Who Controls the Internet Address Book? ICANN, NTIA and IANA
It is almost axiomatic in Washington, that the bureaucracy buries news of which it is not proud with a release late in the day on a Friday afternoon. Though it is a bit harsh to say so, one suspects that the Department of Commerce felt that way about its announcement ye
Published by The Lawfare Institute
in Cooperation With
It is almost axiomatic in Washington, that the bureaucracy buries news of which it is not proud with a release late in the day on a Friday afternoon. Though it is a bit harsh to say so, one suspects that the Department of Commerce felt that way about its announcement yesterday that the United States would relinquish part of its controlling role in managing the Internet Domain Name System (DNS). In effect, the last remaining legal vestige of American control of the network will vanish next year. Our stewardship of the network will transition to an international non-profit that may, or may not, have the capabilities required. That's a big deal. To understand why requires a bit of explanation.
The DNS is, in effect, the address book of the internet. Someone, in the end, has to decide that "microsoft.com" means the big computer software company in Washington. And someone has to decide that in addition to dot-com addresses we will now start recognizing dot.bank and dot.xxx and dot.home as valid global top level domains (gTLDs). We call this role the Internet Assigned Numbers Authority (IANA)---that is the right and responsibility to assign names among the domains.
Historically, since the original architecture of the network was developed in the United States, that responsibility was originally given to American institutions---indeed, initially, it was the US government itself. Since the 1990s however, the US government has offloaded much of that responsibility to a third party---it has contracted out the IANA function to a non-profit group, the Internet Corporation for Assigned Names and Numbers (ICANN).
ICANN is an American non-profit corporation with headquarters in Southern California. It was, to summarize and simplify, created for the purpose of being able to contract to run the IANA function. And so for roughly the last 15 years ICANN has entered into a contract with the National Telecommunications and Information Administration (NTIA), a component of the Department of Commerce, to manage the IANA function.
The contract was last let out for bid in 2011, and is due to expire in 2015. (I should add that "let out for bid" is a bit of a misnomer, since the way that the request for proposal was written only one entity, ICANN, could possibly have won the contract.) Boiled down to its simplest form, the announcement yesterday was a statement by NTIA that it was not going to enter into another contract---that, instead, it would let ICANN have the responsibility of running the IANA function on its own. The only condition that NTIA set for the transition was that ICANN develop an internal mechanism for oversight and win the trust of crucial stakeholders around the world.
There is one further piece to the puzzle that one needs to understand about the architecture of the administration of the DNS system and the IANA function. Though ICANN manages the IANA function under contract to NTIA, it does not actually do the work of implementing changes to the DNS when they are made. That technical work is managed under a cooperative agreement between the NTIA and Verisign, the American company that also manages the dot-com domain (under a separate arrangement with ICANN). Verisign maintains the root zone (that is the core list of the gTLD domains and their operators), for free as a service to the internet and the world. So, today, when ICANN decides to make a change in the DNS system, the ultimate responsibility for implementing that change lies with Verisign. (Full disclosure: I have done consulting work for Verisign---though not with respect to its root zone maintenance function.)
In other words, today there are three parties who work cooperatively to keeping the web address DNS system running: ICANN, NTIA and Verisign (the Root Zone Maintainer). Here is how the NTIA describes the workings:
(1) TLD operators submit change requests to the IANA Functions Operator [i.e. ICANN]; (2) the IANA Functions Operator processes the request and conducts due diligence in verifying the request; (3) the IANA Functions Operator sends a recommendation regarding the request to the Administrator [of NTIA] for verification/authorization; (4) the Administrator verifies that the IANA Functions Operator has followed its agreed upon verification/processing policies and procedures; (5) the Administrator authorizes the Root Zone Maintainer [i.e. Verisign] to make the change; (6) the Root Zone Maintainer edits and generates the updated root zone file; and (7) the Root Zone Maintainer distributes the updated root zone file to the thirteen (13) root server operatorsSo, now you can see why this change is a big deal. Today, by contract, the NTIA has a verification and authorization role over how ICANN performs its functions. In other words, in the end, any changes that ICANN wants to make are subject to review by the US government. After the policy that was announced on Friday takes effect, the US government will give up that role. And according to the NTIA, this will likely mean that Verisign's role will have to be modified, as well, if not completely transitioned to another root zone manager. So what are we to make of this transition. Herewith a few thoughts:
- In some ways this is inevitable. It is simply untenable for the United States to continue to be the proprietor of the globalized internet domain. At some point, a transition to an international system was required.
- On the other hand, ICANN may not necessarily be in a good position to take over this responsibility (as anxious as it is to do so). Many are worried that ICANN is beholden to the domain name registry industry, who pay large fees to ICANN for the privilege of managing (and reselling) top level domain systems. When ICANN recently opened up new gTLDs it reaped a huge profit. If you accept the maxim that "he who has the gold makes the rules" the transition to ICANN control may actually be about a transition to corporate control through ICANN.
- ICANN is often thought of as unaccountable. It's multi-stakeholder model of governance attempts to bring all parties to the table. But that's an awfully big table. In the end, the ICANN executive group usually takes the initiative and drives the agenda---and without the check of the NTIA (however modest it has been in the past) they may have greater leeway to do as they please.
- More worryingly, from my perspective, is the question of technical expertise. It is far from clear to me that ICANN is ready and able to take over the implementation role of root zone management. The worst possible result would be a broken DNS system.
- The move by the United States to start this transition now is either very canny or panicked. The optimist in me wants to think that the transition to ICANN management is an effort to forestall an even worse result from takeover of network administration by the ITU, a prospect I wrote about earlier. It may be that allowing ICANN a controlling role will placate our European allies and prevent the ITU meeting in Busan, South Korea this Fall from becoming a debacle.
- The pessimist, however, sees this as a reaction to the Snowden disclosures. All of a sudden American stewardship of the network is suspect. Some, hoping to defuse the anger, may have chosen to rush to give up that stewardship, without thinking through the consequences.
Paul Rosenzweig is the founder of Red Branch Consulting PLLC, a homeland security consulting company and a Senior Advisor to The Chertoff Group. Mr. Rosenzweig formerly served as Deputy Assistant Secretary for Policy in the Department of Homeland Security. He is a Professorial Lecturer in Law at George Washington University, a Senior Fellow in the Tech, Law & Security program at American University, and a Board Member of the Journal of National Security Law and Policy.