Summary
- Bylaws are a corporation's operating constitution. They distribute power among members, directors, officers and committees; they do not ordinarily make every customer, route operator or Internet user a member of that corporation.
- The legal bridge from an RIR's corporate authority to a resource holder is usually a membership or registration services agreement that identifies the parties, incorporates specified policies and defines services, duties, dispute routes and remedies.
- Downstream customers can be harmed by a registry decision without acquiring membership votes or contract rights against the registry. Their claims require a separate basis in their provider contract or applicable public and private law.
- Recognition of one RIR for a large region makes registry records and related services unusually consequential. That dependence supports stronger transparency, notice, review and continuity duties, but it does not enlarge a bylaw's legal audience by itself.
- Accountability analysis should ask four separate questions: who authorised the corporate decision, who assented to the operative rule, who suffered the effect, and what forum can grant a defined remedy.
The legal map begins with parties, not infrastructure
An RIR decision can travel further than the paper on which it is written. A board authorises a change. Staff apply a policy. A registry record, reverse-DNS delegation or routing-security service changes. A local registry or provider then adjusts its own systems. Customers experience delay, loss of reachability, blocked transactions or uncertainty about who may use a number resource. By the end of that chain, the original decision may affect thousands of people who never attended an RIR meeting and never signed an RIR membership form.
That breadth of consequence creates a seductive but mistaken inference: if the decision affects the Internet, the rule authorising it must bind the Internet. It does not follow. Legal authority is not measured only by the radius of a technical effect. It is traced through institutions, parties, instruments and remedies.
Four questions keep the analysis disciplined. First, did the corporation have power under its charter, bylaws and governing company law to make the decision? Second, did the identified holder or member undertake a duty through an agreement that validly incorporates the relevant policy? Third, did another party, such as a customer, acquire a right through its own contract or through applicable law? Fourth, which court, arbitrator, regulator, corporate body or review panel can provide what remedy?
These questions can produce different answers in the same incident. A board resolution may be valid inside the corporation but implemented in breach of a holder agreement. A holder may be bound while its customer has no direct claim against the RIR. A non-member may lack contractual rights yet have a statutory claim. A policy may be procedurally valid but applied irrationally to particular facts. Technical reliance proves that the stakes are serious; it does not answer any of those legal questions.
The distinction is not a strategy for weakening registries. It is the condition for legitimate authority. When an institution can identify the source, audience and limit of each power, affected parties know where to participate and where to seek review. When every corporate statement is described as community law, the institution gains rhetorical reach but loses legal precision. The Internet then appears governed by rules whose authors, parties and remedies cannot be named.
What a bylaw actually does
A bylaw is not merely an office manual. Within a corporation or association it can perform constitutional work: define classes of membership, allocate voting rights, set quorum, establish board composition, regulate meetings, authorise committees, set amendment procedures and provide mechanisms for removing officeholders. Governing company law and the corporate charter stand above it. Board resolutions, policies and staff decisions stand below it. The bylaw connects those levels by identifying who may act for the legal entity and how.
That is substantial power. If a board is properly constituted, its decisions can bind the corporation. If members possess voting or recall rights, the bylaw can make those rights enforceable within the corporate relationship. If an amendment requires notice or a special majority, failure to follow that procedure may expose the resolution to challenge by a person with standing under the relevant law. None of this is symbolic.
The legal audience is nevertheless bounded. Directors and officers accept offices defined by the corporate constitution. Members enter a status recognised by it. The company itself must act within the powers and purposes established by its charter and governing law. A stranger does not usually become a member merely by relying on a service supplied by the company or by a company further down a distribution chain.
This boundary is familiar outside Internet governance. A university's bylaws can allocate authority between trustees and faculty without binding every employer that relies on its degrees. A stock exchange's constitution can regulate its members without becoming the complete law of every investor. A utility's corporate rules do not displace customer contracts and regulation. External importance may justify special legal duties, but it does not erase the distinction between corporate constitution and generally applicable law.
RIR governance often blurs that boundary because the same institution performs several roles at once. It is a corporation or association. It has members. It operates a recognised registry. It enters service agreements. It helps administer policies developed through a regional community. It supplies data and security services on which outsiders rely. A sentence valid in one role is too easily carried into another.
