When Registry Power Detaches From Liability, It Detaches From Reality

The deepest problem in the RIR system is not ordinary bad governance. It is not that one board was reckless, one executive was corrupt, or one region was unusually unlucky. The deeper problem is that the institutional shell was built for an earlier world and now governs a different one. IPv4 scarcity, depletion, and transferability changed the nature of the object being governed. What once looked like administrative coordination now sits inside the institutional recognition layer of a scarce economic resource. Once addresses become scarce enough that networks must rely on waiting lists, transfer frameworks, and secondary-market transactions, the registry is no longer merely keeping records. It exercises high-consequence gatekeeping over transferability, recognition, routing credibility, and business continuity. The legal shell remained clerical while the economic substance became strategic. That is the fracture line.

You can see that fracture directly in the contracts. RIPE NCC’s Standard Service Agreement excludes broad categories of liability and limits RIPE NCC’s liability to the member’s service fee for the relevant financial year. ARIN’s Registration Services Agreement caps aggregate liability at the greater of the prior six months of fees or US$100, and permits termination and revocation of included number resources after prolonged nonpayment. AFRINIC’s RSA likewise limits liability to the greater of the previous six months of fees or US$100. These are not the terms of institutions financially standing behind high-consequence governance harm. They are the terms of institutions retaining decisive control while contractually minimizing meaningful downside.

The balance sheets reveal the same mismatch from the other side. RIPE NCC’s 2026 budget shows roughly EUR 41.1 million in expense budget. ARIN’s 2025 financial report shows a target operating reserve of about US$24.7 million and budgeted operating expenditures of about US$32.9 million. AFRINIC’s 2021 annual report showed membership-fee revenue of about US$5.98 million and expenses of about US$4.12 million. These are meaningful administrative budgets. They are not the capital base of institutions designed to absorb liability proportionate to the foreseeable magnitude of governance harm surrounding scarce, high-value number resources. In plain terms, asset-significant consequences are being governed by association-scale balance sheets.

That is why the contradiction is structural rather than managerial. In ordinary commerce, limitation-of-liability clauses can be coherent because risk remains at least roughly allocable: parties can negotiate, switch providers, insure, diversify, or refuse the transaction. That logic weakens sharply here. The registry role is much closer to monopoly-like gatekeeping over a critical coordination layer. Members do not meaningfully negotiate the institutional architecture. The registry can affect continued recognition, transferability, or status of resources, yet the remedy remains symbolic. In a serious capitalist and rule-of-law order, that is not a stable equilibrium. It is an attempt to preserve sovereign-grade practical consequence while retaining service-provider-grade responsibility. That arrangement can be obscured for some time. It cannot be stabilized once the governed resource becomes materially valuable.

This is also why the usual debate over personalities is too shallow. The issue is not whether one CEO is more ethical than another, or one board more competent than another. The issue is that a structure combining high discretion, weak remedy, thin capitalization, and strong member dependence will systematically produce pathological incentives. It will tempt bad actors, degrade average actors, and reward short-term extraction over long-term legitimacy. Once that is understood, the surprising thing is not that abuse appears. The surprising thing is that so many insiders still describe abuse as an anomaly rather than a design output. This is the point many in the RIR world still resist: the present coordination function cannot survive in its current form, because the current form couples consequence-heavy authority with consequence-light accountability. That coupling is the problem.

AFRINIC matters because it is the clearest stress-case showing how the present model behaves under adversarial pressure. AFRINIC itself stated it has already cost the organization millions of dollars in legal fees. Whatever one thinks of AFRINIC’s preferred framing, that admission is enough. The institution is not being examined from a restored equilibrium. It is being examined while unstable, financially strained by legal conflict, and openly struggling to normalize operations. In that condition, power/liability asymmetry becomes exceptionally dangerous because it is no longer merely a hidden design flaw. It becomes usable leverage inside a weakened institution.

At this point, the analysis must become sharper. The asymmetry does not merely create instability. It creates a predatory selection logic. Once insiders realize they possess meaningful discretion while bearing very little practical downside, they do not behave randomly. Low-value targets are not worth the effort. Very large targets may be too dangerous to touch. The structure, therefore, tends to converge on actors valuable enough to matter, but not obviously too large to pressure. That logic can look rational in the short term. In reality, it is among the structure’s most self-destructive features. Because over time, this selection process does not merely produce victims. It tends to produce the institution’s own accelerator of collapse. The identity of the target is contingent. The emergence of such a target is not. Once concentrated discretion and tiny accountability coexist long enough, predatory behavior is not an accidental error. It is a mathematically predictable output of the incentive structure.

