Protecting Internet Freedom and American Interests: Required Reforms and Standards for ICANN Transition

The U.S. National Telecommunications and Information Administration (NTIA) has contracted with the Internet Corporation for Assigned Names and Numbers (ICANN) to manage core functions of the Internet since ICANN was established in 1998. ICANN is a private nonprofit corporation created to manage policy and technical features of the Internet’s domain name system (DNS) in a multi-stakeholder manner.[1] Since the establishment of ICANN, the federal government has expressed its intent to make governance of the DNS fully private—that is, free from government oversight. However, this transition has been repeatedly deferred due to a perceived value in retaining U.S. influence and concerns over ICANN’s ability to fulfill its responsibilities absent the oversight role played by the NTIA. Unexpectedly, on March 14, 2014, the NTIA announced that it did not intend to renew its contract with ICANN and mandated that the organization consult with “global stakeholders” to agree on an alternative to the “current role played by NTIA in the coordination of the Internet’s [DNS].”[2] The existing contract expires on September 30, 2015. However, the contract permits the NTIA to exercise two renewal clauses, each for two-year periods, which could extend the current contract through September 30, 2019.[3]

When making the initial announcement, the NTIA stated it would not withdraw from the process until an acceptable alternative mechanism is developed. This new mechanism, the NTIA stated, must: (1) “Support and enhance the multi-stakeholder model”; (2) “Maintain the security, stability, and resiliency of the Internet DNS”; (3) “Meet the needs and expectation of the global customers and partners of the IANA [Internet Assigned Numbers Authority] services”; and (4) “Maintain the openness of the Internet.” Additionally, the NTIA stated that it “will not accept a proposal that replaces the NTIA role with a government-led or an inter-governmental organization solution.”[4] After concerns were voiced in Congress and the private sector, the NTIA clarified that the U.S. would renew the IANA contract with ICANN should the transition proposal fall short.[5]

The NTIA’s conditions are a good start, but insufficient, giving little practical guidance or details on what is an acceptable new oversight mechanism. The Internet is too important to permit such ambiguity. Congress should work with the Administration to define and detail minimum protections, including protections to preserve freedom of expression and reforms designed to enhance ICANN accountability and insulate it from government capture, which must be in place before the U.S. will agree to the transition. Ensuring that this transition occurs correctly is of paramount importance to the future of the Internet as a free, stable, and dynamic arena for human expression and economic growth. As explained in more detail below, those minimum protections should include procedural mechanisms that:

• Separate policymaking from technical implementation by creating a new IANA consortium with responsibility for technical issues;
• Create a new external, private oversight board for ICANN notionally called the Internet Freedom Panel, that is representative of users and possesses veto power over ICANN policy decisions that threaten the freedom, security, stability, and resilience of the Internet;
• Require ICANN to adopt greater transparency and accountability rules, including, for example, an outside audit requirement and an independent arbitration mechanism; and
• Prohibit any representative of a government, governmental institution, or intergovernmental organization from participating on ICANN’s board or the new Internet Freedom Panel in anything other than an advisory capacity.

The U.S. should not end its role in the assignment of Internet names and numbers before adequate checks and balances are put in place to ensure that the newly privatized system is sufficiently transparent and accountable and is not vulnerable to hijacking by governments or intergovernmental organizations opposed to a free and private Internet.

How the Domain Name System Works

The DNS allows users to type a website name into an Internet browser and connect with that website; heritage.org, for instance, leads to The Heritage Foundation website. The suffix to the right of the “dot” is the web address at the top of the DNS pyramid. These are known as generic top-level domains (gTLDs) and country code top-level domains (ccTLD). Examples include .com, .org, and .clothing for gTLDs and .uk or .ru for ccTLDs.

