Summary

  • ARIN's constitutional problem is institutional, not national: a private registry with public-infrastructure effects needs enforceable limits because ordinary exit is weak and registry recognition is widely relied upon.
  • IPv4 depletion since 2015 changed ARIN's economics from administrative allocation toward recognition infrastructure for a scarce, transferable and financeable input used by operators, cloud platforms, governments and banks.
  • The durable limits are mandate discipline, separated roles, due process, appealability, transparency, conflict controls, member accountability, financial restraint, external recognition boundaries and proportional remedies.
  • ARIN should remain a ledger and coordination layer, not a sovereign, court, lender, broker, appraiser or internet property state; legitimacy rises when the registry is useful but hard to use as a discretionary prize.
  • Small operators carry the highest cost when registry power is vague, because they have less cash, legal capacity and address diversity with which to absorb holds, transfer delays, service uncertainty or policy drift.

A rejected transfer file exposes the constitution inside the registry

The board packet is not dramatic. It contains a rejected transfer file, a staff note on a legacy-resource contact dispute, a request to keep an existing reverse-DNS delegation stable while a buyer cures a corporate-authority defect, and a budget memo asking whether reserve policy should assume another year of legal and compliance spending. No packet page declares that constitutional limits are at stake. Yet the scene is constitutional in the only sense that matters for internet-number economics: one private institution is deciding how far its recordkeeping power may reach into operational continuity, scarce-resource liquidity and the confidence of people who cannot simply choose another North American registry.

The file does not need a scandal to matter. Suppose a small broadband provider in the United States has found a buyer for a portion of unused IPv4 space, while keeping enough addresses for its own customers. The buyer is a regional cloud business. A bank financing the buyer has asked for registry-recognition conditions. A public-sector customer wants assurance that reverse DNS and route-origin materials will not be disturbed. ARIN staff identify an authority gap in the seller's chain of corporate approvals. That may be a real defect. A good registry must reject forged authority, prevent duplicate recognition and protect the integrity of the public record. The problem begins when the economic consequence of the hold is broader than the defect.

If the record says only that the transfer cannot proceed until one signature is verified, the market can price the delay. If the notice is vague, if the cure target moves, if unrelated services appear at risk, if the review path is hard to understand, if the buyer cannot learn whether the current holder remains recognised, or if the file seems to depend on institutional preference rather than evidence, a narrow authority question becomes a capital event. The bank widens conditions. The buyer seeks indemnities. The seller accepts a lower price. Customers ask whether numbering continuity is safe. None of that is solved by saying that ARIN is a steward. Stewardship is a claim about purpose. Constitutional limits are constraints on power.

Here, "constitution" is an institutional-economics term. It is not a theory of United States constitutional law. ARIN is not a state. It does not issue statutes, run courts or command police. It is a private nonprofit registry whose records and services are treated by operators, counterparties, courts, governments and markets as a necessary layer of public infrastructure. That is precisely why its limits matter. The relevant constitution is the bundle of formal and informal rules that decides what ARIN may decide, who decides it, how the affected party is heard, how error is corrected, which services continue, who may appeal, what conflicts must be disclosed, how money may be used, and when external institutions may intervene.

In a scarce IPv4 economy, those limits are not decorative. They are part of the price of trust.

The constitution is the price of constrained exit

Ordinary private power is often disciplined by exit. Customers leave bad vendors. Members resign from weak clubs. Buyers choose another supplier. That discipline works badly at the registry layer. A holder of ARIN-administered number resources cannot move the same resources to a competing North American registry because it dislikes a fee schedule, transfer interpretation, service boundary or staff decision. An operator may route traffic through many networks, buy transit from several providers and host workloads in multiple clouds, but the recognised registry record for its ARIN-region resources remains tied to the ARIN system.

Constrained exit changes the economics of authority. It does not make ARIN illegitimate. The internet needs unique number-resource records, and regional registries perform a real coordination function. But constrained exit means that private-form governance can produce public-like consequences. If ARIN refuses to recognise a successor, pauses a transfer, suspends a service, marks a dispute, changes agreement treatment, interprets a policy broadly, or withholds routing-security support, the immediate counterparties are not the only people affected. Customers, banks, data-centre operators, security teams, cloud platforms, public agencies and courts may all read the registry state as part of their own risk assessment.

That is why the constitutional lens is economic rather than ceremonial. It asks what minimum set of constraints makes reliance rational when exit is weak. Mandate limits tell the market that the registry is not free to convert every policy value into enforcement. Due process tells the holder that a serious decision will be explained before it becomes final. Separation of functions tells members that policy, administration, board oversight and appeal will not collapse into one institutional will. Transparency lets outsiders distinguish a curable defect from a systemic risk. Conflict rules tell participants that scarce records are not influenced through private channels. Financial restraint prevents mission language from becoming a blank cheque. Proportional remedies keep a narrow defect from producing broad harm.

The strongest argument for limits is not hostility to ARIN. It is the opposite. ARIN's legitimacy rises when members and markets can say with confidence that the registry is powerful where it must be powerful and weak where a private registry should be weak. It should be powerful at maintaining uniqueness, accurate records, authenticated changes, reliable publication services, documented transfers, fraud resistance and stable numbering services. It should be weak at deciding broad commercial merit, regional political destiny, private lending outcomes, valuation, brokerage strategy, ordinary business models or the moral worth of address use.