That distinction matters. A confrontation between a registry and a powerful, persistent, well-resourced member may later be narrated as though the member caused the crisis. Analytically, that is false. The underlying cause remains structural. The confrontation is the structure meeting one of its own predictable outputs. What appears from inside the institution as a tactical pressure opportunity may, from the outside, be the moment the institution shortens its own future. This is why some systems decay quietly for years and then suddenly enter an accelerated crisis. The defect was always present. What changed was that the defect finally selected a target capable of turning latent contradiction into organized counter-force. That is not a random institutional mishap. It is what such a structure becomes likely to generate over time.

Once conflict begins, the pathology usually worsens. Instead of rebalancing power with responsibility, remedy, and restraint, the institution and its allies tend to seek greater insulation from consequence. That can take the form of broader procedural shielding, broader claims to immunity, or broader political sponsorship. But all of these are variations of the same mistake: preserving or enlarging power while moving responsibility even farther away. That does not cure the disease. It deepens it. The right question is never how to protect the registry from the consequences of its own design. The right question is why any registry should continue to hold such consequence-heavy authority without corresponding liability, capital, and external discipline.

The ICANN/Smart Africa sequence is important because it shows this pathology reproduced at a higher layer. ICANN’s own November 2025 statement says that under its MoU and Project Agreement with Smart Africa, ICANN contributed US$40,000 to the IG Blueprint effort and provided administrative support for Smart Africa’s regional dialogues at ICANN meetings. The 24 November 2025 letter from ICANN CEO Kurtis Lindqvist likewise acknowledges the US$40,000 project funding and states that CAIGA was included in the broader Blueprint, while also stressing that ICANN did not pre-endorse CAIGA and would not participate in “governmental override mechanisms.” The pattern is unmistakable: enablement first, formal distance later. Power exercised through funding, venue, and procedural oxygen; responsibility disclaimed through legal and institutional distance.

The public event trail reinforces that reading. The ICANN83 Prague agenda included an introduction by ICANN, opening remarks involving the ICANN CEO and the Smart Africa CEO, an item on agreement for the creation of CAIGA, and another on finalization of CAIGA documents for official launch. Smart Africa later stated that seven out of eight coalition-endorsed candidates had won AFRINIC board seats, that it had acted under the mandate of its Heads of State and Governments, and that it would continue advancing CAIGA in line with orientations already endorsed by its member states. Whatever euphemisms are preferred, this is not a movement toward tighter alignment between authority and liability. It is a movement toward adding more politics to a layer already suffering from too much power relative to responsibility.

Governments tempted to “solve” registry instability by inserting more direct state power should understand the category error they are making. A state can survive predation longer because it has territory, tax capacity, police power, and ultimately coercive force. A registry has none of those buffers. Its real capital is shared recognition, procedural credibility, and operational continuity. That means every attempt to use a registry as a political instrument, an extraction machine, or a low-accountability zone of influence does not strengthen it. It burns the only trust substrate on which its existence depends. If the answer to registry fragility is to make the institution more political while keeping it undercapitalized and weakly liable, then the answer is simply another stage of the same disease.

This is why the current style of “fix” is so unintelligent. More immunity is not a cure; it widens the gap between power and consequence. More governmental control is not a cure; it converts a registry crisis into a sovereignty contest while leaving the liability structure unresolved. More formal denial of responsibility by outside enablers is not a cure; it merely reproduces the same asymmetry one level higher. None of these moves rebalances the equation. All of them push it farther away from solvability. The correct analogy is not institutional reform. It is an aircraft already near stall whose pilots mistake the temporary feeling of climb for proof that they should keep pulling the nose up. Each extra pull feels like control. In reality, it pushes the aircraft closer to irreversible loss of lift.

The conclusion is harsh because the structure is harsh. The present RIR coordination model cannot survive in its current form once number resources become economically serious. A system built on concentrated registry authority, symbolic liability, thin capital, and weak remedy can survive only while no one seriously tests it and while insiders remain disciplined enough not to exploit its asymmetry too aggressively. AFRINIC shows what happens when that discipline fails and when the underlying design is pushed under stress. The answer, therefore, cannot be better messaging, more insulation, or more political muscle. Those are all attempts to preserve power while pushing responsibility still farther away. They make the equation less solvable, not more.

There are only two coherent end states. One is decentralization: lower single-point discretion, more distributed trust, and less dependence on one fragile institutional gatekeeper. The other is radical reconstruction: split the current shell into separately accountable layers for technical registry functions, dispute resolution, and economic rights or transfer entitlement. Everything else is merely an attempt to keep the old structure alive by feeding it a stronger dose of the pathology that is killing it.

By Lu Heng, Founder & CEO at LARUS Limited

Comments

How the Internet & Internet number registry system actually work… John Curran  –  Mar 18, 2026 9:03 AM

The Internet is not a centrally controlled system. It is a network of operators coordinating with one another to provide global connectivity. Through interconnection and peering, operators routinely make decisions that affect reachability and traffic flows. This distributed nature is inherent to how the Internet operates, and the Internet Number Registry System represents another form of operator coordination that enables global connectivity. Policies are developed by the multistakeholder community through open processes, and the Regional Internet Registries implement those policies. The RIRs do not create policy authority—the community does. The registries implement that direction.

