This paper is substantially similar to, though somewhat modified from, testimony I presented to the House Committee on the Judiciary, Subcommittee on Courts, Intellectual Property and the Internet, during a hearing on April 10, 2014.
Introduction
In March 2014, the Department of Commerce announced its intention to transfer the Internet Assigned Name Authority (IANA) function to the Internet Corporation for Assigned Names and Numbers (ICANN). Any decision to do so should proceed only with great caution, lest the transition destroy the openness and freedom of the network.
In considering the transition we should be cognizant of four basic points: [1]
- First, the transition of the IANA function to ICANN is consequential. The network, as we know it, is a central driver of economic and political freedom around the globe. Any change to its governance comes with significant potential risks (and also potential gains).
- Second, the transition to ICANN raises concerns along three dimensions:
- Technical capability – Can ICANN maintain the IANA function effectively?
- Political/Practical – How will ICANN manage the system to insure its continued openness and independence?
- Financial – Will ICANN use its soon-to-be unregulated monopoly power to engage in rent-seeking behavior?
- This, in turn, suggests that before any transition of IANA governance to ICANN occurs the US government should assure itself that ICANN will establish a new structure that meets three tests:
- Competence – ICANN must demonstrate a technical capacity to manage the IANA function at least as well as it is managed today.
- Candor – ICANN must adopt structures that insure its accountability and transparency, including things like outside audit boards, an internal inspector general and a commitment to FOIA-like responsiveness to the public.
- Control – And the structure developed must prevent the IANA function from becoming subject to the control of other sovereigns, multi-national organizations, or other institutions who might reduce its innovative nature and openness.
- Finally, some transition is likely to happen. Today the network has 2.5 billion users – only a fraction of whom are Americans. At some point their interests will need to be taken into account. As stewards of the network, the US government has an obligation to make sure that the transition to a new governance structure goes well. If we default on that obligation, we might wind up with results that are far worse than those we could achieve through a well-managed evolution.
The Importance of the Network
Let me begin by setting the scene and reminding the Subcommittee that the question of Internet governance is one of the most significant questions facing the development of cyberspace in the coming few years. The answer we choose to the question of governance will, in the end, affect the whole world. Today, the globe-spanning reach of cyberspace touches the lives of more than 2.5 billion people.[2] The so-called Internet of Things controls more than 1 trillion devices—everything ranging from cars and houses to industrial plants, elevators and even medical devices. Every day (in 2012) we created roughly 2.5 quintillion bytes of data (that is a 1 followed by 18 zeroes). Put another way, 90 percent of the data created since the dawn of human history was created (and passed through cyberspace) in the past two years.[3] As a world community our dependence upon and interdependence with the cyber domain is growing so fast that our conception of its size cannot keep up with the reality of it. How we govern this distributed and dynamic space is profoundly important to the future prosperity of humankind.
And that is why we must be cautious and not rush to change the current structure. The system we have in place, imperfect as it is, has been, by any measure, successful in creating the opportunity for economic growth and intellectual freedom. We must be confident that any changes made will not disrupt the existing status quo adversely. To be sure the IANA function is but a small portion of the broader international internet governance question – but the answer we choose in this transition may well be a model for other aspects of network governance.
ICANN, IANA, and the NTIA
Last month the Department of Commerce announced that the United States would relinquish part of its controlling role in managing the Internet Domain Name System (DNS).[4] In effect, the last remaining legal vestige of American control of the network will vanish next year. Our stewardship of the network will transition to an international nonprofit that may, or may not, have the capabilities required. That is a big deal. To understand why requires a bit of explanation.
The DNS is, in effect, the address book of the Internet. Someone, in the end, has to decide that “microsoft.com” means the big computer software company in Washington. And someone has to decide that in addition to dot-com addresses we will now start recognizing “.bank” and “.xxx” and “.home” as valid global top-level domains (gTLDs). We call this role the Internet Assigned Numbers Authority (IANA)—the right and responsibility to assign names among the domains.
