April 15, 2014 | White Paper on Regulation
This paper is substantially similar to, though somewhat modified from, testimony I presented to the House Committee on the Judiciary, Subcommittee on Courts, Intellectual Property and the Internet, during a hearing on April 10, 2014.
In March 2014, the Department of Commerce announced its intention to transfer the Internet Assigned Name Authority (IANA) function to the Internet Corporation for Assigned Names and Numbers (ICANN). Any decision to do so should proceed only with great caution, lest the transition destroy the openness and freedom of the network.
In considering the transition we should be cognizant of four basic points: 
The Importance of the Network
Let me begin by setting the scene and reminding the Subcommittee that the question of Internet governance is one of the most significant questions facing the development of cyberspace in the coming few years. The answer we choose to the question of governance will, in the end, affect the whole world. Today, the globe-spanning reach of cyberspace touches the lives of more than 2.5 billion people. The so-called Internet of Things controls more than 1 trillion devices—everything ranging from cars and houses to industrial plants, elevators and even medical devices. Every day (in 2012) we created roughly 2.5 quintillion bytes of data (that is a 1 followed by 18 zeroes). Put another way, 90 percent of the data created since the dawn of human history was created (and passed through cyberspace) in the past two years. As a world community our dependence upon and interdependence with the cyber domain is growing so fast that our conception of its size cannot keep up with the reality of it. How we govern this distributed and dynamic space is profoundly important to the future prosperity of humankind.
And that is why we must be cautious and not rush to change the current structure. The system we have in place, imperfect as it is, has been, by any measure, successful in creating the opportunity for economic growth and intellectual freedom. We must be confident that any changes made will not disrupt the existing status quo adversely. To be sure the IANA function is but a small portion of the broader international internet governance question – but the answer we choose in this transition may well be a model for other aspects of network governance.
ICANN, IANA, and the NTIA
Last month the Department of Commerce announced that the United States would relinquish part of its controlling role in managing the Internet Domain Name System (DNS). In effect, the last remaining legal vestige of American control of the network will vanish next year. Our stewardship of the network will transition to an international nonprofit that may, or may not, have the capabilities required. That is a big deal. To understand why requires a bit of explanation.
The DNS is, in effect, the address book of the Internet. Someone, in the end, has to decide that “microsoft.com” means the big computer software company in Washington. And someone has to decide that in addition to dot-com addresses we will now start recognizing “.bank” and “.xxx” and “.home” as valid global top-level domains (gTLDs). We call this role the Internet Assigned Numbers Authority (IANA)—the right and responsibility to assign names among the domains.
Historically, since the original architecture of the network was developed in the United States, that responsibility was originally given to American institutions—indeed, initially, it was the U.S. government itself. Since the 1990s however, the U.S. government has offloaded much of that responsibility to a third party—it has contracted out the IANA function to a nonprofit group, the Internet Corporation for Assigned Names and Numbers (ICANN).
ICANN is an American nonprofit corporation, headquartered in Southern California. It was, to summarize and simplify, created for the purpose of being able to run the IANA function within a contract. And so for roughly the past 15 years ICANN has entered into a contract with the National Telecommunications and Information Administration (NTIA), a component of the Department of Commerce, to manage the IANA function.
The contract was last let out for bid in 2011, and is due to expire in 2015. (I should add that “let out for bid” is a bit of a misnomer, since the way that the request for proposal was written only one entity, ICANN, could possibly have won the contract.) Boiled down to its simplest form, the announcement last month was a statement by the NTIA that it was not going to enter into another contract—that, instead, it would let ICANN have the responsibility of running the IANA function on its own. The only condition that the NTIA set for the transition was that ICANN develop an internal mechanism for oversight and win the trust of crucial stakeholders around the world.
There is one further piece to the puzzle that one needs to understand about the architecture of the administration of the DNS system and the IANA function. Though ICANN manages the IANA function under contract to the NTIA, it does not actually do the work of implementing changes to the DNS when they are made. That technical work is managed under a cooperative agreement between the NTIA and Verisign, the American company that also manages the dot-com domain (under a separate arrangement with ICANN). Verisign maintains the root zone (that is the core list of the gTLD domains and their operators), for free as a service to the Internet and the world. So, today, when ICANN decides to make a change in the DNS system, the ultimate responsibility for implementing that change lies with Verisign.
