The mandate problem

AFRINIC's crisis is often told as a story about a troubled election, a long dispute with a resource holder, a court-appointed receiver, or the final years of IPv4 scarcity. Each version is partly true. None is sufficient. The deeper issue is how a narrow coordination mandate can be stretched, defended and rhetorically cleaned until it begins to resemble broader authority over markets, members, business models and institutional succession. That process is what this article calls mandate laundering.

The phrase should be used carefully. It does not mean that every official act by AFRINIC is illegitimate, or that a registry can never enforce policy. It describes a governance mechanism. A limited mandate enters the system as a technical responsibility: keep unique number records, distribute resources under adopted policy, maintain registration data, operate related services, and preserve continuity for the region. It can exit the system as something much more discretionary: deciding which uses of addresses remain acceptable years after allocation, who has enough legitimacy to vote, which emergency interventions are necessary, and whether economic reliance by members deserves protection. The laundering happens in the passage between the two.

AFRINIC is a useful case because the evidence is public and layered. Its own about page identifies it as a nonprofit, member-based organisation registered in Mauritius, serving Africa and parts of the Indian Ocean, entrusted with distributing and managing IPv4, IPv6, and autonomous system numbers. Its policy manual describes a bottom-up policy development process and distinguishes number-resource policy from general business procedures. Its exhaustion page records the Soft Landing regime and Phase 2 scarcity rules. Independent reporting by KrebsOnSecurity, the Internet Governance Project, and The Register then shows what happened when record integrity allegations, resource review, market value, litigation, receivership, election disputes, and external intervention converged around that formal structure.

Public commentary has already supplied parts of the vocabulary. The heng.lu public note index lists essays with titles such as "Mandate Laundering: From RIR Fantasy to Transition Architecture," "The Registry Continuity Fallacy: Protect the Ledger, Not the Gatekeeper," and "On When the Bookkeeper Auditions for Olympus." The titles are polemical, and Lu Heng is an interested participant in the AFRINIC dispute through Cloud Innovation, Larus, and NRS-related advocacy. Yet the vocabulary points to a real institutional-economics question: when does a bookkeeper of a shared ledger become a gatekeeper over the economic life built on that ledger?

The Register captured the same question in less theoretical form in March 2026, when it reported AFRINIC's accusation that Cloud Innovation, Larus, and associated advocacy campaigns were trying to paralyse the registry. In response, Lu Heng told the publication that the structural problem was a registry model concentrating high-consequence power over economically critical number resources while disconnecting that power from matching legal and financial liability. The claim is not a court finding. It is a party's argument. But it is analytically important because it identifies the axis on which mandate laundering works: authority is justified as coordination, while the consequences look like commercial control.

The calm way to read AFRINIC is therefore neither as a morality play against a registry nor as a defence of a resource holder. A regional internet registry needs enough authority to protect uniqueness, accuracy, conservation and abuse-handling mechanisms. A resource holder should not be able to turn a public coordination system into a private arbitrage machine without scrutiny. Courts, ICANN, peer registries, governments and members all have legitimate interests when an RIR cannot function. The problem is not the existence of power. The problem is whether the power remains tied to the mandate that justified it.

Mandate laundering matters because internet-number governance depends on a delicate bargain. Operators accept a registry's records because the registry is expected to be stable, narrow, and procedurally accountable. The registry is not supposed to become an industrial-policy agency for IPv4, a commercial licensing board, or a political instrument for whoever can control member credentials. The more scarcity makes addresses valuable, the more tempting it becomes to speak in the language of community stewardship while exercising the leverage of a regulator. AFRINIC shows how that temptation develops, how it is resisted, and how quickly resistance can then be characterised as a threat to continuity.

The thin registry mandate

At the center of the AFRINIC matter is a simple technical function. Public IP addresses and ASNs must be unique if the public internet is to work. The same number cannot safely be assigned to two unrelated networks that expect global reachability. A regional internet registry maintains the records, evaluates requests, publishes registration data, supports related operational systems such as WHOIS, reverse DNS, IRR, RPKI, and RDAP, and implements policies adopted through the community process. The power is real, but it begins as a power to preserve coherence in a shared naming and numbering system.

AFRINIC's public materials fit that model. The about page describes the organization as the RIR for Africa and the Indian Ocean region and says it is entrusted with distribution and management of critical Internet Number Resources. The Consolidated Policy Manual says the CPM contains policies for managing and distributing IP number resources in the AFRINIC service region. It states that policies are created through a bottom-up Policy Development Process of consultation, discussion, and consensus, and that all ratified and implemented policies that have gone through the PDP are integrated into the manual.

The manual's definitions are revealing. An Internet Registry is described as an organisation responsible for distributing IP address space to its customers and registering those addresses. A Regional Internet Registry manages and distributes public Internet address space within its region. Allocation means distributing address space to Local Internet Registries for subsequent distribution. Assignment means delegating address space for a specific use within the Internet infrastructure operated by an end user or ISP. The text is administrative, not metaphysical. It is a rulebook for record keeping, request evaluation, registration, and delegation.

