Summary
- An institution that can alter authoritative registration, transfer state or certificate authority has control capable of creating foreseeable cost. A compensation duty should follow that control even though the institution does not own the resource, operate the claimant's routers or guarantee every commercial use.
- NRS should separate three remedies: automatic credits for a missed service commitment, reimbursement of reasonable correction expense, and compensation for wider provable loss. Only the third requires full examination of duty, breach, causation, foreseeability, mitigation and amount.
- A preset, ring-fenced fund makes the promise credible before a serious incident occurs. Qualified providers and common services should contribute according to controlled authority, service volume, risk and claims history, while a protected base layer prevents one major event from making ordinary compensation unavailable.
- Eligible loss should be evidenced, net and causally connected to a defined NRS failure. Direct recovery expense, duplicate service cost, documented transaction expense and bounded interruption loss can qualify; speculative appreciation, punitive awards, unsupported reputation claims and the asserted sale value of a number resource should not.
- Caps are legitimate only if they are published in advance, proportionate to control and paired with an aggregate-event rule that treats similarly situated claimants fairly. A first-come race and a disclaimer allowing the institution to keep control while accepting no meaningful consequence both fail the symmetry test.
- Independent reviewers should decide contested claims, publish reasoned and anonymized precedents, preserve urgent correction separately from money, and allocate evidentiary burdens according to custody. The service that authored the disputed record should not be final judge of the damage it caused.
- Compensation must be designed with continuity. Fund assets should be protected from operating insolvency, claims should not freeze essential registry service, insurance and vendor recovery should replenish rather than replace the fund, and court orders should preserve the authoritative record while money disputes are heard.
A wrong row can create real loss without controlling the whole Internet
The registry does not direct every router. A registration entry does not force a network to originate or accept a route. A Route Origin Authorization does not compel a routing decision. These limits are important because compensation should not be built on an exaggerated claim that one administrative institution controls all connectivity.
The opposite exaggeration is equally dangerous. It says that because the registry does not run the network, an inaccurate record cannot cause compensable harm. In practice, authoritative registration state is used by buyers, lenders, hosting providers, security teams, insurers, investigators and other registries. A wrong holder name can stall a transaction. An unauthorized provider change can create emergency legal and engineering expense. A delayed correction can require duplicate service and repeated due diligence. A mishandled RPKI transition can contribute to invalid route announcements or a defensive withdrawal.
RFC 7020 identifies uniqueness and registration accuracy as core goals of the Internet Numbers Registry System while preserving the boundary between registration and routing. Those propositions belong together. The registry's duty is not a guarantee of every network or business outcome. It is responsibility for the registration authority it actually exercises and for the foreseeable consequences of failing to exercise that authority with the promised care.
Compensation should therefore begin with a control map. Which institution accepted the instruction? Which service authenticated the representative? Which component committed the authoritative state? Who published RDAP? Who controlled hosted certificate authority? Who could contain the error, and when did it receive enough information to act? Loss should attach to a demonstrated failure at one of those levers, not to institutional importance in the abstract.
Control and consequence are currently easy to separate
Number-resource holders often have limited substitution options. They cannot simply create another globally recognized current entry when the authoritative service is wrong. Even in a portable NRS design, a common validator must preserve one coherent state. That concentration of authority can be justified by uniqueness, but it creates a corresponding accountability problem.
Service agreements commonly limit warranties and damages. Limits can protect a technical institution from ruinous or speculative exposure. They can also become asymmetric if the institution retains broad discretion over registration and security state while excluding nearly every consequence of error. The customer is then told that the record is authoritative when compliance is demanded and merely informational when harm is alleged.
NRS should reject both extremes. Unlimited liability could make a shared service uninsurable, invite remote commercial claims and threaten continuity. Near-total immunity can underprice weak controls, force customers to finance correction and reduce the institution's incentive to learn from tail failures. Symmetry means exposure proportionate to the authority exercised, the preventability of the failure and the quality of the evidence.
