The vulnerable object is not an election speech, a communique, a lawsuit headline or a public-policy slogan. It is a line in a registry ledger. One IPv4 block has a holder name, an organisation identifier, contacts, status fields, maintainer references, reverse-DNS delegation, routing-security consequences, transfer history, fee status, dispute context and enough institutional recognition to be treated by buyers, lessors, lenders, customers and courts as the current public record of control. The line may look clerical. It is not. It can be altered, regularised, frozen, transferred, certified, questioned, restored or placed under review. Each verb has a market consequence.
Imagine a scarce AFRINIC-administered /16 that has become part of a hosting provider's balance sheet and customer base. A buyer asks for the transfer chain. A lender asks whether the registry record is clean. A customer asks whether routing will continue. An abuse desk asks which contact is accountable. A routing team asks whether ROAs, route objects and reverse-DNS records will survive a change of corporate control. A court asks what the last verified state was before a dispute began.
The registry officer handling the file sees a ticket, documents, portal credentials, an old holder record, an ownership story and a proposed update. The economic question is simple: who may touch the record, under what authority, with what evidence, with whose second approval, under what conflict declaration, with what public trace and under what later review? If those questions are answered by habit, personality or private escalation, the registry has converted public trust into an influence market. If they are answered by controls, the record can remain usable even when the institution around it is under pressure.
That is the scene in which corruption risk becomes infrastructure risk. The danger is not only a crude bribe passed across a desk. It is a staff insider who knows which dormant organisations have weak records. It is a consultant or broker who knows which procedural gap can be exploited. It is a board ally who can push a policy interpretation that changes value. It is a candidate slate that can inherit control after a weakly verified election. It is a receiver-era decision made for continuity but lacking a public chain of authority. It is a transfer whose paperwork is correct enough to pass but not transparent enough to reassure the market. It is a power of attorney that appears at a voting desk or in a registry file without the affected member understanding how it got there.
AFRINIC matters because all these risks are no longer theoretical. Public reporting has described allegations of historical manipulation of African IPv4 records, later institutional efforts to repair or police resource use, a major dispute with Cloud Innovation, court processes in Mauritius, bank freezes, receivership, failed or annulled election attempts, disputes about powers of attorney, efforts to rebuild a board and continuing fights over the registry's authority. Some claims are allegations. Some are reported procedural events. Some matters have been before courts. Some remain contested. The corruption-control question does not require turning every allegation into a verdict. It requires recognising that a registry holding scarce, valuable and operationally embedded records cannot rely on institutional virtue.
The institutional economics are colder than the rhetoric. IPv4 scarcity turned registry records into market infrastructure. A registry that can alter recognition, pause a transfer, accept a signer, certify a route-origin assertion, publish or withdraw contact data, or define a dispute state sits at a gate between running networks and capital value. If that gate is opaque, market participants add a risk premium. If the gate is auditable, separated, dual-controlled and evidenced, the premium falls. AFRINIC is therefore a test case for a broader proposition: anti-corruption controls are not administrative housekeeping around the registry. They are part of the price, liquidity and legitimacy of the number-resource market itself.
The record is where corruption risk enters
Corruption in a registry is best understood as the unauthorised conversion of registry discretion into private advantage. That definition is wider than criminal bribery and narrower than general dysfunction. It asks what power can change the recognised state of a valuable record, and whether that power can be exercised without a reliable trail. A person who can move a holder name, approve a transfer, suppress a dispute, alter contact authority, regularise an old inconsistency or delay a rival's transaction can affect value even if no money is seen changing hands.
This separates corruption-risk controls from three related institutional problems in AFRINIC's recent history. Due process asks what notice, reasons, cure and appeal a holder should receive after an adverse registry decision. Dispute resolution asks which forum should decide contested claims and how remedies should isolate the conflict. Receiver continuity asks how the registry keeps operating when ordinary governance has failed. Corruption-risk controls ask a different prior question: how does the institution prevent the record, the forum, the election and the emergency backstop from being quietly bent by insiders or organised outsiders before anyone reaches an appeal?
The answer begins with state changes. A registry file has many states. A block may be active, reserved, under review, in transfer, disputed, frozen, reclaimed, returned, certified for RPKI, delegated for reverse DNS or linked to a particular organisation and set of contacts. Each state should have a defined source of authority. A payment receipt should not authorise a transfer. A board resolution should not silently rewrite a technical record. A staff ticket should not override a court restraint. A power of attorney should not become a blank cheque for unrelated registry actions. A receiver's preservation mandate should not be stretched into a permanent value-allocation policy without a separate authority trail.
State-change control is also where public and private evidence meet. Some material cannot be exposed in full: identity documents, credentials, privileged legal communications, security evidence, abuse reports and fraud indicators may require redaction. Yet the existence of the control can be public. The market does not need every passport scan. It does need to know that the identity was checked by someone independent of the requester, that the staff member had no recorded conflict, that a second approval was logged, that the change was time-stamped, that the prior state is recoverable, and that a disputed change can be isolated without erasing evidence.
In ordinary associations, such controls might look like internal governance hygiene. In a post-exhaustion registry, they are economic infrastructure. The holder of a large IPv4 block cannot tell a customer or lender that the record is safe merely because a registry says it acts with integrity. The holder needs to rely on a system in which improper alteration is difficult, detectable and reversible. A registry that cannot supply that confidence becomes a source of risk rather than a reducer of risk.
