Twomey’s testimony accurate? His answer gives me the impression that the issue is more a matter of the IANA contract details than the JPA. Is this fair characterisation, or misleading?

I do note, however, that regardless of the statement’s technical accuracy, the four parties with concerns may have a valid but somewhat indirect basis for their reservations. Even if the JPA is technically irrelevant to the matter of stability and security, does the JPA perhaps provide political leverage over ICANN which would allow US government input into “stability and security” matters beyond the standards set in the IANA contract? What remedies are incorporated into the JPA in the case that ICANN is found to be deficient? That is to say, what if ICANN maintained security and stability to the standards required by the IANA contract, but some new set of circumstances (such as a direct attack on US network infrastructure) threatened “security and stability” in the more nebulous terms of the JPA? Is the JPA seen as a potential source of discretionary power for the US government in ICANN issues?

That aspect of US government oversight raises another question. It’s all very well to accuse ICANN of rampant non-accountability and non-transparency, but what sort of oversight has the US government been exercising if the accusations are true? Surely “oversight” involves more than passive observation? The problems of ICANN are not only the responsibility of ICANN executives, but also the Commerce Department which is supposed to oversee them. What is the point of renewing the JPA (on the basis that ICANN is not yet ready to operate independently) if all we can expect is more of the same? Clearly this is not an argument for allowing the JPA to lapse, but simple renewal will be just as ineffective.

Of course, if the JPA really does provide the kind of political leverage that I have suggested above, then the US government faces a fundamental conflict of interest: its goal is ostensibly to move ICANN towards independence, but it will sacrifice a strategic advantage if it succeeds in doing so. Consequently, it may be politically expedient to allow ICANN to fail in an ongoing sense: the US government can thereby sustain its traditional strategic advantage using the pretext that further oversight is still necessary for the good of all.

It seems that ICANN not only needs more accountability, but the US government needs to find some internal accountability for the effectiveness (or lack thereof) of its oversight.

The JPA and US Oversight R. Shawn Gunnarson  –  Jun 24, 2009 5:27 PM

Mr Watson:

Thank you for your thoughtful commentary and questions.

First, I agree that the United States can improve in its oversight of ICANN. Given the curious legal framework on which its relationship with ICANN is built, however, it’s difficult to see how improvement will come unless the JPA remains part of the structure. As I explained above, the IANA Contract says nothing about ICANN as an institution. It is a simple government services contract, as if Company XYZ had agreed to supply widgets or data entry services or whatnot to the U.S. government. What some observers fail to mention is that the IANA Contract and the JPA are really interlocking agreements; it was anticipated that the institutional principles in the JPA would enable ICANN to remain strong and sound enough to be entrusted with the critical technical services supplied under the IANA Contract. So my first point is that allowing the JPA to terminate would remove any institutional benchmarks from the legal framework, leaving the IANA Contract to be carried out by ICANN regardless of its institutional trustworthiness.

Even with the JPA in place, you’re certainly correct that the United States has done less than it could to exercise oversight. Part of that shortfall I attribute to the uncertainties of overseeing a private nonprofit corporation responsible for carrying out the core technical function of the Internet. There is no regulatory regime that gives the Department of Commerce authority to direct ICANN’s activities in the manner that the Securities and Exchange Commission has rulemaking and enforcement authority over publicly traded companies. Having said that, the U.S. should step up the level of its engagement with ICANN. The Notice of Inquiry that the Department of Commerce just completed is a good start. But more should be done to ensure that ICANN is living up to its responsibilities under the JPA.

Second, you ask whether Dr. Twomey was correct in suggesting that, in the event of a cyber attack following expiration of the JPA, the U.S. government would have “adequate input into ICANN’s efforts to ensure the stability and security of Internet.” I disagree. Without the JPA, there is only the IANA Contract, and that document says nothing about the stability and security of the Internet, as a whole. It only requires ICANN to take steps to ensure the stability and security of its own systems. Only the JPA makes the safety and security of the Net a principle for which ICANN is responsible. As long as ICANN carries out its technical function under the IANA Contract, it is not then held responsible for the Net’s safety and security.

Third, you ask on a related point whether the JPA contains any remedies in the event that ICANN fails to carry out its responsibilities. Unfortunately, it does not, and I don’t know enough to comment on its effectiveness as a source of indirect political leverage over ICANN.

Thank you again for responding to my article.

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet




Sponsored byDNIB.com

Brand Protection

Sponsored byCSC

IPv4 Markets

Sponsored byIPv4.Global

Domain Names

Sponsored byVerisign

New TLDs

Sponsored byRadix

Threat Intelligence

Sponsored byWhoisXML API


Sponsored byVerisign