Historically, since the original architecture of the network was developed in the United States, that responsibility was originally given to American institutions—indeed, initially, it was the U.S. government itself. Since the 1990s however, the U.S. government has offloaded much of that responsibility to a third party—it has contracted out the IANA function to a nonprofit group, the Internet Corporation for Assigned Names and Numbers (ICANN).
ICANN is an American nonprofit corporation, headquartered in Southern California. It was, to summarize and simplify, created for the purpose of being able to run the IANA function within a contract. And so for roughly the past 15 years ICANN has entered into a contract with the National Telecommunications and Information Administration (NTIA), a component of the Department of Commerce, to manage the IANA function.
The contract was last let out for bid in 2011,[5] and is due to expire in 2015. (I should add that “let out for bid” is a bit of a misnomer, since the way that the request for proposal was written only one entity, ICANN, could possibly have won the contract.) Boiled down to its simplest form, the announcement last month was a statement by the NTIA that it was not going to enter into another contract—that, instead, it would let ICANN have the responsibility of running the IANA function on its own. The only condition that the NTIA set for the transition was that ICANN develop an internal mechanism for oversight and win the trust of crucial stakeholders around the world.
There is one further piece to the puzzle that one needs to understand about the architecture of the administration of the DNS system and the IANA function. Though ICANN manages the IANA function under contract to the NTIA, it does not actually do the work of implementing changes to the DNS when they are made. That technical work is managed under a cooperative agreement between the NTIA and Verisign, the American company that also manages the dot-com domain (under a separate arrangement with ICANN). Verisign maintains the root zone (that is the core list of the gTLD domains and their operators), for free as a service to the Internet and the world. So, today, when ICANN decides to make a change in the DNS system, the ultimate responsibility for implementing that change lies with Verisign.[6]
In other words, today there are three parties who work cooperatively to keep the Web address DNS system running: ICANN, the NTIA, and Verisign (the Root Zone Maintainer). Here is how the NTIA describes the workings:
(1) TLD operators submit change requests to the IANA Functions Operator [i.e. ICANN]; (2) the IANA Functions Operator processes the request and conducts due diligence in verifying the request; (3) the IANA Functions Operator sends a recommendation regarding the request to the Administrator [of NTIA] for verification/authorization; (4) the Administrator verifies that the IANA Functions Operator has followed its agreed upon verification/processing policies and procedures; (5) the Administrator authorizes the Root Zone Maintainer [i.e. Verisign] to make the change; (6) the Root Zone Maintainer edits and generates the updated root zone file; and (7) the Root Zone Maintainer distributes the updated root zone file to the thirteen (13) root server operators
So, now we can understand why the changes proposed are of some real significance. Today, by contract, the NTIA has a verification and authorization role over how ICANN performs its functions. In other words, in the end, any changes that ICANN wants to make are subject to review by the U.S. government. After the policy that was announced last month takes effect, the U.S. government will give up that role. And according to the NTIA,[7] this will likely mean that Verisign’s role will have to be modified, as well, if not completely transitioned to another root zone manager.
Three Concerns – Technical, Political/Practical, and Financial
With that introduction, it seems to me clear that this change will have effects along three dimensions whose importance will differ to different constituencies. It is useful to outline them since our consideration of the transition may be influenced by which of the three dimensions predominates our thinking.
- Technical. As should be clear, the most significant danger in terms of adverse consequences is the technical one that the transition might not work at an engineering level. Today, changes to the DNS system are effectuated seamlessly without error. If the transition of the IANA function to ICANN means a change in the technical operating system, we must be sure that the replacement system is equally effective. This is the “if it ain’t broke, don’t fix it principle” writ large on the global cyber stage.