AFRINIC's public history shows why this matters. The institution has been described as boardless for long periods, subject to receivership, exposed to litigation, and challenged over elections and member authority. Those conditions do not prove corruption in any given act. They do lower the market's tolerance for undocumented discretion. When an institution is under stress, corruption risk rises not only because people become dishonest, but because normal controls become easier to bypass in the name of urgency, legal strategy, factional pressure or institutional survival.
The first discipline, then, is to name the object. The object is not "community trust" in the abstract. It is the custody of authority over scarce-number records. Once the object is named, the control design becomes less theatrical. The relevant questions become operational: who had the key, who checked the file, who saw the conflict, who approved the exception, who preserved the old state, who can reconstruct the change and who can challenge it without losing service continuity while the challenge is heard?
Scarcity made discretion valuable
The pre-scarcity registry model was built for a lower-value world. A regional internet registry distributed unique numbers, maintained registration data and supported coordination among networks. The service mattered, but many decisions could plausibly be treated as administrative. IPv4 exhaustion changed the object under administration. Addresses became scarce, priced, leased, traded, financed and litigated. The registry did not become a bank, a land office or a securities depository in law. It did, however, begin to exercise practical authority over records that markets use in ways similar to title, custody and settlement infrastructure.
The Internet Governance Project's 2021 analysis captured the economic pressure. It noted that AFRINIC had a small share of global IPv4 space, came late to the RIR system and, for a period, remained the region with the most meaningful free pool available at administrative prices. It also described the transfer-market price rising from roughly $8 per IPv4 address in 2017 to about $30 by 2021, making a /16 worth around $2 million at that point. Prices move. The institutional implication remains: a staff decision over a block is no longer a low-stakes filing act.
Scarcity creates three corruption surfaces. The first is allocation and recovery. When free-pool resources are rationed, the person who can determine need, completeness, eligibility or compliance can alter who receives value. The second is transfer and regularisation. When addresses can move in a secondary market, the person who can accept a chain of authority or reject a transfer file can affect settlement. The third is enforcement and dispute-state control. When a block is accused of misuse, fraud or defective authority, the person who can freeze, flag, certify or unflag the resource can affect bargaining power.
These surfaces matter even if a registry insists that number resources are not ordinary property. That doctrine may describe the registry's formal view of the resource relationship. It does not erase market reliance. Operators still pay for transactions, sign leases, support customers, carry routes, maintain security assertions and value continuity. The corruption risk attaches to that reliance. If a registry employee, board member, consultant, broker or politically connected participant can influence a record without being exposed by controls, the market sees a gatekeeper with asymmetric power.
Official material is useful here only as factual exhibit. AFRINIC is a Mauritius-registered nonprofit RIR serving Africa and parts of the Indian Ocean. Its public materials identify functions such as managing IPv4, IPv6 and ASNs, operating Whois and RDAP, supporting reverse DNS, IRR and RPKI, and processing resource requests under policy. Exhaustion material describes soft-landing phases, hostmaster evaluation, peer review and approval mechanisms. Those facts show the institutional process. They do not by themselves prove that the process is sufficient for asset-grade corruption control.
An asset-grade process treats discretion as a cost to be justified. A single staff officer should not be able to move a high-value record from one practical state to another without independent verification. A single board faction should not be able to change transfer economics without conflict review and reliance analysis. A single legal strategy should not contaminate neutral record maintenance. A single receiver-era urgency should not become a channel for quiet capture. The higher the market value of the resource, the more the registry must separate judgment from execution.
This is not a call to make the registry slow for its own sake. Scarce markets need speed. A transfer that takes months because every control is manual and discretionary creates its own corruption risk: participants begin looking for shortcuts. The better model is objective and fast where the evidence is standard, slower and documented where the evidence is conflicting, and independently reviewable where the decision affects value. Corruption risk falls when participants know the path and cannot improve it through private access.
The point also explains why old governance language now feels insufficient. "Stewardship" mattered when the central risk was waste of a common pool. In a scarce market, stewardship must include custody, audit and settlement discipline. The registry still serves a community, but the community cannot be protected by goodwill alone. It is protected when the institution makes valuable discretion expensive to abuse.
The reported address heist was a provenance warning
The most direct AFRINIC corruption-risk exhibit remains the public reporting on alleged historical address manipulation. KrebsOnSecurity reported in December 2019 that accusations followed a multi-year investigation by researcher Ron Guilmette into African IPv4 blocks that appeared to have moved into the hands of internet marketing firms outside the original allocation context. The report described allegations that Ernest Byaruhanga, a former AFRINIC policy coordinator and early staff member, secretly operated or was linked to companies selling scarce address space, and that records tied to dormant or defunct African entities had been altered. Guilmette estimated the market value of the documented resources at more than $50 million.
Those statements require discipline. A report, an allegation and an investigation are not the same as a final adjudicated finding. The relevant public record includes claims, responses, employment consequences, institutional investigations, remediation efforts and later litigation around recovered or disputed resources. An article about corruption-risk controls should not convert every reported claim into proven fact. The stronger point is institutional: if the alleged facts could even appear plausible in a registry environment, the provenance system was already too weak for the value it was protecting.
Provenance is the history of how the record became what it is. For a scarce IPv4 block, provenance should answer several questions without folklore. Who first received the resource? Under which policy and documents? Which organisation existed then? Did it merge, dissolve, rename, sell assets or stop operating? Who had authority to request updates? Which staff member processed each consequential change? Was the request peer-reviewed? Were conflicts checked? Were old holders or successors notified? Was the change published? Were dispute flags preserved? Could a later reviewer reconstruct the chain without relying on the memory of the person who made the change?
