RE: EPP minutia (was: Re: Gtld transfer process)

Hello John,

> It appears that "REGISTRAR LOCK" has interesting
> per-registrar implementation variations which do not always
> put the domain holder's interests first. While the registry
> does not, per se, have a direct business interest with the
> domain holder, it should be possible to have a lock state
> which is more oriented to the critical needs of some business
> domain holders.
>
> For a reasonable fee (and copious amount of documentation),
> it should be possible for any record holder to instruct the
> registry to lock the ownership of a domain down in such a way
> so as to require a similar amount of paperwork to release;
> thus effectively creating an "OWNER LOCK" state.

These services are actually already available in the competitive
registrar market.

It is a matter of choosing a registrar that has the right business model
and services to suit the registrant.

Many corporates already take advantage of such services.

Regards,
Bruce

> It is a matter of choosing a registrar that has the right business model
> and services to suit the registrant.

What if a company doesn't want to deal with
any registrar? What if they just want to
register their domain name and have it stay
registered. For some companies, their registered
domain name is a critical part of their network
infrastructure. Why should these companies be forced
to deal with third parties who add no value to
the service?

There is no free market when ICANN forces
companies to deal with 3rd parties rather than
deal directly with the registry that provides the
mission critical DNS service for their domain name.

Perhaps this is another area where a membership-based
NANOG could help by standing up and explaining the
operational importance of DNS stability to the
bureaucrats in ICANN.

--Michael Dillon

> > It is a matter of choosing a registrar that has the right business model
> > and services to suit the registrant.
>
> What if a company doesn't want to deal with
> any registrar? What if they just want to
> register their domain name and have it stay
> registered. For some companies, their registered
> domain name is a critical part of their network
> infrastructure. Why should these companies be forced
> to deal with third parties who add no value to
> the service?

I disagree, in part.

(1) The purpose of registrars is processing paperwork for verification
of registrants.

(2) The purpose of the registry is to run servers, as efficiently and
inexpensively as possible.

It's a reasonable division of labor.

> There is no free market when ICANN forces
> companies to deal with 3rd parties rather than
> deal directly with the registry that provides the
> mission critical DNS service for their domain name.

There's only 1 registry, so there's never a "free market" there --
that's a monopoly by design.

The competition between registrars is a good thing that has brought
the registration process to a commodity market.

However, having any "market" requires penalties when the registrars
fail to perform their function. And not just a "reputation" penalty,
although that's certainly germane. An actual financial penalty.
Markets are all about financial exchange.

That's why (as originally designed) every registrar posts a large
performance bond up front.

Clearly, Mel-IT failed in its responsibility to correctly process the
paperwork for registration. That Mel-IT has a business model where
they "farm out" the registration to incompetent third parties called
"resellers" is of no interest. The third party is acting as an agent
for Mel-IT, and Mel-IT is ultimately responsible.

Moreover, the Mel-IT president/CEO/attorney/et alia egregiously
demonstrated negligence when notified of the problem.

I expect that Mel-IT will be assessed a reasonable penalty for their
failure. The usual penalty is 3 times actual (liquidated) damages.

Since Mel-IT has already demonstrated a failure to perform, in addition
their performance bond to continue as a registrar should be raised to
at least 10% of their annualized gross income. It costs money to clean
up their messes.

Those are the things required for a "free" market.

Accountability. Responsibility. Free markets are not without cost.

> Perhaps this is another area where a membership-based
> NANOG could help by standing up and explaining the
> operational importance of DNS stability to the
> bureaucrats in ICANN.

We have a membership-based NANOG. Everybody who joins NANOG is on this
mailing list. Everybody who joins this mailing list is part of NANOG.

We (in NANOG) have an interest in ensuring that the bureaucrats assess
the penalty on behalf of our members -- that panix.com is made whole.

Accountability. Responsibility.

[a dated, biased (what isn't?), insightful, and
relevant interview]

Published on Policy DevCenter
(http://www.oreillynet.com/policy/)
http://www.oreillynet.com/pub/a/policy/2002/12/05/karl.html

Karl Auerbach: ICANN "Out of Control"
by Richard Koman
12/05/2002

Editor's note: Strong forces are reshaping the
Internet these days. To understand these forces--
governmental, business, and technical--Richard Koman
interviews the people in the midst of the changes.

This month, Richard talks to Karl Auerbach, a public
board member of ICANN and one of the Internet
governing body's strongest critics.

October's distributed, denial-of-service attack
against the domain name system--the most serious yet,
in which seven of the thirteen DNS roots were cut off
from the Internet--put a spotlight on ICANN, the
nongovernmental corporation responsible for Internet
addressing and DNS. The security of DNS is on ICANN's
watch. Why is it so susceptible to attack, when the
Internet as a whole is touted as being able to
withstand nuclear Armageddon?

It's religious dogma, says Karl Auerbach, a public
representative to ICANN's board. There's no reason DNS
shouldn't be decentralized, except that ICANN wants to
maintain central control over this critical function.
Worse, Auerbach said in a telephone interview with
O'Reilly Network, ICANN uses its domain name dispute
resolution process to expand the rights of trademark
holders, routinely taking away domains from people
with legitimate rights to them, only to reward them to
multinational corporations with similar names.

Auerbach--who successfully sued ICANN over access to
corporate documents (ICANN wanted him to sign a
nondisclosure agreement before he could see the
documents)--will only be an ICANN director for a few
more weeks. As part of ICANN's "reform" process, the
ICANN board voted last month to end public
representation on the board. As of December 15, there
will be zero public representatives on the ICANN
board.

How does ICANN justify banishing the public from its
decision-making process? Stuart Lynn, president and
CEO of ICANN, said the change was needed to make
ICANN's process more "efficient." In a Washington Post
online discussion, Lynn said: "The board decided that
at this time [online elections] are too open to fraud
and capture to be practical, and we have to look for
other ways to represent the public interest. It was
also not clear that enough people were really
interested in voting in these elections to create a
large enough body of voters that could be reflective
of the public interest. This decision could always be
reexamined in the future. In the meantime, we are
encouraging other forms of at-large organizations to
self-organize and create and encourage a body of
individuals who could provide the user input and
public interest input into the ICANN process."

Former ICANN president Esther Dyson is also supporting
the move away from public representation on the board.
"I did believe that it was a good idea to have a
globally elected executive board, [but] you can't have
a global democracy without a globally informed
electorate," Dyson told the Post. "What you really
need [in order] to have effective end-user
representation is to have them in the bowels (of the
organization) rather than on the board."

Auerbach isn't buying. "ICANN is pursuing various spin
stories to pretend that they haven't abandoned the
public interest," he says in this interview. "ICANN is
trying to create a situation where individuals are not
allowed in and the only organizations that are allowed
in are those that hew to ICANN's party line."

In this interview, Auerbach makes a number of strong
criticisms of ICANN, beyond the issue of public
access:

    * ICANN uses its domain name dispute resolution
process to expand the rights of trademark holders,
routinely taking away domains from people with
legitimate rights to them, only to reward them to
multinational corps with similar names, Auerbach says.
    * ICANN unnecessarily maintains the domain name
system as a centralized database, making it vulnerable
to attack.
    * ICANN has failed to improve network security
since September 11 and has ignored Auerbach's
suggestions for improving DNS security.
    * ICANN staff takes actions without consulting the
board, withholds information from the board, and
misleads board members.
    * Finally, Auerbach charges that ICANN is guilty
of corporate malfeasance.

Koman: On October 21, there was a denial-of-service
attack on DNS, which was widely reported as the most
serious yet. Something like seven of the thirteen root
servers were unavailable for as long as three hours.
What is ICANN's responsibility for DNS, and how
vulnerable is it to attack?

Auerbach: On the Internet, there are a couple of areas
that arguably need some centralized authority. One of
these is IP address allocation--addresses need to
be handed out with some notion of how they comport to the
physical topology of the network.

A lot of people look at the domain name system as
equally in need of centralized control. They look at
DNS and see there's a root on top and some number of
names underneath and they say, "Whoa, we need an
organization to manage that." From a technical point
of view, that's completely untrue. The DNS is really
an optional service on top of the basic functionality
of the Internet. We could have many different versions
of DNS. The only concern is they be consistent with
one another. People have elevated this argument for
consistency to the idea that we can only have one,
catholic source of names. That's a leap of logic that
does not exist in reality; nevertheless ICANN uses
that leap to justify its existence.

By some religious dogma, we have come to the
conclusion that there must be one ICANN sitting on top
of the domain name space. It's a false conclusion but
many people believe it, and it's a very useful
conclusion for trademark interests, who have found
that enforcing trademarks through the court system is
just plain expensive. They found ICANN to be a very
convenient tool to expand the law of trademarks, so
trademark holders can exert control over non-trademark
holders in a much less expensive way, and in a way
that happens to lack all the protections of due
process and judicial review. That's a dream for the
trademark holders; they love ICANN.

Koman: Let's talk about the recent denial-of-service
attack.

Auerbach: The interesting thing is, September 11 was
more than a year ago and ICANN formed this high-level
plenary committee to go and deal with DNS security,
and to date not a single peep has come out of that
committee. Yet I proposed in early October 2001 a set
of several concrete, specific things that people could
do to protect DNS, and more importantly, to recover
from a DNS outage. And also to go after the bad guys
to deter others from doing it.

ICANN, because they refuse to admit I exist, deep-sixed
the entire set of suggestions and hasn't even
admitted that they exist. ICANN has intentionally
disregarded things it could have done to protect DNS
security, which possibly, had they been adopted, would
have either slowed, prevented, or more quickly
deflected this most recent attack. ICANN does not have
the public interest at heart.

ICANN isn't doing a diddly thing about network
security. The committee itself has great people on it,
but they're great people in a very narrow sense.
They're technical experts but they know nothing about
how to recover from a disaster. How do you lock a
door? They know nothing about collection of evidence.
They know nothing about how to recover from a
disaster.

Koman: How insecure is DNS; how susceptible is it to
attack?

Auerbach: Well, I don't disagree with the assessment
of Bruce Schneier that DNS is probably the most
vulnerable point of the Internet. ICANN has proclaimed
as a matter of religious dogma--and it's nothing more--
that there shall be but one DNS root. Well that means
ICANN is declaring the Internet shall have one single
point of failure and here it is. ICANN has by that
dogma condemned the Internet to vulnerability.

Koman: The whole Internet is based on its
decentralized nature, on redundancy, on the lack of
single points of failure.

Auerbach: Except in the domain name system. And the
domain name system need not be that way. ICANN is
making a lot of assertions that are not justified by
technology and are not consistent with the public's
desire to control its own Internet experience.

Public Representation on ICANN

Koman: On October 31, ICANN approved new bylaws that
removed the five publicly elected board members,
leaving no public representation on the board, as of
December 15.

Auerbach: That's right. Now ICANN is pursuing various
spin stories to pretend that they haven't abandoned
the public interest. One is that they have governments
participating in ICANN and the governments represent
the people of their nations, and because governments
are an advisory group within ICANN, we don't need mere
people. That argument is fallacious; governments not
only represent their citizens; they also represent
businesses and other entities within their borders.
But ICANN gives special privileges to those businesses
in its forums, and businesses still do get to elect
board members. They've also created these so-called
at-large advisory committees (ALACs)--note that they're
called "at-large" as if the public could join, but
membership is not open to the public; membership is
only open to organizations. ICANN is trying to create
a situation where individuals are not allowed in and
the only organizations that are allowed in are those
that hew to ICANN's party line.

You have no way to vote against ICANN directors. You
have as much right to vote against ICANN directors as
the peasants in France had of voting against Louis
XIV.

Koman: What is ICANN's attitude to the idea that the
Internet is a public resource and that the public has
some justifiable interest in being involved in its
governance?

Auerbach: ICANN is an oligarchy. ICANN claims it's a
private organization yet it claims immunity from
things like antitrust because it derives its powers
via contracts with the government. It has decided that
things like decentralizing the domain name space
should not be done because the public should not be
confused. ICANN has made all these decisions based on
the concept of what the public should have and what it
should not without ever asking the public what it
wants or allowing the public to have its
representatives among those who decide these issues.

Koman: So doesn't the public have a reasonable right
of governance of this critical public resource?

Auerbach: The public does have an expectation--ICANN's
purpose is to benefit the public and yet ICANN has
done nothing but promote business. There are public
interests that are really important on the Internet.
Like making sure the domain name system works reliably
day in and day out, that it's reasonably protected and
stable. ICANN has not done any of that. The public's
expectations of what ICANN ought to be doing have been
unfilled and the public's expectation of what ICANN
ought not to be doing have been quite well fulfilled.
ICANN is squishing out of the seams in jobs it ought
not to be doing.

Corporate Malfeasance?

Koman: Stuart Lynn says they made this change to
streamline the efficiency of the organization.

Auerbach: Since when has efficiency of ICANN been an
important goal? ICANN has been the most inefficient
organization in the world; it's only created seven
top-level domains in its four years of existence. And it
only had elected members for half of that period, and
only a partially elected membership. ICANN doesn't
need efficiency; it needs to examine itself and
discover, for example, that its staff is utterly out
of control. Stuart Lynn in Shanghai got up and
announced to the world that ICANN is going to have
three new top-level domains of the sponsored type. Who
decided that's what we need or that we need only three
of them? Stuart Lynn did. He didn't consult with the
community yet he declared the future business
landscape of the Internet. He decided who is going to
be on the main street of the Internet and who is going
to be forced into the back alley. That's not a
decision that arose out of elections and
non-elections; that arose out of the fact that ICANN has
an irresponsible staff that doesn't account to the
board, much less to the public, and the board doesn't
do anything about it. Insubordination is rife
throughout ICANN and the board simply chooses to be
powerless and not do anything about it. Elections are
a non sequitur. They have nothing to do with this
issue.

In terms of corporate governance, ICANN makes Enron
look like a saint. I had to sue them to look at the
most basic information a board member should look at,
and what's amazing is that out of the lawsuit, we
discovered that no other board member had bothered to
do it, including ICANN's own audit committee. I can't
even believe the auditors signed off on ICANN's annual
report because I looked at the raw data and it's
unauditable. You can't verify that an expense that was
paid was actually tied to an expense requisition--they
were just paying random invoices.

Koman: But there's a congressional committee that
oversees ICANN, is there not?

Auerbach: No. ICANN plays this shell game--it claims
to be a private corporation but it's not really
private because it's a public benefit corporation of
California. ICANN is in fact, a 501(c)3, which means
it's exempt from federal taxes. ICANN is not a
governmental organization so Congress's role is not to
oversee ICANN but rather to look at it and then
determine whether or not Congress needs to pass
legislation that controls how the executive branch--
the Department of Commerce--acts in situations like
this. Yes, Congress can put pressure on the Department
of Commerce, but it's indirect pressure. Commerce has
chosen to blind itself to the foibles of ICANN.
Commerce has not held ICANN to its commitments. It has
not audited ICANN to see that ICANN is doing the job
it's supposed to do. As far as the financial aspects go,
Commerce has really no role because ICANN is a private
organization. That's what the directors' role is, to
oversee the finances, yet ICANN's management has tried
to make it so the directors can't do that.

Koman: So in the absence of ICANN directors asking for
accountability ...

Auerbach: There is none.

Koman: There is no other layer?

Auerbach: Well, there is one other person who can hold
ICANN accountable, but his name is rarely mentioned--
Bill Lockyer, the attorney general for the state of
California. He can hold ICANN accountable if the board
members do not. I imagine the IRS can as well. I've
pointed out certain problems in ICANN whereby the
board members may be personally liable for millions of
dollars for certain acts of ICANN; and even with that
sort of sword of Damocles hanging over ICANN and its
directors and their pocketbooks, they're not willing
to take action. It's an organization that's just
unbelievable.

Koman: Karl: In testimony to Congress, you said, if
ICANN ceased to exist ...

Auerbach: The Internet would run perfectly. The
Internet addressing is now being administered by four
groups called the RIRs (Regional Internet Address
Registries), and they issued what amounts to a
declaration of independence from ICANN--they presented
it in Shanghai. That's the critical function.
Addresses would continue to be allocated by these
groups even if ICANN were to disappear. Verisign takes
care of the DNS part--it still prepares the root zone
file every day and publishes it--that's where it comes
from. ICANN does not have its fingers on the keyboard
editing that file--that's still inside Verisign. And
that would still happen if ICANN disappeared.

Koman: So the existence of ICANN is in fact a threat
to the Net?

Auerbach: Well, as we've seen in the security case,
had they not been there we might have reacted more
quickly to the threats coming out of September 11. But
ICANN has said, "Oh huff and puff, we'll establish
these grand glorious committees that will solve the
problem." And because so many other things are
happening, people have a sense of complacency; they
say, "Oh, ICANN's handling that." But ICANN's not.
ICANN's far more willing to give .com to Verisign in
perpetuity, and deal with reassigning .org, than it is
in dealing with what it needs to do to make sure the
DNS root level runs responsibly and reliably. For
example, my first day on the board I suggested ICANN
put in place a monitoring system so that we can learn
when DNS servers at the root start to go south. They
simply didn't want to consider it. Verisign does that
on their own. The security stuff--they don't want to
hear about it.

Public Action

Koman: What can people do? No amount of public
agitation will bring about change?

Auerbach: No, agitation will work. The Department of
Commerce might realize, hey, their little baby is out
of control. More congresspeople might realize
something's rotten in Denmark and start accumulating
the pressure on Commerce. And, of course, there are
people outside the U.S. who might realize that ICANN
is, for example, advocating wholesale violations of
privacy by publishing the whois databases to anybody
and anyone, with preference to trademark people, and
that includes your personal ID; you've entered into a
contract to buy a domain name; you didn't enter into a
contract to publish your name, address, phone number,
company affiliation, and email address to everybody in
the world, including spammers. But ICANN says it has
to be that way.

Privacy is a balance between somebody's need to know
and your need for privacy. There are a lot of
principles that have come up over the years about how
this balance is to be struck, and ICANN has
disregarded all of those, because the trademark
people--in their race to accuse people of being trademark
violators and obtain their names, addresses, and phone
numbers--have insisted that ICANN make all this stuff
widely available. I know a woman who's been stalked
because her name was listed in the whois database;
it's not that uncommon. And all of us have received
spam and phone calls.

Koman: What can outraged citizens do about this?

Auerbach: Well, be outraged, first of all. Participate
in ICANN. I displayed a photo showing that the
meetings were empty, and they said, "here we are in
the most populous nation in the world and the fact
that nobody shows up means that we're doing a good
job!" Wait a minute, maybe it's that people have
become totally disenchanted with you and have figured
out that showing up doesn't make any difference. But
we can't give them that excuse; people still have to
participate in ICANN and ensure that we have a firm
record of ICANN constantly and repeatedly going
against the demonstrated consensus of opinion; also
what the public needs to do is keep up constant
pressure on their representatives, and also on Don
Evans in the Department of Commerce. I'd make noises;
if you're in California, write to the attorney
general, and ask how come we have this public benefit
corporation in California that receives all these
benefits yet seems to operate in complete defiance of
the principle of benefitting the public.

Koman: When ICANN demands that DNS be centralized when
it could very well be decentralized; when P2P
technologies themselves, rather than "pirate users"
are attacked by the record companies and Hollywood ...
doesn't it seem that there is a battle for control of
the infrastructure of the Net, and that the battle is
drawn on lines of how centralized or decentralized the
Internet shall be?

Auerbach: There's definitely a battle for control. A
lot of people are fearful of chaos. ICANN's attitude
is that we are technologists; we know better about how
the world should run than you do. And these are people
who can't even run a small business and keep it
afloat. Yes, they're smart people and they are very
condescending to other people who have other
backgrounds and other points of view. But you know,
technology isn't everything; dispute resolution is
important; knowing how to keep finances is important.

Koman: Were some directors filled in and others left
in the dark?

Auerbach: There was definitely an inner circle. Very
definitely. I hear from the budget committee, "Oh,
we're watching that." Yet I have never been able to
find out whether there's information to be watched.
There's some information flowing that I've not yet
found. When Stuart Lynn announced his grand plan for
change--I don't want to call it "reform" because it's
not reform--several board members had already heard
it, had seen it; I was just appalled that members had
sent people around the world to talk to outsiders,
without validating that the board wanted this. And
Stuart Lynn gets up there and announces we're going to
have three new top-level domains. He never asked the
board for that. He just did it.

He has given me and the whole board information that
he knew was false. I believe that his intent was to
mislead. I have instances where he's knowingly made
false statements to the board. I think he should be
fired for insubordination, as well as incompetence.
And the same for their law firm. Joe Sims--he's the
secret director--he's unelected but he's party to
everything. He's made more money through ICANN than
anyone else.

Koman: Through his law firm?

Auerbach: Yes, and he's a partner.

Auerbach: He's the one who brokered the gift of .com
to Verisign in perpetuity, privately. And he went to
ICANN and said, "here's what I've done--adopt it." And
ICANN said OK. Even over the advice of its own
advisory group.

Koman: Amazing.

Auerbach: The public interest is not being served.

Richard Koman is a freelance writer and editor, and
former O'Reilly editor. Read his blog
[http://rkoman.blogspot.com/]

the panix.com incident, a few nights of dreaming
solutions, and this interview led me to wonder about
"p2p dns".

david

> > It is a matter of choosing a registrar that has the right business model
> > and services to suit the registrant.
>
> What if a company doesn't want to deal with
> any registrar? What if they just want to
> register their domain name and have it stay registered.

I really can't think of any domain name registrant that this statement
doesn't apply to -- even the spammers.

<shrug> The purpose is so that someone can do all the "paperwork" for when
that customer needs to change something :wink:

Joe Rhett wrote:

> > What if a company doesn't want to deal with
> > any registrar? What if they just want to
> > register their domain name and have it stay registered.
>
> I really can't think of any domain name registrant that this statement
> doesn't apply to -- even the spammers.
>
> <shrug> The purpose is so that someone can do all the "paperwork" for when
> that customer needs to change something :wink:

The alternative is dealing with VGRS directly, and with apologies to the Verisign employees here who I'm sure aren't directly responsible for some of the extremely net-unfriendly activities Verisign has perpetrated lately, I wouldn't want to deal with the company myself.

If you believe that REGISTRAR LOCK meets the need, then I've failed
to adequately communicate my requirements. The requirement is my
domain remains unchanged despite complete failure or fraud of any
number of registrars. Because REGISTRAR LOCK is administered by
registrars, it cannot meet my requirements of absolute protection of
change without direct owner intervention.

Also, consider past events, and the DNS community/ICANN response:

  - DNS community claims that some registrars are being intentionally
    non-responsive on transfers in order to retain customers & revenue

  - Rather than making failure to respond accurately and timely to a
    registry request a major issue, the DNS community/ICANN change
    failure to respond into implicit approval after five days

  - As a result, there is an increased chance of hijacking, and some
    registrars are now automatically setting REGISTRAR LOCK on all their
    customers

How long before folks complain that REGISTRAR LOCK is now in the way
of transferring domains, and we end up with an erosion in the meaning
of that state?

It appears domain name owners for critical infrastructure have no choice
but to continuously monitor the infighting among registrars and evolving
DNS registry/registrar rules in order to protect themselves. This is a really
unfortunate burden, since the vast majority of organizations simply want
their domain name to be locked from changes without their direct consent.

/John

Do you have a requirement that the domain remain unchanged even in the
face of fraud on the part of the registry itself? And what level of
"Yes I really mean it" documentation do you consider sufficient to
turn this *off* in case you *do* need to change something? Does it
have to resist a forged e-mail? Forged fax and hacking your phone system
so they can answer the confirmation callback? Forged notarized forms
mailed to the registry rescinding the lock? A determined "black helicopter"
attack on the part of a competitor?

> > If you believe that REGISTRAR LOCK meets the need, then I've failed
> > to adequately communicate my requirements. The requirement is my
> > domain remains unchanged despite complete failure or fraud of any
> > number of registrars.
>
> Do you have a requirement that the domain remain unchanged even in the
> face of fraud on the part of the registry itself?

I indicated failure or fraud by registrars being the problem, not the registry.
The moment that the registrars took it upon themselves to set registrar-lock
without explicit direction of the domain holder, they implicitly picked up the
ability to clear it without the same explicit direction. So, where's the lock
the domain name holder sets which simply can't be cleared without *their*
consent?

> And what level of "Yes I really mean it" documentation do you consider sufficient
> to turn this *off* in case you *do* need to change something? Does it
> have to resist a forged e-mail? Forged fax and hacking your phone system
> so they can answer the confirmation callback? Forged notarized forms
> mailed to the registry rescinding the lock? A determined "black helicopter"
> attack on the part of a competitor?

It needs to survive random errors of omission (unlike the present lock...)

Ideally, a digitally signed request backed by a known chain of CA's,
followed by a reasonable out-of-band verification process performed
by the registry with a positive affirmation loop. There's known art in
this area (ref: financial services) and it definitely doesn't look like the
current Intra-Registrar domain transfer policy.

/John
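
An added sketch of the release flow described in the message above (signed request, then out-of-band verification with a positive affirmation loop); it is not code from the thread or from any registry. The `Registry` class, its status strings and the five-day window are hypothetical, and an HMAC with a key enrolled at lock time stands in for the CA-chain signature check so that it runs on the Python standard library alone.

```python
import hashlib
import hmac
import secrets

AFFIRM_WINDOW = 5 * 24 * 3600  # constructed value: seconds allowed for affirmation


def sign_request(holder_key: bytes, domain: str, request_id: str) -> str:
    """Holder side: sign an unlock request (HMAC stand-in for a CA-backed signature)."""
    msg = f"unlock|{domain}|{request_id}".encode()
    return hmac.new(holder_key, msg, hashlib.sha256).hexdigest()


class Registry:
    """Hypothetical registry-side OWNER LOCK: only the holder can start a release,
    and silence during the affirmation window leaves the lock in place."""

    def __init__(self):
        self.keys = {}         # domain -> key enrolled when the lock was set
        self.locked = set()    # domains currently in the owner-lock state
        self.seen_ids = set()  # (domain, request_id) already used, to stop replays
        self.pending = {}      # domain -> (nonce, expiry)
        self.oob_outbox = []   # (domain, nonce) delivered over the out-of-band channel

    def set_owner_lock(self, domain, holder_key):
        self.keys[domain] = holder_key
        self.locked.add(domain)

    def request_unlock(self, domain, request_id, signature, now):
        if domain not in self.locked:
            return "not-locked"
        expected = sign_request(self.keys[domain], domain, request_id)
        if not hmac.compare_digest(expected, signature):
            return "rejected-bad-signature"   # no challenge is ever sent
        if (domain, request_id) in self.seen_ids:
            return "rejected-replay"
        self.seen_ids.add((domain, request_id))
        nonce = secrets.token_hex(8)
        self.pending[domain] = (nonce, now + AFFIRM_WINDOW)
        self.oob_outbox.append((domain, nonce))
        return "pending-affirmation"

    def affirm(self, domain, nonce, now):
        entry = self.pending.get(domain)
        if entry is None:
            return "no-pending-request"
        expected_nonce, expiry = entry
        if now > expiry:
            # Opposite of implicit approval: a timeout means "no".
            del self.pending[domain]
            return "expired-still-locked"
        if not hmac.compare_digest(expected_nonce, nonce):
            return "rejected-bad-nonce"
        del self.pending[domain]
        self.locked.discard(domain)
        return "unlocked"

    def transfer_allowed(self, domain):
        return domain not in self.locked


def demo():
    """Run three constructed cases and return the registry's answers in order."""
    reg = Registry()
    key = b"constructed-holder-key"
    reg.set_owner_lock("example.com", key)
    out = []
    # 1. Forged request: fails the signature check.
    out.append(reg.request_unlock("example.com", "r1", "0" * 64, now=0))
    # 2. Validly signed request that is never affirmed in time.
    sig = sign_request(key, "example.com", "r2")
    out.append(reg.request_unlock("example.com", "r2", sig, now=0))
    out.append(reg.affirm("example.com", reg.oob_outbox[-1][1], now=AFFIRM_WINDOW + 1))
    out.append(reg.transfer_allowed("example.com"))
    # 3. Validly signed request, affirmed out of band by the holder.
    sig = sign_request(key, "example.com", "r3")
    out.append(reg.request_unlock("example.com", "r3", sig, now=10))
    out.append(reg.affirm("example.com", reg.oob_outbox[-1][1], now=20))
    out.append(reg.transfer_allowed("example.com"))
    return out


if __name__ == "__main__":
    for step in demo():
        print(step)
```
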

> > Do you have a requirement that the domain remain unchanged even in the
> > face of fraud on the part of the registry itself?
>
> I indicated failure or fraud by registrars being the problem, not the registry.

Right, and I asked whether fraud on the part of the registry itself was something
you felt a need to defend against. Remember that we've caught some registries
doing less-than-exemplary things, so being worried about fraud by registrars while
blissfully ignoring a rogue registry is probably a bad idea...

> ability to clear it without the same explicit direction. So, where's the lock
> the domain name holder sets which simply can't be cleared without *their*
> consent?

"We have a doesn't-LOOK-forged authorization from you on file..." :wink:

> Ideally, a digitally signed request backed by a known chain of CA's,
> followed by a reasonable out-of-band verification process performed
> by the registry with a positive affirmation loop. There's known art in
> this area (ref: financial services) and it definitely doesn't look like the
> current Intra-Registrar domain transfer policy.

OK.. that gives us all a *much* better idea of what level of protection you want..

Looks sane, looks sensible, proper selection of "known chain" even helps with
the rogue registry problem, looks like something that companies in a particular
mindset would want. All we need now is for somebody to make a workable
business model out of it.. :wink: