Summary
- RIRs are private, member-linked institutions operating through contracts, corporate rules and community policy. Public administrative law does not automatically apply to them, and their technical expertise should not be replaced by a government hearing model.
- Their decisions can nevertheless have utility-like effects. An applicant cannot shop among RIRs for the same regional registration role, and a holder can depend on registry records, reverse DNS, certification and transfer services that counterparties recognise.
- Minimum fairness should attach to consequence rather than institutional label: intelligible notice, disclosed grounds, access to decisive evidence subject to justified redaction, a realistic response window, a reasoned decision, binding time limits, conflict rules and independent review able to preserve or restore the position.
- Existing RIR materials contain useful components but uneven coverage. ARIN publishes a request appeal after internal escalation; APNIC's agreement includes an Executive Council appeal against certain revocation notices; RIPE NCC maintains a scoped conflict process; AFRINIC's agreement provides a show-cause or cure period for specified termination action.
- No published procedure proves its value without outcome denominators. Registries should report decision time, further-information rounds, denial grounds, appeals, interim relief, reversals, remands and restoration, while protecting personal, security and commercially confidential material.
The private decision that feels public to the person receiving it
An organisation plans a new network. It has equipment, customers, staff and financing, but needs an address allocation or Autonomous System Number suited to its design. It submits information to the relevant regional Internet registry. A resource analyst asks for more evidence. Weeks later, the request is denied because staff believe a policy criterion is not met. The applicant may revise, escalate, appeal, redesign its network, obtain space through a provider or abandon the plan.
Legally, this is not the same as a ministry refusing a licence. The registry is generally a private corporation or membership association. The applicable rule may have been developed by an open technical community rather than enacted by a legislature. The relationship may be contractual. The staff member applies specialised policy to evidence about network need, organisational identity and technical coordination.
Functionally, however, the applicant experiences familiar features of administrative power. One institution occupies the recognised position for the region. It interprets rules that bind a large class. It can demand information, decide whether evidence is adequate, set conditions and issue a decision with practical consequences. There may be no equivalent provider that can issue the same recognised registration directly. Delay can decide the matter as effectively as an express refusal.
The same pattern appears after allocation. A registry can correct records, suspend services, deny a transfer, reject an account-control claim or begin revocation. Those actions do not directly switch off every route, but they can change signals used by providers, auditors, security teams and customers. The member may have signed an agreement, yet downstream reliance extends beyond the parties.
Calling this government would be inaccurate. Calling it an ordinary market transaction would also be incomplete. The useful concept is utility-like effect: not legal classification as a public utility, but a combination of recognised exclusivity, dependency, standardised rules and consequences that are difficult to replace quickly.
That effect supports a minimum procedural bargain. The registry retains private form, technical expertise and community policy. In return for the reliance created by its recognised role, it provides protections associated with sound decision-making: notice, a chance to answer, reasons, deadlines, conflict control and review. These protections are not ceremonial. They reduce factual error, expose inconsistent interpretation and make the institution's authority intelligible to the people who must live with it.
Why 1997 is a useful starting point
ARIN began operations in 1997 as the regional registry for its service area. That year is not the birth of Internet number administration, but it marks a mature institutional phase: a private non-profit registry applying community-developed policy, entering standard agreements, collecting fees and providing services at regional scale. Similar institutional development across the RIR system makes the period from 1997 to the present a useful frame for procedural accountability.
During that period, the scarcity and uses of number resources changed. IPv4 exhaustion increased the significance of transfers and legacy holdings. Public registration moved beyond a contact directory into an input for security and commercial checks. RPKI created a cryptographically verifiable service around route-origin authorisations. Registry accounts became control points for sensitive changes. Fraud detection and due diligence grew more demanding. A decision once framed as allocation administration can now affect valuable operating positions.
Institutional maturity also changed expectations. RFC 7020, published in 2013, describes registration accuracy, uniqueness and hierarchical allocation as central goals. It acknowledges that registry goals can conflict with the interests of users, service providers and other consumers, requiring careful judgment and cooperation through community-developed policy. The document also notes a historical change: the earlier possibility of taking a final assignment appeal to IANA had given way to appeal arrangements developed by RIR communities.
That shift placed more responsibility inside each regional institution. Local resolution can be faster, more expert and more responsive to regional policy. It also means that the registry system cannot point upward whenever an applicant questions a decision. If the final practical review is regional, its independence, reasons and remedy matter.
The period has produced more rules, portals and agreements, but publication alone is not procedural fairness. A person can read the rule and still not know which fact failed, which evidence was decisive, how long staff may take, who reviews an interpretation or whether a successful challenge will restore the lost position. Mature institutions need a decision architecture, not only a policy archive.
The standard proposed here is therefore evolutionary. It does not claim that registries acted without process for three decades. Each has developed forms of escalation, review and community accountability. The question is whether the protection is complete across consequential decision types and whether outsiders can verify that it works. Longevity increases the case for a common minimum because exceptions and informal practice accumulate with time.
Administrative law is an analogy, not a jurisdictional shortcut
Administrative law offers a vocabulary for disciplined power: lawful authority, relevant evidence, notice, hearing, reasons, consistency, proportionality, timeliness and review. Those ideas are useful because they address recurring decision failures. But transplanting a national statute wholesale into a private transnational registry would create new errors.
First, the source of authority differs. A government department often acts under legislation and public-law duties. An RIR acts through its constitution, agreements, community policy, board authority and recognised technical role. A reviewer must identify which source controls the decision rather than assume a public delegation.
Second, participation differs. Open policy communities can include operators, vendors, civil society and individuals across many countries. Membership elections and public consultations provide forms of legitimacy that do not resemble a national electorate. Their value should be preserved, while recognising that the applicant affected by a case still needs individual process.
Third, subject matter differs. Resource decisions require technical judgment about network plans, utilisation, identity, routing design and policy compliance. A rigid evidentiary code could slow decisions and reward parties with legal resources rather than technical merit. Procedure should make expertise accountable, not displace it.
Fourth, governing law differs across RIRs and agreements. A protection that is legally mandatory in one jurisdiction may be contractual or voluntary in another. The minimum can be expressed through corporate rules, service agreements and published procedure without pretending one court controls the entire system.
The analogy works at the level of failure prevention. Secret grounds produce unanswerable decisions in both public and private settings. Indefinite delay defeats both a licence applicant and a network applicant. Review by the original decision-maker's direct supervisor may correct mistakes, but it does not provide the same assurance as a conflict-checked body with authority to grant relief. Reasons improve consistency wherever power is exercised.
The proposed charter is consequently modest. It does not require trial-style discovery, oral hearings in every case, public disclosure of confidential business plans or a state judge before any service action. It requires enough process to let the affected party understand the case, correct material facts, receive a decision on time and obtain review that is not merely another look by the same chain of command.
This is administrative law without an administration: its disciplines detached from state identity and adapted to a private institution whose recognised role produces concentrated effects.
The decision life cycle, not the final letter
Procedural quality is often assessed by looking at the final denial or termination notice. By then, much of the outcome may have been determined. A complete model follows the decision from rule to remedy.
The first stage is rule clarity. The applicant should be able to identify the policy, agreement and procedure governing the request. Version and effective date matter. If staff guidance adds evidentiary expectations, those expectations should be public unless disclosure would undermine a legitimate fraud or security control. A rule cannot guide behaviour if its practical test is known only inside the registry.
The second stage is intake. The registry should confirm receipt, identify a case reference, state the ordinary timetable and name the secure communication channel. It should check whether the request is complete and provide a consolidated list of missing information where possible. Repeated small requests for evidence can extend a case without revealing what would satisfy the test.
The third stage is inquiry. Staff may need follow-up documents, identity verification or clarification of a network plan. Each request should connect the information to a policy criterion. The applicant should know whether a question is mandatory, optional or intended to resolve a concern. Confidentiality and retention terms should be clear.
The fourth stage is preliminary assessment. Before an adverse decision based on contestable facts, the registry should state the concern and allow a response. This is especially necessary where information came from a third party, an automated risk signal or an inference from inconsistent records. A person cannot correct an allegation never disclosed.
The fifth stage is decision. The notice should identify the authority, material facts, evidence accepted or rejected, policy interpretation, conclusion, consequence, effective date and review route. Reasons can be concise in routine cases, but they must be specific enough to explain why this request failed.
The sixth stage is review and interim protection. The reviewer needs the record, power to address factual and policy error, conflict safeguards and authority to preserve the position if delay would defeat the appeal. A review that can only recommend future improvement is not a remedy for the applicant.
The final stage is learning. Anonymised outcomes, statistics and corrected guidance should feed back into staff training and community policy. If many appeals expose the same ambiguous clause, the institution should not force each applicant to rediscover the ambiguity privately.
Notice must describe a case, not merely announce a consequence
Notice is sometimes reduced to delivery: an email was sent to the registered contact, therefore the party was heard. Delivery is necessary but not sufficient. A meaningful notice allows the recipient to understand what is proposed and what answer could matter.
For an incomplete application, the notice should identify the missing element and the policy criterion it serves. For suspected inconsistency, it should identify the conflicting facts. For nonpayment, it should state the invoice, amount, due date, cure date and staged consequences. For alleged misuse or false information, it should distinguish established fact from allegation and identify the evidence that can be disclosed.
Notice should also name the decision type. Is staff asking for clarification, proposing denial, suspending a discretionary service, terminating an agreement, correcting a record or revoking registration rights? These acts have different consequences and different review needs. Vague language such as "action may be taken" leaves the recipient unable to assess urgency.
