
How to multistakeholder wash Internet disconnection: On the multistakeholder Internet governance sanction regime

Demilitarization of the Internet is a goal we should all aspire to. This can be done in various ways, such as effective nongovernmental attribution of cyberattacks, emphasizing the importance of bringing in stakeholders other than governments and the military as well as self-governance.

Recently, some have used the awful war Russia has started against Ukraine to come up with a statement and a solution of how we go about imposing sanctions that can demilitarize the Internet and overcome propaganda. I call that statement multistakeholder washing of Internet disconnection. Multistakeholder washing is the process of taking a process controlled by an elite group, and dressing it up in the clothes of multiple stakeholders. The statement about sanctions is a good case study:

1.  Stages of multistakeholder washing 

First step: In order to multistakeholder wash an idea, a limited set of stakeholders— sometimes excluding affected communities, and frequently including people with a lot of resources and power— get together and come up with their own solution. We can call this group the Wise Ones. They do this initial step behind closed doors, to get the statement out; otherwise it will get too noisy and involve too many people. 

Second step: the Wise Ones publish the statement, and use their connections to promote the idea (e.g. ensuring that media outlets have early access). The Wise Ones also tell everyone that they are open to feedback while shutting down opposing views and at the same time starting to operationalize their idea. These kinds of approaches are not unknown to those who practice multistakeholderism. Including only “insiders” in the preliminary stages of statements is a tactic that serves to control the process as much as possible.

Some consortiums or other unilateral processes start first as single stakeholder initiatives and later on try to adopt a multistakeholder approach. That is not the approach used here. In this model, the Wise Ones claim they are multistakeholder already. 

Third step: Save the whole world (which most of the time actually means the West). 

2. Who are the stakeholders?

Part of the legitimacy of the Wise Ones depends on a pose of neutrality and inclusion. Usually, the Wise Ones’ solutions are proposed for highly contentious issues where there is a lot of disagreement. So, the Wise Ones often claim broad legitimacy from unnamed supporters who, unfortunately, cannot name themselves publicly. This step we can call “inclusion of the unnamed”.

In the current example, for instance, we don’t know who the stakeholders are, other than the ones who signed the statement. The ones on the statement are mostly Western, mostly male, and mostly never lived in sanctioned countries, or operated networks there. 

We can see the action of inclusion of the unnamed in a claim that one of the leaders of this statement, Bill Woodcock, made on LinkedIn:

“Ten days and 87 authors, from every part of the Internet governance community… This is how we do multistakeholderism, and ensure that the Internet is not used as a tool of war or oppression.”

There are 36 people who have signed this open letter.  We have no way of knowing who the other 51 are. Perhaps they do bring to the proposal the perspective of people who have lived in sanctioned countries and dealt with the result, but the included list of people who did sign on does not give one a lot of confidence. In this case, Mr Woodcock should have clarified every part of the Internet community that they managed to convince to agree with this initiative! We shouldn’t need to wonder why this document came together so quickly. 

3. That unprecedented challenge we knew about for so many years 

A third element of multistakeholder washing is the assertion that the issue being confronted is entirely new, which requires the heroic intervention of the Wise Ones to confront. For instance, in the present case, the document makes such an assertion from the very beginning. It says: “The invasion of Ukraine poses a new challenge for multistakeholder Internet infrastructure governance.”

The invasion of Ukraine does not pose a new challenge for multistakeholder Internet infrastructure governance. This is a challenge that those working on the statement want to pay attention to only now and want to do something collectively only now. Many people raised the challenges that faced the Internet during conflicts and wars. Afghanistan and Syria are only two wars that raised very similar challenges. 

Let’s reframe this sentence to what it really is about. The invasion of Ukraine reinforced this challenge, which triggered the West to finally pay attention to it in a collective manner. It’s good to have people paying attention to these issues, but only if we actually consider that, like the Internet, this challenge has a global dimension and includes more communities than Western based entities. 

4. Adopting tired, old approaches that have been tried and tested and failed

A peculiar element of multistakeholder washing is that it frequently presents, as new and revolutionary, solutions or approaches that have previously been tried and found wanting. This may be because the Wise Ones group excludes too many participants who would have been able to point out the similarity to previous approaches to a problem.

In this case, for instance, the technocrats who make up the Wise Ones claim,

“The effectiveness of sanctions should be evaluated relative to predefined goals. Ineffective sanctions waste effort and willpower and convey neither unity nor conviction.” and “Sanctions should be focused and precise. They should minimize the chance of unintended consequences or collateral damage. Disproportionate or over-broad sanctions risk fundamentally alienating populations.”