Dormant records are especially dangerous. A live operator notices when its prefix is touched. A dissolved company, an acquired business unit, a stale contact or a long-unused allocation may not. The insider who knows the dormant population has information that the market does not. If change controls are weak, the same knowledge becomes economic opportunity. The corruption control is not a press statement promising better behaviour. It is a system that treats dormant, legacy and historical records as high-risk records requiring enhanced provenance before any material state change.
The reported heist also shows why anti-corruption cannot mean only stronger enforcement against resource holders. A registry emerging from record-manipulation allegations may be tempted to respond by expanding audits of member business models, use geography or leasing practice. Some review is legitimate where fraud or false authority is suspected. Yet corruption repair must not become a general licence for discretionary commercial policing. The original disease was weak control over who could change the record and on what evidence. The cure should be stronger evidence controls, not a permanent cloud over every holder's operating model.
The market consequence is plain. A buyer or lender considering an AFRINIC-registered block must ask whether old records are clean, whether historical changes can be traced and whether the current holder's recognition could later be challenged. If the answer is uncertain, the block carries a provenance discount. That discount does not punish only alleged wrongdoers. It affects honest holders, small networks and the region's reputation as a reliable registration environment.
Public evidence matters even when sensitive details are withheld. A registry can publish categories of remediation: number of historical blocks reviewed, number placed in dispute state, number corrected, number referred to court or law enforcement, number restored to prior holders, number left unchanged after independent review, and the control changes adopted to prevent recurrence. Such disclosures would not expose private documents. They would tell the market that the provenance problem has been converted from rumour into governed evidence.
The lesson is not that AFRINIC should relitigate every historical accusation in public prose. The lesson is that provenance is a preventive asset. If the transfer chain, dormant-record review, staff access log and authority file are strong enough, a later allegation has a place to land. If they are weak, every allegation becomes a broad attack on the registry's integrity because no one can easily separate a bad file from a bad institution.
Separation of duties turns integrity into a system
Separation of duties is the oldest anti-corruption lesson in administrative systems: the person who receives a request should not alone approve it, execute it, reconcile it and conceal its audit trail. In a registry, the idea should be treated with the seriousness of settlement infrastructure. The staff member who helps a member complete a file should not be the final approver of a high-value transfer. The person who investigates suspected fraud should not be the person who decides the commercial remedy. The board member with a policy preference should not direct staff action in a live resource file. The receiver or emergency manager should not blend preservation authority with discretionary market control.
The reason is economic, not merely ethical. Every combined role lowers the cost of capture. If a single officer can interpret policy, validate documents, approve a state change and suppress the trail, a briber or insider needs to influence one person. If independent functions are required, each with logs and narrow mandates, corruption becomes harder and more visible. The market prices that difference. A transfer market with separated controls can settle faster because counterparties trust the process. A market with fused controls demands legal buffers, indemnities and delay.
AFRINIC's existing processes already contain some limited separation. Public exhaustion material describes hostmaster evaluation, peer review by another hostmaster and final approval by a registration services manager for certain IPv4 requests. That is a useful factual exhibit. It should be extended into a complete corruption-control architecture for all high-consequence actions: allocation, transfer, reclaim, dispute status, member-authority recognition, contact authority, reverse-DNS changes, RPKI state changes and restoration after historical irregularity.
The required separation has several layers. Intake checks completeness and basic identity. Evidence review assesses corporate authority, chain of control and resource status. Technical review examines uniqueness, routing-adjacent effects, RPKI, reverse DNS and publication-service consequences. Legal or policy review assesses formal constraints without deciding factual questions alone. Conflict review checks whether staff, board members, consultants, candidates, brokers or counterparties have interests in the outcome. Execution changes the record only after the previous layers have produced a recorded decision. Audit reviews a sample and all exceptional cases after the fact.
The board-staff boundary is critical. A board should set policy, budget and oversight rules. It should not become a private escalation desk for particular resource files. The temptation is obvious in a crisis: directors receive complaints, legal arguments, lobbying and political pressure. But once directors can steer live record changes, board politics enters the ledger. That is a corruption risk even if every director acts in good faith. The control is to require that any board-visible resource matter be logged, routed to the proper staff process and disclosed in aggregate or, where material, with enough public information to show that no private channel changed the outcome.
The staff-member boundary matters as well. A staff officer handling resource records should have declared outside interests, cooling-off limits with brokers and consultants, restricted access to dormant records, monitored use of privileged tools and mandatory leave or rotation for sensitive functions. None of this assumes guilt. It assumes that familiarity with the registry's weak points has economic value. The public reporting on historical manipulation of African IPv4 space made that assumption unavoidable.
Separation also protects staff. A registry employee in a high-conflict institution should not be forced to carry the whole risk of a controversial decision alone. Dual review, written reasons and conflict logs distribute responsibility and make retaliation harder. Staff who can point to a rule-bound chain are less exposed to pressure from directors, litigants, brokers, governments or activist groups. Good controls are therefore not anti-staff. They are anti-pressure.
The same principle should apply to technology. Credentials that can edit registry records should be separated from credentials that approve policy exceptions, publish public notices, manage RPKI material, process reverse-DNS changes or alter election membership status. A compromised account should not become a master key. A trusted staff member should not become indispensable because no one else can verify what that person did. Separation of duties is ultimately a refusal to let trust become single-point failure.