The ARIN materials show the value of staged specificity in one context. The public page on resource revocation, returns and reinstatement explains fee-related consequences at 120 and 180 days past due: service and directory effects precede agreement termination and revocation. It also describes reinstatement and holding periods before reissue. A member can see that time is substantive, not a courtesy.
Contact design matters. Registries often rely on registered points of contact, for good reason: they need an authoritative channel. But organisations change staff, suffer account compromise and enter insolvency. A severe notice should use more than one verified channel where feasible and include an escalation route for a person who can prove authority but cannot access the portal. The registry should record delivery, bounce, access and acknowledgement without treating silence as proof that the message reached a responsible human.
Emergency action can precede full notice when advance warning would enable fraud, data destruction or security harm. The exception should be documented. The recipient should receive prompt post-action notice, the evidence that can safely be disclosed and rapid review. Emergency cannot become a label attached to ordinary delay or administrative convenience.
Good notice narrows disputes. It may show that the issue is a missing document rather than a policy disagreement. It may let staff correct a mistaken entity match before service changes. It gives the registry a cleaner record if enforcement becomes necessary. Precision benefits authority as much as defence.
The right to answer requires access to the decisive case
A response window is hollow if the registry withholds the point that needs answering. The affected party should receive the material facts and evidence on which an adverse decision is likely to turn, subject to specific and justified limits.
Evidence can include submitted documents, account history, public records, utilisation data, communications, third-party reports and internal analysis. The registry need not disclose every staff note. It should disclose the substance of adverse material: the entity match considered false, the usage calculation considered inadequate, the relationship considered unauthorised, or the policy clause interpreted against the request.
Redaction may be necessary. Personal data, confidential business information, security techniques, privileged advice and the identity of a protected reporter may require limits. The decision-maker should not use confidentiality as a complete answer. A summary can often state the allegation, period and conduct without exposing the source. A reviewer with appropriate safeguards may inspect unredacted material and assess whether the summary was fair.
The registry should distinguish evidence from policy interpretation. An applicant may agree on what happened but disagree about what a clause means. The final reasons should show which kind of dispute was decided. This distinction is critical on appeal: factual review may require new documents, while policy review may require consistency with community text and prior decisions.
Machine-assisted risk screening creates a further duty. If a tool flags identity, fraud or inconsistency, a human should examine the underlying signal before a severe action. The recipient should be told the substance of the concern and given a way to correct stale or mistaken data. Proprietary scoring cannot become an unreviewable secret ground.
The burden should remain proportionate. An applicant seeking scarce or sensitive resources can reasonably be asked to establish eligibility. Once the registry proposes an adverse action against an existing position, it should identify the evidence supporting that action. Procedure should not force a holder to prove a negative against unspecified suspicions.
Access to the decisive case improves security. Errors in identity and account control are themselves risks. A legitimate holder who can see the inconsistency may resolve it faster than an analyst working from incomplete records. The goal is not maximum disclosure; it is enough disclosure for an informed answer and a reliable decision.
A response window must fit the consequence
There is no universally correct number of days. A request for a missing certificate may justify a short deadline. A threatened revocation involving complex corporate succession, historical records or customers across several countries may require more time. The principle is proportionality between the response burden, urgency and consequence.
A published baseline reduces bargaining. Routine clarification might receive ten business days. A preliminary denial might receive fifteen. A proposed termination or revocation might receive thirty, absent fraud or security urgency. The exact periods can differ by registry, but the procedure should state them and permit reasoned extensions.
APNIC's Membership Agreement provides a concrete example of response and review architecture. It describes notices concerning breach, consideration of responses and an appeal to the Executive Council against a qualifying revocation notice, with the Council to consider the appeal within 30 days. The protection is meaningful because it names an organ and a time. Its limits also matter: the Council belongs to the institution's governance, and a deadline to consider is not necessarily a promise of independent interim relief.
AFRINIC's Registration Service Agreement contains a show-cause or cure period before specified termination action. That design recognises a basic truth: a breach allegation and a justified termination are not the same event. The quality of the protection depends on what evidence is supplied, how the response is assessed and whether reasons follow.
The clock should run from effective notice, not merely from the timestamp on a message that bounced or reached a disabled account. If the registry sends new decisive evidence late in the period, the recipient should receive time to answer it. If staff delay for months and then demand a response in days, claimed urgency deserves scrutiny.
Extensions should not be arbitrary. The applicant can identify missing documents, cross-border retrieval, illness, organisational change or settlement discussions. The registry can consider service risk and prior delay. Grant or refusal should be recorded. A short extension can prevent a mistaken severe decision; an unlimited extension can prejudice other applicants or preserve risk. Reasons discipline both.
Most of all, the response should reach a person empowered to change the preliminary view. A mailbox that collects submissions after the effective decision is not a hearing. Staff should confirm what was considered and address material points in the final reasons.