Sanctions have to be effective and precise. This is not a unique and ingenious principle. Governmental sanctions were never adopted without predefined goals. (US sanctions had human rights goals in mind.) They didn’t want to be ineffective either, hence they considered fines. There were attempts to be precise too, so they came up with a list. But these lists have historically affected those vulnerable communities oppressed by dictatorships more than the dictators themselves. Those who have worked on the issue have documented this through years of monitoring and observing the situation. Because businesses want to do business, and don’t want to get fined, they automatically act cautiously where sanctions might affect them. This leads to over-compliance with the sanctions, and on the Internet that means the disconnection of whole communities of people. Despite the fact that the US office of treasury emphasized every step of the way that ordinary people should not be affected by sanctions and that the specially designated national (SDN) list was in effect to come up with proportional sanctions to limit collateral damage, businesses (tech and non-tech) just stopped doing anything with the residents of sanctioned countries. Internet companies sometimes even refuse to provide their products to businesses that are not residents of the sanctioned countries but that provide services to such countries. Read more about that here. None of that is a new development, and if there is something truly new in this sanction proposal it is pretty hard to see what.

5. Only military and propaganda agencies and their information infrastructure are potential targets of sanctions

Another odd element of multistakeholder washing is that the proposals usually make exaggerated promises of effectiveness. Part of the reason that multistakeholder processes can be frustrating is because they include so many participants, which can slow progress. But that wide inclusion tends to make for an effective system because, as the open source software advocates like to say, with enough eyeballs all bugs are shallow. When an exclusive group pretends to be multistakeholder, the advantage of different perspectives is lost.

In the example of the sanctions proposal under discussion, part of the supposed virtue is the narrow target. But blocking “propaganda agencies” will not lead to demilitarization of the Internet, but to politicization of the Internet. For some, the Voice of America is a propaganda agency. For others, other countries’ outlets are. What are the parameters to decide what a propaganda agency is? Who decides, and how?

Also, the claim that the sanctions will only target certain entities and networks is naive. One does not even need the experience to see this. Militaries in dictatorships, and especially in sanctioned countries, will use networks of civilians (by force if necessary). They own many channels of communications and sometimes have their representatives in those networks. It was only today that London Internet Exchange announced that it had to comply with sanctions and suspended the membership of two Russian AS numbers that belonged to telecommunication agencies in Russia. This might be because the owners of those ASes were in the legal sanction list. But the disconnection will potentially hamper many more people.  

This is why the “list based approach” never worked when it came to sanctions. Since the powerful in sanctioned countries can navigate around the list, they will not be affected. The sanctions can’t catch the powerful, but they do catch the “small flies” that don’t have the resources of oligarchs or military. 

6. The multistakeholder community is here to save the day

Part of the reason multistakeholder washing is attractive is that the idea of a multistakeholder process conveys a certain kind of legitimacy. In the worst examples, that legitimacy is held up against governments asking them not to impose sanctions! This issue shows up prominently in this principle: “It is inappropriate and counterproductive for governments to attempt to compel Internet governance mechanisms to impose sanctions outside of the community’s multistakeholder decision-making process.”

Governments impose sanctions as a means of implementing their foreign policies. So, sanctions are inherently government action. An optional, non-governmental refusal to interact with someone else is not a sanctions regime. It’s a consumer boycott (in this case a military consumer boycott). Which would have been an interesting regime, and if that is what this group means, they should actually clarify it. 

But learning from the governments’ experiences about sanctions is crucial. Governments have been imposing sanctions on various countries and groups which hampered the access of ordinary people to services on the Internet and Internet infrastructure. You can’t stop them by having a principle that they shouldn’t impose sanctions. And if you provide the governments with a list, governments will add to their sanction list and fine every network that communicates with the sanctioned networks. This is how sanctions work.

The networks themselves have already been complying with sanctions or enabling customers to comply with sanctions. Networks on the Internet have to follow the laws of the countries they are based in. In fact, Content Delivery Networks and others have allowed businesses not to serve certain regions or countries, and they don’t consult with any imaginary multistakeholder community, because they have to follow the law. The US regularly confiscates domain names because they were owned by or related to some military force and had undertaken disinformation campaigns (see one example). What is this multistakeholder community going to do in the future when the US does something like that again, using this new multistakeholder-approved list? Is that the outcome this group wants?

The Wise Ones also recommend due process and consensus to come up with the magic list. Due process usually is provided after the fact. This must mean that they will have a list of organizations, IP addresses and domain names and if those people complain, then there will be a process to unblock them. Which is good, but again another tried and tested method that is neither efficient nor fair. (You see a lot of “due process” arguments in content take-down that completely ignore the deprivation of access to crucial services to people.) What is not well thought out here is how wrongful disconnection is going to be prevented. What are the remedies? These are the fundamental questions that the proposal assures will be solved by consensus among the multistakeholder community. But waving these problems away as a simple matter of consensus is simple wishful thinking. The entire problem of sanctions is a political one of who is to be sanctioned, by whose authority, and with what effect. In answer to that problem, the Wise Ones offer “due process and consensus”. In other words, on the basic central issue, this proposal makes no proposal at all.

How to move ahead?

Multistakeholder washing creates the illusion of a multistakeholder process when the process is actually exclusionary. It is probably not that surprising that this would be used to build a recommendation for a sanctions regime. For sanctions regimes are inherently exclusionary. They consider nation states as the unit of analysis and if you have decided to sanction some ruling party in a country, you are naturally not going to include them in the discussions. Which is fine, but then your process will not be multistakeholder, and you can pick another name for it. You can call it the Networks We Don’t Like!