Dual control should cover every high-consequence touch
Dual control is the practical sibling of separation of duties. It says that certain actions require two or more independent approvals before execution. The model is common in banking, custody, security operations and critical infrastructure because some mistakes and abuses are too costly for single-key control. A regional registry should apply the same principle to actions that alter the recognised state of scarce number resources.
The action list is not hard to define. Dual control should cover transfers, reclaim or revocation steps, restoration of previously disputed resources, changes to organisation holder records, acceptance of a new authorised representative, significant reverse-DNS delegation changes, RPKI certificate or ROA actions with continuity consequences, publication of a dispute flag, removal of a dispute flag, changes to dormant or historically tainted records, and any exception to normal process. If a change can affect asset value, customer continuity or legal bargaining power, it should not be a one-person act.
Dual control must be independent, not theatrical. Two people in the same reporting line approving under the same manager's pressure may not be enough. A real control separates the functions. One person verifies evidence. Another verifies authority and procedural compliance. For the highest-risk actions, a third control checks conflicts and confirms that no court restraint, receiver instruction or pending dispute requires preservation of the last verified state. The point is not to create a veto maze. The point is to ensure that a corrupt or pressured actor cannot move the ledger alone.
The control should be visible in metadata even when details are private. A public or member-facing change log can show that a high-consequence action passed dual control, that a conflict check was completed, that a redacted evidence bundle exists, that a review path is available and that the prior state is archived. The market does not need the personal names of every staff reviewer in every case. It does need a verifiable assurance that the change was not an undocumented single-key act.
Exception handling is where dual control is most important. Emergencies are a classic corruption channel. An account compromise, court order, receiver instruction, election deadline, security event or legal threat can all justify speed. Speed can be legitimate. It can also be exploited. The control is an emergency override that requires after-action publication: what category of emergency, what temporary action, what authority, when independent review occurred, what state was preserved, and whether the action became permanent. Emergency secrecy should expire unless a court or security reason requires continuing redaction.
RPKI deserves special mention. A route-origin authorisation or certificate state is technical, but its governance is not only technical. Changes can affect how relying parties treat routes. A registry should treat RPKI continuity controls as part of anti-corruption design because security services can become leverage if they are entangled with membership disputes, fee disputes or commercial disagreements. Dual control should prevent any person from using a routing-security service as a private enforcement tool. Security assertions should be neutral, auditable and insulated from unrelated institutional conflict.
Reverse DNS, Whois and RDAP also require dual-control thinking. These services may look less dramatic than a resource transfer, yet they are part of operational trust. A malicious or improper contact update can redirect accountability. A reverse-DNS change can affect reputation, mail deliverability and service operations. A Whois or RDAP record can shape the due-diligence file in a transaction. Controls should scale with consequence, but the principle remains: the more a change affects external reliance, the less it should depend on a single actor.
AFRINIC's receivership and election history strengthens the case. When ordinary governance is disputed, the market cannot rely on informal assumptions about who is in charge. Dual control becomes a substitute for settled legitimacy. It tells members that, even if the board, receiver or court process is contested, the ledger's operational changes still require narrow evidence and independent sign-off. That is how a registry preserves confidence while the institution around it fights.
Transfer provenance is anti-bribery infrastructure
An IPv4 transfer is an economic settlement event. It may be called a registry update, but money, customer commitments, tax treatment, escrow arrangements and future routing all depend on the update being recognised. That makes transfer provenance the registry's anti-bribery system. If the transfer chain is clear, attempts to buy influence have less room to work. If the chain is opaque, private access becomes valuable.
Transfer provenance should begin before the transfer request reaches the registry. The seller's control must be evidenced. The buyer's identity and authority must be verified. The resource status must be checked for disputes, freezes, court orders, unpaid obligations and existing security assertions. The chain of prior control should be available at least in redacted form where old records are material. The registry should record which evidence type satisfied each requirement and whether any exception was granted. A clean transfer is not one in which everyone likes the parties. It is one in which each state change can be reconstructed.
This is where AFRINIC's controversy over out-of-region use, leasing and transfer restrictions intersects with corruption controls. A registry that uses broad discretion to decide whether a commercial model is acceptable creates private bargaining value around the approval process. Participants will try to learn which staff member is sympathetic, which board faction matters, which consultant can interpret the rule, which political argument will help and which delay can be weaponised. Objective transfer criteria reduce that corruption surface. They make the registry less interesting as a gatekeeper.
Objective criteria do not mean no controls. Fraud prevention should be strict. A forged document, fake successor, stolen credential, undisclosed dispute or false identity should stop the transaction. But the stop should be tied to evidence, not sentiment. A transfer file should fail because a required element is missing or contradictory, not because the registry dislikes leasing, fears asset mobility or wants to preserve regional control over value. When commercial morality becomes part of the approval test, the approval test becomes vulnerable to lobbying.
The Internet Governance Project's 2021 analysis of the Cloud Innovation dispute illustrates the problem. It described AFRINIC concerns about registered usage, actual use, need representations and regional service obligations, and it also described Cloud Innovation's argument that requiring approval for changes in customer or service use could make the registry a central planner over operational networks. One need not adopt either side's full legal position to see the corruption-control lesson. If the registry's transfer or use-control power is open-ended, private actors will compete to influence that power. If the registry's role is narrow and evidentiary, influence has less to buy.