Reasons are the institution's proof of work
A reasoned decision does more than comfort the losing party. It demonstrates that the registry identified the correct authority, considered relevant evidence, applied a consistent interpretation and connected the consequence to the finding. Without reasons, review becomes speculation.
The minimum decision should state seven things: the question; governing policy, agreement or procedure; material facts; disputed facts; assessment of key submissions; conclusion; and remedy or review route. A routine approval can be brief. A denial, suspension, record correction or revocation needs enough detail to let another informed person test the path.
Reasons should avoid formula. "Limited public evidence justification" does not explain which element is limited public evidence. "Policy requirements not met" does not identify the requirement. "Security concerns" may protect sensitive detail, but should still identify the class of risk and why a less severe measure was inadequate. A decision can be concise without being opaque.
Reasons also protect staff. Resource analysts make difficult judgments under incomplete information. A written record shows what they knew at the time and prevents later critics from attributing a motive unsupported by the case. Supervisors can identify training needs. Community entities can distinguish a bad rule from a bad application.
Consistency requires access to prior reasoning. Full publication may expose confidential network plans, but registries can release anonymised or synthesised decisions. A digest can state the policy question, relevant facts, outcome and review result. Over time, applicants learn what evidence meets a criterion, and staff are less likely to create divergent local practices.
Publication should not harden policy through hidden precedent. Community-developed policy remains the rule. Decision digests explain application and should identify when an issue requires policy clarification. A reviewer should not invent a new substantive eligibility test and then treat it as settled because several private letters repeated it.
The discipline of reasons is especially valuable where staff discretion is broad. Expertise often works through tacit judgment: an experienced analyst recognises an implausible plan or inconsistent history. Writing reasons forces that intuition into testable propositions. Sometimes the intuition survives. Sometimes it reveals reliance on an irrelevant factor or a stereotype about a new entrant, small network or unfamiliar jurisdiction.
An institution that can explain its decisions earns deference. One that insists on trust while withholding grounds consumes legitimacy with every adverse case.
Deadlines bind the decision-maker too
Procedures often impose strict deadlines on applicants but describe registry timing as typical, indicative or as soon as practical. That asymmetry can turn delay into unreviewable power. A network deployment, financing condition or customer contract may expire while a request remains open.
ARIN's public request guide says a resource analyst typically reviews a submission within two business days and will approve it or request more information. This is useful service information. It is not the same as a binding final decision period, especially where several rounds of questions follow.
A fair timetable separates stages. The registry should set targets for completeness review, substantive inquiry, preliminary assessment, final decision and appeal. The clock may pause while the applicant owes specified information, but the case record should show when and why. A new question should not reset the entire period without explanation.
Complexity can justify extension. The decision-maker should issue a notice before the deadline stating the unresolved issue, work completed, remaining step and new date. Senior approval may be required after a threshold. Very old cases should receive independent case management rather than disappear into correspondence.
There must also be a consequence for institutional delay. Automatic approval may be unsafe for number resources and fraud controls. Better remedies include escalation to a senior reviewer, fee credit, deemed eligibility for independent review, preservation of queue position, or an order to decide by a fixed date. Where a transfer or time-sensitive opportunity is lost, the reviewer should have authority to fashion restorative relief if possible.
Public metrics are indispensable. Median time hides the tail; registries should publish distributions by case type, including the 50th, 90th and 95th percentiles, paused days and the number of information rounds. They should identify cases exceeding the standard and give reason categories. Comparison should account for complexity rather than reward superficial speed.
Deadlines also improve policy. If one criterion repeatedly produces long inquiries, the community can ask whether evidence expectations are unclear or disproportionate. If one region or applicant class experiences longer cases, the institution can examine language, staffing and verification design. Timeliness is not merely customer service; it is equal treatment over time.
ARIN's appeal path: a useful structure with visible edges
The ARIN Appeal Process version 3.0, dated 19 May 2025, offers a clear case study. It allows an organisation to appeal an ARIN decision on a number-resource request where it believes staff did not follow community-established policy and procedure. The process applies after escalation through Registration Services, the department director and the Chief Experience Officer. The registered Administrative Point of Contact must initiate the appeal within 30 business days after the final escalation denial.
Several features are strong. The procedure is public. It identifies eligible decisions and applicants. It fixes a filing period. It states that review uses the policies and procedures in force when the request was denied. It requires the original request reference, connecting review to a record rather than restarting the application informally.
The visible edges are equally instructive. The procedure is framed around resource-request decisions. A reader should not assume that every suspension, transfer, account-control, fee, fraud or directory dispute falls within the same path. Exhaustion through senior internal management can correct errors, but it also consumes time before a distinct review begins. A filing right held by the registered Admin POC may be difficult where account authority itself is disputed.
The published page also says ARIN reserves the right to modify, suspend or remove the process. That reservation may be legally effective, but legitimacy favours stability. A review protection should not disappear during the type of controversy for which it matters. Material changes should receive board approval, community notice, prospective effect and transition for pending cases.