Constitutional limits also lower legal and commercial friction. A court is more likely to respect a registry decision when the record shows authority, reasons, notice, cure, review and proportionality. A bank is more likely to finance an address-dependent transaction when registry risk is bounded. A small operator is more likely to update records honestly if review does not feel like an open-ended threat. Members are more likely to vote and participate when their role is not ceremonial. The point is not to make every dispute painless. It is to keep disputes from becoming evidence that the registry itself is an unchecked gate.

ARIN's region makes the problem quiet but expensive

ARIN serves a region that is economically deep and institutionally demanding: the United States, Canada, and a set of Caribbean and North Atlantic economies. Its environment includes hyperscale cloud platforms, national and regional access networks, universities, cable and wireless operators, security vendors, content platforms, hosting companies, public bodies, financial institutions, brokers, address-rich legacy holders and small networks operating with thin margins. The region is not uniform. A large American platform, a Canadian rural ISP, a Caribbean carrier, a university with early allocations and a small hosting provider do not experience registry power in the same way.

That diversity is exactly why limits matter. A registry rule that seems modest to a national provider may be costly for a small island operator. A documentation demand that a hyperscaler can satisfy with counsel and staff may cause a family-owned ISP to delay a transaction. A routing-security service boundary that a large network can work around may make a smaller operator look less bankable to customers or upstreams. A policy process that rewards frequent meeting attendance may hear from skilled volunteers while missing the firms that are most exposed to compliance cost. North American institutional stability can hide these asymmetries because there is no obvious crisis on the front page.

The history of IPv4 depletion makes the region more sensitive. ARIN's IPv4 free pool reached depletion in September 2015. Since then, additional IPv4 capacity has largely moved through waiting-list rules, reserved pools, transfer routes, acquisitions, legacy-resource clean-up, leasing structures and private inventory decisions. The registry has not stopped mattering. Its role has changed. It is less a distributor of abundant future capacity and more a recognition layer for scarce capacity already embedded in production networks and private transactions.

Legacy resources deepen the constitutional problem. Many North American address holdings predate ARIN or were issued under assumptions different from the current contract and service environment. They are not an embarrassment to be normalised by institutional appetite. They are evidence that the registry sits on historical records as well as contemporary agreements. A legitimate registry must keep those records accurate and useful without pretending that every old record is merely a pending invitation to accept modern institutional control. The more important RPKI, IRR, RDAP, Whois, reverse DNS and transfer readiness become, the more careful ARIN must be about service boundaries that can function as contract pressure.

External reliance is also unusually broad. Courts may look to registry records in disputes over transfers, authority or fraud. Banks and investors may treat registry recognition as part of credit support or acquisition diligence. Cloud providers may need assurance that capacity is clean and usable. Governments may care about continuity for public services, procurement and critical networks. Operators depend on public record data, reverse DNS, routing-security materials and contactability. In this setting, a registry decision is rarely just a ticket outcome. It is an institutional signal that travels into other contracts.

The factual base for this analysis is not ARIN's self-description alone. It is the public machinery around the registry: the Number Resource Policy Manual, the policy-development process, transfer and waiting-list materials, Registration Services Agreement and legacy-service documents, fee schedules, election and meeting records, annual reporting, and service documentation for RDAP, Whois, IRR, RPKI and reverse DNS. Those materials do not settle the constitutional question. They show where authority is exercised, where reliance forms and where limits must be legible to outsiders.

This is why a mature ARIN requires constitutional limits even without visible institutional breakdown. A stable registry can accumulate quiet discretion precisely because people trust it. Scarcity turns that discretion into an economic variable.

Mandate limits keep recordkeeping from becoming preference

The first limit is mandate discipline. ARIN should be able to state the power it is using in language tied to a core registry function. Is it preserving uniqueness? Verifying authority? Preventing a duplicate claim? Correcting public data? Processing a transfer under a published rule? Protecting reverse DNS or routing-security integrity? Recording a dispute? Complying with a specific external legal constraint? Collecting fees necessary for the service relationship? If the answer does not fit a named function, the action deserves suspicion.

Mandate discipline is not the same as institutional minimalism for its own sake. A registry with no discretion would be dangerous. Forged documents exist. Dormant organisations can be exploited. Account compromise is real. Court orders may require action. Sanctions rules may constrain services. Corporate reorganisations can produce ambiguous authority. Legacy records may be incomplete. A registry must be able to pause, ask, verify, mark, correct and, in severe cases, refuse. The constitutional question is whether the remedy matches the function.

The danger is mandate laundering. A limited power enters the institutional machinery as record protection and leaves as broad control over market behaviour. A transfer-review power becomes a way to judge business plans. A contract-status rule becomes pressure to abandon legacy independence. A fraud-control review becomes a standing audit of ordinary commercial use. A policy phrase about stewardship becomes authority to suppress liquidity. A regional-service concept begins to sound like political sovereignty. The vocabulary remains respectable; the power has changed.

ARIN's transfer market shows why the line matters. Source authority verification protects the ledger. Dispute-state checks protect the ledger. Signed officer acknowledgements protect the ledger. Fraud screening protects the ledger. But recipient qualification and forward-looking need assessments in private transfers sit closer to market control. They may be defended, but the defense should be economic and explicit: what concrete harm is being prevented, how often does it occur, what narrower alternatives exist, and who pays for the restriction? In a depleted market, inherited conservation language cannot be the whole answer.

