digital medusa logo

Peering and Sanctions

Farzaneh Badiei and Angie Orejuela

When individuals want to use services on the Internet—for example, browse a website or send an email—various networks handle these requests. The requests go through networks in the form of packets, and that makes up what we call Internet traffic. Network operators are in charge of carrying this traffic. Through Internet peering, networks agree on helping one another to handle the traffic.
Economic sanctions can potentially impact actors involved with Internet peering. In this blog, we outline the potential impact of sanctions on Internet peering and the various actors involved. This piece is a work in progress, and as a part of the SancNet project, we are always open to feedback, corrections, and additions. A link to an online form for feedback can be found here and in the concluding remarks of this blog.

Revocation of membership from Internet Exchange Points/De-peering
When specific sanctions apply to individuals with formal roles in telecommunication services (for example, the CEO of a telecom operator), the Internet Exchange Point subject to the sanctions regime in question, will have to terminate the network operator’s membership. This‌ can have the following consequences:

  • De-peering has consistently been recognized as an extreme step, as it means customers might not reach specific sites on the Internet. (Werbach, Kevin. “Only connect.” Berkeley Tech. LJ 22 (2007): 1233.)
  • If the network operator is large and serves smaller network operators, those network operators are also affected. This will affect the quality of access and create latency. Some argue (as reported in  Russian state-owned media) that it does not impact their services. Such network operators claim they can have access to global traffic through Asia. But there are restrictions. For example, it is difficult to peer with Chinese operators due to their domestic restrictions on Internet traffic.
  • Network operators that are sanctioned might carry Internet traffic of other non-sanctioned countries. In such a case, the sanctions (and revocation of membership from IXPs) can affect other network operators based in other countries.
  • When revocation of membership from a well-established Internet Exchange Point happens, the individual members of that exchange point will likely stop peering with the sanctioned network bilaterally.

Peering and Sanctions in the US and EU
In the US, the Office of Foreign Assets Control (OFAC), in its FAQ, has clarified that sanctions in case of peering do not apply to the Cuban telecommunication operator. This is because of a specific regulation that authorizes “the exportation, reexportation, directly, or indirectly to Cuba of services incident to the exchange of communications over the Internet.” (31 CFR (Electronic Code of Federal Regulation) § 515.578 Exportation, reexportation, and importation of certain internet-based services; importation of software.)

For peering and transit in the EU, some advocated an “Internet carve-out” from EU 269/2014 that would blunt the effects on the Internet. The council adopted an amendment decision and inserted Article 6c, which provides that

“Article 2 shall not apply to funds or economic resources that are strictly necessary for the provision of electronic communication services by Union telecommunication operators, for the provision of associated facilities and services necessary for the operation, maintenance and security of such electronic communication services, in Russia, in Ukraine, in the Union, between Russia and the Union, and between Ukraine and the Union, and for data centre services in the Union.”

While some interpretations might make this amendment applicable to peering, other perspectives might differ. Legal counsels might argue that this Internet carve-out is not specific enough to include all the services, including transit and peering. Also, because peering usually involves many jurisdictions, providing carve-outs for just one or two countries (like the case of Cuba) or even a region does not solve the problem.

Cache Servers
Cache servers are a means by which much of the most popular content available on the Internet is always “close” in a network sense. These services enable the web, in particular, to satisfy enormous demands. Cache servers do not necessarily serve a peering function, but they are essential for cloud providers and peering locations, as well as for the quality of access to the Internet. They are even sometimes critical for having meaningful access to the Internet. A cache server temporarily stores information on a local network, making browsing faster. Cache servers are usually installed in data centers, ISPs, and peering locations. Trade restrictions, export, and import controls, and sanctions could impact the availability of these servers. There were two reported cases of Google shutting down its caching servers in two Russian ISPs. Google (reportedly) stated that the reason was a change in legal practices and compliance with sanctions. There are reports about Cache servers being unavailable in Afghanistan as well.

The Transborder Effect of Sanctions
Sanction regimes are designed in a way that could impact and apply to third parties that are not in sanctioned and sanctioning jurisdiction. This can especially apply to network operators that are located in areas with neighboring sanctioned countries.

Concluding Remarks
These are only a few preliminary and potential findings about the effect of sanctions on the operation of Internet Exchange Points and the provision of peering. If you would like to reach out and tell us about the problems you have faced, please do so by filling in this form. You can remain anonymous.

Sanctions and the Internet: Project Update 

Farzaneh Badii, Angie Orejuela


A few months ago, RIPE NCC announced that they have commissioned Digital Medusa to undertake a research project based on the issue of sanctions and the Internet. We aim to include the RIPE community for consultative insights that the design of the projects will benefit from. More details about SancNet can be found on Digital Medusa. This blog discusses the direction of the project and briefly discusses future endeavors. We welcome input on what can be added or redirected in this study. We will also do a presentation about the project next week during a BoF session in Belgrade, Serbia. We look forward to seeing you in person or online. The session will take place on Tuesday, 25 October, from 17:30 to 18:30 (UTC+2).
To date, we have been conducting mixed research methods for the project. These include desk research and interviews with industry, operators, and policy actors. We plan on undertaking 10 to 15 interviews, and have completed 5 so far. If you want to talk to us about sanctions and their impact on your work, please reach out to Digital Medusa. In addition to conducting formal interviews, we hope to collect your feedback on the design and other aspects of the project.

Below is an outline of the work so far:


There are various types of sanctions that are usually imposed by nation states on specific nation states or certain activities (which includes sanctions on non-state actors). Sanctions include: trade restrictions (or more broadly economic sanctions), travel bans, the freezing of assets and arms embargoes. The focus of this research is strictly economic sanctions, because those are the primary kinds of sanctions that affect Internet resources. We also focus on access to critical properties of the Internet, specifically access to IP addresses. While we might learn from other compliance and policy practices related to other Internet services, our focus is primarily on access to IP addresses.