Accountability in this system is not based on liability. It is based on governance. RIRs are membership organizations governed by the very parties they serve. Members elect the governing bodies, oversee the organizations, and shape their direction. The same community that develops policy also provides mechanisms to ensure that it is implemented faithfully. If an RIR fails in that role, its community has recourse through its governance structures. This community-based model is not universally popular, as it serves the collective goal of global connectivity rather than economic or political ends, but any claim that it lacks accountability is not well-founded.

It should be noted that membership-based accountability is a more direct and operationally relevant form of accountability than the liability model suggested in the article. Liability is external and after the fact. The RIR system provides continuous, built-in accountability through participation, transparency, and member control. The ongoing ICP-2 update process, through extensive community engagement, has produced a draft RIR governance framework that both reaffirms and clarifies this core model: community-developed policy and member-based accountability.

The RIR system has demonstrated its effectiveness over time. It has supported decades of Internet growth and stability, while evolving to meet new needs such as the introduction of IPv6, now prevalent in core Internet infrastructure, and the accommodation of IPv4 transfers. There is certainly room for continued improvement, as in any system. But meaningful discussion of that evolution needs to start from an accurate understanding of how the system actually functions, both structurally and in its accountability.

On Why “The Community” Is Not a Substitute for Accountability Lu Heng  –  Mar 18, 2026 9:26 AM

John,

I agree with your first sentence and reject the conclusion you attach to it. The Internet is indeed a distributed system of operators coordinating with one another. That is exactly why the registry layer should be analyzed clearly. Peering is reciprocal coordination among operators. A registry is not that. A registry sits at an exclusive recognition and contract layer for number resources, with the ability to suspend services, terminate agreements, and revoke resources under its agreements. That is not merely “another form of operator coordination.” It is gatekeeping over a scarce and economically meaningful resource.

The same problem appears in your move from “community-developed policy” to “therefore the RIR lacks independent accountability issues.” Even if one grants the policy-development premise, it does not answer the power question. The chokepoint is not only who drafts policy text. The chokepoint is who holds the registry, who applies policy in practice, who controls contractual status, who controls recognition, and who can suspend, terminate, revoke, or deregister resources while disclaiming meaningful downside. ARIN’s RSA caps liability at the greater of the prior six months of fees or US$100, and after termination ARIN may immediately revoke the included number resources and “will have no liability for doing so.” RIPE likewise limits liability to the member’s service fee for the relevant financial year and provides for termination and deregistration without damages to the member. That asymmetry is not theoretical. It is written into the contracts. 

Your second move is to treat governance as a substitute for liability. It is not. Internal governance is one accountability mechanism. It is not the same thing as external accountability proportionate to consequence. In ARIN’s own materials, representatives of General Members in Good Standing elect the Board and Advisory Council, while ARIN also states that membership is not required to obtain number resources and is not required to participate in policy development. That means the set of actors affected by registry power is not identical to the set of actors exercising electoral control over the institution. Even perfect internal elections would not erase the underlying mismatch: a body can still hold consequence-heavy authority over scarce assets while carrying consequence-light downside. 

There is also a deeper problem with the word “community” in this debate. Too often, “the community” does not mean the Internet. It means a small recurring process class. ARIN’s Advisory Council consists of 15 elected members. ICANN’s ALAC, which describes itself as the primary organizational home for the voice and concerns of the individual Internet user, is also a 15-member body, which is then said to represent the whole “community”. Small committees are not illegitimate simply because they are small. But small committees are not the same thing as “the community,” still less the same thing as all operators, all affected parties, or the Internet as such.

That representational inflation matters because it is exactly how procedural systems start overstating their own legitimacy. When a handful of recurring participants in a room write text, interpret process, and then call that “community authority,” the word starts doing more work than the facts can support. The problem is not open participation in principle. The problem is the constant rhetorical jump from “a small number of engaged participants took part in a process” to “the community has spoken” and therefore “accountability is solved.” It is not solved. Participation is not the same thing as authorization, and procedure is not the same thing as responsibility. 

Your historical point also does not answer the present argument. My claim is precisely that the stakes have changed. IPv4 scarcity, transferability, and secondary-market value changed the nature of the object being governed. A clerical shell sitting above a low-value administrative function is one thing. A low-liability registry layer sitting above scarce, transferable, financeable assets used in production networks is another. “The model supported growth in the past” is not a sufficient answer to “is the present power/liability structure stable now?” Systems can function tolerably in one economic phase and become structurally unstable in another. 