That principle also disciplines customers. A holder retains responsibility for securing its credentials, maintaining authorized contacts, checking notices, supplying evidence in its custody and mitigating known harm. NRS is not a universal guarantor. The fund pays where an NRS-defined duty was breached and the breach caused proved loss. Shared responsibility can reduce an award; it should not erase institutional responsibility where both sides contributed.
Compensation does not turn a number resource into property
A remedy for defective service is not a judgment that an IP prefix or autonomous system number is owned like land or inventory. The claimant can recover loss caused by an erroneous exercise of registration authority without receiving the market value of the resource itself. The legal and economic entity of compensation is the service failure and its consequence.
This distinction matters in scarcity conditions. IPv4 blocks may be associated with transfer prices, leases, transactions and financing. If the fund automatically paid an asserted block value whenever a record was disputed, NRS would encourage speculative claims and quietly convert administrative recognition into a title insurance product. That is not necessary to create accountability.
Suppose an erroneous hold delays a permitted transfer. The claimant might prove additional escrow cost, renewed legal review, duplicate provider fees and a documented contractual charge caused by the delay. Those are measurable consequences. A claim that the block "could have been worth" a higher amount in a different transaction is more remote and vulnerable to assumptions. The first category can be considered under published rules; the second should normally be excluded absent an exceptionally specific binding transaction and strong proof of causation.
The same separation protects continuity. Correcting the authoritative record remains the primary remedy. Money cannot validate a route, restore a certificate or identify the current holder. NRS should never offer cash in place of correction where correction is possible. Compensation addresses residual loss after containment and restoration; it does not purchase permission for the institution to leave the ledger wrong.
Three remedy layers prevent every miss becoming litigation
NRS should establish three layers. The first is an automatic service credit. If a defined correction, transfer or recovery commitment is missed for a provider-controlled reason, the relevant fee is reduced or returned according to a published table. The customer need not prove wider loss. The timestamped miss is enough.
The second is reimbursement of reasonable direct correction expense. This includes obtaining replacement identity evidence after provider loss, paying a second registrar during an avoidable transfer delay, engaging urgent technical support to restore intended certificate state, or repeating due diligence made necessary by an NRS-authored contradiction. The claimant provides receipts and shows why the expense was reasonable. Review should be quick and capped at a practical level.
The third is compensation for consequential provable loss. It applies where the claimant alleges a larger economic effect, such as a documented service interruption, a lost binding transaction, customer reimbursements paid because of the failure or substantial response expense. This route requires a fuller causal inquiry and independent decision. It should not delay the first two remedies.
The layers preserve proportionality. A two-day routine delay does not require a complex hearing. A serious unauthorized record change is not disposed of with a small invoice credit. Customers know which evidence is needed, and NRS receives differentiated signals. Frequent credits indicate service weakness; high correction reimbursement can identify poor evidence custody; large compensation claims identify severe control failures.
Acceptance of a lower layer should not silently waive a higher one. The customer can receive an automatic credit while preserving a timely compensation claim. Any settlement of the larger claim should state clearly what is released. NRS should also prevent double recovery by deducting lower-layer payments from overlapping heads of loss rather than forcing customers to choose before the facts are known.
The fund must exist before the error
A promise to pay from the ordinary annual budget is weak. After a major incident, the same institution may face recovery cost, lost revenue, litigation and urgent continuity spending. Customers then compete with service restoration for the same cash. A board that approved the disputed control may decide whether compensating claimants is affordable. The promise is least reliable when it matters most.
NRS should create a legally protected fund with assets separated from ordinary operating accounts. The fund should have a stated target range, contribution formula, permitted investments, liquidity requirement and replenishment rule. Its governing instrument should limit withdrawals to compensation, claims administration, approved insurance premiums and closely defined continuity support connected to covered failures.
Preset funding creates information. Contributions become a visible cost of authority. A provider controlling high-risk changes cannot claim that errors are costless merely because customers absorb them. Claims history can affect future contributions, while a shared base ensures that a newly failed provider does not leave its customers without remedy. The fund also allows the NRS fee schedule to show the price of accountability separately from ordinary service.