A brief history of sanctions related to the Internet

While the history of anything that can be called “sanctions” is long, the sanctions regimes that are common today derive mostly from ideas that emerged around the time of World War I and that were refined during the Cold War. The United States in particular embraced sanctions in an effort to confront political developments contrary to its interests and as an alternative to direct military engagement.
For better or worse, the Internet was largely designed to disregard jurisdictional borders. In keeping with that, nations and even regions were mostly ignored when allocating numbers and talking to other networks. Since the Internet Assigned Numbers Authority in particular (in the person of Jon Postel) was based in the US, this was a decision of some consequence, as every decade the US list of sanctioned countries expanded. It was not possible to have a global interconnected network based exclusively on US relations with other nation states. By 1990 it was already clear that handling all number registrations in a single registry was not able to keep up with the growth of the Internet, and the Internet Activities Board recommended to the US Federal Networking Council that mechanisms of delegation be embraced.  By 1993, the emergence of regional allocation authorities was already acknowledged, and by 1996 the use of Regional Internet Registries (RIRs) was already a best practice.
In the early to mid-90s, the Internet was still in its infancy, and in the US, it was not even clear that commercial traffic was permitted on the Internet (or the parts connected to the National Science Foundation’s NSFNet). Commercial pressures towards institutionalization were new, and organizations such as the RIRs had to feel their way through the implications of international sanctions regimes. Perhaps the regional division also made it easier for these organizations not to be affected by sanction regimes they were not based in. This, however, did not last long. By the end of the 90s and especially after 9/11, the US sanction regime underwent an evolution. The US Treasury office redesigned the system so that the private and especially the financial sector globally became entangled with the US sanction regime. Read Treasury’s War: Unleashing of a New Era of Financial Warfare by Juan Zarate to know more about that development. Later on, the EU and Australia also put in place their own sanction regimes.
The twin pressures of simultaneous expansion of the Internet, and the expansion of various sanction regimes, meant that inevitably the allocation of Internet resources became subject to sanctions. This sometimes happened directly, as RIRs were unable to provide services to sanctioned countries or persons. It sometimes happened indirectly, as the financial services necessary to pay Internet registries’ service fees were unavailable. It also affected the development and partnership of network operators.

Sanctions Timeline

This timeline is a work in progress. It is evolving as we continue our research and it is not fully representative of all the sanctions instances. We very much welcome your feedback on the timeline as we would like to present something comprehensive and more global in nature at the end of the research project. Click here for the PDF version.

Effect of sanctions on the operation of Regional Internet Registries

Legally, whatever can be categorized as a “transaction” may be subject to sanctions. RIRs’ services can be affected because of the jurisdiction in which they are located as well as third-party service providers’ jurisdiction. At a minimum, the following can be affected:
Inter-RIR transfers
Transfers can be recognized as a transaction and since IP addresses are economic resources, then transferring IP addresses from one RIR to another might face issues because of sanctions.
Payment systems
Payment systems such as banks, credit card companies and financial entities may not provide services to entities that have members from sanctioned countries, refuse to provide service to those members directly, or both.
Software providers
Software providers that RIRs procure to provide services such as dual factor authentication might refrain from providing their services to members from sanctioned countries.

RIRs New membership, assignment, allocation or transfer requests (including End User requests)

RIPE NCC has been clear about the need to undertake due diligence in case of several services that it provides to the members, namely new membership, assignment, allocation or transfer requests.

Inequitable access to number resources because of indirect consequences of sanctions

Using compliance processes, RIRs can do the minimum to stay in compliance with sanction regimes and provide their services legally to the sanctioned countries. However, there is only so much they can do compliance wise. When the impact of sanctions is indirect and entangled with other industries, then inequitable access to number resources might emerge. The inequitable access can happen because nationals of sanctioned countries (that are not themselves the target of sanction regimes) might not be able to register new number resources because banks are not willing to facilitate their transactions. The issue goes beyond that, sometimes countries that are not sanctioned but are transacting and sharing IP blocks with sanctioned countries might be affected as well.

Impact of sanctions on network operators

This category of impact on Internet resources goes beyond RIRs’ mandate but affects the communities RIRs serve. Most network operators want to connect indiscriminately and based on technical considerations such as overcoming latency and not based on nationality, creed, or related matters. It is this value of global interconnectedness that made the Internet global. However, network operators are also institutionalized, and many cannot simply connect with other networks without considering sanctions. Besides, sanctions might impact peering and collaboration among ISPs and Internet Exchange Points. This was evident in the case of Serbia in 1998 and then Cuba. American sanctions against Cuba (combined with restrictive national Cuban measures) stifled the development of networks in that country for a long time. Network operators might also be impacted in “sanction-locked” countries. Countries surrounded by sanctioned countries especially might be impacted because the network operators in sanctioned countries cannot peer with others effectively.

Current and future policy solutions. Tell us what you think

Our study so far has highlighted the following policy solutions to maintain the Internet global and interconnected. At this stage, we are only briefly mentioning each, it is by no means exhaustive and we can change the list based on your feedback. If you would like to add to the list please contact us.

A balanced, transparent compliance process: RIRs (specifically RIPE NCC) have been transparent about their compliance process and the initiatives they took to comply with sanctions but, at the same time, not affect access to IP addresses. However, there are shortcomings in compliance processes in sanction regimes. The list-based approach (which is an effective compliance approach) has affected access to Internet services in the past for nationals of sanctioned countries. But they seem to be still fairer than blanket-blocking a whole country because of sanctions. Investigating various compliance solutions in this space might help with easing access to Internet resources.