So the disagreement is not about whether the Internet is distributed, whether policy processes exist, or whether membership governance matters. It is about whether those facts exhaust the accountability question. They do not. Once registries sit above scarce and valuable resources, internal participation and process transparency are not enough on their own. Governance is necessary, but it is not a substitute for liability, capital, or enforceable external discipline. Once registry power becomes asset-significant while registry downside remains trivial, the system has already moved out of the world of mere clerical coordination and into the world of low-liability gatekeeping.

RIR accountability focuses on operational needs rather than economic desires... John Curran  –  Mar 18, 2026 11:03 AM

The issue here is not whether accountability matters. It is how accountability actually operates in this system. In the Internet number registry system, authority does not originate with the registries. It originates with the Internet number resources community, which develops policy through open, multistakeholder processes. The registries implement those policies under the direct oversight of that same community. Accountability, therefore, is not absent -- it is continuous, participatory, and built into both policy development and organizational governance.

You are correct that the registry function concentrates certain operational responsibilities, including the application of policy and the maintenance of registration records. But that concentration exists under the direction and supervision of those who hold and depend upon number resources -- including, but not limited to, RIR members. The same actors who rely on the system for global interoperability are the ones who define its rules, participate in its processes, and hold the institutions accountable through their governance structures. That is a fundamentally different model than an independent actor exercising unconstrained authority over a resource, as you seem to imply in your reply.

The suggestion that governance is insufficient because it is not liability-based misunderstands the nature of accountability in a multistakeholder system. Liability-based accountability is inherently external and after the fact, whereas the RIR system operates through continuous oversight. Rather than relying on ex post remedies, the community instead relies on ongoing, member-based governance. In practice, those who rely on number resources for global connectivity prioritize accurate registry operations and timely operational remedies when issues arise. This reflects the system's emphasis on maintaining stable, functioning coordination in real time, rather than relying primarily on punitive ex post liability mechanisms -- and the potential stability risks any such mechanisms would entail.

It is also important to be precise about how policy is actually developed, as your description again reflects some significant misunderstanding. ARIN's Advisory Council does not "represent the community" or create policy; it administratively shepherds the policy development process. Policy is developed through open participation, where anyone may contribute and all contributions are considered on their merits. The number of participants is not the measure of legitimacy; rather it is the openness of the process and substantive consideration of inputs that provides the basis of legitimacy. It is true that proposals focused primarily on narrow economic advantage tend not to gain consensus, but that reflects the system's orientation toward global interoperability rather than any failure of governance.

I would also note that the recent ICP-2 update consultation addressed many of the same questions regarding RIR accountability, and after broad community input and review, the work has converged on strengthening governance, auditability, and process accountability -- not on adopting liability-based frameworks. While no contributions called for a liability-based approach to accountability, the resulting RIR Governance Document (once adopted) will strengthen the governance of the Internet number registry system regardless -- and even help provide for fair consideration of your proposed approach if at some point in time you care to raise it for consideration in each RIR community.

On Why an Open Door Means Little When Only Insiders Speak the Language Lu Heng  –  Mar 18, 2026 11:46 AM

John,

Thank you. Your latest reply makes the disagreement clearer.

I do not dispute that the RIR policy process is open, or that participation exists, or that governance structures exist. My point is that none of those facts answers the accountability problem created once registries sit above scarce, transferable, financeable resources with very large real-world consequences.

You say authority “originates with the community.” But that phrase is doing too much work. “Anyone may participate” is not the same thing as “all affected parties are represented.” Openness is a procedural property. It is not the same thing as authorization, and it is not the same thing as accountability proportionate to consequence. A door being open does not mean the people inside the room somehow represent everyone whose businesses, assets, and continuity depend on the outcome.

You also say the registries operate under the direction and supervision of those who hold and depend upon number resources, “including, but not limited to, RIR members.” But that again collapses several distinct categories into one word: participants, members, affected operators, and “the community.” They are not the same set. The fact that an open process exists does not erase the question of who actually exercises decisive control through the registry layer, through contracts, through recognition, and through the operational implementation of policy.

That is why I keep returning to the same point. The issue is not whether policy text can be discussed openly. The issue is that the registry remains the chokepoint for contractual status, registry recognition, and the continued administrative standing of the resource. Once that chokepoint sits above scarce and valuable assets, the structure is no longer equivalent to low-stakes coordination among operators. It becomes gatekeeping, whether one likes that word or not.

You describe governance as “continuous” and liability as merely “external and after the fact.” But that framing avoids the real issue. Liability is not important because it is punitive. It is important because it forces institutions to internalize at least some of the downside of the power they exercise. If an institution can materially affect assets with large operational and economic consequences, while its own downside remains trivial, then governance alone does not solve the asymmetry. And in its current insider-club form, it does not even mitigate the risk in any meaningful way.

You also suggest that those who rely on the system prioritize accurate operations and timely remedies over ex post liability. Of course they do. That is true in almost every critical system. But preferring timely remedies does not prove that liability is irrelevant. It only proves that prevention is better than cleanup. A stable system should aim for both: sound operations and accountability proportionate to consequence. It should not have to choose between them.