The fund should not be so large that it becomes a discretionary reserve for unrelated activity. Money collected for claimant protection should not finance conferences, policy expansion or routine operating deficits. Audited accounts should show opening assets, contributions, claims paid, claims reserved, recoveries, investment result, expenses and closing coverage. If assets exceed the target range, the excess should reduce future contributions or strengthen expressly approved coverage rather than disappear into general spending.
Contributions should follow controlled risk
A flat levy is simple but can misallocate cost. A registrar handling low-risk contact updates does not exercise the same authority as a common validator able to commit holder and provider changes. A hosted RPKI operator can create a different class of consequence from a provider that only offers customer support. NRS should combine a shared base with risk-sensitive contributions.
The shared base pays for system-wide legitimacy and protects customers if a small provider fails. The variable portion can reflect active resources served, number and type of authoritative changes, hosted security authority, prior service misses, verified claims and quality of continuity controls. The formula should avoid using raw complaint volume alone, because providers that welcome correction may receive more reports than providers that obstruct complaints.
Risk adjustment needs limits. If one severe claim immediately makes a provider's contribution unaffordable, the formula may accelerate failure and reduce competition. Experience should be averaged across several periods, with strong weight on control improvement. A provider that discloses an incident early, compensates customers and fixes the weakness should not face the same long-term treatment as one that conceals repeated errors.
Common services should contribute directly. It would be unfair to charge only retail registrars when the validator, RDAP publisher or shared certificate service caused the loss. Where NRS itself operates the decisive layer, its budget should include a transparent contribution. Institutional centrality must not become contribution immunity.
Customers may ultimately pay some cost through fees. That does not make the fund pointless. Insurance, capital and quality controls are commonly funded by the users of a service. The governance gain lies in pricing risk before failure, pooling severe but infrequent loss, differentiating providers and preventing the entire consequence from falling unpredictably on one harmed holder.
Covered failures must be defined by conduct and authority
The fund should cover specified failures rather than every adverse event involving number resources. A first category is an NRS-authored record error: an unauthorized or incorrectly implemented change to holder, resource, provider, status or public registration data. A second is unreasonable failure to contain or correct a substantiated error after adequate notice.
A third category is transfer failure within provider control: wrongful refusal, loss of verified evidence, contradictory current state, failure to retire former authority or avoidable delay beyond the published commitment. A fourth is security-authority failure, including unauthorized RPKI action, defective handoff, loss of agreed continuity material or failure to revoke former provider control as required.
A fifth category is recovery failure: NRS or a qualified provider cannot execute the promised recovery route because it did not preserve the required evidence, test successor access or maintain the independent channel. A sixth is serious disclosure failure where protected customer evidence is exposed through violation of a defined custody duty and causes proved response cost.
Excluded events should be equally clear. NRS should not pay merely because a lawful court order restricts a change, a network rejects a route under its own policy, a customer publishes an incorrect ROA through controls it solely manages, market prices move, or a claimant fails to maintain required contacts after repeated notice. Exclusion depends on causation, not labels. If NRS implements a court order incorrectly or leaves a stale restriction after the order expires, the institutional error can still be covered.
The rules should address combined causes. If a stolen customer credential and a provider's failure to apply required secondary verification both contributed, the reviewer can allocate responsibility. A contributory failure by the claimant may reduce payment. It should not produce all-or-nothing immunity where the provider's control was intended to prevent exactly that kind of credential misuse.
Provable loss needs a disciplined test
A claimant should establish six elements. First, an NRS duty applied: a service commitment, custody duty, authorization control or correction obligation. Second, the responsible service breached that duty. Third, the claimant experienced measurable loss. Fourth, the breach was a factual cause of that loss. Fifth, the type of loss was reasonably foreseeable from the duty. Sixth, the claimant took reasonable steps to limit avoidable harm after learning of the problem.