Many of us agree we need to stop the militarization of the Internet and attempt to demilitarize it. But can we do that with a “sanction regime” and a “list based” approach that can be abused and lead to disconnection of ordinary people from the Internet? The evidence so far would appear to be no, which is what would have been evident to the people who proposed this sanctions model if they had actually engaged the wide range of stakeholders that is a necessary condition to meet all the principles the authors laid out. Businesses, network operators and others are free to take private actions and talk to the networks they like and boycott the networks they don’t. But perhaps it is better to acknowledge that this is not a multistakeholder process and it will not be possible to uphold those principles laid out in the document, i.e. people’s access to the Internet will be hampered. 

 

 

Sanctions, Global Internet Connectivity and Content Delivery Networks

On Friday, Mykhailo Fedorov, Ukraine’s digital transformation minister, asked Cloudflare and Amazon to stop serving Russian web resources and protecting Russian services.

He said in a tweet that Ukraine was “calling on Amazon to stop providing cloud services in Russia.” He also said that “Cloudflare should not protect Russian web-resources while their tanks and missiles attack our kindergartens.”

Content Delivery Networks might already refrain from serving sanctioned countries, including Russia. However, sanctions that affect Internet traffic have been under-discussed for a long time. It is unclear so far the extent to which any sanctions have affected CDN services and traffic either destined for or coming from Russia. There is some evidence that CDN “geoblocking” has affected Russian sites. It is documented in an excellent paper published in 2018 that discusses geoblocking and economic sanctions in CDNs by validating the observations through Cloudflare. But sanctions might affect CDNs and Internet traffic beyond geoblocking. 

In this blog I will provide an analysis of how sanctions may affect Internet traffic. These sanctions have been affecting Internet traffic from countries such as Iran, Cuba, Syria and Russia for a while. 

What is a Content Delivery Network?

A CDN is a system of servers located around the globe that facilitate website performance by delivering the content from the closest servers to the users. It provides various services that affect global connectivity through website operators, IXPs, ISPs, web browsers and others. There are different business models that CDNs use and the differences are important in how sanctions affect their services so all the issues I am raising here might not apply to every CDN. 

Content Delivery Networks or CDNs help generally with Internet performance by keeping Internet traffic contained within a geographic area or network. They often also provide security services (by combating DDoS attacks, for example).  CDNs are very often used by even relatively small website operators. Some of them also provide DNS over HTTPS (DoH) resolution services. They are also often used to make mobile apps work quickly and to provide large-scale software distribution (such as when an operating system update becomes available).

It is important to understand that the consumers of CDN services are ordinary users of the Internet, but that those users are not customers. The customers of CDNs are the website operators, software publishers, and so on who pay the CDNs to distribute content. CDNs nevertheless can have an effect on ordinary Internet users. So, we should examine how CDNs might affect various people around the world.

Not serving people in sanctioned countries at all

It is well known to residents of sanctioned countries that some of the cloud services and CDNs based primarily in the US do not directly serve these residents either as customers or as ordinary users. There was, in fact, an outcry about AWS not serving developers from Iran in 2019. Amazon responded about not providing web services to Iranians:

“We comply with all applicable laws in the countries in which we operate, including any international sanctions and other restrictions that may be in place for certain countries,” an AWS spokesperson told Al Jazeera in an emailed statement. “Because Iran is subject to broad trade restrictions, limiting virtually all business with Iran, we do not serve customers in that country.”

It is not true that sanctions limit virtually all business with Iran and sanctioned countries. Sanctions don’t apply to noncommercial and personal communication. But this over-compliance with sanctions can be observed in many places, and affects not only CDN customers but even ordinary Internet users.

Peering policy and sanctions

CDNs generally benefit from peering, and many of them maintain an open peering policy (Cloudflare is one example). An open peering policy means that any other network can peer with the open peering network, normally without any monetary cost. But while open peering generally includes any network, it does not mean that networks based in sanctioned countries are not affected by the sanctions. In Cloudflare’s case, for example, if peering is also deemed to be a “transaction”, then sanctions might well affect them. Cloudflare’s policy on peering and sanctions is silent as to their view of these kinds of sanctions, but their policy, while allowing open peering, also allows them to restrict peering or not peer when they desire to do so.

Enabling customers to block access to sanctioned countries

CDNs allow their customers to decide “what content” is served to “which users”. In effect, website operators use the geoblocking features to prevent serving users merely because they are based in a certain country. Often, this is used to enforce various content licenses or to conform to distribution restrictions, such as when a video is available in one country but not another. Sometimes, however, site operators use geoblocking to withhold all content from users in sanctioned countries. It’s a blanket compliance with sanctions that is probably not even required by law. But when users are considered as “legal risks” because of their location, then this discriminatory practice is justified internally. Website operators have already been discriminating based on geographical location for years, including against users in Russia.

Content Delivery Network not serving a certain region or country

A CDN can decide not to serve a country or a region at all because of sanctions. So, it might adopt a policy, for example, not to allow its DoH resolvers to serve IP addresses based in Russia. This would mean that, for example, if a web browser uses the DoH resolvers of that CDN, users of that browser based in sanctioned countries won’t be able to look up any website in it without reconfiguring the browser.