Sanction waivers, exceptions and regulations for access to essential properties of the Internet: This is also another approach to seek some relief from sanctions when it comes to access to the Internet. We need to explore the effect of waivers and licenses on sanction relief. There have been some cases in the past where specific licenses and waivers have been obtained for certain services on the Internet which can help us understand how the processes work and how we can use these processes to successfully seek relief.

Convening intra-industry coalition to provide services to facilitate access to critical properties of the Internet: This suggested approach convenes the finance industry and other industries and organizations that have a key role in facilitating access to Internet critical resources to work on their compliance, obtain specific licenses if needed, and undertake other efforts of this nature to mitigate the adverse effect of sanctions on access to essential properties of the Internet.

Changes in governance structure of the RIRs: this might come across as controversial but needs to be discussed. RIRs are regional for historical reasons. If there were technical reasons to prefer geographic distribution rather than using some other criteria, those reasons are not clear in the historical documentation. In the future, should we consider changing RIR’s governance structures, or creating some Internet registries along non-regional lines to preserve access to Internet resources?

Arguing for a global Internet in international fora: another solution for the problem of sanctions would be to build on cyber norms, explore the humanitarian value of access to essential properties of the Internet and draw infrastructural analogies to argue for exemption of RIRs from sanctions in international fora. We will delve into this issue and identify the appropriate fora and the grounds for which there can be exemption or other avenues.

Planning for a public sanctions and Internet database

We want to encourage public accessibility of our findings and are creating a database of current regulatory frameworks, industry actors and approaches that could affect providing access to essential properties of the Internet. In the process of that, we will be identifying and mapping the actors that are involved in the field of sanctions and the Internet: for example we will list compliance regimes, sanction regimes, and different private and governmental actors that may have a role in affecting access through sanction regimes. We will also enumerate key industry actors and their compliance practices which could potentially facilitate or hamper access to numbers resources. We look forward to your feedback on the usefulness and design of such a database.

The Domain Name Multistakeholder Theatre

At the early stages of the Internet, domain names ( were the point of entry for the majority of people’s online presence. As a result the allocation of these domain names mattered for the Internet. The general public, using the Internet for personal growth and development and citizen journalism cared about their domain names. Small businesses cared as well about their domain name, if the amusing case of is any indication

1998 saw the creation of a new body that, at a high level, would govern overall the allocation of domain names.  It was called Internet Corporation for Assigned Names and Numbers, or ICANN. For the reasons outlined above, ICANN mattered a lot to the Internet, so its policies affected a large number of people on the Internet. 

That has changed. The Internet has developed such that, while the Domain Name System is ever more important to technical operation, the role of ICANN (while still critical) has been diminished. Most of the time, people’s point of entry to the Internet does not expose them to domain names anymore.* 

Despite this change, some at ICANN still believe that ICANN is in charge of security and stability of the Internet as a whole and believe there is much at stake at ICANN. They also believe that the multistakeholder model that ICANN runs can only be done through bloated layers of processes and bureaucracy. This was evident in the recent ICANN Hague meeting which happened last week. 

For any issue that ICANN has to deal with, it comes up with an elaborate process that involves a wide variety of stakeholders (though it is dubious what stakes some have) and a very detailed process that will take months to operationalize. This was obvious from the re-opening of the issue of Closed Generics, a term for an obscure operational wrinkle where allocation of generic names such as .books to corporations like Amazon is disputed.  While the policy development group did not come up with a resolution on Closed Generics, the Board (instead of making a decision) sent the issue back to the community to make a decision. The community obviously came up with an elaborate process of having a facilitator, a bunch of representatives and so on.  

The problem with having a multistakeholder theater is that it leads ICANN away from its important but narrowly-limited mission. There are a bunch of regulators around the world that want to see things are happening. If ICANN is not doing that narrow, limited mission that it has, then the regulators will regulate. So while it is very gratifying to be transcribed, have high level panels with distinguished stakeholders and talk about issues and reopen them many times, we might have an irrelevant multistakeholder body soon. 


*This might be anecdotal but a cursory look at the number of domain name registration (from Verisign report) is indicative of such change: “New .com and .net domain name registrations totaled 10.6 million at the end of the fourth quarter of 2021, compared to 10.5 million domain name registrations at the end of the fourth quarter of 2020.” we can compare this number to Facebook’s new users which is 500,000 every day., another reason might be that while apps and other Internet services use domain name system extensively, the general Internet user doesn’t use it directly.

Sanctions, Global Internet Connectivity and Content Delivery Networks

On Friday, Mykhailo Fedorov, Ukraine’s digital transformation minister, asked Cloudflare and Amazon to stop serving Russian web resources and protecting Russian services.

He said in a tweet that Ukraine was “calling on Amazon to stop providing cloud services in Russia.” He also said that “Cloudflare should not protect Russian web-resources while their tanks and missiles attack our kindergartens.”

Content Delivery Networks might already refrain from serving sanctioned countries, including Russia. However, sanctions that affect Internet traffic have been under-discussed for a long time. It is unclear so far the extent to which any sanctions have affected CDN services and traffic either destined for or coming from Russia. There is some evidence that CDN “geoblocking” has affected Russian sites. It is documented in an excellent paper published in 2018 that discusses geoblocking and economic sanctions in CDNs by validating the observations through Cloudflare. But sanctions might affect CDNs and Internet traffic beyond geoblocking. 

In this blog I will provide an analysis of how sanctions may affect Internet traffic. These sanctions have been affecting Internet traffic from countries such as Iran, Cuba, Syria and Russia for a while. 

What is a Content Delivery Network?