The manual also draws a boundary that is often ignored in public argument. It says the Policy Development Process covers the development and modification of policies for handling Internet Number Resources within the service region, while general business practices and procedures are not within the PDP. This separation matters. It means that not every claim of institutional convenience can be washed through the language of community policy. A policy mandate is not a blank cheque for every operational, contractual, or political move by the registry. Conversely, a registry cannot protect the ledger if every operational discipline is treated as an illegitimate power grab.

The thin-mandate view is not a theory of helplessness. AFRINIC can require documentation, evaluate need, maintain data accuracy, publish abuse contacts, process reverse delegations, apply eligibility criteria for ASNs, and enforce policy-consistent procedures. The exhaustion page says applications during scarcity phases are submitted through tickets, processed by hostmasters, peer-reviewed by another hostmaster, and subject to final approval by a registration services manager. In Phase 1, final approval was batched weekly and ordered by when applications became complete. These details are mundane, but they show what a registry mandate looks like before inflation: sequence, documentation, review, approval, invoice, and record.

Mandate laundering begins when the same machinery is described not as a constrained administrative process but as open-ended guardianship over the future of the region. The words used are usually attractive: community, stewardship, fairness, development, continuity, resilience. Each can be true in a limited sense. The registry does serve a community. It does steward scarce identifiers. It should act fairly. It supports development by keeping the numbering system reliable. Continuity is essential. But attractive words can hide a change in the kind of power being exercised. A registry that checks whether a request meets a policy is doing one thing. A registry that decides whether a member's later business model remains sufficiently aligned with the original moral purpose of allocation is doing another.

The difference is not semantic. It changes the risk faced by every operator that relies on number resources. If the registry's role is mainly ledger maintenance, the operator's main duties are accurate records, payment, compliance with clear policy, and cooperation with specific reviews. If the registry's role becomes broad economic gatekeeping, the operator faces continuing uncertainty over whether future staff, boards, receivers, courts, or external actors will reinterpret past allocations in light of current politics. That uncertainty is costly even if no revocation occurs. It changes how addresses are financed, leased, transferred, routed, insured, and litigated.

AFRINIC's public fee schedule makes the point in another way. The organization charges resource membership fees and allocation or assignment fees. Categories depend on the amount of billable resources held. Fees support operations and can change according to operational costs and financial health after board validation. That is a registry-financing model, not a market-pricing model for the full value of IPv4 capacity. A member can therefore hold resources whose operational and market value far exceeds the annual administrative fee. The registry's mandate must operate inside that gap. Mandate laundering is one way institutions try to close the gap rhetorically without clearly admitting that they have moved from administration to economic regulation.

Scarcity made the mandate valuable

IPv4 scarcity is the economic condition that turned mandate boundaries into a live dispute. The protocol's usable address space is finite, and IPv6 has not made IPv4 irrelevant because the transition is incomplete and the two protocols do not provide immediate interchangeability for every customer, application, reputation system, firewall rule, hosting stack, or connectivity requirement. A company may support IPv6 and still need IPv4 reachability to serve users, interoperate with old systems, host services, handle abuse reputation, or avoid customer friction.

AFRINIC's exhaustion page records the formal scarcity regime. It notes that AFRINIC has managed a pool of Internet Number Resources since 2005, delegated them to organisations that could justify need, and managed the resources according to policies consolidated in the policy manual. It states that IPv4 resources are scarce and that the AFRINIC community supported a Soft Landing policy in 2011 to guide members through exhaustion, manage the IPv4 pool during scarcity, and smooth the transition to IPv6. The page records Phase 1 beginning on 31 March 2017 and AFRINIC entering Soft Landing Phase 2 on 13 January 2020.

Those official facts are narrow exhibits, not conclusions. The important conclusion comes from institutional economics. A rationing rule gives administrative language commercial consequences. Phase 2 limits allocation and assignment size and subjects requests to scarcity-specific evaluation. Members requesting additional space must show efficient use of delegated IP space. Applications move through hostmaster review and approval. Under abundance, such rules may look like routine conservation. Under scarcity, they determine who gets access to an input that others may have to buy, lease, or substitute around.

The Internet Governance Project's 2021 analysis of the AFRINIC crisis described the price mechanism more explicitly. It argued that the dispute made little sense without the rise in IPv4 value and the gap between administrative allocation fees and transfer-market prices. IGP reported that the price per individual IPv4 address had risen substantially between 2017 and 2021 and used a /16 block to illustrate the resulting value. The exact market price at any later date depends on block quality, route reputation, transaction structure, and legal conditions. The structural point is stable: a resource distributed through need-based registry processes can acquire a market price outside the registry system.

That gap creates two rational fears. The registry and its supporters fear arbitrage, hoarding, out-of-region export, misrepresentation at application, or the conversion of resources intended for regional network development into liquid inventory. Resource holders fear retroactive review, selective enforcement, contractual termination, and loss of capacity after customers and revenue streams have been built. Both fears can be grounded in real incentives. The problem is that each fear encourages mandate expansion by someone. The registry says scarcity requires more continuing control. The holder says commercial reliance requires stronger rights. External guardians say continuity requires intervention. Governments say public importance requires oversight.