The U.S. government has contracted with ICANN to administer this system—known broadly as the IANA—since 1998. This responsibility focuses primarily on the updating, expansion, and maintenance of the DNS root zone, essentially the address book of the Internet. The root zone is maintained on 13 sets of root servers. These 13 sets are not housed in 13 distinct locations, but are comprised of hundreds of root servers at over 350 sites in many different countries.[6]

ICANN’s policy process for changing the DNS begins with consultation with the multi-stakeholder community. To change the root zone, a registry operator notifies ICANN of the proposed change. In order for a change to be made to the root, it must be in line with the consensus policies developed as a part of the multi-stakeholder process. ICANN, through a series of administrative and technical checks, makes the initial decision to make or reject the change. In most cases, changes to a root zone are routine maintenance and are non-controversial. More controversial issues—such as the creation of new gTLDs or ccTLDs—are opened for public comment and discussion until a consensus is reached.

ICANN’s proposed changes to the root zone are sent simultaneously to the NTIA for authorization and to the root zone maintainer. The NTIA very rarely rejects decisions reached by ICANN, leaving Internet governance almost entirely to the private sector.[7] It has, however, served an important role in ensuring that proper processes are followed. U.S. oversight has been light-handed, focusing on maintaining and developing Internet stability and reliability. This has allowed the Internet to grow and develop at a fantastic pace.

Once a root zone change is authorized by the NTIA, Verisign, a private company that has an agreement with the NTIA to act as root zone maintainer, performs technical checks on the proposed change, implements them and generates the updated root zone. Once the new updated root zone has been validated, it is distributed to the root servers. Typically a new root zone is propagated within minutes. A new root zone file is generated and propagated roughly every 12 hours.

Threats to Internet Freedom

The NTIA proposal to withdraw from its oversight role is in accordance with the federal government’s long-standing goal of privatizing Internet governance. As early as 1997, the Clinton Administration issued a directive instructing the Commerce Department to “support efforts to make the governance of the domain name system private.”[8] Every Administration since has supported that goal, recognizing that the Internet, and the DNS system, is too important to be subject to government control.

Fulfillment of the goal of privatization, however, has been repeatedly delayed. As the Internet has grown in importance, concerns have arisen over what would fill the vacuum following the U.S. federal government’s exit from the field. Many nations, such as China and Russia, have made no secret of their desire to limit speech on the Internet that is critical of or damaging to their interests. Even some democratic nations have supported limiting undesirable speech,[9] or limiting economic freedoms online. And international organizations such as the International Telecommunication Union (ITU), an arm of the United Nations, have expressed a strong interest in playing a role in Internet governance.

It should be stressed that ICANN presently has very limited power to actually “govern” the Web. Its job is focused on proposing and facilitating changes to the DNS. But even that power could be abused, by limiting or favoring certain domain names, or even by neglecting service of domain names of politically disfavored groups. Moreover, any government limits on Internet freedoms imposed through ICANN could serve as a precedent for limits elsewhere.

Putting Meat on the Bones of NTIA’s Principles

The Obama Administration implicitly recognizes that the decision to end the NTIA’s contractual role with ICANN poses a risk that the current system could be replaced by a less benign, government-led or intergovernmental-organization-led solution. The principles outlined by the Administration are basically guidelines for how to avoid that result. By their nature, however, they fall far short of the detail necessary to ascertain what would or would not be deemed acceptable alternatives.

The absence of clear, well-defined standards, checks, and requirements runs the risk that the NTIA will complete the transfer without adequately addressing these very real concerns because of a “pre-commitment” to a specific result or the natural momentum of the process. To ensure that adequate safeguards are adopted, Congress should work with the Administration through consultation and hearings to define and detail protections, checks, and balances required to pass muster under each of the broad principles identified by the NTIA. To guarantee that these protections are heeded by the Administration in deliberations over whether to renew or extend the ICANN contract, Congress should give them the force of law and make the expiry of the NTIA contract with ICANN contingent on their implementation.

Principle #1: The NTIA will not accept a proposal that replaces the NTIA role with a government-led or an intergovernmental organization solution.