A CDN is a system of servers located around the globe that facilitate website performance by delivering the content from the closest servers to the users. It provides various services that affect global connectivity through website operators, IXPs, ISPs, web browsers and others. There are different business models that CDNs use and the differences are important in how sanctions affect their services so all the issues I am raising here might not apply to every CDN. 

Content Delivery Networks or CDNs help generally with Internet performance by keeping Internet traffic contained within a geographic area or network. They often also provide security services (by combating DDoS attacks, for example).  CDNs are very often used by even relatively small website operators. Some of them also provide DNS over HTTPS (DoH) resolution services. They are also often used to make mobile apps work quickly and to provide large-scale software distribution (such as when an operating system update becomes available).

It is important to understand that the consumers of CDN services are ordinary users of the Internet, but that those users are not customers. The customers of CDNs are the website operators, software publishers, and so on who pay the CDNs to distribute content. CDNs nevertheless can have an effect on ordinary Internet users. So, we should examine how CDNs might affect various people around the world.

Not serving people in sanctioned countries at all

It is well known to residents of sanctioned countries that some of the cloud services and CDNs based primarily in the US do not directly serve these residents either as customers or as ordinary users. There was, in fact, an outcry about AWS not serving developers from Iran in 2019. Amazon responded about not providing web services to Iranians:

“We comply with all applicable laws in the countries in which we operate, including any international sanctions and other restrictions that may be in place for certain countries,” an AWS spokesperson told Al Jazeera in an emailed statement. “Because Iran is subject to broad trade restrictions, limiting virtually all business with Iran, we do not serve customers in that country.”

It is not true that sanctions limit virtually all business with Iran and sanctioned countries. Sanctions don’t apply to noncommercial and personal communication. But this over-compliance with sanctions can be observed in many places, and affects not only CDN customers but even ordinary Internet users.

Peering policy and sanctions

CDNs generally benefit from peering, and many of them maintain an open peering policy (Cloudflare is one example). An open peering policy means that any other networks can peer with the open peering network, normally without any monetary cost. But while open peering generally includes any network, it does not mean that networks based in sanctioned countries are not affected by the sanctions. In Cloudflare’s case, for example, if peering is also deemed to be a “transaction”, then sanctions might well affect them. Cloudflare’s policy on peering and sanctions is silent as to their view of these kinds of sanctions, but their policy while allowing open peering also allows them to restrict peering or not peer when they desire to do so. 

Enabling customers to block access to sanctioned countries

CDNs allow their customers to decide “what content” is served to “which users”.  In effect, website operators use the geoblocking features to prevent serving users merely because they are based in a certain country. Often, this is used to enforce various content licenses or to conform to distribution restrictions, such as when a video is available in one country but not another. Sometimes, however, site operators use geoblocking not to serve any content to users in sanctioned countries. It’s a blanket compliance with sanctions that is probably not even required by law. But when users are considered as “legal risks” because of their location, then this discriminatory practice is justified internally. Website operators have already been discriminating based on geographical location for years, including against users in Russia. 

Content Delivery Network not serving a certain region or country

A CDN can decide not to serve a country or a region at all because of sanctions. So, it might adopt a policy, for example, not to allow its DoH resolvers to serve IP addresses based in Russia. This would mean that, for example if the Web Browser uses DoH resolvers of that CDN, users of the web browser based in sanctioned countries won’t be able to look up any website on that web browser without reconfiguring the browser. 

Domain and website operators

Cloudflare offers a free tier customer account that helps with better access to services that are not large enough to afford full paid service. Residents of sanctioned countries might use these services (especially since they are free). However, these customers might want to hide their origins not to be blocked from the service, and might therefore use various VPNs to hide their actual origin IP address (because they can otherwise be blocked). But this technique also effectively moves the customer’s geolocated IP address, so such customers might also not be served with the most efficient routing service. For example, if Cloudflare thinks a connection is coming from  North America, it is likely to use a North American server to answer queries. In reality, the customer might be in Russia. As a result, the website might load at a lower speed for the Internet user.

Internet, sanctions and global connectivity 

When it comes to compliance with sanctions, many industries over comply. Services and products related to the Internet, be it the New gTLDs, Content Delivery Networks and other services, are not exempt. But over compliance with sanctions at the Internet infrastructure level can have a devastating effect on ordinary people’s access to the Internet while not having the optimal deterrent outcome on States and their decision-makers. Perhaps we need to rethink the sanction regime for the Internet to keep the Internet global and open, facilitate free flow of information and discuss meaningful remedies during wars and conflicts.   


Internet Governance Revenge Fantasy or Helping Ukraine?

To the Internet community:
We must empower Ukraine to operate and defend itself on the Internet, and stop arguing over dubious actions against Russia that don’t even affect the perpetrators of this war—the Russian ruling party.
In this blog, I will tell you why many of the ideas about limiting access to Internet infrastructure in Russia won’t work and won’t be effective.

1. Taking the Country Code Top Level Domain (ccTLD) .RU down
In a letter, the Government Advisory Committee Ukraine representative at ICANN has asked ICANN to remove .RU (Russia’s ccTLD) from the root zone. This means that any of the second level domains in that space ( won’t be accessible. This is a bad idea:
-This does not ‌help Ukraine’s Internet in any way. Russia is not undertaking the cyberattacks through .RU.
-Ordinary people and institutions that run their domain names in that space will lose access.
-Those who have the economic power (eg.. the government and the oligarchs) can register other second level domains while ordinary people with established businesses might have less access to alternatives.
-It sets a bad precedent that can affect future ICANN actions. If ICANN takes action‌, it should also take action when there are claims against other ccTLDs. The precedent, for example, can help attach ccTLD to those who claim it is an asset and have a writ of attachment against a ccTLD.