The correct method is to label each act. Electing a trustee is corporate governance. Adopting a number policy is community and institutional rulemaking. Incorporating that policy into a signed agreement is contract. Updating a registration is service performance. A network's choice to accept a route is independent operation. A customer's right to continued connectivity arises from its own legal relationship. These acts interact, but the bylaw does not absorb them.
Charter, bylaws, policy and agreement are not interchangeable
The first boundary lies between the charter and bylaws. The charter creates the corporation under a particular jurisdiction and states its basic purposes and structure. The bylaws organise the corporation's continuing government within those purposes. Neither document is automatically a service contract with every party affected by the corporation's work.
The ARIN Articles of Incorporation illustrate the point. The published record identifies an original filing on 18 April 1997 and amendments on 19 June and 7 August 1997. It forms a Virginia nonstock corporation, states that the corporation will have members as provided in the bylaws, denies authority to issue capital stock and lists educational, charitable, scientific and number-resource purposes. Those provisions establish identity and capacity. They do not say that every North American network or customer has joined ARIN.
The second boundary lies between bylaws and policy. A bylaw can assign responsibility for policy development or approval. The resulting policy may establish allocation, transfer, registration or review criteria. Yet the policy still needs a legal path to a particular party. That path may be a membership term, a registration agreement, an express acceptance, a rule backed by applicable law or another recognised basis.
The third boundary lies between policy and service performance. Even where a holder is bound by a policy, the institution must apply it consistently with the agreement, its own procedures and governing law. A valid rule does not immunise a mistaken fact finding, unequal application, inadequate notice or a remedy that exceeds the text.
The fourth boundary lies between the RIR-holder relationship and the holder-customer relationship. A provider may receive resources from an RIR and then assign addresses or supply connectivity to customers. The provider's promises to those customers come from downstream contracts and applicable law. The RIR's bylaws do not silently become a term of every broadband, cloud or hosting agreement.
These distinctions prevent both overreach and evasion. A registry cannot justify an adverse service decision merely by pointing to a broad corporate purpose when the operative agreement promises more specific procedures. A holder cannot ignore a policy that it validly accepted merely because the policy was developed collectively. A customer cannot assume direct membership rights against the RIR, but neither can the RIR dismiss foreseeable customer harm as irrelevant. The correct legal instrument must be identified at each step.
ARIN's bylaws define an institution, not a continent
The ARIN Bylaws, published as Version 32 dated 16 May 2022, are unusually useful because they state both mission and machinery. They describe ARIN's support for Internet operation through management of number resources in its service region, community policy development and informational outreach. They also say that ARIN will continue an open, transparent multistakeholder process for registry policy development.
Those commitments matter to the corporation and to anyone assessing whether it acts consistently with its stated purpose. But the document's concrete provisions show its principal legal function. It establishes Trustee, General and Service Member classes. General Members in good standing may vote in elections and participate in members-only discussions. Service Members in good standing may participate in specified discussions but do not have election voting rights. Trustees exercise authority over the corporation subject to the charter and Virginia law.
This is not universal suffrage for everyone affected by ARIN. The right to vote turns on membership class and good standing. A customer receiving addresses from a provider may have no ARIN vote. A security researcher relying on registry data may have no vote. A network outside the service region that uses ARIN data in routing decisions may have no vote. Their dependence does not satisfy the membership conditions.
The recall mechanism makes the boundary sharper. A petition signed by at least 10 percent of General Members in good standing can initiate a process to remove a trustee, followed by a member vote under stated conditions. This is a real accountability tool, but it belongs to an identified constituency. A million affected end users cannot substitute their signatures if none is a General Member.
The bylaws also vest control of ARIN's power, authority, property and affairs in or under the Board, subject to charter and law. That clause authorises corporate control; it does not declare the Board sovereign over all activity involving Internet numbers in North America. The entity controlled is ARIN's affairs. The external significance of those affairs comes from recognition, contracts and reliance, not from an enlargement of the grammatical entity.