This is why mandate laundering is an economic problem, not only a rhetorical one. Scarcity makes the control point valuable. If a registry can approve, delay, suspend, reclaim, certify, refuse, or delegitimise address use, then control of the registry is also valuable. If member votes determine the board, control of member credentials is valuable. If emergency policies can replace a registry, control of the emergency process is valuable. If courts decide whether a local company is merely a corporate shell or a vessel carrying a global function, legal framing is valuable. Every layer of legitimacy becomes a contested asset.

The AFRINIC record shows the incentives before it shows the answers. KrebsOnSecurity reported in 2019 that allegations from researcher Ron Guilmette concerned address blocks that had allegedly been commandeered from African organisations no longer in existence or acquired years earlier, with companies tied to then-policy coordinator Ernest Byaruhanga allegedly involved in selling address blocks. AFRINIC's then-new chief executive told Krebs that the organization was aware of the allegations and was conducting an investigation. Krebs did not publish a final adjudication. The report nonetheless matters because it demonstrates why a registry might later feel pressure to audit and enforce with unusual severity.

Scandal produces its own laundering channel. After an alleged internal-control failure, stronger enforcement can be presented as moral repair. A registry that was accused of weakness must show discipline. A staff or board culture under attack may seek legitimacy by appearing tough on misuse. Members and outside observers may welcome the posture because the alternative seems to be impunity. Yet a post-scandal enforcement drive can become a way of smuggling broad discretion into a system that had not clearly authorised it. The institution says it is restoring trust. The affected member sees a threat to business continuity. The court sees a contractual dispute. The community sees a test of loyalty. Scarcity makes each interpretation expensive.

Community language as a conversion device

The RIR system uses community language because it has real value. Number-resource policy is not made by a legislature in the ordinary sense. It depends on operators, engineers, members, and interested participants accepting a process as legitimate enough to coordinate a global technical commons. AFRINIC's policy manual speaks of openness, transparency, fairness, public discussion, archived procedures, rough consensus, last call, appeal, and board ratification. These mechanisms are meant to restrain unilateral staff power and to keep the registry anchored in the operational community it serves.

Community language becomes dangerous when it is treated as a source of unlimited delegation. No community process can authorise everything merely by existing. A mailing list does not turn a registry into a market regulator. A public policy meeting does not decide every contractual reliance question. A board's ratification does not remove the need for proportional remedies, evidence standards, confidentiality protections or independent review. If the phrase "the community" can be invoked whenever the registry wants to expand discretion, community becomes a laundering solvent: it cleans the appearance of power without necessarily constraining its use.

AFRINIC's own manual contains a useful limit. It separates internet number resource policies from general business practices and procedures. That distinction is not a technicality. It means that a policy process must not be treated as a universal mandate for all governance, enforcement, communications, legal strategy, or election choices. Some matters are indeed policy matters. Others are corporate-law matters, contract matters, operational matters, or litigation matters. When these categories blur, a registry can present a contested business or legal act as if it were simply the will of the community.

The Cloud Innovation dispute illustrates the conversion problem. IGP's 2021 account reported that AFRINIC questioned Cloud Innovation over alleged discrepancies between registered usage and actual use, inconsistency with needs expressed in its agreement, and a bylaw provision about members originating services within the service region. IGP reported that AFRINIC asserted that changes in service required approval and re-justification, and that AFRINIC claimed discretion to terminate the Registration Service Agreement and reclaim resources. Cloud Innovation disputed the interpretation and characterised the demands as excessive. The merits belong to contracts and courts. The institutional point is that a need-based application concept had become a continuing permission concept.

That move is the heart of mandate laundering. The original mandate asks whether the registry can distribute unique resources under policy. The expanded mandate asks whether a holder's evolving commercial use remains morally and procedurally acceptable to the registry. In a network business, uses change. Customers change. Routing arrangements change. Geographic demand changes. Leasing and sub-allocation structures change. A rule requiring accurate registration is one thing. A rule requiring registry approval for every meaningful evolution in the holder's service model is another. If the latter exists, it should be clear, narrow, public and paired with predictable remedies. If it is inferred broadly from community stewardship language, the mandate has been laundered.

The same can happen on the other side. NRS, whose public site uses phrases such as "Your money. Your record. Your vote" and argues that scarcity turned registry discretion into economic power, frames decentralisation and IP-asset ownership as the natural response to registry chokepoint risk. Larus's public site frames first-party IPv4 leasing as a continuity structure that moves registry-layer contract exposure upstream, away from customers. These are interested-party claims, not neutral adjudications. They also use attractive words: ownership, autonomy, continuity, risk reduction, decentralization. A resource holder can launder its own preferred mandate too, converting reliance and commercial value into a claim that the registry's public-resource discipline should be sharply reduced.

