September 22, 2003

Will Network Solutions/Verisign Get Away With It Again?

As pretty much everyone now knows, Verisign recently used its monopoly registry position over .com and .net to impose a revenue-producing mechanism, which they call "SiteFinder", onto all users of the internet who are human and thus who make mistakes.

I think that it has now been pretty well established that Verisign's "SiteFinder" has damaged the technical stability of the Internet, that it represents a major abuse of Verisign's monopoly position, and that it amounts to a mass harvesting of web users' browsing habits.

ICANN has requested that Verisign voluntarily roll back "SiteFinder".  Verisign has, so far, refused to do so.

I believe that what ICANN is requesting is entirely appropriate and that a due respect for the stability of the internet should compel Verisign to comply with that request.  However, there are signs that greed will prevail over reason and that Verisign will withdraw "SiteFinder" only in the face of an unambiguous, unequivocal, and incontrovertible order to do so.  This may mean that either ICANN or the US Department of Commerce may have to pull out the legal guns.

And if they do, I hope that ICANN or the DoC wins.

However, prudence obligates us to examine whether ICANN or the US Department of Commerce have the strength to win.

It is not at all clear to me that ICANN has the power to compel Verisign to rescind Verisign's "SiteFinder".  Nor is it clear to me that the US Department of Commerce, even if it might have the authority, has the will.

The relationship between ICANN, the DoC, and Verisign is one governed by agreements that have the look and smell of contracts.  This means that many of the rights and duties of these players are governed by contract principles.  Clearly the relationship between the DoC and Verisign is a child of US Federal law.  However, since both Verisign and ICANN are incorporated in the State of California, many of those principles governing the contracts between Verisign and ICANN will be found in the laws of California.  And California, perhaps more so than other states, tends to allow contract obligations to be interpreted in the light of the history of the contractual relationship.

More than ten years ago - on January 1, 1993, Network Solutions received a five-year grant of monopoly authority over .com, .net, .edu, and .org from the US Government.  That grant was supposed to expire after 5 years, on September 30, 1998.  This note is being written on September 22, 2003 - nearly five full years after NSI's original contract was to have expired.

The circumstances of that initial contract might raise a few eyebrows - NSI won even though there were others in the running who had significantly greater and proven competence (think "founders of UUnet"), who bid much lower fees.

That original has been amended by the US Department of Commerce no less than 25 times.  Those amendments collectively amount to The Great Internet Giveaway, in which control over the core assets of the internet has been abandoned into the hands of NSI/Verisign.  As a result, Verisign today has come to effectively control those internet assets that it was originally hired to simply administer.

The amazing largess of the US Department of Commerce towards Verisign has been matched by ICANN.

ICANN has given NSI/Verisign gift after gift after gift.  ICANN spent several years not allocating new top level domains (TLDs), thus continuing NSI/Verisign's monopoly, much to the benefit of Verisign's financial bottom line.  And when new TLDs were finally allocated, the restrictions that ICANN imposed on the newcomers did nothing but confirm NSI/Verisign's dominance for several additional years.  ICANN's division of the DNS name business into "registries" and "registrars" came with a nice prize for NSI/Verisign - that company was allowed to double dip into the system as both a "registrar" and the monopoly "registry" of the largest TLDs.  And we ought to never forget that ICANN, on the private initiative of its outside "counsel", gifted the .com TLD unto NSI/Verisign in perpetuity.  And ever since, ICANN has continuously assumed "the position", even over the objections of ICANN's own DNS policy bodies, whenever NSI/Verisign came knocking - one has only to look at the history of the Wait Listing Service to see how easily ICANN succumbs to NSI/Verisign's siren song.

Verisign has demonstrated an amazing ability to negotiate the pants off of the US Government and ICANN.

However, Verisign's ability to wag ICANN and the Department of Commerce has met with a bit more friction as of late.  For example, ICANN showed a bit of backbone when Verisign wanted to race into the early, and arguably reckless, deployment of internationalized domain names.  ICANN and Verisign went head-to-head over a system that was remarkably similar to "SiteFinder" but in the context of internationalized domain names.  In that instance, Verisign backed down.

Verisign's "SiteFinder" represents a repudiation of the entire structure of governance of the internet as conceived by the IFWP, the NTIA Green and White Papers, and ICANN itself.

But is there anything that either ICANN or the US Department of Commerce can do about it?