On the Advisory Council, I accept your clarification that the AC does not itself create policy and does not “represent the community” in a formal sense. But that clarification does not answer my point. My point was never that the AC alone creates legitimacy. My point was that a relatively small and recurring process class can shepherd, frame, interpret, and influence a system, and that the existence of an open process does not automatically convert that process into a sufficient substitute for responsibility. The phrase “the community has decided” still often hides a much narrower operational reality than the phrase suggests.

Finally, you note that the ICP-2 consultation has converged on stronger governance, auditability, and process accountability rather than liability-based accountability. But that only proves the limits of the present process, not the soundness of the underlying model. I called for number portability. Others from the industry submitted comments under their real names and job titles. Yet proposals that touched the real allocation of power were dismissed either as “out of scope,” reframed as mere policy issues, or casually discounted as AI-written—as if the use of AI assistance somehow voided the substance of an argument. That itself raises a deeper legitimacy question: if a process claims openness, but treats serious outside input as procedurally disposable the moment it challenges institutional assumptions, then “community accountability” starts to look less like accountability and more like controlled self-reference. If insiders want only procedural legitimacy while rejecting real community input on the grounds that it is inconvenient, out of scope, or insufficiently native to their own process culture, then they may as well simply write whatever they intended from the start and stop pretending the outcome meaningfully reflects the broader community.

So the disagreement remains straightforward. You argue that open participation plus continuous governance is sufficient accountability for the registry layer. I do not. Once scarce and valuable assets depend on registry recognition and contractual status, openness of process and internal governance are not enough on their own. They are necessary. They are not sufficient. That is the point. And even those, as I have pointed out, have already degenerated into an insider club that consistently rejects outsiders and buries itself in a language only it speaks—as if the door were technically open, but anyone wishing to enter had first to master a language spoken by almost no one on earth except the people already inside.

John Curran  –  Mar 18, 2026 1:22 PM

Let me be more precise in replying. First, you assert that "Openness is a procedural property. It is not the same thing as authorization, and it is not the same thing as accountability proportionate to consequence. A door being open does not mean the people inside the room somehow represent everyone whose businesses, assets, and continuity depend on the outcome."

Alas, I'll disagree -- it is indeed the case that "the people inside the room" (i.e., those who choose to participate) must represent the entire community. For those whose businesses, assets, and continuity truly depend on the outcome, participation in the process -- either direct or through representatives -- is a burden they indeed should carry as a consequence of utilizing a multistakeholder-governed system.

You suggest that the nature of the registry system has changed, and that it can now "materially affect assets with large operational and economic consequence." Actually, that has always been the case. Those who focus on the financial merits of Internet number resources can easily forget that the strongest value is their operational use, and any mistakes with number resources in operational use have long carried the potential for significant operational and economic consequence.

What is new is your cries for "accountability" -- by which you mean financial liability proportionate to consequence. The RIRs take care in their actions and promote responsible use of Internet number resources through established policies and best practices, but nothing in this world is infallible. If an event were to occur that caused harm, the question becomes whether such harms should be capped, and to what extent. That is not a trivial matter, as it could result in an RIR mishap leading to damages that impact its continued operation and, in turn, the broader community. As it stands, each RIR has a member-elected governing board responsible for considering such questions and determining the appropriate balance of risk, responsibility, and sustainability. If a community feels as you do, then such an outcome is straightforward for you to pursue through the election of similarly minded board members.

Regarding the ICP-2 update process, you note that you called for number portability and infer from the outcome that the process is therefore limited or dismissive of substantive input. That conclusion does not follow. The ICP-2 process was focused on updating the framework for RIR recognition and governance, not on establishing new number resource policies outside of the established policy development processes. It is therefore entirely reasonable that proposals which would effectively introduce new number resource policy (such as "number portability") could have been considered out of scope, rather than being advanced through what would amount to a backdoor mechanism. Such matters are properly addressed through the formal RIR policy development processes within each region. If you believe there is support for portability, the appropriate course is to raise it within the (admittedly open) policy development processes and see whether it gains traction in any RIR community.


On Why Participation Is Not Accountability Lu Heng  –  Mar 18, 2026 2:38 PM

John,

Thank you. Your latest reply helps clarify the core of our disagreement.

You state that those whose businesses, assets, and continuity depend on the outcome "must participate" and therefore represent the community. That is precisely where we diverge. Participation is a mechanism. It is not authorization. A system in which only those who enter the room are deemed to "represent" all affected parties is not representation; it is self-selection. If legitimacy depends on participation, then the system is not representing all affected actors -- it is describing a subset of participants who are willing, able, and sufficiently specialized to engage in its processes.

