[a dated, biased (what isn't?), insightful, and relevant interview] Published on Policy DevCenter (http://www.oreillynet.com/policy/) http://www.oreillynet.com/pub/a/policy/2002/12/05/karl.html Karl Auerbach: ICANN "Out of Control" by Richard Koman 12/05/2002 Editor's note: Strong forces are reshaping the Internet these days. To understand these forces-- governmental, business, and technical--Richard Koman interviews the people in the midst of the changes. This month, Richard talks to Karl Auerbach, a public board member of ICANN and one of the Internet governing body's strongest critics. October's distributed, denial-of-service attack against the domain name system--the most serious yet, in which seven of the thirteen DNS roots were cut off from the Internet--put a spotlight on ICANN, the nongovernmental corporation responsible for Internet addressing and DNS. The security of DNS is on ICANN's watch. Why is it so susceptible to attack, when the Internet as a whole is touted as being able to withstand nuclear Armageddon? It's religious dogma, says Karl Auerbach, a public representative to ICANN's board. There's no reason DNS shouldn't be decentralized, except that ICANN wants to maintain central control over this critical function. Worse, Auerbach said in a telephone interview with O'Reilly Network, ICANN uses its domain name dispute resolution process to expand the rights of trademark holders, routinely taking away domains from people with legitimate rights to them, only to reward them to multinational corporations with similar names. Auerbach--who successfully sued ICANN over access to corporate documents (ICANN wanted him to sign a nondisclosure agreement before he could see the documents)--will only be an ICANN director for a few more weeks. As part of ICANN's "reform" process, the ICANN board voted last month to end public representation on the board. As of December 15, there will be zero public representatives on the ICANN board. How does ICANN justify banishing the public from its decision-making process? Stuart Lynn, president and CEO of ICANN, said the change was needed to make ICANN's process more "efficient." In a Washington Post online discussion, Lynn said: "The board decided that at this time [online elections] are too open to fraud and capture to be practical, and we have to look for other ways to represent the public interest. It was also not clear that enough people were really interested in voting in these elections to create a large enough body of voters that could be reflective of the public interest. This decision could always be reexamined in the future. In the meantime, we are encouraging other forms of at-large organizations to self-organize and create and encourage a body of individuals who could provide the user input and public interest input into the ICANN process." Former ICANN president Esther Dyson is also supporting the move away from public representation on the board. "I did believe that it was a good idea to have a globally elected executive board, [but] you can't have a global democracy without a globally informed electorate," Dyson told the Post. "What you really need [in order] to have effective end-user representation is to have them in the bowels (of the organization) rather than on the board." Auerbach isn't buying. "ICANN is pursuing various spin stories to pretend that they haven't abandoned the public interest," he says in this interview. "ICANN is trying to create a situation where individuals are not allowed in and the only organizations that are allowed in are those that hew to ICANN's party line." In this interview, Auerbach makes a number of strong criticisms of ICANN, beyond the issue of public access: * ICANN uses its domain name dispute resolution process to expand the rights of trademark holders, routinely taking away domains from people with legitimate rights to them, only to reward them to multinational corps with similar names, Auerbach says. * ICANN unnecessarily maintains the domain name system as a centralized database, making it vulnerable to attack. * ICANN has failed to improve network security since September 11 and has ignored Auerbach's suggestions for improving DNS security. * ICANN staff takes actions without consulting the board, withholds information from the board, and misleads board members. * Finally, Auerbach charges that ICANN is guilty of corporate malfeasance. Koman: On October 21, there was a denial-of-service attack on DNS, which was widely reported as the most serious yet. Something like seven of the thirteen root servers were unavailable for as long as three hours. What is ICANN's responsibility for DNS, and how vulnerable is it to attack? Auerbach: On the Internet, there are a couple of areas that arguably need some centralized authority. One of these is IP address allocation--addresses need to handed out with some notion of how they comport to the physical topology of the network. A lot of people look at the domain name system as equally in need of centralized control. They look at DNS and see there's a root on top and some number of names underneath and they say, "Whoa, we need an organization to manage that." From a technical point of view, that's completely untrue. The DNS is really an optional service on top of the basic functionality of the Internet. We could have many different versions of DNS. The only concern is they be consistent with one another. People have elevated this