The authority of both the US DoC and ICANN is made confusing and weak by the maze of cooperative agreements, memorandums of understanding, CRADAs, and purchase orders that exist between ICANN, the DoC, and Verisign/NSI.  Rather than mutually reinforcing one another, these documents create a fabric of plausible excuses that allows Verisign to dance this way and that to whatever tune it decides to play - it will take a major legal effort, one that ICANN might not be able to afford, to unravel the mess.  And the outcome is hardly certain.  For example, because the DoC and ICANN have chosen to use weak and ambiguous legal forms such as "memorandums of understanding", instead of firmly and clearly enforceable "contracts", Verisign might successfully argue that ICANN and the DoC never intended to establish rights and duties that can be enforced in a court of law.

And ICANN, by virtue of its grant of permission to .museum to use the same wildcard mechanism that underlies "SiteFinder", has created a situation in which Verisign can argue that what's good enough for .museum is good enough for .com - and that if there is a difference, it was ICANN's job to define the boundaries, something that ICANN has not done.

ICANN's authority is further weakened by ICANN's historical failure to exercise controlling oversight over technical operations of DNS and by ICANN's tunnel-vision focus on non-technical matters (such as whether the lack of felicity of the sound of "iii" when spoken made that string inappropriate for use as a top level domain).  Because ICANN has exercised only the most tenuous oversight of important technical matters, such as the operation of root servers, service level obligations of TLD servers, DNS security, data escrow, etc., ICANN is not in a good position to suddenly prohibit Verisign's use of a practice that is not in express violation of any Internet Standard.  (Verisign's practice may be in violation of some implied "penumbras" of the Internet Standards, but that is a difficult argument for ICANN to make.)

If one needs a concrete example, consider that over the course of the last year the root server operators have established anycast-based replica servers.  (I personally consider what they have done to be a very good thing.)  However, by any metric this deployment represents a significant change to the critical infrastructure of DNS.  This change was made with neither notice to nor approval from ICANN.  Verisign has as a consequence been given an opportunity to make equally significant changes and, if ICANN questions them, to ask why Verisign is being singled out.

ICANN is now the victim of its own past behavior - because ICANN has never dealt with issues of internet technology but has instead focused its attention on economic and business matters with no real link to internet technical concerns, ICANN has squandered its ability to speak with authority when someone stretches a technical standard.

Because of this history, ICANN is going to have an uphill effort to argue that ICANN has the moral or contractual authority to require that Verisign's SiteFinder be curtailed on technical grounds.  And because of our legal and economic preference for regulation by competition rather than regulation by fiat, ICANN's arguments based on the economic and business repercussions of SiteFinder can be countered by Verisign saying that the marketplace, rather than ICANN, ought to resolve those issues.

Therefore, it seems to me that ICANN may not possess a sufficiently strong lever to force Verisign to discontinue "SiteFinder".

But what about the US Department of Commerce?

The US Department of Commerce has never clearly established how or why it has authority over DNS.  Two reports by the General Accounting Office of the US Congress have suggested that the DoC is floating in the air without any clear foundation of authority.

Archimedes said he could move the world if he had the right place to stand.  By analogy, the US Department of Commerce may find itself powerless because it has never been able to demonstrate why, in our US Constitutional system of delegated and limited powers, it has any power to act.  (The lack of power in the DoC does not mean that there may not be power in some other part of the US Federal government, but in the absence of any such body picking up the sword in these matters, it may be premature at this time to burn a lot of pixels on that question.)

To make matters worse, ever since it first became involved in the internet, the US Department of Commerce has intentionally divested itself of authority by adopting the astoundingly stupid Reagan/Thatcher notion that government functions are best done by unaccountable private bodies.

This creates a situation in which Verisign might be able to defend itself against the DoC by confounding the issues with the question whether the DoC has any authority in these matters at all.  We ought to remember that time is on Verisign's side - with every tick of the clock and every delay caused by distracting maneuvers, Verisign's income increases.

Despite these questions of authority, there still exists the Cooperative Agreement - the one created more than a decade ago - through which Verisign derives its role over .com and .net.  The DoC, even if there are questions about its ultimate source of authority, is holding the contract and has several rights that it could exercise to direct the behavior of Verisign or even to terminate the contract and transfer .com and .net to another body.

But does the DoC have the guts to do this?  I'm not sure.  The DoC has always retreated when faced with acts that in some way could affect the stability of the internet - and there is no doubt that an involuntary transfer of .com and .net to another operator could have non-trivial repercussions.

The DoC has been operating largely through the intermediary of ICANN; it's going to take a strong and brave person in authority within the DoC to turn around that well established practice and to take firm grasp of the reins that the DoC has over Verisign by virtue of that oft-amended 1995 Cooperative Agreement.  Is there anyone in the DoC who is that strong?  I believe that there are such people at the DoC.  However, those who I know are not necessarily in NTIA's management chain.

Posted by karl at September 22, 2003 9:02 PM