Reading the document as a regional constitution therefore produces a category error. It confuses a corporation's service region with a territory and its membership with a population. ARIN is consequential because its registry role is recognised and widely relied upon. It is not a government merely because its database has regional scope. Its bylaws should be taken seriously as corporate law, not inflated into legislation they were not drafted to be.
Membership is a bundle of rights, not a synonym for dependence
Membership does not answer every accountability question, but it identifies a defined set of corporate rights. The member may vote, attend specified meetings, inspect certain records, propose resolutions, challenge procedures or remove officeholders where the constitution and governing law permit. Those rights can be conditioned on class, fees, status and notice. They are not distributed according to how much an organisation depends on the registry.
That mismatch creates the central legitimacy problem. The people with the largest operational exposure may not be the people with the strongest corporate rights. A provider can hold membership while thousands of its customers bear the cost of interruption. A multinational network may hold resources through several regional relationships but have unequal voting rights in each. A small member may possess a formal vote while a large non-member relying on registry data has none.
The conclusion should not be that voting rights must follow every packet. Corporate voting is one accountability channel, not a universal compensation mechanism. The conclusion is that institutions must stop treating member participation as proof that every affected interest was represented. Membership data answer who belongs to the corporation. They do not answer who depends on its services, who bears downstream risk or who can obtain relief.
This distinction also clarifies the phrase community consensus. A policy forum may welcome contributions from members and non-members. Participation can improve evidence and legitimacy. Consensus can guide the institution's exercise of authority. It does not necessarily create a contract among all entities, and silence on a mailing list is not assent by every customer in a region.
Corporate democracy and open consultation therefore need separate evaluation. Corporate democracy asks who votes and can remove governors. Consultation asks who may speak, what evidence must be considered and how reasons are published. Contract asks who accepted which terms. Remedy asks who can challenge the final act. A system may be open at consultation but narrow in voting, broad in technical impact but narrow in contractual privity.
Governance reporting should publish those denominators. How many General Members can vote? How many Service Members cannot? How many resource holders are governed by standard, legacy or other arrangements? How many local registries serve downstream customers? Without those counts, an institution can call a process participatory while leaving the relationship between entities and affected parties obscure.
The agreement is the bridge to a holder
The ARIN Registration Services Agreement demonstrates how corporate authority becomes a defined bilateral relationship. Version 14.0, dated 15 August 2025, names ARIN and the holder, describes included number resources and services, incorporates policies to a stated extent, allocates responsibilities and sets terms for suspension, termination, assignment, liability and dispute handling.
The distinction from the bylaws is visible in the language of parties. The agreement says the relationship is one of independent contractors. Neither party may act for or bind the other except as expressly provided. An entire-agreement clause identifies the agreement and incorporated policies as the understanding between those parties concerning the covered resources and services. A no-third-party-rights clause says the agreement is for the parties' benefit and does not grant rights or remedies to others except where expressly provided.
Those clauses do not settle every claim under applicable law. A contract cannot necessarily exclude a mandatory statute or eliminate every tort or regulatory duty. They do, however, defeat the idea that RIR obligations automatically radiate through technical dependence. The document goes out of its way to identify a bilateral boundary.
Incorporation of policy is the key legal bridge. A policy developed in an open forum can become relevant to the holder because the agreement says so, not because a regional discussion legislated for the world. The scope and hierarchy of incorporated terms still matter. If a policy conflicts with the agreement, the agreement may specify which prevails. If a later policy changes a material obligation, questions of notice, assent and the governing terms arise. If staff apply a rule outside the incorporated subject, corporate authority alone may be limited public evidence.
The bridge also has limits in time and subject. A current standard form cannot prove what every legacy holder accepted. One agreement may cover specified resources while another relationship governs others. Corporate succession, transfer and renewal can change the operative text. Analysis must identify the actual instrument and version rather than cite whichever current document is easiest to find.
The agreement model strengthens rather than diminishes institutional authority. A precise contract tells the holder what services to expect, what policies apply, what conduct is prohibited and how a dispute proceeds. It gives the institution a defensible basis for action. Calling the bylaws universal law adds no legitimate power; it only obscures which promise supports the decision.