- Political/Practical. The naming function itself remains important, but at a practical level its importance is decreasing somewhat. These days the name assigned to a domain is less determinative of its nature and success than is its prominence in search engines. As Martin Libicki of Rand remarked the other day, “If you are looking for a new pair of socks you don’t look to ‘socks.com.’” Instead, you type “socks” into your search engine and go wherever that leads you. So in practical terms the gTLD naming function is less influential on network behavior than the search engine function—put colloquially, Google matters more than ICANN. That said, domain names continue to retain some real significance as indicators of content. That is why some nations, for example, objected to new gTLDs like “.islam” and “.gay” during the last expansion. Thus, one potential adverse result of the transition might be a limitation on gTLD names that is inconsistent with our commitment to the openness of the network.
- Financial. Finally, as with most things, in the end this transition will likely be mostly about its economic effects. The opening up and provisioning new gTLDs is a big money endeavor. In effect, whoever manages the IANA function has a monopoly over the distribution of a valuable resource whose provisioning will affect brands and trademarks across the globe. Already we have seen domain name holders in the “.com” global domain expending significant capital to reserve (and take out of use) their equivalent name in the “.xxx” domain, simply to protect their brand. We would, likewise, anticipate the same economic effect whenever the IANA manager decides to provision the new gTLD “.stinks” or similar names. In the United States we have a tradition of regulating monopolies to prevent them from engaging in monopolistic price setting. To some degree the contract with the NTIA may have served as a checking function on ICANNs pricing models—a checking function that will need to be replaced in the transition.
Two Questions – Legality and Wisdom
With those dimensions of concern in mind, let me now turn to two important questions.
-
Is It Legal?
One lingering question of particular interest to this Subcommittee should be the legality of the proposed transition. As The Wall Street Journal noted last month,[8] this is an as yet unanswered question. A study from the Office of the General Counsel at the Government Accountability Office (GAO)[9] back in 2000 (when ICANN had only recently been incorporated and when GAO was still the General Accounting Office) had this to say:
The question of whether the Department has the authority to transfer control of the authoritative root server to ICANN is a difficult one to answer. Although control over the authoritative root server is not based on any statute or international agreement, the government has long been instrumental in supporting and developing the Internet and the domain name system. The Department has no specific statutory obligations to manage the domain name system or to control the authoritative root server. It is uncertain whether transferring control would also include transfer of government property to a private entity. Determining whether there is government property may be difficult. To the extent that transition of the management control to a private entity would involve the transfer of government property, it is unclear if the Department has the requisite authority to effect such a transfer. Since the Department states that it has no plans to transfer the root server system, it has not examined these issues. Currently, under the cooperative agreement with Network Solutions, the Department has reserved final policy control over the authoritative root server.
To this I would actually add an antecedent question: What is the legal basis for the initial assertion by the NTIA and the Department of Commerce of the authority to control the IANA function? To be sure, the history of the IANA function is that it was developed as part of research that was principally funded by the Federal government. But it is unclear to me whether the funding mechanisms used to develop the network’s functions were of the sort that would result in federal ownership of the resulting domain. We don’t, for example, think that the U.S government takes an ownership control of any product whose development it subsidizes. Of course, if the U.S. did not own it in the first place, then there is not much of a legal barrier to giving it up now. But if the U.S. does own it, then we must determine the legality of the transfer. If I were Congress and this Subcommittee, I would ask the current general counsels of the Department of Commerce and of the GAO to make a determination of that question.
-
Is It Wise?
Assuming that the proposed transition is lawful, we are then left with the more interesting question of whether it is good policy. I will acknowledge, at the outset, that reasonable minds can disagree on this question. That said, my topline analysis is that the proposal is acceptable, if and only if the structure of the organization to which the IANA function is transferred is such as to give us good confidence that it will support values of freedom and openness to which the U.S. is committed. I take the NTIA at its word that it will insist upon such a structure as a condition of finalizing the transition. The corollary of that, of course, is that the NTIA must be equally clear that its decision is contingent and that it will not complete the transfer if the proposed structure is unacceptable.