In other words, today there are three parties who work cooperatively to keep the Web address DNS system running: ICANN, the NTIA, and Verisign (the Root Zone Maintainer). Here is how the NTIA describes the workings:
(1) TLD operators submit change requests to the IANA Functions Operator [i.e. ICANN]; (2) the IANA Functions Operator processes the request and conducts due diligence in verifying the request; (3) the IANA Functions Operator sends a recommendation regarding the request to the Administrator [of NTIA] for verification/authorization; (4) the Administrator verifies that the IANA Functions Operator has followed its agreed upon verification/processing policies and procedures; (5) the Administrator authorizes the Root Zone Maintainer [i.e. Verisign] to make the change; (6) the Root Zone Maintainer edits and generates the updated root zone file; and (7) the Root Zone Maintainer distributes the updated root zone file to the thirteen (13) root server operators
So, now we can understand why the changes proposed are of some real significance. Today, by contract, the NTIA has a verification and authorization role over how ICANN performs its functions. In other words, in the end, any changes that ICANN wants to make are subject to review by the U.S. government. After the policy that was announced last month takes effect, the U.S. government will give up that role. And according to the NTIA, this will likely mean that Verisign’s role will have to be modified, as well, if not completely transitioned to another root zone manager.
Three Concerns – Technical, Political/Practical, and Financial
With that introduction, it seems to me clear that this change will have effects along three dimensions whose importance will differ to different constituencies. It is useful to outline them since our consideration of the transition may be influenced by which of the three dimensions predominates our thinking.
Two Questions – Legality and Wisdom
With those dimensions of concern in mind, let me now turn to two important questions.
Is It Legal?
One lingering question of particular interest to this Subcommittee should be the legality of the proposed transition. As The Wall Street Journal noted last month, this is an as yet unanswered question. A study from the Office of the General Counsel at the Government Accountability Office (GAO) back in 2000 (when ICANN had only recently been incorporated and when GAO was still the General Accounting Office) had this to say:
The question of whether the Department has the authority to transfer control of the authoritative root server to ICANN is a difficult one to answer. Although control over the authoritative root server is not based on any statute or international agreement, the government has long been instrumental in supporting and developing the Internet and the domain name system. The Department has no specific statutory obligations to manage the domain name system or to control the authoritative root server. It is uncertain whether transferring control would also include transfer of government property to a private entity. Determining whether there is government property may be difficult. To the extent that transition of the management control to a private entity would involve the transfer of government property, it is unclear if the Department has the requisite authority to effect such a transfer. Since the Department states that it has no plans to transfer the root server system, it has not examined these issues. Currently, under the cooperative agreement with Network Solutions, the Department has reserved final policy control over the authoritative root server.
To this I would actually add an antecedent question: What is the legal basis for the initial assertion by the NTIA and the Department of Commerce of the authority to control the IANA function? To be sure, the history of the IANA function is that it was developed as part of research that was principally funded by the Federal government. But it is unclear to me whether the funding mechanisms used to develop the network’s functions were of the sort that would result in federal ownership of the resulting domain. We don’t, for example, think that the U.S government takes an ownership control of any product whose development it subsidizes. Of course, if the U.S. did not own it in the first place, then there is not much of a legal barrier to giving it up now. But if the U.S. does own it, then we must determine the legality of the transfer. If I were Congress and this Subcommittee, I would ask the current general counsels of the Department of Commerce and of the GAO to make a determination of that question.
Is It Wise?
Assuming that the proposed transition is lawful, we are then left with the more interesting question of whether it is good policy. I will acknowledge, at the outset, that reasonable minds can disagree on this question. That said, my topline analysis is that the proposal is acceptable, if and only if the structure of the organization to which the IANA function is transferred is such as to give us good confidence that it will support values of freedom and openness to which the U.S. is committed. I take the NTIA at its word that it will insist upon such a structure as a condition of finalizing the transition. The corollary of that, of course, is that the NTIA must be equally clear that its decision is contingent and that it will not complete the transfer if the proposed structure is unacceptable.
Assessing the Policy Choice
Let me expand upon that topline analysis with these thoughts:
Defining a Successful Transition
As I have said, given the magnitude of the proposed change, the Administration needs to proceed with some caution, and with a willingness to pull the plug if the transition looks like it will go awry. How, then, to define “awry”?
Department of Commerce Definition of Success. In announcing the proposed transition, the Department of Commerce insisted that it would only cede control if ICANN could demonstrate the ability to maintain the network, consistent with five principles: They insisted that ICANN would have to
A More Detailed Definition of Success. But those principles, while salutary in nature, are (save for the last one) more in the nature of aspirations than concrete requirements. It is useful, I think, to ask the question with greater specificity and granularity: What affirmative commitments should the U.S. government require from ICANN before finalizing its transition of control of the IANA function?
To answer that question, we must first consider what our concerns with the transition might be. It is useful to lump those concerns into three distinct buckets:
If we contextualize our concerns along those lines, then we can begin to think of some of the commitments that ought to be required of ICANN.