Factual causation asks what would probably have happened without the failure. The inquiry must use evidence, not certainty impossible after the event. A signed transfer agreement, contemporaneous due-diligence questions, timestamps, invoices, routing observations, customer credits and staff records can support the counterfactual. A later assertion that a transaction might have occurred is weaker.
Foreseeability limits remote chains. It is foreseeable that a wrong authoritative holder record may cause verification and correction expense. It may be foreseeable that an unauthorized certificate change requires emergency engineering. It is less foreseeable that a distant investor reacts to a rumor only loosely connected to the record. Published covered-loss categories can make this boundary clearer before claims arise.
Mitigation must be reasonable, not heroic. A customer should use an available emergency channel, preserve evidence and avoid knowingly increasing loss. It should not be required to accept an insecure workaround, disclose protected material publicly or build a substitute global registry. Delay by NRS can expand the reasonable response: emergency counsel or duplicate service that would be excessive in an ordinary case may be justified when authoritative control is uncertain.
The award should be net. Insurance payments, contractual reimbursements and automatic credits for the same loss are deducted, subject to rights of recovery. Costs avoided because the event occurred are also considered. The purpose is to restore the claimant's proved position within the published limits, not create a gain.
Loss categories should distinguish evidence strength
Direct response cost is the strongest category. It includes reasonable technical investigation, credential replacement, urgent correction, additional verification and customer notification required by the covered failure. Invoices, time records and incident chronology can establish amount and necessity. NRS can publish standard hourly caps for in-house work while allowing justified exceptions for specialized response.
Duplicate and transaction cost is also measurable. A delayed transfer may require overlapping registrar fees, extended escrow, repeated legal opinions or renewed corporate documents. The claimant should show that the expense would not otherwise have been incurred and that the amount was reasonable. Ordinary cost of a planned transaction remains the claimant's responsibility.
Interruption loss is more difficult but should not be automatically excluded. If a covered RPKI or registration failure causes demonstrable service degradation, contemporaneous traffic, monitoring, customer refund and revenue evidence can support a bounded award. The reviewer must distinguish the NRS contribution from independent network configuration, upstream policy or customer error.
Lost transaction claims require especially strong proof: a binding or near-final agreement, defined conditions, credible counterpart testimony, a clear timing link and evidence that the registry failure was decisive. Even then, the award may cover wasted transaction cost rather than the full expected gain where market and completion risks remain substantial.
Speculative resource appreciation, generalized loss of confidence, punitive awards and unsupported reputational amounts should be excluded. Non-economic harm may be appropriate in personal-data regimes, but an NRS commercial compensation fund should not casually copy that category. If protected personal information is involved, applicable law may provide rights outside the fund; the fund rules should preserve them rather than obscure them.
Burdens of proof should follow custody
The claimant bears the burden of identifying the covered failure and loss. That does not mean the claimant must prove facts held exclusively by NRS. The service controls authentication logs, change approvals, publication timestamps, replica divergence, staff access and continuity tests. Once the claimant identifies a plausible covered event, NRS should preserve and disclose relevant evidence to the independent reviewer.
Adverse inference should apply where a provider failed a required retention duty. If the institution was obligated to preserve approval evidence and cannot produce it, the missing record should not automatically defeat the customer. Similarly, a customer that destroys transaction records after notice may weaken its amount claim. Symmetry in evidence is as important as symmetry in money.
Security-sensitive evidence needs protected review. The claimant and reviewer may need to know whether multi-party approval occurred without receiving reusable credentials or details that expose other customers. Summaries, controlled inspection and expert verification can establish facts while limiting disclosure. Confidentiality must protect security, not conceal institutional error.
The authoritative event history should be presumptive evidence of what NRS published, but it should not be irrebuttable. A compensation system would be circular if the challenged ledger proved its own correctness. Independent observations, signed notices and relying-party records can show that public state differed from the institution's later account.