The institutional task is to resist both conversions. A registry's community mandate must not become open-ended power over business models. A holder's reliance interest must not become immunity from fraud checks, accurate-record requirements, or clear policy enforcement. "Community" should mean a process for making and reviewing specific rules. "Continuity" should mean preservation of the ledger and services. "Stewardship" should mean disciplined management of a shared identifier system. "Ownership" should be used cautiously because official registry doctrine does not treat number resources as ordinary property, even though holders may build commercial reliance around them.

AFRINIC's crisis became so difficult because all these languages collided at once. Community was invoked to defend registry stewardship. Continuity was invoked to defend receivership and external intervention. Asset language was invoked to defend address-holder reliance. Rule-of-law language was invoked to defend court action. Pan-African development language was invoked to defend control over regional resources. None of these languages is automatically false. Each becomes suspect when it expands a thin mandate without revealing the new power being claimed.

Emergency continuity and the second laundering channel

Emergency continuity is the most persuasive form of mandate expansion because failure is not an option. A regional internet registry cannot simply collapse without raising questions about resource records, reverse DNS, registration services, member support, policy implementation, and coordination with the other RIRs and ICANN. If AFRINIC cannot elect a board, appoint executives, pay staff, or operate normally, someone will argue that extraordinary measures are needed. Often that argument is correct.

The NRO's September 2023 statement on the appointment of an official receiver is a narrow factual exhibit for this point. It said the Bankruptcy Division of the Supreme Court of Mauritius had appointed a receiver under the Companies Act, restrained AFRINIC from relocation, takeover, merger, restructuring, or management control, and tasked the receiver with maintaining the status quo of assets, preserving business value, overseeing elections under AFRINIC's constitution, facilitating the formation of a proper board, and appointing a chief executive. The NRO welcomed the appointment as a positive development that could restore functional governance and help members keep receiving registry services.

The statement is not an authority for every later conclusion. It is evidence of how continuity language works. The receiver's mandate was framed as preservation, not conquest. The official goal was to keep the registry functioning, restore member governance, and return AFRINIC to participation in the number-resource system. Those are legitimate emergency aims. But the emergency frame also changes the field. Once continuity becomes the supreme concern, actions that would normally demand stronger consent can be justified as necessary stabilisation. The more serious the crisis, the easier it becomes to equate opposition with danger to the ledger.

The Internet Governance Project's 2023 analysis treated receivership as evidence that private internet governance had resilience because ordinary legal institutions could preserve a failed governance body while replacing leadership. That is one reasonable interpretation. The same evidence permits a more cautious reading: private registry governance had become dependent on a court-supervised corporate rescue process in the jurisdiction of incorporation. The registry was not replaced by a government ministry or treaty body, but neither was it simply self-correcting. A local court, an official receiver, peer-registry statements, member disputes, and global coordination concerns had all entered the governance stack.

The 2025 election sequence then showed how repair mechanisms can themselves become control points. The Register reported in April 2025 that the receiver planned June elections and appointed senior British lawyers to a Nomination Committee to address concerns about potential interference. In June, The Register reported that ICANN sought changes to election oversight and clarification regarding Cloud Innovation's appearance in corporate records as a shareholder or registered member issue. The Supreme Court ordered a communique that treated the Cloud Innovation listing as erroneous and declined to reconstitute the Nomination Committee. Voting proceeded, then was suspended and annulled after reported concerns about powers of attorney and voter documentation.

Each step could be described as continuity protection. Appoint outside lawyers to protect the election. Ask a court to correct a corporate-record problem. Suspend voting to investigate proxy concerns. Annul the election to protect fairness. Seek an emergency registry mechanism if a dysfunctional RIR cannot recover. At the same time, each step also decides who controls the body that controls the ledger. Emergency continuity is not neutral in its effects. It can preserve the institution while changing who has leverage inside it.

The Register's July 2025 reporting captured the legitimacy cost. AFRINIC's receiver had not publicly explained the annulment in enough detail to satisfy ICANN and other observers. ISPA in South Africa alleged that some powers of attorney were fraudulent or suspicious. An anonymous member told The Register that someone attempted to vote on his behalf using a document he said he had not signed. AFRINIC, the receiver, the Nomination Committee, and public authorities did not answer all media inquiries. These reports do not prove every allegation. They do show that election integrity had become part of the registry's resource-control surface.

Later in 2025, AFRINIC announced eight elected directors, and The Register described that as a chance to convene a board for the first time since 2022. The same report noted continuing risk: critics questioned election arrangements, court challenges were expected, a government investigation remained relevant, and a criminal investigation into the June election was under way. A board may be necessary for continuity, but it does not erase the legitimacy questions that arose on the path to electing it.

Emergency continuity also travels upward. The Register reported in 2026 that the RIR community was revising ICP-2, the policy framework for recognising RIRs, so that it would cover the full lifecycle of a registry and include mechanisms for assistance or derecognition. That may be necessary. AFRINIC exposed a genuine gap. But it is another place where mandate laundering can occur. A policy designed to prevent registry collapse can become a policy that lets a central layer discipline regional self-governance. The right distinction is between protecting the ledger and choosing winners in regional disputes. Emergency guardianship should be judged by whether it preserves data integrity, service continuity, and transparent process without becoming a permanent political hierarchy.