The goal of reform should be an Internet that is free from governmental control, either individually or through inter-governmental bodies. Other nations have sought repeatedly, for example, to work through U.N. organizations such as the ITU to exercise greater authority in Internet governance. These countries can be expected to intensify their efforts in the wake of the U.S. government’s own withdrawal. Policymakers must ensure that ICANN, and any new bodies created in response to the NTIA withdrawal, represent private-sector users, with no government involvement beyond an advisory role. It is necessary that:

• No governmental or intergovernmental body be allowed to exercise control over the management of the DNS. Government participation should be limited to an advisory role through such institutions as the Governmental Advisory Council (GAC) (an existing body that currently provides a forum for advice to ICANN by governments), and to participation as a user to the same extent and to no greater extent than non-government users.
• No ICANN officer or voting member of the board of directors be selected by, or represent, a governmental or intergovernmental body. The board of directors and ICANN senior officers should represent the interests of the private-sector users of the Internet, not governments or intergovernmental organizations.
• ICANN’s bylaws be amended to lock in current status of the GAC as an advisory body and its current practices in proffering advice. The stated purpose of the GAC is to “provide advice to ICANN on issues of public policy, and especially where there may be an interaction between ICANN’s activities or policies and national laws or international agreements.”[10] ICANN bylaws specifically state that GAC advice is not binding for ICANN or the board.[11] The U.S. should insist that ICANN bylaws preserve the current advisory role of the GAC and, because the GAC operating principles can be revised at any time by a majority vote of participating governments, amend the ICANN bylaws to allow receipt of GAC advice only if consensus, as defined by the GAC as “the practice of adopting decisions by general agreement in the absence of any formal objection,”[12] is achieved.

Principle #2: Maintain the openness of the Internet.

The Internet provides an unequaled forum for the exchange of ideas around the globe. Protecting the freedom of users to express their opinions or conduct online activities of their choosing should be a paramount goal of U.S. policymakers. Such free expression, however, is viewed as a threat by many authoritarian governments such as those in Russia and China. Domestically, these nations have long adopted policies limiting Internet freedom. The urge to censor is not limited to non-democratic regimes and institutions. The European Union, for example, recently required search engines, upon request, to remove links to categories of personal information, such as prior bankruptcies, which are considered no longer relevant or lack a compelling public interest meriting disclosure—in effect forcing search engines such as Google to censor content.

As a private corporation, ICANN does not have the power to directly limit speech globally. But freedom of expression could be hindered in more subtle ways. It could, for instance, refuse to allow specific domain names, such as “.falungong” or “.islam” to be entered into the root. More directly, governments can—and do—use the domain name system to shut down individual websites.[13] Perhaps most troubling of all, an unfettered ICANN could include contractual terms in its agreements with registrars of domain names that would contractually oblige the registrars to limit Internet freedom or have that effect.

ICANN should, to the greatest extent possible, avoid content-based judgments in the administration of the DNS. To date, it has generally done so, with the prominent—and understandable—exception of steps to protect intellectual property. Having ICANN headquartered in the U.S. or subject to U.S. law does not itself establish an obligation by ICANN, which is not and will not be a state institution after the transition, to protect freedom of expression. To ensure that maximum freedom of expression continues, the Administration and Congress should insist on the following protections:

• Incorporate freedom of expression into the bylaws of ICANN. ICANN’s bylaws should be amended to specifically commit the organization to oppose efforts to constrain free speech, online discourse, or assembly. This commitment should incorporate the strictest standard for freedom of expression and association, at least as comprehensive as that applied under the First Amendment.
• Separate the policy functions of ICANN from root zone management functions, which should be relegated to a new IANA consortium. IANA governance, often seen as a single process, actually refers to a number of quite distinct responsibilities, including making the policy decisions regarding the treatment of top-level domain names, the management of the content of the root zones, and the actual editing of the root zone files (a role now performed by Verisign under contract with the NTIA). The second two functions (the so-called IANA functions) are largely administrative functions. To reduce the possibility of political interference, the IANA functions should be separated from ICANN, leaving ICANN only with the policy role, acting through the consensus-based multi-stakeholder process. The non-policy functions would be overseen by a new, private organization, which would take over the current role of ICANN and the NTIA. As outlined in a recent white paper by Milton Mueller and Brenden Kuerbis for the Internet Governance Project,[14] this new body could be a consortium representing the most direct users of the process—the operators of the 13 root zone servers and the various registries.[15] The root server operators and the registries, including ccTLD registries, have a strong interest in ensuring that the DNS remains accurate, stable, and responsive. The new IANA consortium should be a private nonprofit company financed and managed by the TLD registries.
• Establish an “Internet Freedom Panel” to oversee ICANN’s remaining policy function. This private-sector board would, under ICANN’s bylaws, have the authority to review and, if necessary, veto ICANN proposed changes to the DNS deemed to threaten the freedom, stability, or security of the Internet. This board should include no government members, but represent the users of the Internet. It could be structured in a number of ways, including having the non-government board members for the new IANA consortium serve concurrently on the ICANN Internet Freedom Panel.
• Require ICANN to enter into a new legally binding global Affirmation of Commitments (AOC) with the Internet Freedom Panel that includes clear protections for freedom of expression. Under the current AOC, an agreement with the Department of Commerce, ICANN and the U.S. government agree to abide by specified procedures and to foster certain principles and objectives.[16] If the anticipated transition occurs, ICANN will no longer have an AOC partner. Therefore, prior to the expiry of the current NTIA contract, ICANN should be required to enter into a new, legally binding AOC with the Internet Freedom Panel. Moreover, protections for freedom of expression in the current AOC are insufficient and should be expressly stated in the new AOC which, along with other provisions, should be enforceable as a private contract under U.S. law.