NRS should pay for independent expertise where a claimant presents a credible technical issue beyond ordinary review. Small customers should not lose because only the institution can afford an RPKI specialist. Cost control can use reviewer-approved scopes and shared neutral experts rather than unrestricted dueling reports.
Caps need fairness, not a race to the fund
No credible shared service can promise payment without limit. NRS should set a per-claimant cap, a per-event aggregate and an annual fund protection layer. The amounts should reflect the service's real risk, customer dependence and available capital, and they should be reviewed with claims evidence rather than chosen as a nominal multiple of a small annual fee.
A cap tied only to fees paid can be too low. Registry fees may be modest relative to the cost of emergency correction, and many affected networks or customers may not pay NRS directly. Yet an unlimited relationship to claimed downstream loss is also unsustainable. A layered cap can offer full direct-cost reimbursement up to one threshold, broader consequential loss up to a higher threshold and exceptional review for severe institution-authored events.
Aggregate events require a fairness rule. If one validator error affects hundreds of holders, the first claimants should not consume the fund before slower claimants understand their loss. NRS should declare an event window, reserve expected claims, set a filing period and distribute the aggregate proportionately if approved amounts exceed the event layer. Urgent hardship payments can be made without deciding final shares.
The annual protection layer should not erase accepted claims. Amounts beyond available liquid assets can become scheduled obligations supported by future contributions, insurance recovery or a separately approved continuity levy. The fund instrument should state priority before failure. Claimants should not discover only after an incident that ordinary vendors or discretionary projects rank ahead of them.
Caps must not shield intentional wrongdoing, fraud or knowing concealment by a provider where applicable law permits wider recovery. The fund can pay customers promptly within its rules and seek recourse against responsible persons or insurers. A bounded compensation promise is a floor of institutional responsibility, not a license to contract around mandatory law.
Independent review is the institutional hinge
The service that made the disputed change cannot have final authority over compensation. Staff should be able to accept clear claims quickly, but contested duty, causation and amount need reviewers with structural independence. Appointment, tenure, conflicts, funding and removal rules matter as much as technical expertise.
NRS could maintain a standing panel combining number-registry knowledge, cybersecurity, accounting and commercial loss assessment. Cases would be assigned without provider selection. Reviewers would disclose conflicts and could not decide claims involving recent employers or clients. Their compensation should not depend on denying or reducing awards.
The claims route should have defined stages: notice and evidence preservation, initial coverage decision, exchange of relevant material, neutral technical assessment where needed, reasoned determination and a limited appeal. Deadlines should protect claimants without forcing unsafe haste. Small direct-cost claims should use a simplified route; severe or novel claims need fuller examination.
Decisions should identify the duty, facts, causal findings, allowed and rejected losses, mitigation, offsets, cap and payment timing. Anonymized precedents should be published so similar claimants receive similar treatment. Personal, security and commercially sensitive facts can be removed without reducing the decision to a conclusion.
The reviewer should also be able to refer systemic control findings to provider qualification and governance bodies. Compensation is not the only consequence. If several claims reveal the same authentication weakness, the institution must correct the control. Conversely, a compensation decision should not itself change the authoritative number record; correction authority and money review remain coordinated but distinct.
Courts and continuity must not be forced into a false choice
A claimant may have rights under contract, tort, data protection, insolvency or other applicable law. Participation in the NRS fund should not require a blanket waiver of mandatory rights. The governing terms can require disclosure of parallel proceedings, prevent double recovery and allow a court to consider amounts paid.
Courts should receive a clear picture of the continuity stakes. Freezing the operating account or disabling an authoritative service to secure a damages claim can harm unrelated holders. The ring-fenced fund gives claimants an asset connected to their remedy while reducing pressure on essential operations. It does not make NRS immune from lawful orders; it gives a court more proportionate options.
The fund instrument should specify jurisdiction, service of notice, recognition of determinations and treatment of collective events. Because customers are global, one exclusive distant forum can make small claims illusory. Remote review, multiple filing languages and enforceable written decisions can provide access while keeping the fund legally anchored.