Customers stand outside the glass even when they bear the loss
RFC 7020's description of the Internet Numbers Registry System shows why outsider effects are normal rather than exceptional. Local registries commonly obtain addresses through a relationship with an RIR, a parent local registry or another allocating entity. They then allocate or assign addresses to providers, end users or child registries. The hierarchy is designed to distribute administration, but it also distributes legal relationships.
A customer at the lower level may never contract with the RIR. Its agreement may be with an access provider, cloud company, host, university or enterprise group. The customer may use addresses assigned from the provider's larger allocation. It may rely on the provider to maintain accurate registration, reverse DNS and routing arrangements. If an upstream registry relationship fails, the customer can suffer a real interruption despite having no direct voice in the upstream corporation.
The customer's first enforceable claim is often downstream. Did the provider promise continuous service, portable addressing, notice, redundancy or assistance with renumbering? Did it represent that it possessed authority to supply the addresses? Did it breach a service level or fail to disclose a known registry dispute? Those questions concern the provider-customer contract and applicable law.
A direct claim against the RIR needs an additional basis. The customer might invoke a statute that protects a defined class, a tort duty recognised on the facts, competition law, data law, a misrepresentation directed to it or another cause recognised by the relevant jurisdiction. The success of such a claim cannot be inferred from the bylaws. Equally, absence of membership does not prove that no claim can exist.
This middle position matters. If every affected customer were treated as a direct party, an RIR could face indeterminate obligations inconsistent with the contract structure. If all customers were treated as legally invisible, the institution could ignore foreseeable systemic harm created by its singular role. Legal standing and governance responsibility are related but distinct. A customer may lack a private contractual remedy while still presenting evidence that should shape notice, continuity planning and proportionality.
Good administration therefore asks who sits outside the direct relationship. Before a consequential registry action, the institution and holder should identify dependent assignments, critical services, transition needs and communications. This does not confer membership by sympathy. It recognises that legitimate exercise of bounded power includes attention to foreseeable external effects.
Technical dependence amplifies power without changing the instrument
ICP-2 helps explain why RIR decisions can feel governmental. The criteria accepted on 4 June 2001 expected each large region to be served by a single RIR, partly to avoid fragmentation, coordination difficulty and confusion. Recognition depended on substantial regional support, financial viability, neutrality, technical capability, open policy processes and service to the community.
A single recognised registry is not easily replaced by a dissatisfied holder. Competing databases may exist, but the accepted regional record and associated services derive value from common reliance. Reverse DNS, public registration data, transfer recognition and routing-security services can all make a registry decision operationally significant. Exit is unlike changing an ordinary vendor.
This dependency changes the standard by which authority should be judged. A corporation holding a singular coordination role should provide clear rules, stable procedures, reasons, notice, conflict safeguards, independent review and continuity measures proportionate to the consequences. It should not hide behind the proposition that affected outsiders lack votes. Its recognised function creates responsibilities of stewardship even where the exact legal cause differs by jurisdiction.
Dependency does not, however, change a bylaw into a statute. The recognition document itself is criteria for approving an RIR, not a contract with every user. The expectation of open, transparent structures supports institutional review, but it does not identify every plaintiff, standard and remedy. Recognition can be relevant evidence about purpose and legitimacy without supplying a complete private cause of action.
The same distinction applies to technical standards. Networks may coordinate around registry data because common records reduce collisions and uncertainty. That voluntary and distributed reliance can be strong enough that departure is costly. Yet the rule of recognition remains different from a command backed by state coercion. Independent networks retain routing choices; customers retain contracts with providers; public law remains jurisdiction-specific.
Calling the registry a monopoly can illuminate bargaining power, but it cannot replace analysis. The relevant questions are which service lacks substitutes, which market and region are affected, what legal duties attach, and which remedy is available. Dependence is evidence for scrutiny. It is not a magic word that either invalidates every bylaw or makes every bylaw universally binding.
RIPE NCC keeps association and service remedies distinct
The RIPE NCC Articles of Association, ripe-818, effective 1 July 2024, provide a comparative example. They define the Association, its members, Executive Board, Management Team and General Meeting under Dutch law. The published English text expressly notes that the Dutch text governs if a difference arises. That governing-text statement is itself a reminder that institutional authority is located in a legal jurisdiction, not in a borderless constitutional ether.