Domain and website operators

Cloudflare offers a free tier customer account that helps with better access to services that are not large enough to afford full paid service. Residents of sanctioned countries might use these services (especially since they are free). However, these customers might want to hide their origins so as not to be blocked from the service, and might therefore use various VPNs to hide their actual origin IP address (because they can otherwise be blocked). But this technique also effectively moves the customer’s geolocated IP address, so such customers might also not be served with the most efficient routing service. For example, if Cloudflare thinks a connection is coming from North America, it is likely to use a North American server to answer queries. In reality, the customer might be in Russia. As a result, the website might load at a lower speed for the Internet user.

Internet, sanctions and global connectivity 

When it comes to compliance with sanctions, many industries over-comply. Services and products related to the Internet, be it the New gTLDs, Content Delivery Networks or other services, are not exempt. But over-compliance with sanctions at the Internet infrastructure level can have a devastating effect on ordinary people’s access to the Internet while not having the optimal deterrent outcome on States and their decision-makers. Perhaps we need to rethink the sanction regime for the Internet to keep the Internet global and open, facilitate free flow of information and discuss meaningful remedies during wars and conflicts.

 

Internet Governance Revenge Fantasy or Helping Ukraine?

To the Internet community:
We must empower Ukraine to operate and defend itself on the Internet, and stop arguing over dubious actions against Russia that don’t even affect the perpetrators of this war—the Russian ruling party.
In this blog, I will tell you why many of the ideas about limiting access to Internet infrastructure in Russia won’t work and won’t be effective.

1. Taking the Country Code Top Level Domain (ccTLD) .RU down
In a letter, the Government Advisory Committee Ukraine representative at ICANN has asked ICANN to remove .RU (Russia’s ccTLD) from the root zone. This means that any of the second level domains in that space (example.ru) won’t be accessible. This is a bad idea:
- This does not help Ukraine’s Internet in any way. Russia is not undertaking the cyberattacks through .RU.
- Ordinary people and institutions that run their domain names in that space will lose access.
- Those who have the economic power (e.g. the government and the oligarchs) can register other second level domains while ordinary people with established businesses might have less access to alternatives.
- It sets a bad precedent that can affect future ICANN actions. If ICANN takes action, it should also take action when there are claims against other ccTLDs. The precedent, for example, can help those who claim a ccTLD is an asset and have a writ of attachment against it to attach that ccTLD.

2. The Autonomous Systems: let’s not respond to the Russians
When ISPs and Internet Exchange Points and other network operators want to talk to each other, they talk through Autonomous System Numbers (ASNs or ASes). ISPs on the RIPE mailing list were discussing whether they should respond to announcements coming from Russian ASes. Remember that these ASes connect people to the global Internet. So, if network operators don’t respond and connect—if these Russian ASes are “shunned”—the shunned ASes will be effectively cut off. Remember, the Internet doesn’t work like a telephone system: sometimes ASes get their connections through connecting to ASes in other countries. It is not all territorial. It is also not so clear-cut to understand which AS is run by the government and which is run by others. And governments, especially autocratic ones, try to have a hand in every private affair. Also, not all parts of the government are providing services in favor of war against Ukraine. Some provide critical services to the population, and they do interconnect with networks outside of Russia to provide those services.
Removing Russian ASes (that in itself is a debatable concept) from the routing table only makes it less efficient for these ASes to communicate. It is unlikely to create a disconnection. It only creates latency for ordinary people who connect through the ISPs.

The RIPE NCC Executive Board announced that it will not take any action in this regard. Note that the community can take some collective action on its own, but the RIPE NCC Executive Board as an institution announced that it will not take any action.

3. Root servers  
The Ukrainian GAC member to ICANN requested removal of Russia-located root server instances. ICANN, which operates the “l” root server cluster, has a few root server instances in Russia. So do some other root server operators, and ICANN cannot control them. Even if ICANN shuts down its root servers, other actors’ root servers can effectively be used. Shutting down the root servers is in any case also not an effective way to disconnect, since Internet service providers in Russia can get access to the root zone in other ways and find other ways to connect. More importantly, in no way does removing root servers from Russia help Ukraine not to be attacked or to have better access to the Internet.

Effective sanctions and punishment can work and should be used to stop the perpetrators of this war. We should wake up from this Internet revenge fantasy that does not help anybody! Instead, let’s help Ukraine’s interconnection and access to the Internet. This is not the time to try and prove our “theoretical” ideas might have some merit!

.ONEWORLD .SOMEINTERNET: New gTLD registries and sanctioned countries

Imagine that you run an organization out of a building. Imagine that the landlord comes one day and says, “Oh I didn’t know you are a resident of country X or dealing with anybody from country X. I have to close this place down right now.” And then you are done. You don’t have an organization anymore. 