The same test applies to advanced services. RPKI and IRR services may require agreement status for operational, liability or administrative reasons. Yet as routing-security expectations grow, optional service boundaries can become practically compulsory. A mandate-limited registry should revisit the line when a service shifts from useful add-on to market expectation. It should not silently rely on that shift to enlarge contractual leverage.

Mandate limits protect ARIN as much as holders. When ARIN acts within a narrow function, it has a stronger claim to deference. When it uses broad institutional language, it invites courts, members and markets to ask whether a private registry is governing value beyond its proper role. A useful test for every serious file is this: could ARIN explain the decision without the words "stewardship", "community" or "public interest"? Those words may describe the purpose of the system. They should not substitute for criteria.

Scarcity turns discretion into a risk premium

IPv4 scarcity changed the price of error. In the allocation era, a delayed request could be frustrating, but future supply still framed the relationship. After depletion, an address block can represent customer continuity, capacity planning, acquisition value, financing support, migration optionality, security posture and bargaining power. The registry record is not the whole asset, and legal systems may describe number resources in different ways, but counterparties will treat a scarce, durable, transferable and productive input as economically asset-like. Recognition is the point at which that asset-like value becomes legible.

Risk premiums arise when recognition is uncertain. A buyer discounts a block if transfer recognition may take unpredictable time. A seller accepts wider warranties if the registry may question history. A lender discounts an address-dependent business if service access or transferability is unclear. A cloud provider builds redundancy if capacity may be tied up by registry review. A small ISP delays expansion if it cannot tell whether a documentation question will remain narrow. A customer asks for continuity clauses that the provider may not be able to satisfy. These costs rarely appear under the heading "constitutional risk", but that is what they are.

Scarcity also changes incentives inside the registry. A staff decision that once looked administrative can now move value. A board policy choice can affect liquidity. A fee schedule can have distributional effects across legacy holders, small networks, large incumbents and brokers. A resource-review practice can change how honestly holders update records. A service boundary can nudge organisations into agreements. None of this requires bad faith. The economics of scarcity converts ordinary administrative discretion into a market condition.

The distributional effects are not even. Large networks can carry uncertainty with lawyers, address diversity, reputational buffers and technical alternatives. Small operators often cannot. A rural broadband provider, a Caribbean network, a small data centre or a regional hosting firm may hold one critical address portfolio and have limited staff. If the registry treats a narrow defect as broad uncertainty, the smaller firm pays first. Its financing becomes more expensive. Its customers become more cautious. Its buyer pool narrows. Its willingness to participate in policy falls because participation itself feels like exposure.

Constitutional limits reduce the premium by making categories predictable. A forged signature is different from a missing certificate. A disputed transfer is different from the current holder's ongoing recognition. A sanctions-related service constraint is different from a general commercial dislike. A court order is different from a policy preference. A resource review based on fraud indicators is different from routine curiosity. When ARIN labels the category, states the rule, preserves unrelated services and provides review, the market can distinguish severe risk from routine friction.

This is the central economic reason not to postpone limits until a crisis. By the time a crisis occurs, discretion has already been priced into contracts. The cheaper path is to make registry power boring, visible and bounded before counterparties assume the worst.

Separation of functions substitutes for sovereignty

A state constitution separates powers because concentrated authority is dangerous. A registry constitution needs a different but related separation: policy formation, board oversight, staff administration, enforcement, appeals, member voting, legal compliance and financial control should not collapse into one practical command. ARIN is not a sovereign, so it cannot borrow sovereign legitimacy. Its substitute is institutional architecture.

The policy community can propose and debate number-resource policy. The Advisory Council and Board have roles in the policy path and corporate oversight. Staff administer services, apply rules, review tickets, maintain records and operate systems. Members elect directors and advisory representatives. Legal counsel handles disputes and compliance. Finance staff and the board manage budgets and reserves. Each lane matters. The constitutional risk appears when the lanes blur in high-value files.

If board influence quietly steers an individual transfer, the holder cannot know whether staff applied a rule or politics. If staff effectively create policy through repeated interpretation, the public process becomes decorative. If legal strategy dictates broad service treatment, continuity can become hostage to litigation. If member pressure turns a disliked business model into an enforcement target without adopted criteria, participation becomes majoritarian asset control. If appeals return to the same people who made the first decision, review becomes a courtesy rather than a constraint.

Separation should be practical. Staff can apply policy, but live high-consequence files should have written reasons and escalation. The board can oversee performance, risk and institutional strategy, but it should avoid informal case direction. The policy process can create rules, but it should not be retrofitted to decide one holder's dispute. Appeals should have distance from the first decision and authority to reverse, narrow, remand or stay. Legal compliance should be precise about what law requires and what institutional preference adds. Finance should fund core registry work before expansive programmes.

This structure also protects the people inside ARIN. Staff are more credible when they can point to published criteria. Directors are safer when recusal and case-boundary rules exist. Counsel is more persuasive when legal action is tied to a narrow mandate. Members are more effective when voting changes policy prospectively rather than becoming pressure on individual records. Separation converts trust from personal reputation into institutional design.

The North American setting makes separation especially important because many participants are sophisticated and repeat players. Brokers, large networks, cloud firms, universities, lawyers and public bodies may understand how to present claims effectively. Smaller holders may not. If ARIN's lanes are unclear, influence can become a hidden currency. If the lanes are clear, sophistication still helps, but it helps through evidence rather than access.

The aim is not to make ARIN slow. A separated registry can be faster because participants know where to go. The aim is to prevent a private registry from acquiring, through habit, the combined functions of rulemaker, prosecutor, judge, execution office and market supervisor.