ARIN's Registration Services Agreement provides the contractual setting around services, duties, termination and disputes. The appeal page and agreement should be read together, while resisting the assumption that a contract clause answers every procedural question. Applicants need one map showing which route applies to which decision, whether filing stays action, who decides, what record is reviewed and what relief is available.
This is not criticism of having internal escalation. Early review by experienced managers can be fast and effective. The design question is whether an applicant eventually reaches a reviewer with sufficient distance and authority. ARIN could strengthen public confidence by reporting anonymised counts: initial denials, management reversals, formal appeals, time to result, grounds and remedies. Without denominators, users know the door exists but not whether it opens.
Internal review is valuable, but independence needs structure
Independence is not a binary choice between staff and a national court. It is a set of safeguards: distance from the initial decision, absence of conflicts, secure tenure for the case, access to the full record, authority to disagree and reasons that can be scrutinised.
An internal manager has advantages. The manager understands policy, systems and operational constraints. They can correct a mistake quickly and coach staff. Internal escalation should remain the first route for many cases. Its limitation is institutional alignment: the reviewer may supervise the original decision-maker, share performance goals or have participated in developing the contested practice.
A board or executive council adds governance authority and may include elected members. APNIC's revocation appeal to its Executive Council gives the member access to a body beyond ordinary staff. Yet the council governs the same organisation and may have approved relevant policy or received advice on the dispute. Conflict declarations and recusals should be explicit. The member should know who participated and whether the council can stay the notice.
A standing panel can provide greater distance. Panel members should be selected through an open process, approved by the membership or another plural body, serve fixed terms and disclose interests. The panel should include technical, legal and user perspectives without allowing any constituency to control outcomes. Remuneration should not depend on affirming registry decisions.
RIPE NCC's Conflict Arbitration Procedure illustrates a developed panel model. The published procedure defines scope for specified disputes and request evaluations, identifies initial timing and explains that the process is informal rather than arbitration under Dutch civil procedure. Parties retain access to competent national courts. These details make the nature and limit of the forum visible.
Scope remains crucial. A panel cannot be called independent review for the whole institution if important decision classes are excluded. The registry should publish a review matrix: decision type, first reviewer, independent route, filing period, stay rule, standard of review, permitted evidence and available relief. Gaps should be deliberate and explained.
External courts remain necessary for legal rights, but they are not a practical first appeal for every applicant. Cost, jurisdiction and delay can make judicial review inaccessible. A credible private panel can resolve most cases while preserving court access for contractual, corporate or mandatory-law questions.
Review must be capable of changing reality
A procedure can be fair on paper and useless in operation if the consequence occurs before review. A denied allocation may be preserved for reconsideration. A revoked and reissued resource, expired transfer or withdrawn certification position may be harder to restore. Effective review begins with interim relief.
Filing should not automatically freeze every decision. A bad-faith appeal could preserve fraud, security risk or nonpayment indefinitely. The affected party should be able to request a stay under published factors: arguable error, risk of irreparable effect, impact on other applicants and users, security, public interest, delay by each side and availability of conditions.
Conditions can preserve balance. Fees may be placed in escrow. Transfer rights may be frozen while registration remains. Contact data may be updated without deciding beneficial control. A certificate action may be limited while a key-compromise concern is investigated. The reviewer should give a short reason for granting or refusing interim protection.
The final reviewer needs a range of remedies. It may affirm, reverse, vary, remand with directions, require a new decision-maker, restore a deadline, preserve queue position, correct a record or order service restoration. A declaration that staff erred is inadequate if the applicant has already lost the only available opportunity.
Restoration should be operationally planned. The registry should know how to reverse a directory change, re-enable account access, correct an inaccurate status and notify counterparties. Some acts cannot be fully undone. That reality argues for cautious interim design, not for denying review.
The standard of review should be clear. The panel may examine policy interpretation afresh while giving weight to technical expertise; review factual findings for evidentiary support; and review discretionary consequence for reasonableness and proportionality. Calling everything discretion makes review empty. Replacing every expert judgment with the panel's preference makes first-instance expertise pointless.
Reasons on review should address the decisive grounds and state any broader recommendation separately. If the panel identifies ambiguous policy, it can refer the issue to the community without delaying relief in the case. Individual justice and general rulemaking are connected but distinct.
The institution should track compliance with review outcomes. A reversal is not complete when the letter is issued; it is complete when the record, service or application position is restored and the affected party is told what changed.
Procedure must work for the small applicant
Formal rights can favour organisations with lawyers, consultants and long experience in registry forums. A small network, community provider, university or new entrant may struggle to identify the correct policy, produce unfamiliar corporate documents or frame an appeal within technical vocabulary. Equal procedure requires usable access.