Assessing the Policy Choice
Let me expand upon that topline analysis with these thoughts:
- In some ways this transition is, in my view, inevitable. This is a conclusion with which some of my colleagues may disagree. But in my view, it is simply untenable for the United States to continue to be the proprietor of the globalized internet domain interminably. At some point, a transition to an international system will be required. However, there is no reason that 2015 must be the date that the transfer occurs. It is better to do this well than to do it on time.
- On the other hand, ICANN may not necessarily be in a good position to take over this responsibility (as anxious as it is to do so). Many are worried that ICANN is beholden to the domain name registry industry, who pay large fees to ICANN for the privilege of managing (and reselling) top-level domain systems. When ICANN recently opened up new gTLDs, it reaped a huge profit. If you accept the maxim that “he who has the gold makes the rules,” the transition to ICANN control may actually be about a transition to corporate control through ICANN.
- ICANN is often thought of as unaccountable. Its multi-stakeholder model of governance attempts to bring all parties to the table. But that is an awfully big table. In the end, the ICANN executive group is often perceived by outsiders as taking the initiative and driving the agenda—and without the check of the NTIA (however modest it has been in the past), they may have greater leeway to do as they please.
- More worryingly, from my perspective, is the question of technical expertise. It is far from clear to me that ICANN is ready and able to take over the implementation role of root zone management. The worst possible result would be a broken DNS system.
- The move by the United States to start this transition may be a reasonable diplomatic move. The optimist in me wants to think that the transition to ICANN management is an effort to forestall an even worse result from takeover of network administration by the International Telecommunications Union (ITU) (a prospect I discuss in more detail below). It may be that allowing ICANN a controlling role will placate our European allies and prevent the ITU meeting in Busan, South Korea, this fall from becoming a debacle.
- I am hopeful that this proposal is not a reaction to the Snowden disclosures. The pessimist in me fears that American stewardship of the network is suspect and that some, hoping to defuse the anger, may have chosen to rush to give up that stewardship, without thinking through the consequences.
Defining a Successful Transition
As I have said, given the magnitude of the proposed change, the Administration needs to proceed with some caution, and with a willingness to pull the plug if the transition looks like it will go awry. How, then, to define “awry”?
Department of Commerce Definition of Success. In announcing the proposed transition, the Department of Commerce insisted that it would only cede control if ICANN could demonstrate the ability to maintain the network, consistent with five principles: They insisted that ICANN would have to
- Support and enhance the multi-stakeholder model”;
- “Maintain the security, stability, and resiliency of the Internet DNS”;
- “Meet the needs and expectation of the global customers and partners of the IANA services”;
- “Maintain the openness of the Internet”; and
- The NTIA also clarified that it would “not accept a proposal that replaces the NTIA role with a government-led or an inter-governmental organization solution.”[10]
A More Detailed Definition of Success. But those principles, while salutary in nature, are (save for the last one) more in the nature of aspirations than concrete requirements. It is useful, I think, to ask the question with greater specificity and granularity: What affirmative commitments should the U.S. government require from ICANN before finalizing its transition of control of the IANA function?
To answer that question, we must first consider what our concerns with the transition might be. It is useful to lump those concerns into three distinct buckets:
- Competence: Can ICANN do the job?
- Candor: Is ICANN sufficiently transparent and accountable?
- Control: Do the mechanisms ICANN puts in place support its independence from authoritarian control?
If we contextualize our concerns along those lines, then we can begin to think of some of the commitments that ought to be required of ICANN.
First, the multi-stakeholder model developed by ICANN for management of the IANA function should (as the Administration notes) prohibit any governmental, inter-governmental or U.N. control. Indeed, sovereign or quasi-sovereign multilateral organizations should have only an advisory role in any process. Instead, the multi-stakeholder control system should reflect the interests of those who develop and use the network—a representative sampling of large, medium, and small businesses and industry groups should either manage the IANA or have authority to veto ICANN decisions that threaten the openness or viability of the Internet. There will be difficulties (and politics, with a small “p”) in defining the composition of the new institution, but at a minimum it needs to be broadly representative and peopled only by those with a demonstrable and verifiable commitment to a free and open network.