Due process protects the small operator first

Due process is often described as fairness. For ARIN it is also cost control. A holder facing an adverse registry decision needs to know what was decided, why it was decided, what evidence is missing, what can be cured, what services continue, who can review the decision and when finality attaches. Without that information, the holder and its counterparties must price the worst plausible interpretation.

The small operator is the first beneficiary of disciplined process. A large company can hire counsel, keep a transaction open, produce historical files, arrange bridge capacity and absorb delay. A small operator may have one administrator, one lawyer used only occasionally and one address position that matters to customer continuity. If ARIN sends a vague notice, the small operator may over-disclose, under-negotiate, abandon a sale, sign a contract it does not understand or avoid updating stale records. Weak process therefore becomes regressive.

Good due process begins with notice, but notice is not enough. Reasons are the critical part. A refusal based on missing source authority is different from one based on recipient qualification. A service suspension for non-payment is different from an emergency action for suspected account compromise. A reverse-DNS change pause is different from a general account hold. A legal restraint is different from staff caution. Reasons let the holder cure; they also let outsiders avoid overreacting.

Cure paths matter because many defects are fixable. A missing officer acknowledgement, incomplete corporate succession document, stale Point of Contact, unclear legacy relationship or inconsistent ticket can be corrected if the target is named. A cure path should state the required act, the deadline, the preserved services and the consequence of success or failure. A demand that keeps expanding is not a cure path. It is discretion with paperwork.

Temporary continuity is the other pillar. The default should be to preserve the last verified operational state while the disputed change is reviewed, unless a narrow risk makes preservation unsafe. If a transfer is disputed, pause the transfer; do not threaten unrelated public registration or reverse DNS. If a routing-security change is disputed, preserve the last safe publication state where possible. If account authority is questioned, block new changes while maintaining existing recognition. This is not leniency. It is proportionality applied before damage occurs.

Due process should be graded by consequence. A routine formatting error needs a simple correction. A transfer denial needs reasons and escalation. A suspected compromise may need fast emergency action and rapid review. A service termination threat requires stronger notice and cure. A decision that affects transferability, routing-security reliance, reverse DNS, public recognition or agreement status needs more than a help-desk answer. The procedure should become heavier as the economic consequence rises.

ARIN's appeal and service documents provide factual building blocks. The constitutional task is broader: make reviewability normal whenever registry action can move scarce-resource value.

Appealability prevents first decisions from becoming private law

A registry cannot function if every decision is endlessly open. Finality matters. Buyers need to close. Sellers need to know whether a block can move. Operators need stable public records. ARIN needs to stop forged or unsupported requests. The issue is not whether the institution can decide. It is whether the first adverse decision becomes final merely because it came from the registry.

Appealability is the constitutional device that prevents first decisions from becoming private law. It gives a holder a structured path from staff decision to escalation, review and finality. It gives ARIN a cleaner record. It gives courts and counterparties a reason to distinguish disciplined registry action from unchecked discretion. It gives the market confidence that error can be corrected before value is destroyed.

A useful appeal system should answer several questions in ordinary language. What decisions are appealable? Who may appeal? What is the deadline? Must internal escalation occur first? Who reviews the file? What standard applies? Can the reviewer stay the decision? Can the reviewer accept cure, narrow a hold, require better reasons, restore a service, approve a request or remand for more evidence? What remains stable while the review proceeds? When does the decision become final?

Standing requires care. The registered holder should have full rights. A successor, buyer, lender or operational network may have a reliance interest, but ARIN should not become a general court for all commercial disputes. The constitutional middle is limited participation tied to the registry effect. A buyer may need confirmation that a transfer denial is based on recipient qualification rather than source authority. A lender may need status information with consent. A downstream customer may need continuity assurance without seeing private file materials. Standing should follow the registry consequence without exposing confidential records unnecessarily.

Stays are as important as appeals. An appeal after the buyer walks, the loan expires or the service state changes may be formally available but economically useless. A stay should preserve the last verified state unless the specific risk requires a narrower or different interim measure. For emergency actions, review should be fast and staged: first continuity and scope, then merits. For ordinary adverse decisions, the timeline can be longer but should be visible.

Appeal data should be reported in aggregate. How many escalations occur? What categories are involved? How long does review take? How often are decisions reversed, narrowed or clarified? How often does cure resolve the file? How often are emergency holds used, and how long do they last? Confidentiality can be protected. Patterns can still be published. A mature registry should not fear evidence that some first decisions change. Reversal can show that the safety valve works.

Appealability also disciplines rulemaking. If many files fail in the same place, the policy may be unclear. If small holders lose at higher rates, burdens may be regressive. If review often narrows staff action, delegations may be too broad. Appeals are not only a remedy for holders. They are a sensor for constitutional stress.

Transparency should reveal constraints, not mythology

Transparency is not the same as public relations. A registry can publish many documents and still leave the market unsure where its power ends. Constitutional transparency answers a harder question: what constraints bind the institution when decisions become consequential? It reveals the rule, decision-maker, evidence standard, service effect, appeal path, conflict control, aggregate outcome and financial implication.

ARIN already operates in a public style relative to many private institutions. Its policies, meetings, transfer materials, board information, service documents and election structures are visible. Those facts are useful. They should be treated as exhibits, not as the conclusion. The economic question is whether the visible materials let a holder, buyer, bank, court or small operator predict what ARIN cannot do as much as what it can do.