Elections as an economic control surface

Board elections at a regional internet registry can look like internal association business. In a scarcity regime, they are more than that. Directors influence budgets, executives, bylaws, legal strategy, policy implementation, resource-review posture, member communications, and the registry's stance toward external intervention. Control of the board can therefore affect the value and security of address holdings, the legitimacy of resource reviews, and the future of transfer or leasing policy. The registry's governance layer becomes an economic control surface.

The Register's April 2025 report already suggested that members understood the stakes. South Africa's Internet Service Providers Association had warned members to exercise heightened vigilance over AFRINIC credentials because entities obtaining multiple members' credentials could manipulate voting processes and alter board compositions or policy decisions in ways not reflecting true consensus. AFRINIC had reportedly warned members about solicitations to access credentials by obscure or fictitious organisations. The receiver mentioned potential interferences when explaining the decision to appoint a senior Nomination Committee.

That record matters because mandate laundering often depends on a claim about legitimacy. A registry says it is acting through the community. A faction says it represents members. An external body says it protects global coordination. A court says it is preserving corporate order. If the member register, voting credentials, proxy rules, powers of attorney, or corporate categories are uncertain, each legitimacy claim weakens. Control of the ledger then rests on a contested map of who counts as the community.

The June 2025 election disputes show how administrative details can become decisive. ICANN objected to the Nomination Committee and asked why Cloud Innovation was listed in corporate records in a way that raised governance concerns. The court communique treated that listing as erroneous and not attributable to AFRINIC or the receiver. Voting later stopped after questions over powers of attorney. ISPA alleged that representatives found votes cast or voting authority claimed on their behalf without proper authorisation. AFRINIC's receiver annulled the election, citing concerns about voter documentation and the need to protect transparency and fairness.

The immediate question was electoral. The broader question was institutional. If one person can claim powers of attorney for many resource holders, the distribution of registry authority can change without an open policy debate. If the registry or receiver cannot produce a transparent account of disputed voting documents, the board that eventually emerges inherits doubt. If external actors intervene too aggressively, members may see regional autonomy being overridden. If external actors do nothing, the global system may see capture or collapse. Each response can be framed as protection. Each also reallocates control.

The September 2025 board election did not end that problem. The Register reported that seven of eight elected directors had been endorsed by Smart Africa, a body with many member nations that pursues digital-technology adoption across Africa. Smart Africa had called for a coordinated continental response to prevent institutional capture and ensure that no actor could disrupt critical internet functions. That language is understandable after years of litigation and paralysis. It also raises the question of whether "continental response" can itself become a substitute for member-led legitimacy. A regional registry should not be captured by one commercial litigant. It should also not become a proxy for a narrower state-backed or pan-institutional bloc unless its members knowingly and lawfully choose that governance path.

This is not an argument against Smart Africa, ISPA, ICANN, NRS, AFRINIC staff, or any other participant as such. It is an argument about incentives. When the ledger controls scarce resources, factions will organise around the ledger. Some will frame their position as defence of Africa. Some will frame it as defence of member money. Some will frame it as defence of global coordination. Some will frame it as defence of business continuity. The public reader should ask what concrete power each claim would give its sponsor. Mandate laundering is easiest to see when the rhetoric is translated back into decision rights.

The decision rights in AFRINIC are substantial. Who can vote? Who can sit on the board? Who can amend bylaws? Who can determine whether resource members are registered members under Mauritian law? Who can bring legal claims? Who can appoint committees? Who can approve transfers, audits, suspensions, or policy implementation? The Register's May 2026 report noted that ISPA's legal review argued that AFRINIC resource members are not necessarily registered members under Mauritian company law and that bylaw changes may be needed to reconcile governance rights with local law. NRS criticised that approach and called for new representation. The dry corporate-law question is really about whether resource members have enforceable governance power or only community-process influence.

That is the economic meaning of elections in this crisis. A registry's mandate can be laundered through community consent only if the community is identifiable, credentialed, and able to hold the registry to account. If the community is a rhetorical audience rather than a legally and procedurally clear constituency, the mandate is unstable. Members will litigate because voting no longer feels sufficient. External bodies will intervene because the registry no longer looks self-correcting. The board will claim necessity because it inherits a broken process. Mandate inflation will then appear as emergency maintenance.

Resource review and the business-plan boundary

The hardest boundary in the AFRINIC dispute is between legitimate resource review and business-plan review. A registry must be able to ask whether records are accurate, whether resources were obtained through false statements, whether contact information works, whether assignments are registered properly, whether abuse contacts exist, whether fees are paid, and whether policy requirements are met. Without those powers, the ledger decays. Dormant resources can be hijacked. Fraud can persist. Members who comply are disadvantaged.

At the same time, a registry can turn review into continuing commercial permission. If every change in use is treated as a new application, the holder's business becomes dependent on registry approval long after resources were delegated. If the registry requires detailed customer-use information without clear limits, it can intrude into confidential commercial relationships. If a remedy for disputed use is total reclamation, the registry's leverage over the holder may be disproportionate to the alleged breach. If the registry also disclaims meaningful liability for downstream harm, the holder faces catastrophic downside from an institution whose own downside is limited.

