Recent events in Ukraine have spotlighted some fundamental questions about Internet governance and the use of state-imposed sanctions. This post frames the discussion in reference to one of the Internet's most enduring maxims.
"Be conservative in what you do, be liberal in what you accept from others"
The robustness principle, also known as Postel’s Law (after the pioneering computer scientist Jon Postel) is probably familiar to everyone in the Internet technical community. Originally formulated in some of the early RFC documents, it was a guiding principle for Postel and his colleagues and while it’s come under some criticism in recent years, it’s a principle that’s baked into the Internet at its most fundamental level.
At that fundamental level, the robustness principle means connection - the approach it defines has been key to facilitating connection and interoperability. In a large, complex and evolving system, the robustness principle helps ensure the necessary degree of resilience and tolerance.
Connection is what the Internet is good at - so good, in fact, that it has grown with a scale and speed arguably unparalleled by any other human invention. Along the way, the structures and processes of the Internet technical community (including the global registry system, the Internet Engineering Task Force, and ICANN and its management of the DNS) have evolved with a focus on facilitating new connections, minimising friction, and integrating new approaches, platforms and technologies.
The robustness principle has served as an important normative framework in all this; but it also serves as a warning about the fragility of connection. It warns that a careless attitude to your own actions, or a dogmatic rigidity in what you’re willing to accept from others, jeopardises the very mechanisms that facilitate interconnection. That’s true of technical standards and protocols, but it can apply equally to the structures and processes that we have developed to govern and administer connection.
That’s why disconnecting people or networks is a very different, and far more challenging, proposition. Yes, there are examples of multistakeholder processes for removing or preventing participation - a current example under discussion might be the root server operators’ proposed governance system, which would allow for the removal of a root server operator. But the complex and lengthy discussions around these kinds of policies reinforce just how difficult and risk-laden such actions are.
In recent weeks, the Russian invasion of Ukraine has raised some challenging questions for our Internet governance systems. As people in Ukraine have looked to defend themselves, and their supporters around the world have considered how to help, it’s little surprise that the Internet - now such a central part of our social and economic structures, and potentially a vector for additional aggression - would be seen as a potential lever. In that context, the Ukrainian government sent requests to the RIPE NCC and ICANN, asking them to make changes in their registries to hamper Russian networks (in the case of the RIPE NCC, by de-registering the IP resources of Russian-registered entities).
Both the RIPE NCC and ICANN have responded publicly to the Ukrainian government, and neither organisation was willing to comply with the requests. The fuller explanations provided by each organisation are worth reading, and provide more detail on the specific reasons why these are not actions either organisation can take unilaterally. But at the root of each decision is a larger reality, which is that politically-driven changes to the Internet’s core registries (such as the RIRs or the DNS) present a significant risk to the global Internet itself - even if the underlying political positions have very broad support.
This is an argument that the RIPE NCC has been making for some time now in a slightly different context: that of state-imposed sanctions.
The challenge posed by state sanctions as applied to Internet administrative organisations is something that the RIPE NCC has been navigating for some years now. You can read a number of documents - here, here, here - that detail the steps we’ve taken to ensure compliance with sanctions developed at the EU level and enforced by the Dutch government.
Beyond compliance, however, there is the slow-burning question: could this be better? Debate has flared recently over measures that Internet operators might take to disconnect specific networks in support of their Ukrainian peers (and particularly about the wisdom of doing so). The one point around which there seems to be a degree of consensus, though, is this: state sanctions regimes in their current form are a blunt instrument, and when applied to the Internet’s core functions, they are not only of limited effect, but actually jeopardise the structures and processes upon which our global Internet relies.
That it should take such a catastrophic event to draw out this consensus is regrettable, if not surprising - sometimes it takes a crisis to achieve a moment of clarity. But there is scope now to ask, “What next?”.
Here it’s important to note that the Internet is not inherently special. In deploying sanctions, governments have always grappled with the impact that such measures can have on food and medical supplies, public infrastructure, and traditional communication mechanisms. The complexity of modern supply chains can mean that the impact on such essential goods and services is often just as unpredictable as when sanctions are applied to Internet services and networks. However, unlike more traditional “essentials”, Internet services are often not included in the exemptions built into sanctions.
With the collective focus of the global Internet technical community, governments around the world, and other stakeholders now focused on the impact that a far-reaching sanctions approach can have, this may be an important moment to consider how we might mitigate the risks posed to the global Internet. Employing a focused, multistakeholder process, able to produce clear, coherent recommendations, based on a commonly understood framework, could help governments to achieve their policy ends, while protecting the core functions of the Internet. As a global community, we have various tools at our disposal, including the Internet Governance Forum, and I hope that we will be able to apply these tools and methodologies to this challenge.
The robustness principle, that mainstay of the Internet’s technical development, can help us find the best path in this situation as well: sanctions are an immensely powerful tool, and as such, the governments who wield them should do so conservatively. A globally connected Internet may require that we accept that there are some levers we should not pull, no matter the moral force of the argument. A clearer approach, allowing for exemptions in relation to the Internet’s core functions, may be vital to maintaining the Internet’s global connection, now and in the future.
I would welcome any thoughts or suggestions in the comments below, and I hope that the RIPE NCC will be able to help drive progress in this space. I would also recommend readers refer to the archive of the RIPE Cooperation Working Group remote session on Internet connectivity and sanctions, and encourage you to continue the discussion on that working group's mailing list.