Useful transparency would separate categories. Allocation from a residual pool is not the same as recognition of a private transfer. A merger-related transfer is not the same as a specified-recipient transfer. Legacy public-record maintenance is not the same as agreement-based routing-security service. A staff evidence request is not the same as an adverse decision. A dispute annotation is not the same as a merits finding. A legal order is not the same as institutional preference. If categories blur, the market prices confusion.

Transparency should also label uncertainty. Allegation, investigation, pending review, rejected request, cured defect, final denial, court restraint and confirmed fraud are different states. A registry that treats them carefully lowers market panic. A registry that lets informal language do the work can make a curable problem look like a structural defect. The same discipline should apply to public commentary by members and critics. Not every complaint is proof. Not every staff refusal is overreach. The value lies in reliable labels.

Metrics are the next step. Transfer processing times, documentation rounds, denial categories, waiting-list movement, review outcomes, resource-review counts, emergency-hold categories, service-continuity preservation and appeal timelines would help the market price institutional friction. Publication need not disclose private parties, transaction terms, security indicators or legal strategy. Aggregates are enough to distinguish an efficient ledger from a discretionary bottleneck.

Transparency also means stating the limits of official narratives. ARIN can accurately describe itself as a regional registry and community-based institution. That description does not answer whether a specific rule is proportionate or whether a service boundary creates leverage. "Community" is a participation fact, not a magic source of consent. "Stewardship" is an obligation to protect a narrow function, not a licence to supervise capital. "Region" is a service area, not a sovereign territory.

The registry's strongest transparency is therefore constraint transparency: here is the power, here is the reason, here is the limit, here is the review, here is the data. Mythology is unnecessary when the ledger is disciplined.

Conflict controls protect public trust from private conversion

Scarce registries attract private incentives because the record has value. People who understand weak records, transfer timing, dormant organisations, policy language, fee pressure, service boundaries or board procedure may possess valuable information. Directors, staff, contractors, lawyers, brokers, consultants, policy participants and large members can all have interests that intersect with registry outcomes. That does not imply misconduct. It means the conflict architecture must be serious.

Conflict controls are constitutional because they prevent public-like reliance from becoming private advantage. A registry record is valuable because others believe it is neutral, evidence-based and not influenced by hidden relationships. If participants believe that a transfer can be accelerated through board access, that a resource review can be softened through private channels, that a policy proposal is written to serve one portfolio, or that a service boundary rewards particular commercial structures, the ledger loses some of its public quality.

ARIN's region makes conflicts subtle. The North American internet economy is dense. People move between networks, law firms, brokerage roles, vendor work, security services, policy groups, academic institutions and registry governance. A person may participate in a policy debate while their employer holds large address assets. A director may know parties in a dispute. A consultant may advise a member and comment on policy. A lawyer may understand both registry process and transaction economics. Such overlap is normal in a specialised field. Normality is why disclosure and recusal must be routine rather than exceptional.

Conflict controls should apply by matter and by function. Board members should not steer individual files outside formal channels. Staff should log sensitive escalations. Contractors should disclose relationships relevant to systems, data or dispute work. Policy participants should reveal direct economic stakes when proposing market-shaping rules. Election officials should be insulated from campaign interests. Appeal reviewers should be separated from the first decision. Legal and finance committees should understand when institutional defense spending could protect legitimate continuity and when it could defend discretionary overreach.

The same logic should bind critics and advocates. A resource holder, broker, lessor, buyer, public-interest group or member coalition can contribute valuable evidence while also having economic interests. Participation should not be excluded merely because it is interested. But interest should be visible where it affects claims about policy, transfers, fees, services or governance. The cure for conflict is usually disclosure, recusal, audit trail and separation, not silence.

Conflict rules protect legitimate decisions. If ARIN refuses a forged transfer after clean conflict checks, the refusal is stronger. If it approves a controversial transfer through a documented process, the approval is less likely to be seen as favoritism. If it changes fees after publishing rationale and director interests, members can debate policy rather than suspect private conversion. A transparent conflict system is not anti-registry. It is how a high-trust ledger survives a high-value market.

Member accountability is necessary but not sufficient

ARIN's member governance is a real constraint. Members elect the Board and Advisory Council, participate in meetings, comment on policy, review materials and influence the culture of the institution. The North American registry is not a faceless vendor. Its legitimacy depends partly on this participatory structure. But member accountability has constitutional limits of its own.

The first limit is representation. The affected economy is larger than the voting membership. Customers, downstream networks, lenders, buyers, sellers, lessors, public agencies, cloud users and end users may rely on registry outcomes without voting in ARIN elections. Even among resource holders, participation capacity varies. A large operator can send people to meetings, track policy and vote consistently. A small operator may treat registry governance as an occasional administrative burden until a file goes wrong. Silence is not always consent. It may be cost.

The second limit is expertise. Policy debates can become technical, procedural and time-consuming. That is appropriate for many internet-number questions, but it can underweight economic consequences. A needs-based transfer rule, fee category, waiting-list condition, resource-review practice or service-boundary change can affect capital allocation as much as network administration. Member accountability should therefore include economic evidence: who pays, which holders are affected, what smaller networks face, how transfer liquidity changes, how uncertainty enters contracts and whether alternatives would protect the ledger at lower cost.

The third limit is majoritarian temptation. A registry community can be open and still produce rules that burden absent or minority holders. Incumbents may prefer restrictions that raise barriers to entry. Address-rich holders may prefer rules that protect optionality. Address-poor entrants may prefer rules that cheapen access. Brokers, buyers, lessors and cloud providers may want different liquidity. Member voting can discipline the institution, but it can also become a market for control unless mandate limits and rights constraints fence it.