argument for consistency to the idea that we can only have one, catholic source of names. That's a leap of logic that does not exist in reality; nevertheless ICANN uses that leap to justify its existence. By some religious dogma, we have come to the conclusion that there must be one ICANN sitting on top of the domain name space. It's a false conclusion but many people believe it, and it's a very useful conclusion for trademark interests, who have found that enforcing trademarks through the court system is just plain expensive. They found ICANN to be a very convenient tool to expand the law of trademarks, so trademark holders can exert control over non-trademark holders in a much less expensive way, and in a way that happens to lack all the protections of due process and judicial review. That's a dream for the trademark holders; they love ICANN. Koman: Let's talk about the recent denial-of-service attack. Auerbach: The interesting thing is, September 11 was more than a year ago and ICANN formed this high-level plenary committee to go and deal with DNS security, and to date not a single peep has come out of that committee. Yet I proposed in early October 2001 a set of several concrete, specific things that people could do to protect DNS, and more importantly, to recover from a DNS outage. And also to go after the bad guys to deter others from doing it. ICANN, because they refuse to admit I exist, deep- sixed the entire set of suggestions and hasn't even admitted that they exist. ICANN has intentionally disregarded things it could have done to protect DNS security, which possibly, had they been adopted, would have either slowed, prevented, or more quickly deflected this most recent attack. ICANN does not have the public interest at heart. ICANN isn't doing a diddly thing about network security. The committee itself has great people on it, but they're great people in a very narrow sense. They're technical experts but they know nothing about how to recover from a disaster. How do you lock a door? They know nothing about collection of evidence. They know nothing about how to recover from a disaster. Koman: How insecure is DNS; how susceptible is it to attack? Auerbach: Well, I don't disagree with the assessment of Bruce Schneier that DNS is probably the most vulnerable point of the Internet. ICANN has proclaimed as a matter of religious dogma--and it's nothing more-- that there shall be but one DNS root. Well that means ICANN is declaring the Internet shall have one single point of failure and here it is. ICANN has by that dogma condemned the Internet to vulnerability. Koman: The whole Internet is based on its decentralized nature, on redundancy, on the lack of single points of failure. Auerbach: Except in the domain name system. And the domain name system need not be that way. ICANN is making a lot of assertions that are not justified by technology and are not consistent with the public's desire to control its own Internet experience. Public Representation on ICANN Koman: On October 31, ICANN approved new bylaws that removed the five publicly elected board members, leaving no public representation on the board, as of December 15. Auerbach: That's right. Now ICANN is pursuing various spin stories to pretend that they haven't abandoned the public interest. One is that they have governments participating in ICANN and the governments represent the people of their nations, and because governments are an advisory group within ICANN, we don't need mere people. That argument is fallacious; governments not only represent their citizens; they also represent businesses and other entities within their borders. But ICANN gives special privileges to those businesses in its forums, and businesses still do get to elect board members. They've also created these so-called at- large advisory committees (ALACs)--note that they're called "at-large" as if the public could join, but membership is not open to the public; membership is only open to organizations. ICANN is trying to create a situation where individuals are not allowed in and the only organizations that are allowed in are those that hew to ICANN's party line. You have no way to vote against ICANN directors. You have as much right to vote against ICANN directors as the peasants in France had of voting against Louis XIV. Koman: What is ICANN's attitude to the idea that the Internet is a public resource and that the public has some justifiable interest in being involved in its governance? Auerbach: ICANN is an oligarchy. ICANN claims it's a private organization yet it claims immunity from things like antitrust because it derives its powers via contracts with the government. It has decided that things like decentralizing the domain name space should not be done because the public should not be confused. ICANN has made all these decisions based on the concept of what the public should have and what it should not without ever asking the public what it wants or allowing the public to have its representatives among those who decide these issues. Koman: So doesn't the public have a reasonable right of governance of this critical public resource? Auerbach: The public does have an expectation--ICANN's purpose is to benefit the public and yet ICANN has done nothing but promote business. There are public interests that are really important on the Internet. Like making sure the domain name system works reliably day in and day out, that it's