First, the multi-stakeholder model developed by ICANN for management of the IANA function should (as the Administration notes) prohibit any governmental, inter-governmental or U.N. control. Indeed, sovereign or quasi-sovereign multilateral organizations should have only an advisory role in any process. Instead, the multi-stakeholder control system should reflect the interests of those who develop and use the network—a representative sampling of large, medium, and small businesses and industry groups should either manage the IANA or have authority to veto ICANN decisions that threaten the openness or viability of the Internet. There will be difficulties (and politics, with a small “p”) in defining the composition of the new institution, but at a minimum it needs to be broadly representative and peopled only by those with a demonstrable and verifiable commitment to a free and open network.
I should note here that in this regard my recommendations diverge somewhat from the reported position of the Administration. According to news reports, during the recent ICANN meeting in Singapore, the Department of Commerce appeared to accept the idea that governmental organizations would have some formal membership role in the new IANA management structure to be created by ICANN. That would be consistent with ICANN’s expressed view that “all” stakeholders should have a say in the management of the domain. I think that would be a mistake. If the premise of our decision to give up NTIA control of the IANA function is that governmental management is suspect, then that should be equally true of a governmental role (even a broader based one) in the new IANA management structure. My recommendation would be that the governmental role in any new structure be limited to an advisory one – with no formal, or informal right of control over the process.
Second, ICANN will need to be fully accountable for its actions and its operations. It will need to accept the establishment of an independent auditing body comprised of government, business, and nongovernmental organization representatives to monitor its finances and activities. The authority to manage the IANA function brings with it significant financial benefits. We should not allow ICANN to, in effect, develop a taxation authority over network expansion without, at the same time, demanding a public accounting of how the money received is spent. ICANN should, likewise, be required to establish an independent Inspector General–equivalent body with authority to discipline its own officers and employees—for there is no other institution to which that authority could be given and the lack of an internal checking mechanism would be problematic. And, as well, the new IANA management function should be transparent to the general public—a requirement that necessitates some form of Freedom of Information Act–like obligations to disclose ICANN records. More to the point, since personnel is always policy, there will need to be some vetting mechanism (about which more below) to insure that those given the responsibility for managing the IANA policy are committed to principles of network freedom and openness.
Third, before the root zone management function is transitioned to ICANN (or to a subcontractor employed by ICANN) it will need to demonstrate to American satisfaction its technical capability to manage the root zone. This will mean a highly technical examination of ICANN’s capabilities, including, for example, the process controls it requires before implementing any root zone change, and the security and redundancy of its root zone facilities. Indeed, one thing ICANN might do to reassure the world of its commitment to managing the root effectively would be to commit to maintaining the current technical aspects of the system unchanged, unless and until any proposed change is fully approved and technically vetted.
Fourth, we should proceed cautiously without any fixed deadlines. It is more important to get the transition right than it is to do it quickly. The expiration of the current contract to manage the IANA function in 2015 should not be seen as a deadline. If necessary it would be far better for that contract to be renewed (subject to termination when and if ICANN satisfies the NTIA that it has a good replacement model in place) rather than for us to see the termination date as an artificial deadline.
Finally, we need to think of a mechanism for locking in any mandatory requirements. After all, they would be useless if six months after committing to them ICANN were free to disregard the obligations it had undertaken. Since the most obvious means of enforcing such commitments (through a contractual obligation to the U.S. government) is, per force, no longer on the table, other, more creative binding mechanisms need to be developed.
That is easier said than done. Indeed it may not be possible at all—and that thought is itself concerning. For, as I have noted, though the U.S. influence over the network has not been wholly benign, I am convinced it has been a net positive. In the absence of that influence, we will have to trust that the governance architecture we develop to constrain ICANN is effective. And that is a bit of a risky bet.
I offer three thoughts (not fully developed) for how ICANN’s commitments could be manifest and locked in.
All of these sound cumbersome and perhaps they may be unwise, but they are the best ideas I have right now. And we do need good ideas. Put simply, not only is this transition a “big deal” but it is also a vitally important one. It may, indeed, prove to be one of the most consequential decisions this Administration has made. It would be terribly tragic if the decision proved to have been a mistake — if, in retrospect, the openness of the Internet were to suffer or if control of the network function were to devolve to irresponsible (or, worse, venal) hands. Caution is required. More importantly, the Administration needs to clearly articulate its objectives and set a red line standard that ICANN must meet before the transition occurs.
One final point bears mention: The alternative to the transition to ICANN may not be status quo. There is a realistic possibility that the alternative to ICANN governance of the IANA function would be a transition to governance of IANA by the ITU, which is part of the U.N. I think we should systematically prefer governance by ICANN and the IETF over that of the ITU for reasons beyond questions of national interest. We should do so because it makes good economic sense. The world economy and humanity’s overall general welfare would be better served by ICANN’s adherence (albeit imperfect) to a deregulated, market-driven approach to the development of cyberspace. This approach compares favorably to the turgid, ineffective process of the international public regulatory sector. If you consider that American or European regulatory processes are slow, you must realize that the problem will only be magnified in the international sphere.