Principle #3: Support and enhance the multi-stakeholder model.

Under the multi-stakeholder model, ICANN should be responsible to and accountable to the users of the Internet, and not to any governmental body. To ensure this accountability, policymakers should:

• Amend ICANN bylaws to define a supermajority vote as four-fifths of voting members. The bylaws currently define a supermajority vote as a “vote of more than sixty-six (66) percent of the members present at a meeting of the applicable body” and a Generic Names Supporting Organization (GNSO) supermajority as “(a) two-thirds (2/3) of the Council members of each House, or (b) three-fourths (3/4) of one House and a majority of the other House.”[17] With NTIA oversight receding, the threshold for approving major decisions should be increased to four-fifths of all members, not just those present. This change should also be applied to all decisions currently requiring a 66 percent or two-thirds vote in the bylaws.
• Require a supermajority of the board, as newly defined, to change ICANN’s bylaws and the articles of incorporation. With few exceptions, ICANN’s articles of incorporation and ICANN’s bylaws may be altered, amended, or repealed, and new ones adopted by a two-thirds vote of all 16 voting members of the board. As ICANN’s autonomy increases, the need to have firm rules increases. The threshold for changing or replacing the articles of incorporation and the bylaws should be raised to four-fifths of all voting members.
• Establish term limits for ICANN senior officers. ICANN’s bylaws limit members of the board of directors to three three-year terms. However, each senior officer (the president/CEO, the secretary, and the CFO) “shall hold his or her office until he or she resigns, is removed, is otherwise disqualified to serve, or his or her successor is elected.”[18] Mandating periodic turnover of senior officers would help guard against self-interest. Senior officers should serve a maximum of nine years, as is the case for directors, and face a supermajority vote of confidence, as newly defined, every three years.
• Simplify the process of selecting members of ICANN’s board of directors. The current process for selecting members of ICANN’s board is byzantine, involving multiple bodies established by separate articles of the bylaws, each with detailed rules and processes. The relationships among these bodies are complicated, with representatives from one body sometimes populating others.[19] The complicated nature of the process is a barrier to transparency and invites manipulation by those most familiar with the process. The ICANN bylaws should adopt a more transparent and direct process for selecting ICANN directors. One option, for instance, would be to eliminate the nominating committee and charge the various advisory bodies to select directors independently, as they currently do for some directors, and enter into arrangements with Internet organizations, coalitions, or user groups focused on specific aspects of the DNS (such as the Internet Engineering Task Force, the Internet Society, TLD registrars, and private-sector interests like the Software Alliance) to select the balance of the board members.

Principle #4: Maintain the security, stability, and resilience of the Internet DNS.