This very scenario happens on the Internet. Residents of sanctioned countries cannot register a domain name in some new generic top-level domain space. These new gTLDs (like .MARKET) do not serve residents of sanctioned countries and if the registry finds out that a domain name registrant is domiciled or serves residents of sanctioned countries, the registry will inform the registrant and suspend their domain name.

You might argue that displacement of this sort happens every day in this world, not just on the Internet. That might be true to a certain extent, but it is still a discriminatory practice. Also, what happened to our “one world one Internet” and “Internet is for everyone” values? Confiscating people’s domains merely because of their nationality goes against the values of the Internet we cherished. But there are solutions to overcome this injustice, if only Internet governance institutions and actors truly want to uphold the value of global interconnectivity. In this blog, I will tell you how we can uphold those values. 

Whose access? 

Note that in this blog and wherever else I talk about sanctions and access, I do not mean at all those entities and individuals that can be found specifically named in lists such as the US OFAC’s specially designated nationals list or similar. I restrict this discussion to the access by the ordinary residents of sanctioned countries. These are people and organizations that are deprived of access merely because of their nationality or place of residence, and not entities and individuals mentioned in designated sanction lists.

A background

Readers of this blog are probably familiar with ICANN, but it’s worth a quick recap. The Internet Corporation for Assigned Names and Numbers coordinates the development of policies around allocation and assignment of domain names at the top level of the domain name system (the “root zone”). One of its core commitments is to provide global interoperability and global coordination (See ICANN Bylaws). While ICANN does not have a direct authority over what is happening outside the root zone, they sometimes have policies that affect things outside the root, because they impose those policies as a prerequisite for permitting entry in the root. For many years, the Domain Name System root (the top-most part of the domain, like “com” or “org”) was stable, but starting in 2001, ICANN started making it bigger. This gathered speed in 2012 with the main round of “new gTLDs”. The new gTLDs had a community developed guidebook that came up with some restrictions and policies about names such as geographic names, names that targeted a certain community, brand names and others. If this seems arcane, it all becomes relevant below. 

Why do sanctions affect access to register domain names? 

ICANN is incorporated in the US and is bound by US jurisdiction, so it must also comply with US laws. But contrary to common beliefs, it does not seem that ICANN’s incorporation under US jurisdiction causes these problems on its own. The problems (to my knowledge) are:

  1) There is inefficiency in applying for and receiving a license to provide services to sanctioned countries;

The Work Stream 2 (WS2) on Accountability working group recommended to ICANN in 2018 to start applying for an OFAC license (after some risk analysis). The license would not have solved all the problems, but at least we would have had clarity on what problems might lie ahead. ICANN has not started implementing most of the work stream 2 on accountability recommendations since 2018. 

  2) One of ICANN’s new gTLD policies creates a direct relationship between registrants and registries. The policy might make the registries liable and increase their risk.

This policy is called Specification 12. It addresses “community” new gTLDs, and it creates a direct oversight role for the registries to ensure they enforce certain conditions on the registrants. Such conditions can include certain eligibility criteria, name selections, and content and use restrictions. (See .RADIO’s agreement for an example.) Because of this direct role, many registries that have adopted Spec 12 prohibit their registrars from serving sanctioned countries. 

When doing research about sanctions, one might form the impression that the sanctions would only affect registries that are based in the US and have to follow US OFAC restrictions. This is, however, not the case. Registries that have adopted specification 12, even in a non-US jurisdiction, over-comply with OFAC. For example, .ASIA’s  Paragraph 11.1 (A) of End User agreement requires each registrar to warrant that it is not “directly or indirectly in or from any country that is subject to comprehensive U.S., EU and or UK export or sanctions restrictions (currently including but not limited to Iran, Sudan, Syria and North Korea)”, “nor [that the registrar] intends to transmit or sell domains to such countries unless specifically licensed for such export.”

  3) Registries’ internal policy 

It is possible that a registry not bound by Spec 12 still adopts a risk-averse policy to avoid transacting with residents of sanctioned countries. The rationale seems to be similar to other tech-companies’ rationale when dealing with sanctions: it is simply too expensive to risk getting fined by OFAC, and it is simply too complex to apply for a license. Even if a firm such as a registry applies for a license, third parties will rarely serve the firm’s customers because the third parties also comply excessively with sanctions. 

The solution?

It seems like the solution lies in discarding Spec 12. This clause in a way is against ICANN’s mission, which is to ensure interoperability of the DNS globally and coordinate the allocation at a global scale. Note that it needs to coordinate the allocation at a global scale, not to eliminate allocation of some domains to facilitate coordination.

Another solution is for ICANN to implement the WS2 on Accountability recommendation, undertake research and apply for an OFAC license. 

When it comes to registries, all we have left is to raise awareness about the issue, and in some instances try and apply for OFAC licenses to pave the way, thereby easing sanctions on ordinary people who live in or are from sanctioned countries.