Every registry should publish a plain-language decision guide alongside the authoritative rules. It should explain stages, evidence examples, confidentiality, ordinary times, extension rights and review. Examples must be illustrative rather than hidden requirements. Assistance staff should help a person understand the process without advocating for approval.
Language access matters across multinational service regions. A decisive notice should be understandable to the recipient, with translated guidance and a way to clarify authoritative terms. Requiring legal-quality English from every applicant can produce unequal outcomes unrelated to technical eligibility.
Fees and representation also matter. Internal and panel review should be free or low-cost for ordinary cases. A party should be allowed representation but not required to retain counsel. Written review should be the default, with a remote oral session where credibility, complexity or accessibility justifies it.
Identity verification must accommodate different legal systems. Corporate registers, public documents and naming conventions vary. Staff should explain acceptable alternatives and escalate unfamiliar evidence to specialists rather than equate unfamiliarity with risk. Enhanced checks can be justified by specific concerns; they should not become a geographic presumption.
The registry should measure abandonment. How many applicants stop responding after repeated information requests? How many fail because the authorised contact changed? How many miss appeal dates? These are not all registry errors, but patterns can reveal procedural barriers. User research with unsuccessful applicants is as valuable as satisfaction surveys of members who received resources.
Small applicants also need protection against retaliation in community spaces. Challenging a decision should not impair later service or reputation. Case confidentiality should be maintained, and public discussion should use anonymised facts unless the applicant chooses disclosure or law requires it.
A process that only experts can navigate does not become fair because the rules are online. Utility-like effect is most acute for those with the fewest substitutes and least institutional knowledge. Usability is therefore part of legitimacy, not an optional service feature.
Confidentiality and transparency can coexist
Registry cases can contain network diagrams, customer forecasts, security incidents, personal identity documents, pricing, corporate ownership and abuse reports. Full public hearings would deter candour and create risk. Complete secrecy, however, prevents consistency checks and lets unsupported practices grow.
The solution is layered records. The parties receive the case material needed to answer, subject to justified redaction. The reviewer receives the complete record under confidentiality safeguards. The public receives anonymised decisions and aggregate data. The policy community receives recurring interpretive issues stripped of case identifiers.
Redaction should have a reason code and reviewer. "Confidential" is a conclusion, not an explanation. The institution should distinguish personal privacy, third-party commercial confidence, security sensitivity, privilege and protected reporting. Each category may support a different summary and duration.
Anonymisation must account for small communities. Removing a company name may not conceal a distinctive resource request or country. Publication can delay until sensitivity falls, combine similar cases or present a synthesised digest. The aim is to show reasoning without exposing applicants.
Aggregate reporting should include denominators, not celebratory anecdotes. Registries should publish applications by type, completeness outcomes, information rounds, approval and denial, decision times, appeals, interim requests, reversals, remands and restoration. They should explain category changes so year-to-year comparison remains valid.
Outcome data also protect institutional independence. If a panel never reverses staff, the explanation may be excellent first-instance quality, narrow jurisdiction, inaccessible filing or excessive deference. If it reverses frequently, policy or training may be weak. Numbers trigger questions; they do not answer them alone.
Transparency should extend to reviewer selection. Names, qualifications, terms, appointment route, conflicts policy and recusal statistics should be public. Case-specific conflicts can be disclosed to parties even where the case remains private. A panel that operates behind a generic title cannot generate confidence merely by being labelled independent.
The wider technical community benefits from this balance. Public reasoning clarifies policy. Confidential evidence remains protected. Applicants learn what the institution expects. Boards can supervise fairness without reading every file. Transparency becomes a system for improving decisions rather than a demand to expose sensitive material.
Emergency action needs stronger review, not permanent exemption
Registries face real emergencies: compromised credentials, fraudulent transfer attempts, false identity documents, active security incidents, court directions and threats to signing systems. Advance notice may enable harm. A fair procedure must permit immediate protective action.
The emergency power should be defined by trigger and consequence. The decision-maker should identify the risk, evidence, action, duration and why ordinary notice would be unsafe. The action should preserve rather than redistribute where possible: lock an account, pause a transfer, restrict privileged changes or preserve logs. Permanent reallocation or public accusation rarely belongs in the first hours.
Authorisation should be senior and recorded. Two-person approval can reduce error for severe actions. If the concern involves the ordinary chain of command, an alternate authority should exist. Staff should not improvise emergency power from a broad contractual clause when a tailored policy can define it.
Post-action process must be rapid. The affected party should receive notice as soon as the risk permits, with the substance of the concern, evidence that can be disclosed and instructions for review. An independent reviewer should examine the measure within a fixed short period even if the party cannot file immediately. Continued restriction should require renewed reasons.
Emergency cases need an expiry. A temporary lock should not become an indefinite adverse status because the investigation moved slowly. The registry can apply for extension by showing ongoing necessity and work completed. The reviewer can impose conditions and narrower scope.