The United States, as well as the Internet community at-large, has an interest in ensuring that the Internet remains secure, stable, and resilient and does not suffer disruptions due to the transfer. To help ensure that outcome, the U.S. should insist the following be part of the transition:

• Depoliticize the technical aspects of the DNS. The entity charged by the IANA consortium with the actual editing of the root zone files should have a clear non-discretionary obligation to implement policy decisions adopted by ICANN unless they are vetoed by the Internet Freedom Panel. This task, currently performed under contract by Verisign, should not be transferred to any new contractor for implementation unless and until the new private IANA consortium overseeing the process is satisfied with the technical competence of the new contractor and approves the transfer.
• Require ICANN to remain subject to U.S. law. ICANN has opened two hub offices in Singapore and Istanbul that are intended to handle ICANN responsibilities. There has been speculation that ICANN could relocate its headquarters to one of these hubs or another location. If accountability and transparency measures are to be effective and enforceable, it is important that ICANN remain subject to U.S. law. ICANN’s bylaws should be changed to require that ICANN remain subject to the jurisdiction of U.S. courts and subject to U.S. law.
• Grant the U.S. sole ownership and exclusive use of the “.gov” and “.mil” TLDs. The U.S. government developed the Internet without anticipating that it would become a global medium. As the U.S. government increased its use and presence on the Web, it used these two gTLDs as the default. Allowing other governments or the private sector to use these gTLDs poses security risks. ICANN should be required to acknowledge sole U.S. ownership and use of these gTLDs and exempt them from the requirement to publish registry information (known as WHOIS) that is applied to other gTLDs. In addition, sole U.S. authority should be acknowledged for decisions relating to changes to the root servers managing the “.gov” and “.mil” TLDs that could impact its security concerns.

Principle #5: Meet the needs and expectations of the global customers and partners of the IANA services.

It is often argued that ICANN is a monopoly. That is not strictly true. There are a number of small niche “alternative” DNS systems that operate at the margin of ICANN’s market power. Perhaps more importantly, ICANN’s market power is significantly curtailed by other Internet services that allow consumers to locate specific websites. For instance, while the domain name heritage.org is of particular value to The Heritage Foundation, it is not essential in a world dominated by search engines. Even without a memorable domain name, Internet users would have little problem navigating to The Heritage Foundation’s website through various search engines or links on other websites. Nonetheless, ICANN’s role as a user-run cooperative with sole power to allocate and regulate new gTLDs justifies safeguards against market power abuses. The U.S. should, as a condition of ending the current arrangement, require ICANN to:

• Conduct and publicly release a five-year forensic audit. Before entrusting ICANN with greater autonomy, it should provide evidence that its financial and management decisions have been sound and comport with accepted business practices.
• Conduct an annual outside audit. ICANN and the new IANA consortium overseeing technical implementation should be required to contract with an internationally recognized auditing firm (such as Deloitte, Dettica, PricewaterhouseCoopers, Ernst & Young, or KPMG) to conduct and publicly release an annual audit of their respective organizations. The costs should be paid by ICANN and the new IANA consortium and the auditing firm should be eligible only if it does not have a pre-existing contract with ICANN.
• Enhance transparency in its deliberations. ICANN board meetings should be broadcast live on the Internet and archived along with meeting minutes and associated materials.
• Limit agreements with partners. Neither ICANN nor the new IANA consortium should be permitted under their bylaws to enter into contracts imposing conditions unrelated to DNS management, such as regulating content, on the registrars with whom they conduct business. Moreover, such agreements should not be open to unilateral amendment by ICANN or the new IANA consortium, and they should be subject to legal recourse in U.S. courts.
• Require a supermajority of ICANN’s board, as newly defined, to approve changes in prices and fees of ICANN. Although it is registered as a nonprofit corporation, ICANN’s approved budget has grown substantially over the past decade from $8.3 million in 2004 to over $200 million in 2014.[20] ICANN raises revenues to pay for its operations by charging fees on every domain name that is added, renewed, or transferred. ICANN also charges for applications for new gTLDs and, if the application is approved, additional annual fees and transaction fees. ICANN has the ability to adjust, increase, or levy new fees. ICANN has a vested interest in enhancing its financial position and, as a dominant market player, has a unique opportunity to take actions to realize that outcome. Currently, a majority decision of the board approves changes in ICANN fees. To better ensure that changes in fees or pricing are consistent with user interests, approval by a supermajority, defined as four-fifths of all directors of ICANN’s board, should be required before implementation.
• Establish a joint inspector general (IG) office for ICANN and the new IANA consortium. The IG should be appointed by the board for a non-renewable fixed term and granted full access to ICANN and the finances, documents, and activities of ICANN and the new IANA consortium. The IG’s reports should be made publicly available and not be subject to approval or edit by ICANN officials, ICANN’s board, or the new IANA consortium.
• Require ICANN to adopt an independent dispute resolution process. Currently, ICANN contracts with the International Centre for Dispute Resolution (ICDR)[21] for independent review of contested board actions and as a dispute resolution service provider for objections to new gTLD expansions. That role should be expanded and formalized (either under ICDR or another independent body) to establish a comprehensive independent dispute resolution system for all matters relating to ICANN’s operation.
• Require ICANN to adopt a more open disclosure policy process at least equivalent to the U.S. Freedom of Information Act (FOIA). The multi-stakeholder community should have far greater access to ICANN documents, internal deliberations, and other materials related to its activities and decisions. ICANN currently has a Documentary Disclosure Information Policy that is “intended to ensure that information contained in documents concerning ICANN’s operational activities, and within ICANN’s possession, custody, or control, is made available to the public unless there is a compelling reason for confidentiality.”[22] While superficially similar to the FOIA process, ICANN’s defined conditions for nondisclosure are sweeping, allow broad discretion, and have been used by the organization to block transparency. The breadth and arbitrary character of these exceptions is excessive for a body not dealing with national security issues.[23] It is particularly problematic in a multi-stakeholder institution that is seeking sole authority over its activities. Moreover, unlike the U.S. government, whose FOIA denials can be challenged in court, those requesting information from ICANN have no option for independent appeal. To address this issue, ICANN should implement an appeal procedure involving the independent dispute resolution process.