Transfer provenance should include negative evidence. If a transfer is refused, the refusal should state the exact element that failed. If a dispute flag is added, the source of the dispute should be identified at the category level: court order, rival corporate authority claim, fraud allegation, unpaid fee issue, policy bar or technical inconsistency. If a transfer is paused, the last verified state should remain public. If a dispute is later resolved, the resolution path should be recorded. Markets can price a known problem. They discount the unknown.
Brokers and large holders should be inside the control design, not outside it. Brokers reduce search costs, but they can also become influence channels. Large holders provide liquidity, but their files can carry complex histories. The registry should require broker disclosure where a broker acts for a party, should record whether the broker is paid by seller, buyer or both, and should bar staff and board conflicts with brokers. Such disclosure does not criminalise brokerage. It treats brokerage as an economically material role in a scarce market.
AFRINIC's future transfer credibility will depend less on whether the institution wins a narrative argument and more on whether ordinary counterparties can close without fearing hidden discretion. A buyer should not need a political map of the registry to understand a transaction. A seller should not need an insider to know whether a block can move. A lender should not price the risk that an unlogged objection will appear at the last moment. Transfer provenance is how the market separates legitimate verification from rent-seeking gatekeeping.
Conflict checks must attach to decisions, not slogans
The language of community is too weak to control corruption risk. A community can be sincere, captured, apathetic, fragmented or organised by a minority. A conflict check is colder. It asks who has an interest in the decision and whether that interest was disclosed before power was exercised. In a registry, conflict checks should cover staff, directors, candidates, committee members, receivers, consultants, lawyers acting in governance roles, nomination officials, election vendors, brokers and major resource holders when they participate in decisions that affect value.
Conflict-of-interest governance is a wider subject. The corruption-control point here is narrower: without conflict records tied to decisions, other controls cannot be trusted. A dual-control approval is weaker if both approvers have undeclared relationships with a broker. A transfer decision is weaker if a reviewer has a commercial interest in the outcome. An election decision is weaker if nomination officials or proxies have undisclosed links to a litigant or slate. A receiver decision is weaker if advisers are perceived as aligned with one faction. Public trust requires more than assurances of neutrality.
Conflict disclosure must be structured. A vague statement that officials will act in the interest of the community does not help the market. The record should identify categories: employment, consulting, legal representation, board service, campaign support, resource-holding interest, broker commission, family relationship, litigation interest, vendor relationship, prior public advocacy and financial exposure to transfer outcomes. Not every disclosed conflict disqualifies the person. Some expertise comes from participation. The control is to reveal the interest, determine whether recusal is required and record the decision.
AFRINIC's 2025 election reporting shows the practical stakes. The Register reported that the receiver appointed senior British lawyers to a Nomination Committee because of concerns about potential interference. Later reporting described questions raised around potential conflicts in the nomination process and a court process around election arrangements. The same body of reporting described allegations surrounding powers of attorney and voter documentation. These were not merely campaign controversies. Board control affects budgets, bylaws, policies, resource governance, litigation posture and the staff environment in which registry records are maintained. Election conflicts therefore become ledger conflicts.
The member-law distinction adds another layer. Public reporting in 2025 described debate over resource members, registered members under Mauritian company law and rights under AFRINIC's bylaws. If governance rights are legally ambiguous, conflict controls become more important, not less. A person may have one kind of membership, another kind of resource interest and a third kind of political or commercial alignment. A registry that fails to map those interests invites later claims that decisions were procedurally pure only because the institution ignored the interests that mattered.
Conflict checks should also apply to policy processes, but the line should be modest. A transfer policy, abuse-contact rule, portability rule or revocation mechanism can shift significant value. Policy authors and active participants may have legitimate reasons to participate while holding addresses, brokering transactions, representing operators or opposing certain business models. Disclosure lets readers evaluate the argument. It also reduces the chance that policy language becomes a hidden instrument for private advantage. The control is not to burden every mailing-list comment with legal ceremony. It is to make material interests visible before high-consequence recommendations become institutional action.
Public disclosure need not become a harassment tool. Personal addresses, private identity documents and security-sensitive information can be withheld. But the economic interest should not be secret. A board member tied to a broker can disclose the category without publishing bank records. A committee member who represented a litigant can disclose that fact. A policy author with a large resource-holding exposure can declare the exposure band. The registry should design disclosure to inform, not to punish.
The key economic point is that conflicts are inevitable in small expert communities. The problem is not that people have interests. The problem is hidden interest combined with high-consequence discretion. A registry that pretends community virtue removes conflicts is less credible than one that assumes conflicts exist and manages them openly. In scarce-address governance, declared conflict is a cost. Hidden conflict is a risk premium.
Election authority is part of ledger custody
It is tempting to treat election mechanics as constitutional theatre separate from registry operations. AFRINIC proves the separation is false. A board election determines who oversees budgets, executives, legal strategy, policy ratification, risk appetite, committee formation and the operating culture around the ledger. If a board's authority is doubted, every later high-consequence registry action carries a governance discount. That discount is a corruption-risk cost even before any improper record change occurs.
The 2025 election cycle supplied a concrete control problem. The Register reported that AFRINIC had been unable to elect a board since 2022, that a receiver arranged elections, that the June 2025 vote was suspended shortly before completion because of concerns over powers of attorney or powers given to delegates, and that the receiver later annulled the election after concerns over voter documentation. ISPA South Africa was reported to have alleged that authorised representatives found votes or powers of attorney recorded in ways they disputed. AFStar was reported to have alleged fraudulent powers of attorney. These allegations require adjudicative caution. They are not all proven findings. But they show why election authority must be audited like a registry transaction.