The Articles allocate residual powers to the General Meeting, regulate financial reporting and provide concrete member rights. They state that a member may commence legal proceedings against Executive Board members to enforce specified annual-report and financial-report obligations after the relevant period. They also recognise an arbitration procedure for disputes between members and the Management Team concerning decisions under standard service agreements, with the General Meeting controlling key features of the arbitration pool and procedure.
These are examples of enforceability with identified elements. The eligible claimant is a member. The duty is specified. The respondent and forum are identifiable. The relief is connected to an obligation or service decision. The mechanism is not merely an aspiration that the Association act well.
The RIPE NCC Standard Service Agreement, ripe-812, dated November 2023, supplies the separate service layer. It regulates services, policy compliance, liability, term, termination and deregistration between RIPE NCC and the member. A third party can appear in the factual chain, but that does not make it a member or agreement party.
The comparison exposes a common drafting weakness elsewhere: placing a broad mission in a constitution without connecting it to review. RIPE NCC's documents do not solve every outsider problem, and member arbitration does not become a customer remedy. But the architecture shows how authority can be made testable. Corporate duties are enforced through corporate channels; service disputes through a defined member procedure; outsider claims require their own basis.
This layered model also discourages opportunistic switching. An institution cannot cite the association constitution when it wants discretion and the service agreement when it wants limitation without accepting the constraints of each. A member cannot demand powers reserved to the General Meeting through a service dispute. Precision protects both sides.
APNIC shows governance nested inside a corporation
The APNIC By-laws begin with an explicit hierarchy. They record that, by resolution on 24 June 1998, a special committee called APNIC was appointed under the corporation's Articles of Association. The committee is governed by bylaws promulgated under those Articles and remains subject to the corporation's powers and officers.
The document then identifies members as APNIC's governing body, an Executive Council acting on its behalf and a secretariat. Members receive voting powers, including a demanding mechanism under which review or amendment of an Executive Council decision requires an affirmative two-thirds vote of the entire paid-up membership. The Executive Council acts between general meetings within delegated authority and manages APNIC's affairs.
This structure is consequential, but its legal topology is specific. The special committee sits inside a corporation. Members govern through defined procedures. The Executive Council receives delegated power. A non-member customer does not become part of that topology solely because an APNIC member supplies it with connectivity or addresses.
The APNIC Membership Agreement makes the bridge express. It says that, in return for acceptance as a member and payment of fees, the company and member agree that the terms govern their relationship. It requires mechanisms for open communications, support for training, consideration of member requests and provision of rights and services under the APNIC documents.
The wording offers a practical lesson. Institutional documents can be connected without being collapsed. The Articles authorise the corporate structure. The bylaws allocate member and council authority. The membership agreement defines the company-member relationship. Other APNIC documents regulate services and policy. A customer's provider contract remains another layer.
APNIC's entities include service to the Asia-Pacific Internet community and development of public positions in members' interests. Those purposes can guide interpretation and expose inconsistency. They do not automatically provide every person in the region with a vote or damages claim. A broad beneficiary class in a mission is not the same as an identified rights holder under an operative clause.
The two-thirds review threshold also illustrates why formal rights need denominator evidence. A power can exist on paper yet be difficult to exercise across the entire paid-up membership. Reporting should therefore distinguish the existence of a member mechanism from its practical accessibility, historical use and capacity to address urgent operational harm.
Community participation is legitimacy evidence, not universal assent
RIRs correctly emphasise open policy development. Internet number policy benefits from the knowledge of operators, holders, civil society, researchers and governments. Public archives and reasoned discussion can reveal technical consequences that a board or staff team would miss. Broad participation is therefore part of competent stewardship.
But participation performs different work from assent. A person who comments on a proposal does not necessarily accept a contract. A person who does not comment does not necessarily waive rights. A rough consensus among active contributors does not establish that every holder received adequate notice of a contractual change. A member vote does not represent every downstream customer.