I should note here that in this regard my recommendations diverge somewhat from the reported position of the Administration. According to news reports,[11] during the recent ICANN meeting in Singapore, the Department of Commerce appeared to accept the idea that governmental organizations would have some formal membership role in the new IANA management structure to be created by ICANN. That would be consistent with ICANN’s expressed view that “all” stakeholders should have a say in the management of the domain. I think that would be a mistake. If the premise of our decision to give up NTIA control of the IANA function is that governmental management is suspect, then that should be equally true of a governmental role (even a broader based one) in the new IANA management structure. My recommendation would be that the governmental role in any new structure be limited to an advisory one – with no formal, or informal right of control over the process.
Second, ICANN will need to be fully accountable for its actions and its operations. It will need to accept the establishment of an independent auditing body comprised of government, business, and nongovernmental organization representatives to monitor its finances and activities. The authority to manage the IANA function brings with it significant financial benefits. We should not allow ICANN to, in effect, develop a taxation authority over network expansion without, at the same time, demanding a public accounting of how the money received is spent. ICANN should, likewise, be required to establish an independent Inspector General–equivalent body with authority to discipline its own officers and employees—for there is no other institution to which that authority could be given and the lack of an internal checking mechanism would be problematic. And, as well, the new IANA management function should be transparent to the general public—a requirement that necessitates some form of Freedom of Information Act–like obligations to disclose ICANN records. More to the point, since personnel is always policy, there will need to be some vetting mechanism (about which more below) to insure that those given the responsibility for managing the IANA policy are committed to principles of network freedom and openness.
Third, before the root zone management function is transitioned to ICANN (or to a subcontractor employed by ICANN) it will need to demonstrate to American satisfaction its technical capability to manage the root zone. This will mean a highly technical examination of ICANN’s capabilities, including, for example, the process controls it requires before implementing any root zone change, and the security and redundancy of its root zone facilities. Indeed, one thing ICANN might do to reassure the world of its commitment to managing the root effectively would be to commit to maintaining the current technical aspects of the system unchanged, unless and until any proposed change is fully approved and technically vetted.
Fourth, we should proceed cautiously without any fixed deadlines. It is more important to get the transition right than it is to do it quickly. The expiration of the current contract to manage the IANA function in 2015 should not be seen as a deadline. If necessary it would be far better for that contract to be renewed (subject to termination when and if ICANN satisfies the NTIA that it has a good replacement model in place) rather than for us to see the termination date as an artificial deadline.
Finally, we need to think of a mechanism for locking in any mandatory requirements. After all, they would be useless if six months after committing to them ICANN were free to disregard the obligations it had undertaken. Since the most obvious means of enforcing such commitments (through a contractual obligation to the U.S. government) is, per force, no longer on the table, other, more creative binding mechanisms need to be developed.
That is easier said than done. Indeed it may not be possible at all—and that thought is itself concerning. For, as I have noted, though the U.S. influence over the network has not been wholly benign, I am convinced it has been a net positive. In the absence of that influence, we will have to trust that the governance architecture we develop to constrain ICANN is effective. And that is a bit of a risky bet.
I offer three thoughts (not fully developed) for how ICANN’s commitments could be manifest and locked in.
- First, ICANN currently has a written affirmation of commitment that it makes to the United States regarding its obligations to maintain the openness and freedom of the network. That affirmation could be renewed as part of the transition and opened to signature by any nation or organization that wishes to put itself in the position of a guarantor of ICANN’s fidelity to its commitments. While the affirmation of commitments is, to be sure, more symbolic than it is practical and binding, the sheer weight of support would, I think, contribute to creating an atmosphere of obligation that would be welcome.