2. The Autonomous Systems: lets not respond to the Russians
When ISPs and Internet Exchange Points and other network operators want to talk to each other, they talk through Autonomous System Numbers (ASNs or ASes). ISPs on the RIPE mailing list were discussing whether they should respond to announcements coming from Russian ASes.  Remember that these ASes connect people to the global Internet. So, if Network Operators don’t respond and connect—if‌ these Russian ASes are “shunned”— the shunned ASes will be effectively cut off. Remember, the Internet doesn’t work like a telephone system: sometimes ASes get their connections through connecting to ASes in other countries. It is not all territorial. It is also not so clear-cut to understand which AS is run by the government and which is run by others. And governments, especially autocratic ones, try to have a hand in every private affair. Also, not all parts of the government are providing services in favor of war against Ukraine. Some provide critical services to the population, and they do interconnect with networks outside of Russia to provide those services.
Removing Russian ASes (that in itself is a debatable concept) from the routing table only makes it less efficient for these ASes to communicate. It is unlikely to create a disconnection. It only creates latency for ordinary people who connect through the ISPs.

Ripe NCC Executive Board announced that it will not take any action with this regard. Note that the community can take some collective action on its own. But RIPE NCC Executive Board as an institution announced will not take any action.

3. Root servers  
The Ukrainian GAC member to ICANN requested removal of Russia-located root server instances. ICANN, which operates the “l” root server cluster, has a few root server instances in Russia. So do some other root server operators, and ICANN cannot control them. Even if ICANN shuts down the root servers, other actors root servers can effectively be used. Shutting down the root servers is in any case also not an effective way to disconnect, since Internet service providers in Russia can get access to the root zone in other ways and find other ways to connect. More importantly, in no way does removing root servers from Russia help Ukraine not to be attacked or to have better access to the Internet.

Effective sanctions and punishment can work and should be used to stop the perpetrators of this war. We should wake up from this Internet revenge fantasy that does not help anybody! Instead, let’s help Ukraine’s interconnection and access to the Internet. This is not the time to try and prove our “theoretical” ideas might have some merit!

.ONEWORLD .SOMEINTERNET: New gTLD registries and sanctioned countries

Imagine that you run an organization out of a building. Imagine that the landlord comes one day and says, “Oh I didn’t know you are a resident of country X or dealing with anybody from country X. I have to close this place down right now.” And then you are done. You don’t have an organization anymore. 

This very scenario happens on the Internet. ​​Residents of sanctioned countries cannot register a domain name in some new generic top-level domain space. These new gTLDs (like .MARKET) do not serve residents of sanctioned countries and if the registry finds out that a domain name registrant is domiciled or serves residents of sanctioned countries, the registry will inform the registrant and suspend their domain name. 

You might argue that displacement of this sort happens every day in this world, not just on the Internet. That might be true to a certain extent, but it is still a discriminatory practice. Also, what happened to our “one world one Internet” and “Internet is for everyone” values? Confiscating people’s domains merely because of their nationality goes against the values of the Internet we cherished. But there are solutions to overcome this injustice, if only Internet governance institutions and actors truly want to uphold the value of global interconnectivity. In this blog, I will tell you how we can uphold those values. 

Whose access? 

Note that in this blog and wherever else I talk about sanctions and access, I do not mean at all those entities and individuals that can be found specifically named in lists such as the US OFAC’s specially designated nationals list or similar. I restrict this discussion to the access by the ordinary residents of sanctioned countries. These are people and organizations that are deprived of access merely because of their nationality or place of residence, and not entities and individuals mentioned in designated sanction lists.

A background

Readers of this blog are probably familiar with ICANN, but it’s worth a quick recap. The Internet Corporation for Assigned Names and Numbers coordinates the development of policies around allocation and assignment of domain names at the top level of the domain name system (the “root zone”). One of its core commitments is to provide global interoperability and global coordination (See ICANN Bylaws). While ICANN does not have a direct authority over what is happening outside the root zone, they sometimes have policies that affect things outside the root, because they impose those policies as a prerequisite for permitting entry in the root. For many years, the Domain Name System root (the top-most part of the domain, like “com” or “org”) was stable, but starting in 2001, ICANN started making it bigger. This gathered speed in 2012 with the main round of “new gTLDs”. The new gTLDs had a community developed guidebook that came up with some restrictions and policies about names such as geographic names, names that targeted a certain community, brand names and others. If this seems arcane, it all becomes relevant below. 

Why do sanctions affect access to register domain names? 

ICANN is incorporated in the US and is bound by US jurisdiction, so it must also comply with US laws. But contrary to common beliefs, it does not seem that ICANN’s incorporation under US jurisdiction causes these problems on its own. The problems (to my knowledge) are:

  1) There is inefficiency in applying for and receiving a license to provide services to sanctioned countries;

The Work Stream 2 (WS2) on Accountability working group recommended to ICANN in 2018 to start applying for an OFAC license (after some risk analysis). The license would not have solved all the problems, but at least we would have had clarity on what problems might lie ahead. ICANN has not started implementing most of the work stream 2 on accountability recommendations since 2018. 

  2) One of ICANN’s new gTLD policies creates a direct relationship between registrants and registries. The policy might make the registries liable and increase their risk.

This policy is called Specification 12. It addresses “community” new gTLDs, and it creates a direct oversight role for the registries to ensure they enforce certain conditions on the registrants. Such conditions can include certain eligibility criteria, name selections, and content and use restrictions. (See .RADIO’s agreement for an example.) Because of this direct role, many registries that have adopted Spec 12 prohibit their registrars from serving sanctioned countries. 