Plans for the new year: defeating Digital Perseus

I officially launched Digital Medusa in September 2021. It has been challenging but also very fulfilling, and any step towards defeating digital Perseus is worthwhile. Below, I summarize some of what Digital Medusa has done over the past four months and a limited list of what will happen in the new year:

Social Media Governance 

  1. I joined the co-chairs of the Christchurch Call Advisory Committee, a civil society group that advises the New Zealand and French governments on the Christchurch Call commitments, which aim to moderate terrorist and violent extremist content.
  2. We (Jyoti Panday, Milton Mueller, Dia Kayyali and Courtney Radsch) came up with a framework for analyzing multistakeholder governance initiatives in Content Governance. The framework will be published as a White Paper of the Internet Governance Project. Let us know if you have any comments.
  3. I joined a panel of the Paris Peace Forum on Christchurch Call. Read all about it. Watch.
  4. My research on Telegram governance became more popular after the Capitol riot in January 2021. A NYT piece mentions my research.
  5. I found an amazing network of people who work on prosocial design. Prosocial design and governance are alternative approaches to heavy content moderation and punitive measures for platform governance. We plan to discuss prosocial governance more in 2022. 

Internet Infrastructure

  1. I joined a group convened by Mark Nottingham to discuss how legislative efforts can hamper interoperability of the Internet, and the available remedies. 
  2. Because of the Taliban reign in Afghanistan, I wrote about how sanctions will affect Afghanistan’s access to the Internet. We also had a webinar (thanks to Urban Media Institute) with the Afghan colleagues to discuss the developments and setbacks. The video will be available on this website.
  3. Fidler and I published an article in the Journal of Information Policy about Internet protocols and controlling social change. We argue that to understand Internet protocols’ effect on society we need to put them in context. Implementation matters, and making Internet protocols aligned with human rights without considering context might not bring the social change needed. A lot of discussion went on about this paper on the Internet History mailing list, and there are some very interesting insights (the thread is filled with ad hominem attacks against the authors, but even those attacks are good anthropological research materials).

What will happen in 2022?

  1. I am helping draft an Internet Governance syllabus that the community can use to convene Internet governance schools and trainings. I am doing this work for the Internet Governance Forum, and it will be in a consultative manner. The plan is to come up with a global syllabus, including core modules but also modules that are elective. There will be a lot of focus on what Schools on Internet Governance (SIGs) do and helping developing countries to more easily convene schools and training on Internet governance. 
  2. Digital Medusa will do more vigorous research about sanctions that affect access to the Internet.
  3. Along with the Christchurch Call Advisory Network members, Digital Medusa is planning to be very active and find effective ways to contribute to CCAN and the Christchurch Call community. 
  4. Digital Medusa will undertake research and advocate for prosocial governance instead of just focussing on “content moderation” in Social Media Governance.

Digital Medusa, for now, includes my (FB) activities. Hopefully, in the new year we can go beyond one Digital Medusa and attract more partners. 

Happy new year to all! To a year with fewer Digital Perseus moments and fresher digital governance points of view.

Peripeteia with a song: Afghanistan’s access to IP addresses

As I mentioned in the two previous posts about .AF and generic domain names, sanctions might affect Afghanistan’s access to Internet infrastructure. In this last part of the trilogy, I am going to discuss Afghanistan’s access to Internet Protocol addresses. As a concluding remark, I invite all of us (the Internet community) to address these hurdles to the global Internet more systematically.

Part III: Afghanistan’s Internet Protocol Addresses 

Computers on the Internet address each other through long strings of numbers. Those numbers are Internet Protocol (IP) addresses and Autonomous System (AS) numbers. Sanctions that curtail the distribution of IP addresses might have a much bigger and deeper effect on Afghanistan’s access to technology and the Internet than any sanction on, for example, domain names. When a domain name goes offline, you can’t get to resources in that domain name, but the computers affected can still get out to the Internet. If IP addresses are removed, then the computers using them do not work on the Internet at all, which means whole Internet Service Providers can be taken offline.

IP addresses are assigned to those requesting the addresses in blocks. The block assignments are managed by Regional Internet Registries (RIRs), who work in different geographic regions of the world: ARIN for North America and the Caribbean, LACNIC for Latin America, RIPE NCC for Europe and the Middle East, AFRINIC for Africa, and APNIC for Asia-Pacific.  Each of these organizations has a legal corporate existence somewhere. The party who receives the assignment is usually called a Local Internet Registry or LIR.

Suppose that the Taliban are the government of Afghanistan and the entire country comes under economic sanction from other countries. In that case, it may be challenging for an RIR (in this case, APNIC) to deal with people inside Afghanistan. We have seen this already in the RIPE region, which includes Iran and Syria.

RIPE NCC has been dealing with political and now bigger legal problems, because it serves countries sanctioned by the government of the Netherlands. RIPE NCC is an association under Dutch law, and so it has to obey sanctions under those laws. That is bad news for Internet operations in Syria and Iran.

APNIC is incorporated in Australia, so it needs to follow Australian laws. If the government of Australia (or the UN Security Council) decides to impose sanctions against Afghanistan, then APNIC will be restricted in the services it can provide to entities in Afghanistan. So, entities in Afghanistan seem likely to have a hard time getting new blocks of IP addresses, and it is even possible that the maintenance of existing blocks could be affected. You can see from this list that Australia already has sanctioned the Taliban when they were in power (or followed the UN rules about that), and in the past had even sanctioned ministries (commerce and agriculture for example).