A power of attorney in a registry election is not merely a voting convenience. It can decide who controls the board that controls the institution that controls the ledger. It should therefore have a provenance chain: issuer identity, authority of signer, scope, date, revocation terms, verification method, submission channel, receiving officer, conflict check, member notification, challenge period and final acceptance. If a member learns only at the voting desk that someone else claims to vote on its behalf, the control has already failed economically. The vote may still be investigated, but confidence has been damaged.
Member registers are equally important. A registry may have resource members, registered members under company law, voting members, account contacts and technical contacts. These categories should not blur when control is contested. The public record around AFRINIC has included controversy over Cloud Innovation's status in Mauritian corporate records and later clarification or dispute over what that status meant. The lesson is not that one party's legal theory should prevail in all circumstances. It is that member status is a control surface and must be reconciled across company records, bylaws, resource accounts, voting rules and court orders.
Election anti-corruption controls should mirror resource controls. No single officer should accept unlimited proxies without independent verification. No last-minute bulk delegation should be treated as routine. Every proxy or power of attorney should trigger direct notice to the purported issuer through a verified channel. Members should have a clear challenge window. Election officials should publish aggregate statistics on proxies: how many filed, how many rejected, how many challenged, how many withdrawn, how many held by the same representative and what cap applied. Where secrecy is needed for ballots, authority verification can still be transparent in aggregate.
Credential solicitation is another risk. The Register reported that South Africa's Internet Service Providers Association warned members to guard AFRINIC credentials because entities obtaining multiple members' credentials could manipulate votes. AFRINIC had also warned members of solicitations to access credentials. Credential control is not a user-support footnote. A registry credential can become a governance instrument. Member portal access, voting identity, contact authority and resource-change permissions must be segmented so that one compromised credential cannot become total institutional power.
Board legitimacy does not solve corruption risk by itself, but illegitimate or doubted board authority magnifies it. A clean board can still make bad policy. A disputed board may make good operational decisions that the market discounts. The control objective is not to guarantee that everyone likes the result. It is to make the chain from member authority to board authority reconstructable enough that losers cannot plausibly claim invisible manipulation and winners cannot plausibly use victory as a shield against audit.
For AFRINIC, this is not an abstract governance lesson. The registry's recovery depends on convincing resource holders that the institution can distinguish a valid vote from a forged or unauthorised instruction, a valid member from a misclassified one, and a valid board act from a factional act. The same discipline used to protect the ledger must protect the body that controls the ledger.
Receivership concentrates authority and therefore needs more controls
Receivership is often described as an emergency backstop. In AFRINIC's case, the Bankruptcy Division of the Supreme Court of Mauritius appointed a receiver after governance paralysis. Public statements from the Number Resource Organization described the receiver's role as maintaining the status quo of AFRINIC's assets, preserving the value of the business, overseeing the election process, facilitating a proper board and supporting operational continuity. That factual picture is important. Yet receivership is not automatically an anti-corruption cure. It replaces one authority problem with a more concentrated temporary authority. That concentration must be controlled.
The receiver's legitimate function is preservation. The registry should keep serving members, maintain technical services, protect assets, organise governance restoration and avoid irreversible institutional drift while the ordinary governance structure is repaired. The corruption risk appears when preservation becomes a channel for policy discretion, factional advantage, creditor pressure, election engineering or quiet reallocation of control. A receiver may be honest and still be over-empowered. Controls should not depend on guessing character.
Receiver-era controls should begin with a public mandate map. What can the receiver do alone? What requires court approval? What requires member consultation? What must be preserved in the last verified state? What decisions are temporary and expire when a board is restored? What conflicts have been declared by advisers? What changes to registry records are ordinary operations and what changes are exceptional? Without such a map, every receiver act carries an avoidable ambiguity premium.
The election controversies show why this matters. The receiver had to move the institution toward board reconstitution. That task required nomination rules, eligibility decisions, voting mechanics, vendor selection and treatment of powers of attorney. Each step could affect who later controlled the registry. A receiver cannot avoid making choices. The anti-corruption question is whether the choices are evidenced, challengeable and separated from private influence. A failed election is not just a delay; it teaches the market that the emergency backstop may itself become a contested control surface.
Operational continuity also needs ring-fencing. Resource records, publication services, RPKI, reverse DNS, Whois, RDAP, IRR and ordinary member support should remain under documented operational procedures unless a court or verified emergency requires change. Legal strategy in major litigation should not silently influence the treatment of unrelated member records. A receiver managing institutional survival should not permit the registry to use routine service interfaces as pressure points against litigants or critics unless a specific legal basis exists and is recorded.
Financial controls matter as well. The Internet Governance Project described how the 2021 bank-account freeze threatened AFRINIC's operations before the merits of the underlying claims were resolved. Financial distress can create corruption risk because vendors, lawyers, creditors and institutional allies gain leverage. Emergency funding, support from other RIRs, legal budgets and vendor contracts should therefore carry disclosure and approval controls. The question is not whether outside support is bad. The question is whether money creates influence over registry policy, litigation posture or resource treatment.
Receivership should preserve evidence for later governance. A restored board should inherit a clear record of what the receiver changed, why it changed, what remains temporary, which disputes are pending, which controls were bypassed under emergency authority and which commitments bind the institution. If the board receives only outcomes without evidence, it may ratify hidden capture unknowingly. If it receives a full handover log, it can distinguish continuity decisions from policy choices.