When doing research about sanctions, one might form the impression that the sanctions would only affect registries that are based in the US and have to follow US OFAC restrictions. This is, however, not the case. Registries that have adopted specification 12, even in a non-US jurisdiction, over-comply with OFAC. For example, .ASIA’s  Paragraph 11.1 (A) of End User agreement requires each registrar to warrant that it is not “directly or indirectly in or from any country that is subject to comprehensive U.S., EU and or UK export or sanctions restrictions (currently including but not limited to Iran, Sudan, Syria and North Korea)”, “nor [that the registrar] intends to transmit or sell domains to such countries unless specifically licensed for such export.”

  3) Registries’ internal policy 

It is possible that a registry not bound by Spec 12 still adopts a risk-averse policy to avoid transacting with residents of sanctioned countries. The rationale seems to be similar to other tech-companies’ rationale when dealing with sanctions: it is simply too expensive to risk getting fined by OFAC, and it is simply too complex to apply for a license. Even if a firm such as a registry applies for a license, third parties will rarely serve the firm’s customers because the third parties also comply excessively with sanctions. 

The solution?

It seems like the solution lies in discarding Spec 12. This clause in a way is against ICANN’s mission, which is to ensure interoperability of the DNS globally and coordinate the allocation at a global scale. Note that it needs to coordinate the allocation at a global scale, not to eliminate allocation of some domains to facilitate coordination.

Another solution is for ICANN to implement the WS2 on Accountability recommendation, undertake research and apply for an OFAC license. 

When it comes to registries, all we have left is to raise awareness about the issue, and in some instances try and apply for OFAC licenses to pave the way, thereby easing sanctions on ordinary people who live in or are from sanctioned countries.

Turning enemies into allies: what if law enforcement started loving encryption?

Legislators around the world don’t like encryption and actively want to kill it. The activities range from having a campaign against encryption to coming up with laws. The US senate judiciary committee on December 10, 2019 warned tech corporations and social media platforms to find a way for law enforcement agencies to access personal communication of the corporations’ users and customers. Otherwise, the legislators would impose their will on these platforms. Lindsey Graham, the Chair of the committee, said:  “My advice for you is to get on with it, because this time next year [in 2020] if we haven’t found a way . . . we will impose our will on you

It has been two years since the threat of regulation, so it would be interesting to see what sort of activities have taken place since that threat.

 Lindsay Graham did not manage to impose his will on these corporations. At least not yet. But he and his colleagues came up with a new bill called Lawful Access to Encrypted Data Act (LAEDA, 2020). When the bill came out, according to the Electronic Frontier Foundation, it was even more out of touch with reality than bills such as EARN IT Act.

The bill is not very sophisticated. The legislator didn’t consider the public comments it received, so it simply recommended a backdoor. And it invoked the usual justifications such as combatting terrorists and criminals’ (mostly child predators’) use of these technologies and apps. The bill also argued that encryption makes it impossible to receive information and evidence, even with a court order.

 Why so riled up?

I think one of the most important questions we need to ask is why nation states, legislators, and law enforcement—regardless of their autocratic or democratic natures—hold so many reservations about encryption? Law enforcement personnel, when investigating criminal activities (including cybercrime and cybersecurity attack) need to gather as much evidence as possible. In criminal investigations, since many of our modes of communications have moved online, they have to gather the evidence that is available on the Internet. They cannot, however, access the encrypted texts online, unless they have the access key to the encrypted materials. Access to that key has become impossible since tech corporations have adopted technologies that do not give the corporations the key. Only the users or the users’ devices know what the necessary key is.

 How did tech corporations get on with it?

Tech corporations do not take the threat of legislation for granted. Last year Apple decided to install a kind of “upload filter” on its iCloud that would scan photos for Child Abuse Materials. According to Apple Technical Summary Report: “CSAM Detection enables Apple to accurately identify and report iCloud users who store known Child Sexual Abuse Material (CSAM) in their iCloud Photos accounts”. The system Apple suggested included three technologies which would lead to decryption of the message using a “hash database”. For example, if the user image “hash” matches the CSAM hash database, then the server can derive the encryption key and successfully decrypt the message. The digital rights activists were vehemently against this plan and Apple did not go ahead with implementation.

Meta delayed implementing encryption for some of its products. Meta already put encryption in place for WhatsApp messenger in 2016. It had announced plans to implement end-to-end encryption on Facebook and Instagram’s Messenger Service, but Meta delayed the implementation until at least 2023.

 What is law enforcement doing?

Law enforcement, for now, relies on social media for intelligence assessments and investigations. The Federal Bureau of Investigation contracts with social media monitoring companies “to obtain early alerts on ongoing national security and public-safety related events through lawfully collected/acquired social media data”. There are some suggestions to hoard metadata. But these collaborations with the private sector and sometimes even with not for profits that are human rights oriented can have dire consequences such as encroaching on the rights of others, financially benefiting from surveillance or just glorifying Open Source Intelligence Techniques and denying their consequences on some of the human rights.  

 What is the solution?

History teaches that we can’t rely only on sending public comments to Congress to prevent the creation of bad laws. Neither can we have a technocratic view that we can resolve this issue only through technical means. We need governance mechanisms and coalition building.  

 Turning enemies into allies

There are different ways that we might be able to convince nation states not to come up with encryption threatening laws occasionally.

 One way might be by coalition building. For example, when Belgium wanted to impose a backdoor law, the Global Encryption Coalition opposed the law which helped with not having the encryption clauses. It also helped the cause that many global lobbyists are also in Brussels.

 The Internet includes giant social systems. We need a system so that all people who are affected by these systems can understand them. To do that we need to engage law enforcement in these conversations about encryption.

Law enforcement agencies exist to uphold the rule of law. Encryption itself is a great tool that helps with upholding the rule of law. Law enforcement and ubiquitous encryption are really not natural enemies. Perhaps turning law enforcement agencies to one of the allies and advocates for encryption might work better. So, the Encryption Coalition can have an intake of members from pro-encryption law enforcement agencies. That way, we might not have to continue playing the game of whack a mole and go after every bad law that threatens encryption on the planet.