The Need for Safeguards in the Internet Governance Process

To continue the vitality and freedom of the Internet, ICANN should be insulated from political pressure from governments, either directly or through intergovernmental organizations such as the U.N. or the ITU. Instead, it should be accountable to individuals and businesses that use the Internet as a vehicle for discourse, commerce, education, research, news, and other purposes. The Obama Administration has rightfully recognized the need for safeguards to be in place before any transition of ICANN is implemented. While unobjectionable, the Administration’s principles for what these safeguards should be lack the specificity to inform multi-stakeholder deliberations and fall short of the specificity needed to objectively determine if a proposal will or will not be acceptable. The Administration and Congress should address this ambiguity with legislation that establishes clear standards for each of the Administration’s announced principles, as discussed.[24]

In addition, to address outstanding questions about whether the NTIA has the authority to decline to renew the current contract with ICANN absent congressional consent, Congress should tie these standards to a specific instruction to the NTIA to retain its current authority over the contract until an acceptable proposal is reached.

In the near future, this would involve exercising renewal clauses in the current contract. Under the terms of the NTIA’s current contract with ICANN, “The Government may extend the term of this contract by written notice to the Contractor [ICANN] within 15 calendar days before the expiration of the contract; provided that the Government gives the Contractor a preliminary written notice of its intent to extend at least 30 calendar days before the contract expires.”[25] The NTIA must provide notice to ICANN by August 31, 2015, of its intent to extend the contract. In legislation identifying required standards, checks, and other changes necessary to assuage congressional and private-sector concerns about the transfer, Congress should instruct the NTIA to provide notice of extension of the contract before this deadline, should ICANN’s proposal prove inadequate.

—Paul Rosenzweig is a Visiting Fellow in the Douglas and Sarah Allison Center for Foreign and National Security Policy, of the Kathryn and Shelby Cullom Davis Institute for National Security and Foreign Policy, at The Heritage Foundation. Brett D. Schaefer is Jay Kingham Fellow in International Regulatory Affairs in the Margaret Thatcher Center for Freedom of the Davis Institute. James L. Gattuso is Senior Research Fellow for Regulatory Policy in the Thomas A. Roe Institute for Economic Policy Studies, of the Institute for Economic Freedom and Opportunity, at The Heritage Foundation. David Inserra is a Research Associate for Homeland Security and Cybersecurity in the Allison Center.