Recall, again, the size and scope of the network. Given the scale of the enterprise, the mechanisms for multinational cooperation are too cumbersome, hierarchical, and slow to be of much use in the development of international standards. Acceptable behavior in cyberspace mutates across multiple dimensions at a pace that far outstrips the speed of the policymaking apparatus in the public international system (which, to cite just one example, has yet to conclude an updated trade treaty despite nearly two decades of effort). We should all be concerned that there is no surer way to kill the economic value of the cyber domain than to let the public international community run it.
In the end, we should strive to instill confidence in ICANN and the IETF as stewards of cyberspace. To do so, it may be necessary to further broaden influence over these organizations beyond the current framework. But we must also recognize that the non-state structure currently in place is less subject to political manipulation than the alternatives. These international institutions are multi-stakeholder groups where individuals, technologists, political organizations, innovators, and commercial entities all have a voice. The product of their consensus is more representative and more moderated than any system respondent to only sovereign interests can hope to be.
And so, for me, the bottom line seems relatively clear—despite the strum und drang of recent months, the United States has been a fundamentally good steward of the network. It has fostered innovation, openness, freedom, and growth. Not perfectly to be sure and not always without a healthy dollop of self-interest, but at its core the U.S. management of the network has been more benign than venal, with the result that we have today—a vibrant network with more good than bad in it.
The transition to ICANN management may well upset that happy vision. While I am more optimistic about ICANN than I might be about the ITU as a new steward, the capabilities and political strength of the institution are unproven and remain a question mark. The Administration has made a cautious first step down the road to a transition that may be inevitable and is probably good policy, but it is important that Congress (and the American public) pay attention to the transition process to insure that the end product meets our requirements. In short, the NTIA needs to clearly define what a successful transition will look like, vet that vision with Congress and American stakeholders, and then insist that ICANN’s proposed transition achieves that vision.
 Much of this paper is derivative of several prior works: Brett D. Schaefer, James L. Gattuso, Paul Rosenzweig, and David Inserra, “Important Work to Be Done Before the U.S. Relinquishes Stewardship of ICANN,” Heritage Foundation Issue Brief No. 4175, March 21, 2014, http://www.heritage.org/research/reports/2014/03/important-work-to-be-done-before-the-us-relinquishes-stewardship-of-icann. I have also relied on the contents of four blog posts that I wrote for the Lawfare Blog (http://www.lawfareblog.com) where I am a contributing editor: “The Continuing Struggle for Control of Cyberspace—And The Deterioration of Western Influence,” January 13, 2013 ; “Who Controls the Internet Address Book? ICANN, NTIA and IANA,” March 15, 2014; “Legal Limits on the Transfer of Control to ICANN,” March 19, 2014; and “Defining Success for the ICANN Transition,” March 24, 2014.
News release, “NTIA Announces Intent to Transition Key Internet Domain Name Functions,” National Telecommunications and Information Administration, March 14, 2104, http://www.ntia.doc.gov/press-release/2014/ntia-announces-intent-transition-key-internet-domain-name-functions (accessed March 28, 2014).
Federal Register, Vol. 76, No. 38 (February 25, 2011), p. 10569, http://www.gpo.gov/fdsys/pkg/FR-2011-02-25/html/2011-4240.htm (accessed March 28, 2014).
By way of disclosure, the Subcommittee should be aware that I have done consulting work for Verisign on matters unrelated to its root zone maintenance function.
National Telecommunications and Information Administration, “IANA Functions and Related Root Zone Management Transition Questions and Answers,” http://www.ntia.doc.gov/files/ntia/publications/qa_-_iana-for_web_eop.pdf (accessed March 28, 2014).
L. Gordon Crovitz, “America’s Internet Surrender,” The Wall Street Journal, March 18, 2014, http://online.wsj.com/news/articles/SB10001424052702303563304579447362610955656?mod=WSJ_Opinion_LEADTop&mg=reno64-wsj (accessed March 28, 2014)
Robert P. Murphy, General Counsel, “Department of Commerce: Relationship with the Internet Corporation for
Assigned Names and Numbers Government Accountability Office,” July 7, 2000, B-284206, http://www.gao.gov/new.items/og00033r.pdf (accessed March 28, 2014).
News release, “NTIA Announces Intent to Transition Key Internet Domain Name Functions,” supra.
Kieran McCarthy, “What the US Government Said About IANA in Singapore,” Circle ID, March 26, 2014, http://www.circleid.com/posts/20140327_what_the_us_government_said_about_iana_in_singapore/ (accessed March 28, 2014).