To clarify the issues APNIC might be grappling with in the future, it helps to break down the nature of services that APNIC offers to the Local Internet Registries:

–  Membership contract: the RIR signs a contract with the LIR and charges it an annual fee. This relationship might be categorized as “transactional”. Transactional relationships, especially when banks are involved, are likely to be subject to sanctions.

–  IP addresses as assets: the UN sanctions against the Taliban include a list that imposes sanctions on the assets of some Taliban entities and individuals. If IP addresses can be categorized as assets, then according to the sanctions’ rules APNIC has to freeze them (repossess them in this instance). RIRs generally try to treat IP address assignments as something other than assets. Courts have not always followed that lead, and there is a robust “secondary transfer market” in IPv4 address space.

–  Maintaining registration of IP addresses: it is unclear whether maintaining the registration counts as providing services and is therefore affected by sanctions. Since maintenance of registration requires some sort of financial and membership relationship, it may well be classified as an ongoing service and affected by the sanctions.

There are ways to resolve these problems through, for example, asking the UN to delist entities that are not terrorist organizations anymore. The Australian government also allows applications for a permit to serve those countries. Yet even a permit from Australia or being delisted from the UN sanction list might not fully solve the problem. The location of APNIC might not shield it from difficulty if the US decides to impose sanctions independent of any other country (and the Taliban is already on the sanction list). Unfortunately, the US sanction system affects a host of intricate networks, from banks to transactions with third parties. Many commercial parties are risk averse, and simply close their services to sanctioned countries’ residents even when sanctions do not apply to those residents. It is entirely possible that banks won’t allow transactions with Afghanistan, because no bank in the world can afford to forego operations in the US.

There are other third-party problems that might arise. For example, the IP addresses could be reallocated to sanctioned entities via third parties. This is much like working with informal financial organizations that facilitate the transfer of money from sanctioned entities. One answer to this might be that APNIC will not be responsible for third-party action, but successful investigations might oblige APNIC to repossess the registered IP addresses.

Concluding remarks:

We have known about the problem of sanctions and how they affect access to Internet infrastructure for many years. But we have never addressed it systematically. Neither have we tried to create a coalition that can help to ensure all people’s access to infrastructure. We need a holistic plan to work with governments in order to overcome these risks, perhaps through granting of general licenses or through transnational solutions. What we must not do is solve these issues one by one anymore.

Tragedy part II: the fate of .AF

In the last post I discussed Afghanistan’s access to generic domain names. In this post, I will talk about how the Taliban takeover can affect access to .AF, Afghanistan’s Country Code Top Level Domain Name. 

Country code TLDs (or ccTLDs) were originally assigned on the basis of an International Standards Organization (ISO) standard, ISO 3166. The Internet Assigned Numbers Authority made this decision before ICANN came into existence. The idea was that there was already an existing process in the world that decided what a country was and how it should be identified, so the Internet community did not have to solve that problem. A few years ago ICANN extended the meaning of ccTLD to include internationalized versions of country names (that is, labels that are written in characters other than the ASCII that ISO 3166 uses). Those assignments still rely on the existence of an entry in the ISO 3166 standard, however. The country code TLD for Afghanistan is AF.

One interpretation of ICANN policies is that sanctions will not affect the ccTLDs, therefore they might not affect the redelegation of .AF. In delegation and redelegation of ccTLDs, ICANN has traditionally maintained a neutral role, and it normally does not adjudicate directly. It prefers to rely on decisions made by local actors. IANA resolutions that declare the delegation or redelegation of a ccTLD are generally rubber-stamping local decisions. IANA has a standard process for this, documented at this link. It does have certain requirements that might not be purely technical (for example, it requires multi-stakeholder support for the redelegation), but it does not proactively negotiate with the parties or facilitate the redelegation. Sometimes if it cannot evaluate the multistakeholder local support, it still goes ahead with the approval of the delegation. Over the years, the operators of ccTLDs ensured this neutrality and hands-off approach so that ICANN and its Government Advisory Committee would not get too involved in delegation and redelegation decisions. Given that the Afghan Ministry of Communications runs the .AF registry, if the Taliban takes over the ministry of communications, there is a possibility that they will thereby receive control of .AF. 

It is also possible that, even if there is a legal dispute against Afghanistan in the US, .AF won’t be affected. There is jurisprudence about the delegation of ccTLDs. Once, in the US, terrorist victims wanted to attach .IR to the victims as an Islamic Republic asset, but the court ruled against the attachment (see Weinstein v. Islamic Republic of Iran et al., No. 14-7193 (D.C. Cir. 2016)). Also see the Mueller and Badiei paper about the attachment of .IR.

There are, however, other scenarios to think about:

Issue 1: If the operator of .AF is on the Specially Designated Nationals (SDN) list, the legal arguments that worked to protect the .IR operator might not work in this case. At the time of the court ruling, the Iranian registry operator was not on the SDN list. It is unclear whether the .AF operator will be on the SDN list. But if the Taliban operator is on the SDN list, claimants can use it as a legal argument in court to remove the delegation of .AF. However, it is unclear whether the court would admit such an argument.