You also suggest that the system has always carried significant operational consequence, and therefore nothing fundamental has changed. I agree that operational mistakes have always had impact. But the nature of the object has changed. There is a difference between coordinating something that is operationally important but not economically scarce, and controlling recognition over assets that are scarce, transferable, financeable, and embedded in contracts and balance sheets. A hobbyist mailing list or a volunteer-maintained routing registry can function with loose, participation-based governance because the downside is limited and diffuse -- failures are inconvenient. But when the underlying resource carries explicit financial value and is relied upon in production systems, failures become economically destructive. A governance model that works for low-value coordination does not automatically scale to high-value asset control.

On liability, your argument is more revealing than you may intend. You note that increasing liability could threaten the continued operation of an RIR and thereby harm the broader community. That is a valid concern. But it also makes the tradeoff explicit: the system is choosing to limit institutional downside even where institutional power can materially affect high-value assets. In other words, when symmetry between power and consequence would place stress on the institution, the asymmetry is preserved and the residual risk remains with operators. That is not neutral. It is a structural allocation of risk. And in doing so, you effectively confirm my point: the system depends on maintaining that asymmetry in order to remain stable, which raises the question of how long such a structure can persist once the assets beneath it continue to grow in value and importance.

The consequence has always existed. The real question is who bears it. The operator? The members of an RIR? The registry itself? Or a system in which consequence is not concentrated at a single recognition chokepoint, but distributed by design? Only the last direction offers a path to long-term stability. Concentrated control with limited downside does not.

You then suggest that if one disagrees, the appropriate path is to elect different board members. That again shifts a structural question into a procedural one. The issue I am raising is not which individuals sit on a board, nor which specific policy is adopted. It is whether a system in which a registry holds the recognition and contractual chokepoint over scarce assets, while carrying only limited downside, can be considered fully accountable simply because governance processes exist. Elections do not change the nature of the underlying asymmetry. Replacing individuals within the same structure does not resolve a structural imbalance -- suggesting otherwise is akin to believing that replacing one leader with another would solve systemic conditions without changing the system itself.

Regarding ICP-2, my point is not about scope in a narrow procedural sense. It is about how scope is used. When a proposal challenges the underlying allocation of power, it is labeled "out of scope." When it does not fit the established procedural framing, it is redirected into other processes. The result is that only arguments expressed in the system's own language, within its predefined boundaries, are treated as valid input. In that sense, the process is formally open but substantively gated: the door is open, but meaningful participation requires fluency in a specialized internal language and acceptance of the system's own framing. That is not broad-based input. It is filtration.

So the disagreement remains straightforward. You are describing a system in which openness of participation and continuous governance are taken to constitute accountability. I am describing a system in which participation is not the same as authorization, governance is not the same as responsibility proportionate to consequence, and openness does not resolve a structural mismatch between control and downside.

You are not describing accountability. You are describing participation as a substitute for accountability.

Ultimately, this will not be decided in theory. It will be decided by operators and the companies that run networks. Their legal and risk teams will evaluate a simple reality: a system in which control is concentrated at the registry layer while liability remains minimal is not a balanced arrangement -- it is an asymmetry. Operators, who build the networks, deploy the capital, and bear the operational and commercial downside, are not logically positioned to accept a structure in which they carry the greatest exposure while the controlling layer carries the least. That is not a preference question. It is a structural inconsistency.

In practice, this means the decision is not between different "governance philosophies," but between accepting asymmetric risk or moving toward mechanisms that align control with consequence. Once that asymmetry is made explicit, the direction of travel becomes predictable. My role here is simply to make that asymmetry visible.

editor issue Lu Heng  –  Mar 18, 2026 3:04 PM

John,

I'm not sure why the editor turned my previous reply into a single block, and I can't find a way to edit it. So I'll restate the core points briefly.

Participation is not authorization. An open process does not mean those who show up represent all affected parties -- it means a subset participates.

The issue is not policy process. It is structure. Registries sit at the recognition and contractual chokepoint of scarce, valuable resources, while carrying limited downside. That is not balance -- it is asymmetry. Saying "those affected must participate" does not resolve this. It shifts responsibility to participants without aligning control and consequence.

The consequence has always existed. The only question is who bears it. Today, operators bear the downside, while registries retain the control.

That is not accountability. It is participation used as a substitute for accountability.

Once operators recognize this asymmetry, and once a path toward more balanced accountability exists, the outcome is not difficult to foresee. The question is no longer whether the RIR model will fail, but when -- and what will replace it.

The Registry is "of the members" not "above the members" John Curran  –  Mar 18, 2026 3:09 PM

It is likely that the disagreement ultimately comes down to how you are conceptualizing the registry itself. You are treating the registry as a distinct, independent actor sitting above operators, exercising control over scarce resources. I do not see it that way. The registry is an institutional mechanism through which its members – the operators and resource holders – collectively carry out coordination. It is not separate from them in the way your argument assumes; it is an instantiation of their joint activity, operating under policies they develop and governance structures they elect.