The distinction matters most when policy becomes coercive in effect. If a registry proposes a new basis for suspension, revocation, publication of data or denial of a transfer, it should identify how that rule enters existing legal relationships. Does the agreement incorporate future policies automatically? Are there limits on that incorporation? What notice is provided? Can a holder terminate or seek review? Does mandatory law constrain the change?
An institution that answers those questions need not abandon bottom-up governance. It gives the community process legal integrity. Contributors know which body will adopt the outcome, holders know which instrument makes it operative, and reviewers know which procedural record to examine.
Confusing consensus with assent can also harm the community. It encourages institutions to count participation rather than evaluate affected interests. A heavily discussed proposal may still overlook customers who lack specialist representation. A quiet proposal may affect fundamental contract expectations. The number of messages does not determine the legal source or proportionality of power.
RFC 7020 expects evolution of the registry system to remain open, transparent and broadly multistakeholder. That is an institutional standard worth preserving. The same document describes hierarchical relationships rather than a single undifferentiated polity. Its architecture supports the conclusion that legitimacy travels through both participation and defined relationships, not through a fiction that everyone online joined the same assembly.
Non-members need an independent route to a remedy
The proposition that bylaws do not bind outsiders is not the proposition that outsiders are rightless. It means the claim must identify another legal route. Depending on facts and jurisdiction, that route might be contract, a statute protecting a defined class, competition law, consumer law, data protection, negligence, misrepresentation, administrative review, insolvency law or a rule governing nonprofit corporations.
Each route has elements. A contract claim requires a promise, parties, breach and legally cognisable loss, subject to the governing terms. A statutory claim requires the claimant and conduct to fall within the statute. A negligence claim requires a recognised duty and the other elements under the applicable law. Competition analysis requires a market, conduct and legal standard. Data claims depend on the role played in processing and the rights conferred by the relevant regime.
Purpose clauses and bylaws may still matter as evidence. They can show what the corporation was formed to do, who held authority, whether a decision departed from declared procedure or whether reliance was foreseeable. They may guide interpretation of an ambiguous power. Evidence is not the same as a freestanding cause of action.
The distinction should shape complaints. An affected customer should not merely say that an RIR violated the Internet community. It should identify the record or service changed, the decision-maker, the holder relationship, the downstream promise, the harm, the requested correction and the legal or procedural route. The institution should respond on the same level rather than cite a broad mission and close the file.
Regulators and courts should also resist binary labels. Treating an RIR as an ordinary vendor may understate singular reliance. Treating it as a state may ignore corporate and contractual structure. The better approach examines the function at issue. Registry accuracy, transfer recognition, security certification, member governance and customer connectivity may engage different standards.
Remedies should follow the function. A mistaken record may call for correction and preservation pending review. A procedurally defective board act may call for corporate relief. A contract breach may support performance or damages subject to terms. A competition concern may require access or conduct remedies. No single theory needs to turn the bylaws into world law.
A four-column test for any disputed registry act
Every consequential RIR dispute can be organised into four columns: corporate authority, accepted obligation, affected reliance and available remedy. The columns should be completed with documents and facts rather than institutional labels.
Corporate authority asks which organ acted. Was it the Board, membership, council, management or staff? Which charter or bylaw provision authorised the act? Were notice, quorum, conflicts and amendment rules followed? Was the act within the corporation's purposes and governing law? A defect here concerns the validity or governance of the corporate decision.
Accepted obligation asks who is bound by the operative rule. Which agreement and version applies to the holder? Which policies are incorporated and with what priority? Did the holder receive notice? Does a legacy or sponsorship arrangement change the analysis? A valid corporate decision may still fail to enter a particular service relationship.
Affected reliance asks who experiences the consequence. Which registrations, security entities, reverse zones, routes and customer services depend on the decision? Which downstream parties knew of the risk? What alternatives existed, and at what cost and time? This column measures impact without pretending that impact alone creates privity.
Available remedy asks who may bring which challenge before which body. Is there an internal appeal, member vote, arbitration, court claim, regulator complaint or urgent preservation mechanism? What standard applies? Can the body correct a record, suspend implementation, order a new decision, award damages or remove a director? A complaint system without remedial authority should not be described as adjudication.