After closure, the registry should assess error and collateral effect. Was the identity match accurate? Did the lock affect unrelated services? Did communication reach the holder? How long did restoration take? Aggregate emergency statistics should be reported separately, since combining them with ordinary cases hides risk.
This model protects security better than a broad exemption. Staff can act decisively because authority is clear. Legitimate holders receive a fast correction path. Bad actors cannot exploit ordinary notice to complete a transfer. The institution develops evidence about which emergency controls work.
Fairness does not mean hesitation in every crisis. It means that urgency changes the sequence of notice and hearing, not the duty to justify, review and end the action.
Community governance and individual fairness perform different jobs
RIRs often defend legitimacy by pointing to open policy development, member elections, public meetings and consultation. Those mechanisms are real strengths. They allow technical rules to evolve across borders with participation by people who operate networks. They should not be discounted simply because they differ from legislation.
Collective governance answers what the general rule should be and who oversees the institution. Individual procedure answers whether that rule was correctly and fairly applied to a particular applicant. A well-attended policy meeting does not let a holder correct a mistaken identity match. A perfect hearing cannot cure a policy that the community never authorised.
The two systems should communicate. Review decisions can identify recurring ambiguity and refer it to the policy community. Policy changes can specify transition for pending cases. Boards can supervise processing times and reviewer independence without directing outcomes. Members can approve the review charter and budget.
ICP-2 offers relevant institutional benchmarks, including neutrality, impartiality, openness, documented procedures, technical capability and community support. It is not an adjudication code, but its values point toward reliable case procedure. Recognition should not be treated as a one-time certificate that answers later questions. Continuing fitness includes the ability to make consequential decisions transparently and correct errors.
Community participation has representation limits. Downstream users, small applicants and organisations denied membership may have little influence in elections. Attendance requires time, language access and technical familiarity. Individual rights should not depend on political success within the community.
Conversely, a reviewer should not rewrite community policy case by case. If the policy produces an undesirable result but staff applied it correctly, the reviewer can state that fact and refer reform. Relief must remain within the authority granted by the review charter and governing agreement.
Legitimacy is strongest when each mechanism does its own work. The community writes clear policy. Staff apply it with reasons. The affected party can answer. An independent body corrects error. The board publishes performance and protects institutional capacity. Courts remain available for legal disputes. No single mechanism carries the whole burden.
A minimum procedural charter
Every RIR could adopt a common charter while preserving regional detail. The following protections are minimums, not a complete code.
- Published authority. Every consequential decision cites the current policy, agreement, corporate power or procedure that authorises it, with version and effective date.
- Case acknowledgement. The registry confirms receipt, case reference, responsible unit, secure channel and ordinary timetable.
- Consolidated completeness review. Missing material is identified together where reasonably possible and connected to the criterion it serves.
- Specific adverse notice. Before a contestable adverse action, the party receives the proposed decision, material grounds, likely consequence and effective date.
- Access to decisive evidence. Adverse material is disclosed or fairly summarised; redactions are justified and reviewable.
- Proportionate response time. Published baselines reflect complexity and consequence, with reasoned extension and emergency exceptions.
- Human assessment. Severe action is not based solely on an unexplained automated or third-party signal.
- Reasoned decision. The institution states authority, facts, submissions, interpretation, conclusion and review route.
- Institutional deadlines. The registry and reviewer have stage-specific time limits, transparent pauses and escalation for overdue cases.
- Conflict control. Decision-makers and reviewers disclose interests, recuse where necessary and use an alternate appointment route.
- Independent review. A body outside the original management chain can examine decisive facts and policy application.
- Interim relief. The reviewer can preserve a position under published factors and tailored conditions.
- Effective remedy. Review can reverse, vary, remand, restore, correct and preserve queue or service position where possible.
- Accessible participation. Plain guidance, language support, remote written process and low-cost filing make rights usable.
- Layered transparency. Parties receive the case, reviewers receive the full record, and the public receives anonymised reasoning and denominators.
- No retaliatory effect. A good-faith challenge does not prejudice later service or community participation.
The charter should be incorporated into stable governance, not left as a discretionary web page. Material weakening should require notice, reasons, member or board approval as appropriate, and prospective transition. Pending cases should retain the protection in force when the adverse decision was issued unless a later change benefits the affected party.
Regional procedures can exceed the minimum. One RIR may use a member-approved panel; another may contract with external neutrals; a third may combine board review with judicial access. The test is functional: can the person understand, answer and challenge the decision before the consequence becomes irreversible?
Measuring whether the charter works
Adoption is the beginning. A registry can publish excellent rules while informal delay, narrow eligibility or weak remedies make them ineffective. Measurement should follow the case life cycle.
At intake, report submissions, incomplete cases, time to completeness decision and abandonment. During inquiry, report the number of further-information rounds and paused days. At decision, report approval, denial, withdrawal and reason categories. For adverse action, report notice periods, emergency use and whether action occurred before review.