reasonably protected and stable. ICANN has not done any of that. The public's expectations of what ICANN ought to be doing have been unfilled and the public's expectation of what ICANN ought not to be doing have been quite well fulfilled. ICANN is squishing out of the seams in jobs it ought not to be doing. Corporate Malfeasance? Koman: Stuart Lynn says they made this change to streamline the efficiency of the organization. Auerbach: Since when has efficiency of ICANN been an important goal? ICANN has been the most inefficient organization in the world; it's only created seven top- level domains in its four years of existence. And it only had elected members for half of that period, and only a partially elected membership. ICANN doesn't need efficiency; it needs to examine itself and discover, for example, that its staff is utterly out of control. Stuart Lynn in Shanghai got up and announced to the world that ICANN is going to have three new top-level domains of the sponsored type. Who decided that's what we need or that we need only three of them? Stuart Lynn did. He didn't consult with the community yet he declared the future business landscape of the Internet. He decided who is going to be on the main street of the Internet and who is going to be forced into the back alley. That's not a decision that arose out of elections and non- elections; that arose out of the fact that ICANN has an irresponsible staff that doesn't account to the board, much less to the public, and the board doesn't do anything about it. Insubordination is rife throughout ICANN and the board simply chooses to be powerless and not do anything about it. Elections are a non sequiteur. They have nothing to do with this issue. In terms of corporate governance, ICANN makes Enron look like a saint. I had to sue them to look at the most basic information a board member should look at, and what's amazing is that out of the lawsuit, we discovered that no other board member had bothered to do it, including ICANN's own audit committee. I can't even believe the auditors signed off on ICANN's annual report because I looked at the raw data and it's unauditable. You can't verify that an expense that was paid was actually tied to an expense requisition--they were just paying random invoices. Koman: But there's a congressional committee that oversees ICANN, is there not? Auerbach: No. ICANN plays this shell game--it claims to be a private corporation but it's not really private because it's a public benefit corporation of California. ICANN is in fact, a 501(c)3, which means it's exempt from federal taxes. ICANN is not a governmental organization so Congress's role is not to oversee ICANN but rather to look at it and then determine whether or not Congress needs to pass legislation that controls how the executive branch-- the Department of Commerce--acts in situations like this. Yes, Congress can put pressure on the Department of Commerce, but it's indirect pressure. Commerce has chosen to blind itself to the foibles of ICANN. Commerce has not held ICANN to its commitments. It has not audited ICANN to see that ICANN is doing the job it's supposed to do. As far the financial aspects go, Commerce has really no role because ICANN is a private organization. That's what the directors' role is, to oversee the finances, yet ICANN's management has tried to make it so the directors can't do that. Koman: So in the absence of ICANN directors asking for accountability ... Auerbach: There is none. Koman: There is no other layer? Auerbach: Well, there is one other person who can hold ICANN accountable, but his name is rarely mentioned-- Bill Lockyer, the attorney general for the state of California. He can hold ICANN accountable if the board members do not. I imagine the IRS can as well. I've pointed out certain problems in ICANN whereby the board members may be personally liable for millions of dollars for certain acts of ICANN; and even with that sort of sword of Damocles hanging over ICANN and its directors and their pocketbooks, they're not willing to take action. It's an organization that's just unbelievable. Koman: Karl: In testimony to Congress, you said, if ICANN ceased to exist ... Auerbach: The Internet would run perfectly. The Internet addressing is now being administered by four groups called the RIRs (Regional Internet Address Registries), and they issued what amounts to a declaration of independence from ICANN--they presented it in Shanghai. That's the critical function. Addresses would continue to be allocated by these groups even if ICANN were to disappear. Verisign takes care of the DNS part--it still prepares the root zone file every day and publishes it--that's where it comes from. ICANN does not have its fingers on the keyboard editing that file--that's still inside Verisign. And that would still happen if ICANN disappeared. Koman: So the existence of ICANN is in fact a threat to the Net? Auerbach: Well, as we've seen in the security case, had they not been there we might have reacted more quickly to the threats coming out of September 11. But ICANN has said, "Oh huff and puff, we'll establish these grand glorious committees that will solve the problem. And because so many other things are happening, people have a sense of complacency; they say, "Oh, ICANN's handling that." But ICANN's not. ICANN's far more willing to give .com to Verisign in perpetuity, and deal with reassigning .org, than it is in dealing with