Issue 2: If there are technical issues or a redelegation request does not provide ICANN with the correct documentation, it is possible that .AF goes dormant, i.e. no one will operate it. In fact, .AF went dormant between 2000 and 2003. In several cases ICANN has not delegated or redelegated ccTLDs due to incomplete requests or simply because there was no local person who responded to ICANN and provided documentation. For example, it was not until 2007 that ICANN assigned North Korea’s ccTLD. Their application in 2004 was not complete. In 2007, a German affiliate of the Korea Computer Center submitted a request for delegation which the Board decided to approve.

All in all, even when it comes to ccTLD redelegation, which is supposed to be a more or less straightforward process, the situation is complicated and .AF’s fate is unknown.

In the next and last part of the trilogy, we will discuss Afghanistan’s access to Internet Protocol addresses.

A Trilogy: the tragedy of Internet infrastructure in Afghanistan

The US and other countries have imposed economic sanctions against certain target countries, such as Syria and Iran. These sanctions have had negative consequences for access by the residents of those target countries to a variety of Internet services. Over the years these sanction laws have been applied to the Internet more fiercely. The dream of an open, interconnected Internet is fading. Now that the head of the newly established Taliban government is on the UN sanction list, it seems likely we are going to add another sanctioned country to the list: Afghanistan.

There are a few infrastructure elements in Afghanistan that sanctions can affect: generic domain names, country code domain names, and Internet protocol addresses. I will cover these areas in three different blogs. For now, we can talk about what will happen to access to Generic Top-level Domain Names.

Part I. Generic Top-level Domain Names 

The Internet uses a system called the Domain Name System (DNS) to make things on the Net accessible to humans. (If you are reading this blog, you likely already know this, but I’ll include it for completeness.) Computers on the Internet address each other through strings of numbers, which are hard for humans to remember. So, for convenience, the DNS maps those numbers to easy-to-remember names like “digitalmedusa.org”. The DNS is hierarchical, so that different people can administer different parts of it. Each “dot” in a domain name is a place where a new person can take over administration in a new “zone” (this is optional, not required). The part at the end (each part is called a “label”) is called a “top-level domain name” because it is at the “top” of the hierarchy. Because on the Internet nobody likes to speak in words when a bit of jargon can make things harder to understand, “top-level domain name” (for example .ORG) is usually shortened to “TLD”.  All the TLDs are in a special zone called the root zone, and this zone is administered by the Internet Corporation for Assigned Names and Numbers, or ICANN, as one of the functions of the Internet Assigned Numbers Authority (IANA).  ICANN is incorporated in the US, which is significant for this topic.

Generic domain names are domain names that are not assigned on the basis of country. Some have been around for a long time, such as .COM. Others are pretty new, such as .MARKET. While the original TLDs were created before ICANN came into being, the new TLDs were all created according to ICANN processes.  Those processes imposed common contractual terms on the registry operators, as well as on the accredited registrars for registering names beneath these TLDs.

Afghan domain name registrants will most likely face the same problems people in Iran and other sanctioned countries face. These are problems that I elaborated on some years ago, such as confiscation of a domain name, forcing a well-established business to move, or just ending the domain name with no proper notice. New generic domain registries often have a direct relationship with the registrants, and so have to apply sanctions to those registrants. Sometimes the legacy domain names (such as those ending in .COM) are also taken down through court order.

Unfortunately, due to what might be called private sector over-compliance, the issue is not just limited to the US government block list (or specific sanctioned entities and individuals). Businesses are so risk averse that they don’t even give a chance to normal people living in sanctioned countries to operate their domain names.

Who is going to be cautious from now on dealing with Afghan residents? .NGO, .ACADEMY, .MARKET and a whole host of registrars.

We could have solved this problem by receiving a license from the Office of Foreign Assets Control (OFAC). But unfortunately, many actors I have talked to pass the ball to someone else until it finally gets to ICANN. We asked ICANN in a consensus report to file for a license a few years ago, but nothing seems to be happening on that front.

This was the first part of the trilogy. Next time we will talk about the fate of .AF.

Farzaneh Badii

US tech sanctions leave all Iranians in the dark

“Sanctions on digital products and services make the ‘foreign enemy’ syndrome more severe and a more effective tool for isolating the country even further. It is the foreign enemy that doesn’t want you to talk to your kids abroad on Google Talk, it is not the government,” said Farzaneh Badiei, director of the Social Media Governance Initiative at Yale Law School.

“Another problem is these kinds of sanctions legitimize the concept of a national internet. The government can argue that we need to be able to assert sovereignty over the internet so that we’d be self-sufficient and not need them. In reality, they want to create a national internet so that civil society’s access to a global internet diminishes,” she told Asia Times.

Kurosh Ziabari

Asia Times

About The Author

Farzaneh Badii

Digital Medusa is a boutique advisory providing digital governance research and advocacy services. It is the brainchild of Farzaneh Badi[e]i. Digital Medusa’s mission is to provide objective and alternative digital governance narratives.