The columns expose gaps. If corporate authority and holder assent are clear but outsider impact is severe, continuity and downstream remedies need attention. If impact is small but authority is absent, the decision remains institutionally defective. If a broad purpose exists but no claimant, standard or remedy can be identified, the promise is reputational rather than enforceable.
Using this test also improves public explanations. Instead of saying that policy required an outcome, an RIR can state which organ adopted the policy, which agreement made it applicable, what facts satisfied the rule, which affected dependencies were considered and how review can change the result. That is accountable power in operational form.
Better governance preserves the boundary rather than denying it
The practical reform is not to draft a bylaw that claims jurisdiction over everyone. It is to make the boundaries visible and build safeguards where reliance crosses them. Every RIR should publish a hierarchy of instruments showing the charter, bylaws, board resolutions, policies, membership terms, registration agreements and review procedures, with dates and precedence rules.
Second, institutions should publish relationship denominators. Counts should distinguish voting members, non-voting service members, contracted resource holders, legacy holders, local registries, sponsored relationships and known downstream assignments where aggregation is possible. Confidential customer details need not be exposed. The purpose is to show how far formal representation reaches.
Third, consequential policy changes should include a legal-path statement. It should identify the adopting body, the agreement provision that makes the policy operative, treatment of existing and legacy relationships, notice, transition, review and expected third-party effects. This is more useful than a generic assertion of consensus.
Fourth, review should match the harm. Corporate members need mechanisms for board accountability. Holders need independent review of service decisions. Customers need rapid channels to present evidence and obtain preservation even when they are not direct parties. Regulators need records sufficient to evaluate statutory concerns. These channels can remain distinct while exchanging evidence.
Fifth, RIRs and holders should plan for downstream continuity. Before suspending a service or changing a critical record, they should map dependencies, preserve evidence, communicate with affected providers and provide proportionate time for correction where security does not require immediate action. A non-member's lack of vote is not a reason to make avoidable harm invisible.
Finally, institutional language should remain exact. Bylaws authorise the corporation. Agreements bind identified parties. Policies supply substantive criteria where validly adopted and incorporated. Technical standards coordinate independent systems. Public law protects interests defined by jurisdiction. None is weakened by refusing to call it universal law.
Evidence limits and the watchpoints ahead
The public documents establish institutional architecture, not a complete map of every relationship. Current standard agreements do not reveal how many resources remain under legacy terms, how sponsorship arrangements distribute rights or how many downstream customers lack a direct registry relationship. Corporate records cannot show the operational consequence of every decision.
Comparative legal conclusions also require caution. ARIN is formed under Virginia law. RIPE NCC is a Dutch association. APNIC's committee structure sits within an Australian corporation. AFRINIC is a Mauritian company limited by guarantee; its published bylaws combine corporate entities, member structures and resource-service relationships under that setting. Similar words can have different legal effects across those jurisdictions.
Three watchpoints deserve sustained reporting. The first is policy incorporation: whether later community rules can alter existing service relationships, with what notice and limits. The second is third-party dependence: whether RIRs can quantify customer and infrastructure exposure before consequential acts. The third is remedial independence: whether review bodies can preserve service, obtain records, test facts and require a changed outcome.
Cases should be read for function rather than slogans. A judgment about membership procedure may say little about customer standing. A contract decision may not determine statutory duties. An emergency order preserving registry operation may not validate every policy. Precision about the issue, claimant and remedy prevents one decision from becoming another false universal constitution.
The historical period beginning with ARIN's 1997 incorporation and APNIC's 1998 committee resolution shows durable institutionalisation. RIRs are no longer informal address desks. Their corporate arrangements deserve serious legal treatment. That maturity is precisely why the limits matter. Institutions entrusted with singular coordination should be able to state not only what they may do, but to whom, under which instrument and subject to which correction.
Bylaws cannot bind the Internet. They can bind and empower the institution that serves it. Contracts can extend defined duties to members and holders. Public law can protect outsiders. Technical reliance can make every decision more consequential. Accountability begins when those propositions are kept separate and the path from authority to remedy is shown in full.