The fourth limit is election quality. Member accountability depends on clean voter rolls, understandable eligibility, conflict disclosure, transparent candidate information, clear campaign rules and meaningful turnout. If the electorate is small, confused or dominated by repeat insiders, elections may legitimate the institution formally without disciplining it economically. A constitutional registry should report participation patterns and treat low engagement as a governance risk, not as proof that all is well.

None of this argues against member governance. It argues against asking member governance to do the work of every other limit. Members cannot replace due process for an individual holder. Elections cannot cure vague mandates. Policy participation cannot justify opaque conflict. Board accountability cannot substitute for appealability. Member governance is one wall, not the whole constitution.

The healthier view is modest and strong: members provide oversight, policy input and electoral accountability, but ARIN remains bound by functions, process and proportionality even when an active subset would prefer a broader power. That is how participation strengthens the ledger rather than converting it into majority-controlled infrastructure.

Financial restraint is a constitutional limit

Money is part of registry power. Fees decide who pays for the institution. Budgets decide what the institution becomes. Reserves decide how much independence it can maintain and how much member capital it holds. Legal spending decides whether disputes are resolved narrowly or defended expansively. Outreach and programmes decide whether the registry stays close to its core function or grows into a broader policy actor. In a private registry with constrained exit, financial restraint is constitutional.

ARIN needs adequate funding. Running reliable systems, public registration services, reverse DNS, routing-security support, security controls, member services, policy support, legal compliance, audits and continuity planning costs money. Underfunding a registry would be reckless. The constitutional question is not whether ARIN should be cheap. It is whether the fee and budget system is demonstrably tied to the narrow functions that justify constrained exit.

Fee incidence matters after depletion. A fee schedule may look neutral while affecting holders differently. Small networks may pay a higher effective burden relative to revenue. Legacy holders may face choices between basic services and agreement-linked services. Large holders may absorb increases easily. Transfer participants may pay not only fees but process costs. If the registry accumulates broad programmes or reserves without a clear link to core service resilience, members may see fees as extraction rather than coordination cost.

Reserve policy deserves plain explanation. A registry should hold enough reserves to survive operational shocks, security incidents, legal obligations, economic downturns and continuity risks. It should not hold reserves so large or opaque that members cannot tell whether fees fund resilience or institutional expansion. The target, rationale, stress assumptions and use rules should be visible. Reserve discipline lowers suspicion that the registry is using monopoly position to accumulate unaccountable capital.

Legal spending is especially sensitive. A registry must defend the ledger, comply with law, respond to subpoenas or court orders, fight fraud and protect staff. It should not treat every challenge as a threat to institutional dignity requiring maximum defense. The constitutional question for each large legal matter is: what function is being protected? Public-record accuracy? Transfer integrity? Contract enforcement? External legal compliance? Board authority? Service continuity? Or discretionary power that should have been narrower? Members should be able to see categories, trends and governance controls without exposing privileged detail.

Financial restraint also protects independence from vendors and programmes. If a registry grows a large ecosystem of conferences, sponsorships, consultants, committees and initiatives, those constituencies may come to depend on institutional expansion. That can be healthy when tied to core education and technical coordination. It can become mission creep when the institution's social role becomes a reason to preserve revenue and discretion beyond the ledger.

A constitutional budget is therefore a constrained budget, not a starved one. It funds the record, the systems, the security, the review, the member function, the audit and the continuity plan. It explains reserves. It reports legal categories. It measures fee burden. It sunsets programmes that do not serve the mandate. It treats member money as a trust-like contribution to infrastructure, not as a general fund for institutional ambition.

External recognition should validate the ledger, not crown the operator

ARIN's authority depends partly on external recognition. Other registries, IANA-related coordination, network operators, courts, governments, banks, auditors, brokers, cloud platforms and customers all treat ARIN records as meaningful. This recognition is necessary. A registry nobody recognises cannot provide a common ledger. But external recognition is also dangerous if it is misunderstood. It should validate the function, not crown the operator with unbounded authority.

Courts are one external limit. They may interpret contracts, enforce orders, address fraud, preserve evidence or decide disputes around authority. A court order can require registry action or restraint. That does not make the court the day-to-day registry. It also does not make ARIN immune from review because technical coordination is important. The proper division is functional: ARIN maintains the specialised record; courts decide legal disputes and constrain overreach when a private registry decision affects rights, contracts or public reliance.

Banks and auditors are another recognition layer. They do not decide registry policy, but they decide whether address-dependent value is financeable. If ARIN's processes are narrow and reviewable, financiers can treat registry risk as manageable. If processes appear discretionary, they will demand discounts, covenants, escrows or alternative capacity plans. Financial recognition is quiet but powerful. It can reward constitutional discipline with lower capital costs.

Governments and public buyers rely on registry stability for services, procurement, public networks and security. They should want reliable records, not a private registry swollen into a policy sovereign. Public reliance should push ARIN toward accuracy, continuity, transparency and appealability. It should not encourage the registry to decide broad public-policy questions that belong to legislatures, regulators, courts or market actors.

Cloud providers, carriers and operators create a technical recognition layer. They use records, contact data, reverse DNS, IRR materials, RPKI signals and transfer histories as part of operational risk. Their recognition is practical rather than ceremonial. They should be able to rely on ARIN's ledger without treating ARIN as a judge of every route, customer, lease, business plan or transaction. The registry can supply evidence; networks still make routing and commercial choices.