Plans for the new year: defeating Digital Perseus

I officially launched Digital Medusa in September 2021. It has been challenging but also very fulfilling, and any step towards defeating digital Perseus is worthwhile. Below, I summarize some of what Digital Medusa has done over the past four months and a limited list of what will happen in the new year:

Social Media Governance 

  1. I joined the co-chairs of the Christchurch Call Advisory Committee— a civil society group that advises the New Zealand and France governments on the Christchurch Call commitments, which aim to moderate terrorist, violent extremist content. 
  2. We (Jyoti Panday, Milton Mueller, Dia Kayyali and Courtney Radsch) came up with a framework on analyzing multistakeholder governance initiatives in Content Governance. The framework will be published as a White Paper of Internet Governance Project. Let us know if you have any comments. 
  3. I joined a panel of the Paris Peace Forum on Christchurch Call. Read all about it. Watch.
  4. My research on Telegram governance became more popular after the Capitol riot in January 2021. NYT piece mentions my research
  5. I found an amazing network of people who work on prosocial design. Prosocial design and governance are alternative approaches to heavy content moderation and punitive measures for platform governance. We plan to discuss prosocial governance more in 2022. 

Internet Infrastructure

  1. I joined a group convened by Mark Nottingham to discuss how legislative efforts can hamper interoperability of the Internet, and the available remedies. 
  2. Because of the Taliban reign in Afghanistan, I wrote about how sanctions will affect Afghanistan’s access to the Internet. We also had a webinar (thanks to Urban Media Institute) with the Afghan colleagues to discuss the developments/setbacks. The video will be available on this website
  3. Fidler and I published an article in the Journal of Information Policy about Internet protocols and controlling social change. We argue that to understand Internet protocols’ effect on society we need to put them in context. Implementation matters and making Internet protocols aligned with human rights without considering context might not bring the social change needed. A lot of discussion went on about this paper on the Internet History mailing list, and there are some very interesting insights (the thread is filled with ad hominem attacks against the authors but even those attacks are good anthropological research materials.)


What will happen in 2022?


  1. I am helping draft an Internet Governance syllabus that the community can use to convene Internet governance schools and trainings. I am doing this work for the Internet Governance Forum, and it will be in a consultative manner. The plan is to come up with a global syllabus, including core modules but also modules that are elective. There will be a lot of focus on what Schools on Internet Governance (SIGs) do and helping developing countries to more easily convene schools and training on Internet governance. 
  2. Digital Medusa will do more vigorous research about sanctions that affect access to the Internet.
  3. Along with the Christchurch Call Advisory Network members, Digital Medusa is planning to be very active and find effective ways to contribute to CCAN and the Christchurch Call community. 
  4. Digital Medusa will undertake research and advocate for prosocial governance instead of just focussing on “content moderation” in Social Media Governance


Digital Medusa, for now, includes my (FB) activities. Hopefully, in the new year we can go beyond one Digital Medusa and attract more partners. 

Happy new year to all! To a year with fewer Digital Perseus moments and fresher digital governance point of views. 


Layerless Internet Governance: In Search of Internet Infrastructure

Content governance at the Internet infrastructure level is gaining some traction and Techdirt, EFF and a few others will hold a session on October 6th. This event is a good excuse for this blog but I have a slightly different approach. I looked at the infrastructure governance with a more holistic lense. It is still possible to make a system of governance for Internet infrastructure – one that ensures an open, interoperable and global Internet. It is still possible to even affect the governance of platforms positively by good governance at the infrastructure level. But first we need to find the Internet infrastructure we keep talking about, determine how it has evolved and how and whether non-infrastructure elements have affected it. 

Facebook/Instagram/WhatsApp went down a few days ago, because of  a Border Gateway Protocol misconfiguration. Facebook had updated its BGP incorrectly. BGP allows one network that is part of the Internet to talk to other networks on the Internet.Since the BGP is a part of Internet infrastructure, there are arguments that this was an Internet infrastructure shortcoming and that centralization of Facebook is the centralization of the Internet. Which I totally disagree with but it sets the scene for addressing a critical issue: what is and where is this Internet infrastructure to govern?

I think Internet layering is partly at fault for making Internet infrastructure obscure. Some believe that the Internet has various layers. Those actors closer to the bottom layers are seemingly the operators of Internet infrastructure. For example, the Internet Service Providers are one operator of Internet infrastructure. Closer to the top of the stack, in the application layer, there are online platforms. Customarily these platforms were not known as Internet infrastructure. The distinction was so popular that we built the field of Internet studies partly based on it: some just study content-moderation/governance on online platforms. Some work on Internet infrastructure governance. The problem is that as the Internet and Internet-related technology evolve, the layers won’t help us much with identifying Internet infrastructure.

Setting the layers aside, I define Internet infrastructure as “Operators and service providers of the Internet that control, modify and affect the entire or substantial part of the presence of users on the Internet”. For now, we can see three kinds of Internet infrastructure emerging: 

1. Internet infrastructure by way of architecture:

Internet infrastructure through architecture: it is infrastructure as a part of the current architecture of the Internet. This kind of Internet infrastructure is more or less easy to identify. Their impact on online presence is immediate and far-reaching on the Internet. Most of the operators of Internet protocols, Internet Service Providers, Content Delivery Networks, domain name registries and registrars, and the like belong to this category of infrastructure. 