AFRINIC's receiver era therefore teaches a specific anti-corruption lesson. Emergency governance is not a substitute for controls. It is a reason to intensify them. A registry under receivership must prove not only that services continue, but that continuity was not purchased by moving decisive authority into a place where ordinary members, courts, staff and markets cannot see how the ledger is being protected.
Public evidence reduces the opacity premium
Opacity has a price. In an IPv4 market, that price appears as delayed transfers, wider warranties, larger escrow holdbacks, discounted blocks, litigation reserves, duplicated due diligence, reluctance to lend against address-dependent businesses and customer concern over continuity. The registry may experience opacity as flexibility. The market experiences it as uncertainty. If uncertainty is attached to a scarce asset, it becomes a premium.
Public evidence lowers that premium by making risk categories legible. It does not require total transparency. A mature registry can publish enough to support reliance while protecting sensitive information. For each high-consequence action it can record the state changed, the authority category, the evidence category, the control path, the conflict status, the availability of review, the preservation of prior state and the public effect. A redacted change log can be more valuable than a long institutional statement because it lets counterparties verify process rather than absorb narrative.
AFRINIC's public record contains several examples where evidence gaps were themselves costly. The 2019 address-manipulation reporting raised questions about how historical records had changed. The Cloud Innovation dispute raised questions about the basis and scope of resource review. The 2025 election annulment raised questions about powers of attorney and investigation findings. ICANN letters reported in public coverage pressed for transparency around election integrity. Later reporting about liquidation petitions and government intervention raised questions about whether number-resource governance could be treated as an asset problem of the corporate entity. In each case, the market needed more than posture. It needed evidence boundaries.
Public evidence should classify claims by status. Allegation, investigation, interim order, final judgment, registry decision, receiver decision, policy ratification, member complaint and media report are different things. A registry that blurs them invites mistrust. A critic who blurs them does the same. Corruption control requires disciplined labels because the value consequence of a claim depends on its procedural status. A resource under allegation is not the same as a resource adjudged misappropriated. A disputed power of attorney is not the same as a proven forgery. A receiver communique is not the same as a final court order.
The public change log should also distinguish record correction from enforcement. If the registry corrects a stale contact, that is a ledger maintenance action. If it freezes a transfer because a signer is disputed, that is dispute isolation. If it revokes resources because of contractual breach, that is enforcement. If it updates RPKI or reverse DNS because the holder requested it under verified authority, that is service operation. Mixing these categories turns every change into a possible punishment and every punishment into a possible clerical act. Corruption thrives where categories blur.
The watchpoints are concrete: unexplained exceptional approvals, concentrated proxy authority, undisclosed broker relationships, staff access to dormant high-value records, retroactive policy interpretations, emergency actions that never expire, dispute flags removed without reasons, RPKI or reverse-DNS changes linked to unrelated conflicts, and board decisions taken while member authority is under challenge. These are not slogans. They are the places where private advantage can enter a public record.
Public evidence also disciplines official bodies and critics. A registry that publishes control evidence cannot easily hide behind "community" or "stability". A litigant or market participant cannot easily claim persecution where the evidence path is narrow, consistent and independently reviewable. Coordination bodies, governments and industry groups cannot responsibly support or condemn an action without engaging the record. The debate becomes less theatrical because the evidence is organised.
For AFRINIC, a public-evidence regime would be a way out of narrative exhaustion. The institution has been described through too many totalising stories: corrupt registry, victim registry, captured registry, recovering registry, litigated registry, African sovereignty symbol, private-law shell, technical bookkeeper. None of those stories can support market reliance alone. Evidence can. The registry does not need everyone to agree on its virtue. It needs enough people to verify that consequential power is constrained.
A practical control standard for scarce-number registries
The standard AFRINIC needs is not a vague promise of transparency. It is a registry-specific anti-corruption architecture tied to the economic consequences of IPv4 scarcity. The design should begin from a simple rule: any action that can change the market, legal or operational reliance attached to a number resource requires an evidence trail, separated functions, dual control, conflict review, preservation of the prior state and a review path. Lower-risk actions can be lighter. High-consequence actions must be treated like infrastructure settlement.
The first element is a high-consequence action register. It should define the actions that trigger enhanced controls: allocation from scarce pool, transfer approval or refusal, resource reclaim, dispute-state publication or removal, holder-name change, successor recognition, dormant-record activation, RPKI material changes, reverse-DNS material changes, acceptance of broad authority documents, election proxy acceptance, emergency override and any action involving a litigant or conflicted official. The definition should be public so members know when enhanced controls apply.
The second element is an authority matrix. It should map who can approve what: hostmasters, registration managers, legal reviewers, security staff, executives, receiver, board, court and independent reviewer. The matrix should prohibit board or receiver involvement in ordinary resource files except through logged and defined channels. It should prohibit staff from executing an action they alone approved. It should require escalation where a party is a director, candidate, broker, major litigant, contractor or related entity.
The third element is evidence classification. The registry should identify which evidence supports which claim: corporate existence, signatory authority, chain of title or control, successor relationship, fee status, resource status, court restraint, dispute claim, fraud indicator, member voting authority, proxy authority, technical continuity and security state. Evidence can be private, but the category should be recorded. This helps counterparties understand whether a decision is based on fact, law, policy, technical constraint or unresolved allegation.