The NRO, ICANN-related structures and the wider RIR system are coordination layers, not sources of blank-cheque legitimacy. Their role is strongest when preserving data continuity, global uniqueness, coordination and interoperable policy boundaries. It is weaker when invoked to defend institutional discretion as such. The same distinction matters for market-oriented critiques that argue registry-layer centralisation has become structural risk. Those critiques are most useful when they force a functional question: what must be centralised for uniqueness, and what should be constrained, decentralised, modular or reviewable because scarcity has made central discretion too costly?

External recognition should therefore be conditional in practice. Recognise the record because the record is accurate. Respect the registry because its powers are limited. Preserve the function because the function is shared infrastructure. Do not turn recognition into sovereignty.

Proportional remedies keep defects from becoming crises

A constitutional registry does not merely define power. It defines remedies. Remedies matter because registry errors and holder errors are both inevitable. A document will be incomplete. A signature will be questionable. A company name will have changed. A legacy chain will be hard to prove. A staff member may apply a rule too broadly. A policy may be ambiguous. A holder may obstruct. A fraudster may exploit a stale record. The remedy architecture decides whether these defects become manageable tasks or institutional crises.

The first rule is proportionality. Match the remedy to the defect. If the defect is authority for a transfer, pause the transfer and request proof; do not disturb unrelated recognition. If the defect is contactability, require contact validation; do not imply resource illegitimacy. If the defect is unpaid fees, follow the agreement's notice and cure logic; do not use payment as a proxy for broader judgement. If the defect is suspected compromise, freeze new actions and verify control; preserve the last known good state. If the defect is a court restraint, record the specific restraint and keep non-restrained services stable.

The second rule is reversibility. Where possible, registry action should preserve the ability to restore the prior state. A disputed change can be held. A record can be marked pending. A service can remain in its last valid configuration. An adverse decision can be stayed. Irreversible actions require stronger reasons, higher review and clearer authority. Reversibility is cheaper than compensation and more useful than apologies.

The third rule is correction. If ARIN is wrong, the system should make correction fast, visible and non-humiliating. Accept the cure. Restore the record. Narrow the hold. Clarify the service boundary. Reopen the ticket. Publish aggregate lessons where appropriate. A registry that corrects itself earns more trust than one that pretends first decisions are always right.

The fourth rule is symmetry. Holders should not benefit from forged documents, strategic delay, misleading claims or refusal to provide basic evidence. ARIN should not benefit from vague notices, overbroad holds, moving cure targets or category confusion. Courts, appeal reviewers and internal governance should be able to impose costs or consequences in both directions where conduct is unreasonable. Symmetry keeps due process from becoming either obstruction or institutional immunity.

The fifth rule is structural learning. Repeated defects in one category are evidence about the system. If many small holders fail a documentation requirement, guidance may be unclear or burden too high. If transfer reviews repeatedly need more rounds, forms may not match reality. If emergency holds last too long, the emergency rules are too vague. If legacy-service questions keep recurring, the boundary needs clearer explanation. A constitutional registry reads remedy data as governance data.

Proportional remedies help ARIN avoid becoming a court, lender, broker or appraiser. They keep the registry close to its competence. The registry decides what the record can safely recognise; it does not decide the whole commercial life of the resource. That is the difference between a ledger with remedies and a gatekeeper with punishments.

The ledger is not a sovereign, court, lender or broker

The ledger-vs-sovereign boundary is the core of ARIN's constitutional economics. ARIN maintains a recognised record of number-resource allocation, assignment, transfer, contacts and related services. That record is indispensable because the internet is a system of independent networks that need unique identifiers. Yet the need for a common ledger does not make the ledger operator a sovereign over the things recorded.

ARIN is not a court. It may need to interpret documents for registry purposes, comply with legal orders and decide whether a request satisfies policy. It should not purport to settle every underlying commercial or corporate dispute. Where the legal question exceeds registry competence, ARIN's proper role is to preserve the last verified state, mark dispute where appropriate and follow competent external decisions without expanding them.

ARIN is not a lender. Its recognition may affect financeability, but it should not decide credit merit, collateral value, debt structure or borrower strategy. Banks can discount registry risk; they should not need ARIN to become a secured-credit supervisor. ARIN can make financing safer by making records clear, transfer rules predictable and review paths credible.

ARIN is not a broker. It can recognise transfers under policy and protect the ledger from fraud, but it should not supervise price, negotiate terms, pick winners, encourage one commercial structure over another or use process friction to shape market outcomes without explicit justification. Brokers, buyers and sellers carry market risk. ARIN supplies the recognition layer.

ARIN is not an appraiser. Scarce IPv4 has market value, and registry decisions can affect that value. But ARIN should not treat valuation as part of its mandate except where fees, fraud indicators or legal constraints require limited attention. Its job is not to say what a block is worth. Its job is to maintain the conditions under which others can value it confidently.

ARIN is not an internet property state. It can recognise contractual rights and registration status in the terms its agreements and policies provide. It should avoid language that pretends either that address value is imaginary or that ARIN holds sovereign title over all economic uses. The more careful answer is better: number resources are scarce operational inputs whose recognised registry status matters, and the registry's private authority must be limited accordingly.