- Second, we might have an official checking function on the technical side of the IANA process to audit ICANN’s activities. To some degree that system already exists, as ICANN’s implementation work is subject to review by the Internet Engineering Task Force (IEFT), a non-governmental consortium of internet technicians. Their role could be further expanding and formalized so that they become, in effect, part of a dual-key authority to modify the IANA function. In other words, require both IETF and the new IANA organization to concur in any significant technical modifications.
- Third, we need a mechanism to guard against the more likely twin dangers of political capture and/or economic capture of ICANN itself. Today, ICANN’s board is nominated by various constituencies, and that is a good thing. To assure that those nominated are fundamentally committed to internet freedom we might consider the creation of an external board of guarantors who would have a veto power over nominees to the ICANN board of directors and who have a vested interest in the network’s openness and transparency. The composition of that board of guarantors is something I’m working to conceive, but it might include, for example, neutral freedom-loving nations like Switzerland and Costa Rica, as well as civil liberties NGOs.
All of these sound cumbersome and perhaps they may be unwise, but they are the best ideas I have right now. And we do need good ideas. Put simply, not only is this transition a “big deal” but it is also a vitally important one. It may, indeed, prove to be one of the most consequential decisions this Administration has made. It would be terribly tragic if the decision proved to have been a mistake — if, in retrospect, the openness of the Internet were to suffer or if control of the network function were to devolve to irresponsible (or, worse, venal) hands. Caution is required. More importantly, the Administration needs to clearly articulate its objectives and set a red line standard that ICANN must meet before the transition occurs.
The Alternative
One final point bears mention: The alternative to the transition to ICANN may not be status quo. There is a realistic possibility that the alternative to ICANN governance of the IANA function would be a transition to governance of IANA by the ITU, which is part of the U.N. I think we should systematically prefer governance by ICANN and the IETF over that of the ITU for reasons beyond questions of national interest. We should do so because it makes good economic sense. The world economy and humanity’s overall general welfare would be better served by ICANN’s adherence (albeit imperfect) to a deregulated, market-driven approach to the development of cyberspace. This approach compares favorably to the turgid, ineffective process of the international public regulatory sector. If you consider that American or European regulatory processes are slow, you must realize that the problem will only be magnified in the international sphere.
Recall, again, the size and scope of the network. Given the scale of the enterprise, the mechanisms for multinational cooperation are too cumbersome, hierarchical, and slow to be of much use in the development of international standards. Acceptable behavior in cyberspace mutates across multiple dimensions at a pace that far outstrips the speed of the policymaking apparatus in the public international system (which, to cite just one example, has yet to conclude an updated trade treaty despite nearly two decades of effort). We should all be concerned that there is no surer way to kill the economic value of the cyber domain than to let the public international community run it.
Conclusion
In the end, we should strive to instill confidence in ICANN and the IETF as stewards of cyberspace. To do so, it may be necessary to further broaden influence over these organizations beyond the current framework. But we must also recognize that the non-state structure currently in place is less subject to political manipulation than the alternatives. These international institutions are multi-stakeholder groups where individuals, technologists, political organizations, innovators, and commercial entities all have a voice. The product of their consensus is more representative and more moderated than any system respondent to only sovereign interests can hope to be.
And so, for me, the bottom line seems relatively clear—despite the strum und drang of recent months, the United States has been a fundamentally good steward of the network. It has fostered innovation, openness, freedom, and growth. Not perfectly to be sure and not always without a healthy dollop of self-interest, but at its core the U.S. management of the network has been more benign than venal, with the result that we have today—a vibrant network with more good than bad in it.
The transition to ICANN management may well upset that happy vision. While I am more optimistic about ICANN than I might be about the ITU as a new steward, the capabilities and political strength of the institution are unproven and remain a question mark. The Administration has made a cautious first step down the road to a transition that may be inevitable and is probably good policy, but it is important that Congress (and the American public) pay attention to the transition process to insure that the end product meets our requirements. In short, the NTIA needs to clearly define what a successful transition will look like, vet that vision with Congress and American stakeholders, and then insist that ICANN’s proposed transition achieves that vision.