what it needs to do to make sure the DNS root level runs responsibly and reliably. For example, my first day on the board I suggested ICANN put in place a monitoring system so that we can learn when DNS servers at the root start to go south. They simply didn't want to consider it. Verisign does that on their own. The security stuff--they don't want to hear about it. Public Action Koman: What can people do? No amount of public agitation will bring about change? Auerbach: No, agitation will work. The Department of Commerce might realize, hey, their little baby is out of control. More congresspeople might realize something's rotten in Denmark and start accumulating the pressure on Commerce. And, of course, there are people outside the U.S. who might realize that ICANN is, for example, advocating wholesale violations of privacy by publishing the whois databases to anybody and anyone, with preference to trademark people, and that includes your personal ID; you've entered into a contract to buy a domain name; you didn't enter into a contract to publish your name, address, phone number, company affiliation, and email address to everybody in the world, including spammers. But ICANN says it has to be that way. Privacy is a balance between somebody's need to know and your need for privacy. There are a lot of principles that have come up over the years about how this balance is to be struck, and ICANN has disregarded all of those, because the trademark people- -in their race to accuse people of being trademark violators and obtain their names, addresses, and phone numbers--have insisted that ICANN make all this stuff widely available. I know a woman who's been stalked because her name was listed in the whois database; it's not that uncommon. And all of us have received spam and phone calls. Koman: What can outraged citizens do about this? Auerbach: Well, be outraged, first of all. Participate in ICANN. I displayed a photo showing that the meetings were empty, and they said, "here we are in the most populous nation in the world and the fact that nobody shows up means that we're doing a good job!" Wait a minute, maybe it's that people have become totally disenchanted with you and have figured out that showing up doesn't make any difference. But we can't give them that excuse; people still have to participate in ICANN and ensure that we have a firm record of ICANN constantly and repeatedly going against the demonstrated consensus of opinion; also what the public needs to do is keep up constant pressure on their representatives, and also on Don Evans in the Department of Commerce. I'd make noises; if you're in California, write to the attorney general, and ask how come we have this public benefit corporation in California that receives all these benefits yet seems to operate in complete defiance of the principal of benefitting the public. Koman: When ICANN demands that DNS be centralized when it could very well be decentralized; when P2P technologies themselves, rather than "pirate users" are attacked by the record companies and Hollywood ... doesn't it seem that there is a battle for control of the infrastructure of the Net, and that the battle is drawn on lines of how centralized or decentralized the Internet shall be? Auerbach: There's definitely a battle for control. A lot of people are fearful of chaos. ICANN's attitude is that we are technologists; we know better about how the world should run than you do. And these are people who can't even run a small business and keep it afloat. Yes, they're smart people and they are very condescending to other people who have other backgrounds and other points of view. But you know, technology isn't everything; dispute resolution is important; knowing how to keep finances is important. Koman: Were some directors filled in and others left in the dark? Auerbach: There was definitely an inner circle. Very definitely. I hear from the budget committee, "Oh, we're watching that." Yet I have never been able to find out whether there's information to be watched. There's some information flowing that I've not yet found. When Stuart Lynn announced his grand plan for change--I don't want to call it "reform" because it's not reform--several board members had already heard it, had seen it; I was just appalled that members had sent people around the world to talk to outsiders, without validating that the board wanted this. And Stuart Lynn gets up there and announces we're going to have three new top-level domains. He never asked the board for that. He just did it. He has given me and the whole board information that he knew was false. I believe that his intent was to mislead. I have instances where he's knowingly made false statements to the board. I think he should be fired for insubordination, as well as incompetence. And the same for their law firm. Joe Sims--he's the secret director--he's unelected but he's party to everything. He's made more money through ICANN than anyone else. Koman: Through his law firm? Auerbach: Yes, and he's a partner. Auerbach: He's the one who brokered the gift of .com to Verisign in perpetuity, privately. And he went to ICANN and said, "here's what I've done--adopt it." And ICANN said OK. Even over the advice of its own advisory group. Koman: Amazing. Auerbach: The public interest is not being served. Richard Koman is a freelance writer and editor, and former O'Reilly editor. Read his blog [http://rkoman.blogspot.com/]