IGP's 2021 account is valuable because it puts this boundary in concrete terms. It reported that AFRINIC's letters to Cloud Innovation raised concerns about discrepancy between registered usage descriptions and actual countries of use, inconsistency between expressed need and actual purpose, and regional service-origin language. IGP also reported that AFRINIC asked for a change request and information on use, and claimed discretion to terminate the RSA and reclaim resources. IGP was sharply critical of AFRINIC's approach and also criticised Cloud Innovation's legal response as excessive. Its account should be read as analysis from a research group, not as a judicial record. Still, the described mechanism is exactly the one that mandate laundering theory predicts.

The registry begins with a narrow claim: resources were justified on one basis and appear to be used on another. It then moves to a broader claim: the holder must re-justify or secure approval for changed use, possibly at customer-level detail. It may then move to the strongest claim: the registry can terminate the relationship and reclaim the numbers. At each step the rhetoric remains policy compliance and stewardship. The practical effect approaches control over an operating business whose customers may have no direct role in the dispute.

Cloud Innovation's response, as described by IGP and later reporting, pushed in the opposite direction. It argued that ISPs change assignments and customer use routinely; requiring approval for every change would make the registry a central planner. It contested out-of-region use restrictions and objected to intrusive demands about customers. It litigated aggressively, including securing injunctions and orders that froze AFRINIC bank accounts. IGP called some of those tactics excessive and damaging to the registry. The broader lesson is that discretionary overreach and legal overreaction can reinforce each other. Each side uses the other's conduct to justify a wider mandate for itself.

AFRINIC's later public posture, as reported by The Register in March 2026, framed continuing litigation as a web of procedural roadblocks obstructing restoration, training, research, and member service. That complaint may have force. A registry cannot rebuild if every committee, bylaw review, allocation, or communication becomes another court front. But "litigation is obstructive" cannot be allowed to launder the underlying question away. If members litigate because registry powers are unclear and high-consequence, the answer is not simply to delegitimise litigation. It is to narrow and clarify the powers so that litigation becomes less attractive.

The same logic applies to address leasing. The Register's May 2026 report described a Larus press release about a first-party IPv4 leasing platform and a claimed continuity structure tied to Cloud Innovation's registry position. AFRINIC responded that a court order did not approve or create such a structure, and later described an interim order requiring takedown of statements suggesting that the Supreme Court of Mauritius had sanctioned or authorised leasing, monetisation, transfer, or commercial exploitation of AFRINIC-allocated resources. Cloud Innovation and Larus disputed AFRINIC's characterisation and said the order did not decide whether IPv4 leasing is lawful or determine their business model.

That episode is not a side show. It shows how commercial claims and judicial references can be used to launder legitimacy. A company can imply that a court-recognised corporate status validates a leasing model. A registry can imply that a court's concern over misleading statements validates broader control over commercialisation. The court may have decided neither. Public readers should separate record rectification, member status, service-agreement rights, leasing legality, ownership doctrine and public-statement restrictions. They are related, but not identical.

A credible resource-review regime would reduce this confusion. It would specify review triggers, evidence standards, confidentiality limits, time frames, appeal routes, and remedy bands. It would distinguish fraud from changed use, inaccurate records from commercial disagreement, unpaid fees from policy breach, and downstream customer continuity from holder misconduct. It would state when resources may be suspended, when no further allocations may be made, when records must be corrected, when partial remedies are available, and when full reclamation is justified. A registry that wants to avoid being seen as a gatekeeper should welcome such constraints because they make enforcement more legitimate.

The rhetoric of continuity

Continuity is the most morally attractive word in this dispute. Everyone claims to protect it. AFRINIC claims instability prevents it from serving members and developing the region. ICANN says courts need to understand AFRINIC's unique role and the nature of resources it administers. The NRO thanks staff for keeping operations and services going during difficult times. NRS warns members that registry chokepoint power can destroy networks. Larus sells continuity assurance as a product, arguing that registry-layer risk should sit upstream with a specialist first-party lessor. Courts preserve status quo or issue orders to prevent harm. Each claim speaks to a real risk.

The danger is that continuity can become a universal justification. If continuity means preserving the resource ledger, keeping essential registry services running, and preventing conflicting number claims, it is narrow and compelling. If continuity means preserving whichever institution or faction currently claims to guard the ledger, it becomes a way to protect the gatekeeper. The distinction is not hostile to AFRINIC. It is a condition for saving AFRINIC's legitimacy. Institutions survive crises better when the public can see that emergency help is protecting the function rather than insulating incumbent discretion.

ICANN's May 2026 intervention, as reported by The Register, shows both the necessity and risk of continuity rhetoric. ICANN sought standing in a case involving an attempt to wind up AFRINIC. Its spokesperson said the purpose was to ensure that the court understood AFRINIC's unique role and that numbering resources allocated through AFRINIC are not assets of AFRINIC available for distribution in a winding-up. That is a strong continuity argument. A local insolvency process should not mistakenly treat number resources as corporate property to be divided among creditors or claimants. The public coordination function is real.