The fourth element is tamper-evident logging and public change summaries. A registry should maintain durable internal logs for all high-consequence actions and publish redacted summaries for market-facing changes. The summary should not reveal sensitive personal data. It should reveal enough to show that the action was authorised, reviewed and recoverable. A later court, auditor or independent reviewer should be able to reconstruct the path from request to execution.
The fifth element is conflict management at the matter level. Staff, directors, candidates, committee members, election officials, consultants and vendors should file periodic conflict declarations, but the decisive control is the check before a specific decision. Recusals and non-recusals should be recorded. Broker relationships, paid advocacy, litigation interests and resource-holding exposure should be treated as material. The objective is not to expel everyone with expertise. It is to ensure that expertise does not become hidden influence.
The sixth element is independent audit. A registry can audit itself for operations, but corruption-risk audit should include external review of samples and all exceptional cases. The audit should test whether controls were followed, whether exceptions were justified, whether conflicts were declared, whether dormant records were protected, whether transfer refusals matched published criteria, whether election authority documents were verified and whether receiver-era changes stayed within mandate. Findings should be public in aggregate with specific remediation where needed.
The seventh element is dispute isolation. When evidence conflicts, the registry should preserve the last verified operational state, publish a dispute category where appropriate, prevent conflicting changes and route the matter to independent decision. It should avoid converting unresolved disputes into revocation, redistribution or security-service disruption. Dispute isolation is an anti-corruption tool because it denies private actors the immediate prize of changing the state while the evidence remains contested.
This standard would not make AFRINIC perfect. No control system can. It would make improper influence harder to hide and easier to price. It would also protect legitimate registry enforcement. If a block was truly misappropriated, a strong evidence trail would support correction. If a transfer was legitimate, objective controls would stop opponents from defeating it through insinuation. Anti-corruption works best when it protects the institution and the member from each other.
The standard should also be proportionate. Not every contact typo needs an external auditor. Not every small support request needs a board-level log. The control burden should rise with consequence: scarce address volume, dormant history, disputed authority, transfer settlement, routing-security effect, election impact, litigation context or emergency override. Proportionate control is faster than discretionary control because the path is known in advance. It is also fairer because the same risk category receives the same discipline regardless of the political identity of the applicant.
Legitimacy sits at the boundary between ledger and gatekeeper
The deeper institutional question is where AFRINIC's corruption-risk controls should draw the boundary between ledger and gatekeeper. A ledger protects uniqueness, records control, publishes contact and security data, preserves history, flags disputes and executes objective changes when evidence is sufficient. A gatekeeper decides which business models, political coalitions, regions, factions or market strategies deserve the privilege of recognition. The first role can be controlled. The second invites influence because it converts moral and political discretion into economic power.
AFRINIC's crisis shows how quickly the boundary can move. Historical allegations of record manipulation created a legitimate need for provenance repair. IPv4 scarcity created a legitimate need for careful allocation and transfer records. Litigation created a legitimate need for preservation. Receivership created a legitimate need for continuity. Election difficulties created a legitimate need for authority verification. Each legitimate need can be answered by a narrow control. Each can also become an argument for broader institutional discretion. The corruption risk lies in the slide from one to the other.
A registry that wants legitimacy should choose boring controls over heroic discretion. It should make it hard for staff to change dormant records alone. It should make transfer approval objective enough that brokers cannot sell influence. It should make conflict checks routine enough that community language cannot hide private interest. It should make election authority verifiable enough that board legitimacy does not depend on applause. It should make receiver-era actions bounded enough that emergency continuity does not become quiet capture. It should make public evidence clear enough that official statements and adversarial claims can be tested against the same record.
The economic payoff is liquidity. A clean, auditable and narrowly governed registry record lets IPv4 move toward higher-valued use with fewer discounts. It lets lenders, buyers, lessors and customers distinguish real defects from institutional fog. It lets honest holders monetise or operate resources without fearing that a hidden challenge will appear after value has been committed. It lets courts preserve the status quo because the status quo can be identified. It lets AFRINIC continue as a useful registry rather than a contested gatekeeper.
The cost of opacity is the opposite. If a market believes that a registry file can be changed through private access, delayed through factional pressure, frozen through broad discretion, certified through unclear authority or governed by a board whose mandate is contested, it will not wait for a philosophical answer about property. It will add a discount. That discount will fall on African operators, counterparties using AFRINIC-registered space, customers dependent on those networks and the institution itself. Corruption risk becomes a tax on registry legitimacy.
The final judgment is institutional rather than moral. AFRINIC does not need anti-corruption controls because Africa is uniquely corrupt, because one litigant is uniquely virtuous or because coordination bodies are uniquely suspect. It needs them because a scarce IPv4 ledger is market infrastructure, and any institution that controls such a ledger must constrain the people who can touch it. Audit trails, separation of duties, dual control, transfer provenance, change logs, conflict registers, custody of authority and public evidence are not optional reforms around the edge. They are the mechanism by which a private registry earns the confidence to remain a public reference point.
At the ledger/gatekeeper boundary, legitimacy is not produced by saying the registry serves the community. It is produced by making every consequential touch on the record answerable to evidence. IPv4 liquidity depends on that discipline. Operator continuity depends on it because live networks cannot be collateral damage in an opaque institutional fight. Registry legitimacy depends on it because shared belief collapses when the record looks privately steerable. The scarce-address economy has already made the lesson visible: a registry can be small, private and useful if its power is narrow and auditable. If it becomes an opaque gatekeeper over value, corruption risk is no longer an internal problem. It is the price of the market.