Because of that, the question of accountability cannot be framed as though there is one group exercising control and some other that is bearing the consequence. The same community that depends on the system is the one that defines its policies, elects its governing board, and determines how risks – including liability – should be handled. As you note, operators will ultimately decide what arrangements they accept. That is precisely what the member-based governance model enables in practice, rather than in theory.

On liability, the answer is not binary. It is not a choice between no liability and unlimited liability imposed on an external actor. It is a question for the community, acting through its governance structures, to determine what level of liability appropriately balances incentives, risk, and the continued viability of the registry as a shared system. That balance necessarily reflects the fact that the registry is a collective undertaking, not a separate entity from which accountability must be extracted.

If one starts from the premise that the registry is distinct from the community, then the asymmetry you describe appears inevitable. If one instead recognizes the registry as a mechanism of the community itself, then the question becomes how that community chooses to organize responsibility within its own shared system.  I do recognize this can be challenging to comprehend, since for those outside the system, it amounts to a decision on whether to embrace and join that community – sharing in the benefits of the registry system that result from it, or not participate at all.

On Centralized Control and Localized Consequence Lu Heng  –  Mar 18, 2026 3:29 PM

John,

This is precisely where we fundamentally disagree.

You are asserting that the registry is “of the members” and therefore not distinct from them. That may be a useful conceptual framing for describing governance, but it does not hold at the level that actually matters: legal structure, contractual control, and consequence.

The registry is a legal entity. It signs contracts. It enforces status. It can suspend, terminate, and revoke resources under those contracts—subject, in principle, to legal scrutiny and enforceability. As I have explained here on my note (https://heng.lu/on-why-the-present-registry-model-becomes-impossible-once-ipv4-becomes-a-real-asset/), that model becomes increasingly difficult to sustain once the underlying resources are scarce, transferable, and economically significant. These are not abstract community functions. These are actions taken by a distinct entity with operational authority.

Members, operators, and affected parties are not the same set. Not all resource holders are members. Not all affected parties participate. And not all participants have equal influence over outcomes. Collapsing all of these into “the community” does not resolve the problem—it obscures it.

More importantly, when a registry exercises its authority, the consequence is not borne collectively in practice. It is borne by the specific operator whose resources, business, and continuity are affected. The downside is localized. The control is centralized. That is exactly the asymmetry I am describing.

Saying the registry is “of the members” does not change that. It is similar to claiming that a system is “of the people.” That may be true on paper, but it does not eliminate the reality that control tends to concentrate in the hands of those who operate and direct the governing structure. History has repeatedly shown that asserting representation “on behalf of the people” does not resolve structural imbalances between where power sits and where consequences fall.

This is also why your framing ultimately makes participation a condition for legitimacy. You are effectively saying: if you depend on the system, you must join and participate, and through that participation the system becomes accountable. But that is not accountability. That is conditional inclusion.

This becomes even more problematic when meaningful participation requires fluency in a highly specialized, insider language that few outside the process can realistically acquire. In practice, that raises the barrier to entry to a level comparable to requiring advanced credentials simply to have a voice. It then shifts responsibility onto those excluded, suggesting that lack of participation justifies lack of representation. That is not a neutral system—it is a form of procedural elitism combined with closed-circle dynamics.

Accountability cannot depend on whether the affected party has entered the system. It must exist regardless of participation.

So the disagreement is not about governance existing. It is about whether governance, especially when exercised through a distinct legal entity with concentrated control, is sufficient to replace accountability proportionate to consequence.

I do not believe it is.

If Not MSM Governance, Then What? John Curran  –  Mar 19, 2026 6:49 AM

Lu,

I think we’ve clarified the core of our disagreement, but it may be useful to separate two different questions that are getting conflated.
 
First, I agree that governance via the Multistakeholder Model (MSM) is not immune to implementation challenges. Member control over governing boards can be imperfect. Boards may, at times, drift from the community mandate. Participation barriers and process complexity can limit effective engagement. None of that is unique to this system – it is inherent in any governance model that relies on collective decision-making. The relevant question is not whether such challenges exist, but whether the structure provides mechanisms to address them.
 
In the RIR system, those mechanisms do exist. In well-designed implementations, the community can raise governance concerns for discussion and review, and if not addressed, the members (who ultimately determine the institution’s direction) can replace boards, change bylaws, and ultimately reshape institutional behavior through legally enforceable governance structures. That includes the ability to determine how accountability – including questions of liability – should be handled. There is nothing inherent in the model that prevents a community from deciding that greater liability, different risk allocation, or alternative accountability mechanisms are appropriate. If such a consensus existed, the structure allows it to be implemented.
 
That leads to what I think is the more fundamental point. Your argument now appears to be that, even with these mechanisms, the model is categorically insufficient – that multistakeholder governance, by its nature, cannot provide accountability proportionate to consequence when scarce and economically significant resources are involved. If that is your position, it would be helpful to state it directly, because it moves the discussion from how the system functions to whether the model itself is viable.
 