2. Internet infrastructure by way of policy:

Some platforms and Internet services can become a part of infrastructure through policy. This is a much harder category to define. For example, Apple (by way of policy) has a set of criteria for the apps in its App Store. If the apps do not meet the criteria, they cannot be on the App Store and iOS users have limited or no access to them on the Internet. In this instance, the App store has become Internet infrastructure because it can limit the Internet presence of certain services and Apps for the entire population of iOS users. Apple here is the gatekeeper for using that service “on the Internet”. When it approves an app, the App operates separately and does not exclusively use the App store’s network. So even if the App store goes down, approved and downloaded apps do not have a disruption in their service. 

Another example is the authentication account provided by tech-corporations. If certain integral online services and apps solely work through authentication accounts that Google or Facebook provide (via the OAuth protocol), these accounts also can be a part of Internet infrastructure. 

3. Internet infrastructure through collective action:

Various actors get together and adopt a policy that affects the Internet and Internet services. This kind of Internet infrastructure can hamper access to services on the Internet through collective action. An example that we have warned against in a blog about upload filter, is tech-corporation consortiums such as the Global Internet Forum to Counter Terrorism that might mandate certain features such as upload filters for online platforms that can become a part of Internet architecture.

Another example (that might be debated) is online payment intermediaries that collectively stop facilitating transactions that are vital for the existence of certain online platforms to function on the Internet. When there are no alternatives, it might lead to the service providers’ diminished Internet presence. 

Inspiring Governance

Early Internet infrastructure governance inspired a lot of the current platform governance models. The take-downs, site integrity and spam, in general, many of the top-down governance mechanisms have remained. Also, content policy dialogues have started paying attention  to multistakeholder governance, which was a fundamental feature of Internet infrastructure governance at least for domain names. 

With innovative governance at the infrastructure level, we can inspire better governance on platform level. Platforms such as Mastodon and Fediserve both have similar design to distributed, open and interconnected Internet infrastructure. 

Good governance of Internet infrastructure because we are not yet at a walled garden stage. A fundamental difference between Facebook’s market infrastructure and Internet infrastructure is that Internet infrastructure allows people to build other Internet services on top. Facebook rents you an office (it chooses the color, desks and everything else), but Internet infrastructure gives you a global virtual land. On the Internet, in an ideal world, people can have their own data servers, can build their own chat function, or can build (who would have thought) their own website. There is still hope for innovative governance at the infrastructure level well beyond content governance. 


A Trilogy: the tragedy of Internet infrastructure in Afghanistan

The US and other countries have imposed economic sanctions against certain target countries, such as Syria and Iran. These sanctions have had negative consequences for access by the residents of those target countries to a variety of Internet services. Over the years these  sanction laws applied to the Internet more fiercely. The dream of an open, interconnected Internet is fading. Now that the head of the newly established Taliban government is on the UN sanction list, it seems likely we are now going to add another sanctioned country to the list: Afghanistan. 

There are a few infrastructure elements in Afghanistan that sanctions can affect: generic domain names, country code domain names, and Internet protocol addresses. I will cover these areas in three different blogs. For now, we can talk about what will happen to access to Generic Top-level Domain Names.

Part I. Generic Top-level Domain Names 

The Internet uses a system called the Domain Name System (DNS) to make things on the Net accessible to humans. (If you are reading this blog, you likely already know this, but I’ll include it for completeness.) Computers on the Internet address each other through strings of numbers, which are hard for humans to remember. So, for convenience, the DNS maps those numbers to easy-to-remember names like “”. The DNS is hierarchical, so that different people can administer different parts of it. Each “dot” in a domain name is a place where a new person can take over administration in a new “zone” (this is optional, not required). The part at the end (each part is called a “label”) is called a “top-level domain name” because it is at the “top” of the hierarchy. Because on the Internet nobody likes to speak in words when a bit of jargon can make things harder to understand, “top-level domain name” (for example .ORG) is usually shortened to “TLD”.  All the TLDs are in a special zone called the root zone, and this zone is administered by the Internet Corporation for Assigned Names and Numbers, or ICANN, as one of the functions of the Internet Assigned Numbers Authority (IANA).  ICANN is incorporated in the US, which is significant for this topic.

Generic domain names are domain names that are not assigned on the basis of country. Some have been around for a long time, such as .COM. Others are pretty new, such as .MARKET. While the original TLDs were created before ICANN came into being, the new TLDs were all created according to ICANN processes.  Those processes imposed common contractual terms on the registry operators, as well as on the accredited registrars for registering names beneath these TLDs.

Afghan domain name registrants will most likely face the same problems people in Iran and other sanctioned countries face. Problems that I elaborated some years ago, such as confiscation of domain name or forcing a well established business to move, or just ending the domain name with no proper notice. New generic domains registries often have a direct relationship with the registrants, and so  have to apply sanctions to those registrants. Sometimes the legacy domain names (such as those ending in .COM) also are taken down through court order . 

Unfortunately, due to what might be called private sector over-compliance, the issue is not just limited to the US government block list (or specific sanctioned entities and individuals). Businesses are so risk averse that they don’t even give a chance to normal people living in sanctioned countries to operate their domain names.

Who is going to be cautious from now on dealing with Afghan residents? .NGO, .ACADEMY, .MARKET and a whole host of registrars.

We could have solved this problem by receiving a license from the Office of Foreign Assets Control (OFAC). But unfortunately, many actors I have talked to pass the ball to someone else until it finally gets to ICANN. We asked ICANN in a consensus report to file for a license a few years ago, but nothing seems to be happening on that front.

This was the first of the trilogy. Next time we will talk about the .AF fate.

Farzaneh Badii

About The Author

Farzaneh Badii

Digital Medusa is a boutique advisory providing digital governance research and advocacy services. It is the brainchild of Farzaneh Badi[e]i.Digital Medusa’s mission is to provide objective and alternative digital governance narratives.