At appeal, report eligible cases, filings, rejected filings, interim requests, stays, time to decision, affirmation, variation, reversal and remand. Report implementation time for relief. Distinguish internal management corrections from independent outcomes. Publish rates with raw counts so small numbers are not misleading.
Quality review should sample reasons for specificity, evidence connection and consistency. Independent auditors can inspect confidential files under safeguards and report themes. User interviews should include successful applicants, denied applicants, people who abandoned cases and staff. Metrics should be disaggregated carefully by case type and, where privacy allows, language, organisation size and geography.
Targets must avoid perverse incentives. A demand for faster closure can increase premature denials. A target for low reversal can make reviewers deferential. Balanced measures should consider accuracy, timeliness, user understanding, correction and security. Staff should not be punished merely because a difficult case produced a good-faith reversal.
The board and membership should receive an annual fairness report. It should identify policy ambiguities, capacity constraints, recurrent evidence problems, overdue cases and planned corrections. Reviewer recommendations should be tracked to completion or answered with reasons.
Cross-RIR comparison can accelerate learning, but rankings require caution. Different policies, resource pools and case mixes affect results. The useful comparison is procedural: which institution publishes denominators, decides interim requests quickly, corrects errors and makes its scope clear?
The most revealing number may be restoration time. An institution demonstrates accountability not by claiming that errors never occur, but by finding and correcting them before avoidable harm becomes permanent.
Objections from efficiency, contract and expertise
The efficiency objection says these safeguards will slow allocation and divert member fees to lawyers. Poorly designed formality could do that. The charter avoids trial procedure for routine cases. Clear completeness checks, preliminary notice and internal correction often reduce repeated correspondence and litigation. Independent review can be reserved for consequential disputes while remaining genuinely available.
The contract objection says applicants accepted the terms. Consent matters, but standard terms do not answer whether staff identified the correct party, applied the current policy or acted within the agreement. A review clause also improves the contract by providing a lower-cost way to resolve disagreement. Where a registry position is difficult to substitute, formal acceptance should not carry the entire legitimacy burden.
The expertise objection says external reviewers will second-guess engineers. Review should respect technical judgment while testing evidence and authority. Panels can include technical expertise, commission neutral advice and distinguish policy interpretation from engineering fact. Expertise earns weight through explanation; it should not create immunity from reasons.
The confidentiality objection says evidence cannot be disclosed. Some material cannot be public and some cannot be shared fully with the party. Summaries, protected review, redaction and delayed publication can preserve both fairness and security. Withholding everything is rarely the only safe option.
The anti-fraud objection says notice teaches evasion. Emergency powers answer that risk. Immediate locks and confidential investigation can precede notice where necessary, followed by rapid independent review. Defined emergency authority is stronger than improvised secrecy.
The community objection says open policy already supplies legitimacy. It supplies rulemaking legitimacy, not case-level accuracy. Collective and individual accountability are complements.
The fragmentation objection says five regional procedures will create inconsistency. A common minimum reduces fragmentation while allowing governing-law and institutional differences. The same concepts can be implemented through different legal forms.
None of these answers claims procedure is free. The cost should be compared with mistaken denial, prolonged uncertainty, avoidable litigation, loss of member trust and technically disruptive correction. An institution with utility-like effects cannot measure efficiency only by staff minutes per case.
Legitimacy begins where discretion becomes explainable
The Internet numbers system depends on specialised private institutions. That design has advantages: regional knowledge, technical participation, adaptable policy and distance from direct government allocation. The case for procedural protection is not an argument against that model. It is a way to sustain it under greater dependence and scrutiny.
ARIN's public appeal structure, APNIC's contractual review, RIPE NCC's panel procedure and AFRINIC's show-cause language show that the core ideas are already native to registry governance. The task is to make coverage complete, independence credible, timing reciprocal and outcomes measurable. No institution should have to become a government department to explain why it said no.
The standard is practical. Tell the applicant which rule and fact matter. Show the adverse case, subject to justified protection. Allow enough time to answer. Decide by a date that binds the registry as well as the applicant. Give reasons. Provide a reviewer outside the original chain. Preserve the position when later success would otherwise be meaningless. Correct the record and report what the institution learned.
These requirements also protect registries from exaggerated claims. A reasoned record can show that staff followed community policy, considered evidence and chose a proportionate consequence. Independent affirmation carries more authority than repeated institutional assurance. Aggregate reporting can distinguish rare severe disputes from ordinary service.
Private status is not a procedural void. Contract is not a complete constitution. Community participation is not an individual hearing. Technical expertise is not a reason to avoid explanation. Each element contributes something, and the minimum charter connects them.
Administrative law without an administration is therefore not a contradiction. It is a recognition that the disciplines of fair decision-making respond to power and dependency, not only to the name on the office door. A registry that asks the world to rely on its records should be prepared to show, case by case, how consequential decisions were reached and how errors can be put right.