If not multistakeholder governance, then what alternative do you believe is appropriate for coordinating globally unique number resources? A purely contractual model between private parties? Some form of distributed or market-based coordination? Each of those approaches carries its own tradeoffs in terms of authority, enforceability, fragmentation risk, and global interoperability. The multistakeholder model is not perfect, but it exists precisely because those alternatives have limitations that are, in many cases, more severe.
 
So I think the real question is not whether the multistakeholder model for governance is always implemented perfectly – it is not (and I may take some time later to write more about various categories of implementation risk) – but whether there is a viable alternative that provides better alignment of authority, accountability, and global coordination without introducing greater risks. If you believe such a model exists, it would be helpful to see it described more concretely.

On Why the Future Lies in Thinner Coordination, Not Stronger Registries Lu Heng  –  Mar 19, 2026 7:46 AM

John,

Thank you. Yes, that is my position, and I am happy to state it directly.

Once scarce and economically significant resources sit beneath the system, multistakeholder governance in its present registry form is not sufficient, because process participation and member elections do not, by themselves, align authority with consequence. You are right that this moves the discussion from implementation questions to model viability. That is where I believe the discussion now belongs. My argument is not that coordination can disappear, nor that collective governance is always impossible. It is that a low-liability registry sitting at the recognition chokepoint of high-value assets is not a stable design, even if the process is open and even if members can, in theory, replace boards.

The issue is therefore structural rather than procedural. A system in which operators bear concentrated downside while the controlling layer bears limited consequence is not made stable merely because governance mechanisms exist. The fact that members may eventually elect different directors does not resolve the underlying design problem. If the structure concentrates recognition power while externalizing most of the downside, the asymmetry remains.

For that reason, I do not think the answer is a stronger version of the present registry model. The direction should be the opposite: the recognition layer should be decentralized as far as possible, the base truth layer should be hard-coded and non-discretionary, and only the minimum coordination necessary to preserve global uniqueness and interoperability should remain. In my view, that points to a distributed-ledger-style recognition layer, or something functionally equivalent. Where states do not agree with one another, yet at the same time cannot afford to lose the Internet, the only stable equilibrium is a base layer that is neutral, portable, and institutionally thin.

Everything else should be pushed outward. Abuse management, discretionary enforcement, politically sensitive coordination, and any function involving coercion or sovereign judgment should not sit inside the registry layer itself. Those functions belong either in contractual arrangements among the relevant parties or in external sovereign structures that actually possess coercive power and corresponding accountability. If force is involved, it should sit with institutions designed to bear the consequences of force, not with registries that present themselves as coordinators while disclaiming meaningful downside.

I therefore do not see the choice as one between the present multistakeholder model and no coordination at all. I see it as a choice between thick, discretionary, low-liability coordination and thin, neutral, minimum coordination. The former expands the registry layer into a role for which it is not institutionally suited. The latter constrains it to the narrow role that global interoperability actually requires.

This is also why I think several current reform directions are moving in the wrong direction. As I argued in my article, the ICP-2 revision path, immunity-seeking logic, and broader attempts to consolidate institutional position all move toward self-destruction rather than preservation. A system already suffering from a control-versus-consequence mismatch does not become healthier by making the controlling institution harder to challenge. It becomes more brittle. Insulating a structurally misaligned institution does not resolve the underlying problem. It increases the cost of the next failure.

There is an additional risk that follows directly from this. If one succeeds in making the institution too insulated, too immune, and too difficult to challenge, then the stakes of a single bad election, a single captured board, or a single bad actor inside the institution become correspondingly larger. In that world, risk has not been reduced. It has been concentrated. Once concentrated in this way, the long-term outcome becomes increasingly predictable in mathematical terms. If sufficient authority is gathered into one institution while effective challenge, exit, and correction become progressively harder, then the probability that a sufficiently damaging failure eventually occurs does not trend toward zero. Over time, it trends toward certainty. The remaining variable is timing. A system made resistant to correction does not become safer. It becomes a structure in which one future failure can be substantially more destructive because the mechanisms that would otherwise limit damage have already been weakened or removed.

So I agree with you that the real question is whether there is a viable alternative that better aligns authority, accountability, and global coordination. My answer is yes. But that alternative does not look like a perfected version of the current registry structure. It looks like a thinner one: less discretionary, less centralized, less dependent on insider process, and less willing to confuse procedural legitimacy with consequence-bearing accountability.

That is why I think the central question is no longer whether the present model has implementation risks. You have already acknowledged that it does. The more important question is whether operators should continue accepting a system in which high-value assets depend on a governance structure that remains substantially more comfortable with process legitimacy than with consequence-bearing accountability. I do not believe they will. That is why the relevant future question is no longer whether the present model is under strain, but what replaces it.