But the non-asset point does not settle the whole dispute. It does not tell a court whether a particular resource holder breached its contract. It does not define the reliance rights of a holder that has built services around delegated resources. It does not decide whether transfer restrictions are wise or whether leasing is permissible. It does not decide whether AFRINIC's board election was properly conducted. It does not decide how much discretion a registry should have to review usage years after allocation. A valid continuity claim can be laundered into a broader merits claim if the audience is not careful.

AFRINIC's own continuity claims deserve the same discipline. The registry's March 2026 warning that litigation and procedural roadblocks were obstructing restoration, training, research, and membership strengthening may accurately describe operational pain. It does not automatically prove that every challenged action was correct, every protest was bad faith, or every bylaw reform is legitimate. Conversely, Cloud Innovation's or NRS's warnings about registry chokepoints do not automatically prove that AFRINIC's enforcement actions are unlawful or that resource holders should enjoy broad commercial freedom without continuing obligations.

The continuity question should be put in operational terms. What record must be preserved? Which service is at risk? Which party has authority to act? What legal basis supports the action? How are member rights protected? What happens to downstream networks if the action is wrong? What is the least disruptive remedy? What information can be made public without exposing sensitive customer or security data? How will the action reduce, rather than increase, future litigation? These questions are less dramatic than statements about saving the internet. They are more useful.

The official and interested-party evidence both point to the same institutional lesson. A registry should be designed so that continuity does not depend on trust in a small group of officeholders. A resource holder should not need to capture a board or litigate a receiver to protect its basic reliance interests. External guardians should not need to threaten emergency replacement because the local registry lacks a working failure-and-repair process. Courts should not have to infer the technical and economic character of number resources from adversarial slogans. The thinner and clearer the mandate, the less work continuity rhetoric has to do.

That is why "protect the ledger, not the gatekeeper" is a useful public test even when one recognises that a real organisation must operate the ledger. The ledger is the record, the data, the uniqueness function, the policy history, the member status map, the reverse-DNS and certification dependencies, and the procedural trail. The gatekeeper is the discretionary layer that can decide access, legitimacy, and acceptable commercial evolution. Some gatekeeping is unavoidable. It should be named, bounded, and appealable. It should not be hidden inside continuity.

What a narrower mandate would require

A narrower AFRINIC mandate would not be weaker. It would be more enforceable. Institutions with broad, ambiguous powers often look strong until they meet a determined litigant. Then ambiguity becomes a liability. The registry struggles to explain its authority. Members doubt whether they will be next. Courts face a mixture of technical claims and commercial injury. External bodies intervene because ordinary governance cannot produce confidence. A narrow mandate reduces the number of facts that must be fought over.

The first requirement is a clean statement of the registry function. AFRINIC should be judged by the accuracy, availability, and auditability of its number-resource records; the integrity of its membership and contact records; the reliability of WHOIS, RDAP, reverse DNS, IRR, RPKI, and related registry services; and the faithful implementation of adopted resource policy. That function is already visible in the official materials. The needed discipline is to prevent every broader institutional aim from being smuggled into it. Development support, training, research, and community building may be valuable. They should not be used to expand coercive resource authority without explicit policy footing.

The second requirement is a resource-review charter that members can understand before they invest. The charter would not be a favour to large holders. It would protect the registry against claims of arbitrary enforcement. It should say what triggers review, what evidence is required, what records may be requested, how customer confidentiality is protected, what time frame applies, who decides, how appeals work, what happens during a dispute, and what remedies are available. It should also state what the registry will not do. A negative mandate is often as important as a positive mandate: no indefinite fishing expedition, no retroactive business-plan approval unless policy clearly says so, no total reclamation for minor record defects, no secret criteria.

The third requirement is remedy proportionality. If the problem is inaccurate contact data, the remedy should start with correction. If the problem is non-payment, billing and suspension rules should govern. If the problem is false application data, the remedy may be stronger. If the problem is a contested interpretation of regional-use policy, the registry should not behave as though it had already proved fraud. If downstream customers face disruption, transition mechanisms should be considered where technically possible. Proportionality turns enforcement from punishment into infrastructure governance.

The fourth requirement is a clarified member-governance map. AFRINIC's crisis shows that resource-member status, registered-member status under Mauritian law, voting rights, powers of attorney, proxies, nomination rules, and bylaw authority cannot be left to folklore. If resource members are the community whose consent legitimates the registry, their rights must be legible and enforceable. If local company law limits those rights, the mismatch should be disclosed and fixed through lawful amendment. If proxies are allowed, documentation and verification must be strong enough that a public reader can trust the result without knowing every private file.