This boundary does not weaken ARIN. It makes ARIN more defensible. The institution can say no to forged authority because that protects the ledger. It can pause a transfer under a specific dispute because that protects the ledger. It can require agreement for certain services if the reason and consequence are clear. It can comply with law. It can maintain fees. What it cannot do, without losing legitimacy, is convert every dependency on the record into a general permission over the market.

The safest registry is therefore not the grandest registry. It is the narrow one whose record is so reliable that others can build law, finance, routing, cloud services and public connectivity around it without fearing hidden sovereignty.

Financial and procedural limits reinforce each other. A due-process rule without budget support becomes an unfunded promise. A transparency policy without conflict controls becomes publicity. Member voting without appealability can still leave individual holders exposed. Mandate limits without financial restraint may be eroded by programmes that create reasons to expand. External recognition without remedies can harden first decisions into fact. The architecture is only credible when the pieces reinforce one another.

Consider the transfer file in the opening scene. Mandate discipline tells ARIN to frame the defect as source authority, not general market approval. Due process gives the holder reasons and a cure target. Temporary continuity preserves current recognition, reverse DNS and unrelated services. Separation prevents board or member pressure from steering the file privately. Conflict controls require anyone with a transaction interest to stay out of the decision. Transparency lets the buyer and bank understand the category of hold without seeing confidential documents. Appealability gives a second look if staff misapply the rule. Proportional remedies allow the transfer to proceed when the signature is verified. Financial restraint ensures the cost of this system is part of core registry service, not an optional courtesy.

Now imagine the opposite. A vague hold, no clear cure path, private escalation, unclear service effects, no aggregate data, a broad appeal exclusion and expensive uncertainty. Nothing dramatic has happened. The registry has not revoked a block or shut a network. Yet the economic damage has begun. The buyer lowers the price. The bank asks for more collateral. The seller delays investment. The small operator learns that registry interaction is dangerous. Future records become less accurate because holders avoid touching them. This is how constitutional weakness shows up in a mature registry: as avoidance, discounting and quiet distrust.

The same interaction applies to fees and reserves. If ARIN funds review systems, public data quality, cybersecurity, publication continuity and member accountability, fees look like infrastructure cost. If fees fund expansive identity or policy projects with unclear connection to the ledger, they look like rent. If legal spending protects narrow functions, members may accept it. If it appears to defend broad discretion, it becomes a legitimacy cost. Money tells members what the institution believes it is.

Procedural limits therefore need financial expression. Publish what is funded. Show how review capacity is staffed. Explain reserve targets. Report legal categories. Measure small-holder burden. Track processing times. Support policy participation that includes economic evidence. An institution that wants constitutional trust must pay for the boring machinery that produces it.

This may sound less glamorous than visions of regional stewardship. It is also more valuable. Markets do not need ARIN to be grand. They need it to be dependable, constrained and hard to capture.

The next two years will test whether maturity means restraint

ARIN's next constitutional test will probably not arrive as one defining crisis. It will arrive through accumulation. Transfer rules will be debated. Legacy service boundaries will become more important as routing-security expectations rise. Fee and reserve choices will be scrutinised. Resource-review practices will be watched by buyers and lenders. Small operators will decide whether participation is worth the cost. Courts and banks will continue to treat registry records as evidence. Governments and public buyers will ask for continuity. Cloud and hosting demand will keep IPv4 scarcity alive even as IPv6 grows.

The first watchpoint is whether ARIN distinguishes allocation-era logic from post-depletion recognition. Conservation remains relevant, but it cannot justify every market restriction after the free pool has gone. Needs-based transfer limits, waiting-list rules and inter-RIR compatibility should be defended with evidence about concrete harms and costs, not inherited vocabulary.

The second watchpoint is service leverage. If RPKI, IRR, reverse DNS and related services become operationally essential, agreement boundaries must be explained and reviewed. Optional services can become de facto necessities. A constitutional registry notices when that transition changes bargaining power.

The third watchpoint is review data. Aggregate appeal, cure, denial, delay, emergency and resource-review metrics would make ARIN's discretion easier to price. Absence of data will not prove abuse, but it will leave markets dependent on anecdotes and private advice.

The fourth watchpoint is small-operator burden. Documentation, fees, meeting participation, legal vocabulary and transfer friction all scale differently across firms. ARIN should measure whether its rules protect the ledger at costs that smaller networks can bear.

The fifth watchpoint is board and member accountability. Elections, participation and policy debates should be treated as control over infrastructure economics, not as volunteer ritual. Candidate information, conflict disclosure, turnout and economic-impact discussion will matter more as scarcity persists.

The sixth watchpoint is external reliance. Courts, banks, governments, operators and cloud providers will keep reading ARIN records. The more ARIN demonstrates mandate limits, reasons and remedies, the more those institutions can rely on the ledger without asking ARIN to become something larger.

The conclusion is deliberately modest. ARIN should be a better ledger, not a louder sovereign. It should protect uniqueness, accuracy, authenticated change, public registration, reverse DNS, routing-security coherence, transfer integrity and continuity. It should avoid becoming a court of general commercial disputes, a lender's guarantor, a broker's supervisor, an appraiser of IPv4, a regional capital controller or an internet property state. Its authority is strongest when it cannot easily be used for those things.

Constitutional limits are how a private registry earns public-like reliance without claiming public sovereignty. They make the institution less exciting and more valuable. In a post-2015 IPv4 economy, that is the bargain ARIN needs to keep renewing: narrow power, visible rules, reviewable decisions, restrained finances, accountable members, proportional remedies and a ledger that remains trusted because the operator knows where it ends.