The fifth requirement is emergency doctrine with humility. ICANN, the NRO, peer RIRs, and courts will sometimes need to act or speak. Their role should be tied to preserving the ledger, preventing conflicting claims, keeping essential services available, and ensuring lawful governance restoration. They should avoid implying that continuity support decides the merits of every resource dispute or validates every registry policy choice. Emergency power should be temporary, documented, and reviewable. If revised ICP-2 creates assistance or derecognition mechanisms, the triggers should be high, the process public, and the transition plan focused on records and services rather than institutional punishment.

The sixth requirement is better economic honesty. IPv4 addresses are not ordinary property in RIR doctrine, but they are economically valuable and operationally relied upon. Pretending otherwise encourages bad policy. A holder that has no ordinary property title may still face real loss if registration status changes. A registry that charges administrative fees may still control a scarce input with market value. A court that sees only a local company may miss the global coordination function. A company that sees only asset value may ignore the public-resource bargain under which the allocation was made. Good governance starts by saying these tensions aloud.

These requirements are not a blueprint for one party to win. They are tests for whether AFRINIC can stop laundering a thin mandate into broad discretion and whether resource holders can stop laundering economic reliance into immunity. The registry's legitimacy will not be rebuilt by victorious language. It will be rebuilt by visible constraints that make ordinary compliance cheaper than litigation and ordinary governance more credible than emergency intervention.

Uncertainty and watchpoints for public readers

There is substantial uncertainty around AFRINIC, and readers should resist simple conclusions. Some public allegations remain allegations. Some court orders are interim or procedural rather than final judgments on the merits. Some reporting relies on parties that are themselves involved in the dispute. Official statements from AFRINIC, ICANN, and the NRO are useful factual exhibits, but they should not be treated as neutral answers to contested economic questions. NRS and Larus materials are useful evidence of the resource-holder critique and business-continuity narrative, but they are also interested-party communications. IGP and The Register provide independent reporting and analysis, but they too work from the public record available at the time.

The first watchpoint is whether AFRINIC's board legitimacy becomes ordinary. A functioning board should produce routine evidence: notices, minutes, budget approvals, executive appointments, conflict controls, member communications, and decisions that do not immediately require emergency explanation. The point is not whether every critic becomes satisfied. The point is whether governance becomes boring enough that policy and registry operations no longer depend on receivership drama or court-supervised improvisation.

The second watchpoint is the membership and voting map. AFRINIC's legitimacy depends on knowing who can vote, who can delegate authority, how powers of attorney are verified, how resource-member and registered-member categories interact under Mauritian law, and how bylaws will be changed. If those questions remain ambiguous, community language will continue to serve as a laundering device for whichever faction can claim it most loudly. If they are clarified, the registry's mandate becomes more enforceable because consent becomes more traceable.

The third watchpoint is resource-review practice. Public readers should look for whether AFRINIC develops clear review criteria, proportional remedies, appeal paths, and confidentiality protections. The decisive signal will not be a speech about stewardship. It will be a documented process that distinguishes fraud, inaccurate records, non-payment, changed use, transfer requests, leasing, and regional policy questions. A registry that narrows its review power can still enforce serious breaches. A registry that relies on broad discretion will remain vulnerable to the charge that it is regulating business models rather than maintaining a ledger.

The fourth watchpoint is the revised ICP-2 process and any emergency-registry mechanism. A lifecycle framework for RIR failure is sensible after AFRINIC. The risk is that failure policy becomes a higher-level gatekeeper. The public test is whether any assistance, remediation, derecognition, or emergency transition process is tied to objective triggers, transparent procedure, preservation of data and services, and protection of legitimate member reliance. If the framework allows broad political discretion, mandate laundering will simply move from the regional registry to the global coordination layer.

The fifth watchpoint is the treatment of IPv4 commercial reality. AFRINIC reported through The Register in February 2026 that it still had a pool of unallocated IPv4 addresses and that attention should eventually move to IPv6. IPv6 is essential, but it will not remove IPv4 reliance quickly enough to dissolve the present disputes. Transfer rules, leasing practices, regional-use claims, and address-holder reliance will remain sensitive. A credible registry will address them through explicit policy and procedure, not by pretending that market value is irrelevant or by allowing commercial actors to write the rules through litigation pressure.

The sixth watchpoint is court language. Cases involving winding-up, public statements, member records, bylaws, powers of attorney, or resource rights should be read narrowly. A court order correcting a register may not approve a leasing model. A court order restraining misleading statements may not decide whether IPv4 leasing is lawful. An order allowing ICANN to intervene may not validate every ICANN concern. A receiver's authority to organise elections may not settle the long-term rights of resource members. In a mandate-laundering environment, every procedural win will be marketed as a broader victory. Readers should ask what the order actually decided.

The final watchpoint is rhetorical inflation. Phrases such as community, continuity, Africa's internet, ownership, decentralization, global coordination and registry stability all carry legitimate meaning. They also carry power. The public should keep translating them back into concrete questions: who gets to decide, under what rule, with what evidence, subject to what appeal, causing what operational effect, and bearing what liability if the decision is wrong? AFRINIC's future will be safer if those questions become easier to answer. The purpose of a registry is not to win an argument about its own importance. It is to make the numbering ledger reliable enough that nobody has to capture the gatekeeper in order to trust the record.