An urgent record correction should never wait for the money case. NRS must contain and correct the authority failure under its service commitments while the reviewer examines loss. Likewise, paying compensation should not be presented as proof that a disputed holder claim is correct if the payment concerns delay or custody failure. Remedies answer different questions.
Continuity also limits claimant leverage. A claimant should not be able to threaten a shared service into paying an unsupported amount by seeking indiscriminate disruption. Independent review, protected assets and published caps make bargaining less dependent on who can create the greatest operational fear.
Insolvency protection makes the promise credible
The institution most likely to cause a severe continuity failure may also be financially distressed. If compensation assets remain in its ordinary account, insolvency can transform harmed customers into unsecured creditors behind expenses they did not choose. NRS should separate beneficial purpose, custody and control of the fund as far as applicable law allows.
The fund may use an independent trustee or equivalent protected vehicle, with diversified custody and dual authorization for payment. Assets should be held conservatively and liquid enough for event claims. Investment return is secondary to availability. Custodians should have no power over authoritative number state merely because they protect the money.
Provider contributions should continue during wind-down where service remains active. A successor should assume customer service and relevant claim cooperation, but not undisclosed historical liabilities without an agreed allocation. NRS can reserve for known incidents before allowing a provider to distribute residual assets or exit qualification.
Insolvency protection must extend to records. Claims cannot be decided if event logs, customer notices and authorization evidence disappear with the provider. Qualified services should preserve required evidence in protected continuity custody. Access should be activated under defined conditions, audited and limited to correction, succession and claims review.
The objective is not to create a parallel financial institution. It is to ensure that a promise made by an essential administrative service survives the exact event that makes ordinary corporate payment least dependable. If legal separation is weak in a chosen jurisdiction, NRS should disclose that weakness and maintain additional insurance or collateral rather than call the fund ring-fenced when it is not.
Insurance and recovery should replenish, not substitute
Insurance can expand capacity for rare severe events. Cyber, professional indemnity and fidelity coverage may respond to different failures. NRS should publish covered categories, major exclusions, deductibles, limits, insurer credit quality and whether policies pay the fund or the operating entity. A certificate of insurance without those facts is not useful protection.
The customer should claim against NRS, not negotiate among insurers. The fund can pay an approved amount and pursue insurance recovery. Coverage disputes should not suspend ordinary payment within the funded layer. If an insurer later pays for the same loss, proceeds replenish the fund after costs and claimant shortfalls.
NRS should also have rights of recovery against a vendor or provider that caused the failure. Subrogation must be controlled. Recovery should not expose a claimant's confidential evidence beyond what is necessary, and the claimant should be consulted where litigation could affect its interests. Amounts recovered first restore fund payments and costs; any uncompensated claimant loss should receive the priority stated in advance.
Insurance must not weaken prevention. A provider with poor controls should face higher contributions, qualification consequences and policy pricing. Deductibles and co-insurance can preserve incentive, provided they do not undermine customer payment. NRS should examine whether repeated incidents are becoming uninsurable and respond before renewal failure creates a coverage cliff.
Public reporting should distinguish funded claims, insured recoveries, provider recoveries and amounts still reserved. Otherwise, a large fund balance may look reassuring while most protection depends on disputed coverage. The compensation promise should be understandable from assets already controlled, not optimistic assumptions about future litigation.
Transparency should reveal accountability without publishing the claimant
The public needs to know whether the fund works. NRS should report claims received, accepted, denied, settled, withdrawn and pending; decision times; award ranges; failure categories; providers and common services responsible; credits and direct-cost reimbursements; appeal outcomes; and recoveries. Severe incidents should receive a narrative account after security risk is contained.
Claimants need privacy. A small number of resource holders, transaction dates or technical facts may make an organization identifiable even without its name. NRS should aggregate carefully, delay sensitive publication where justified and obtain consent before using a case as a detailed example. Protected evidence should never become promotional material.
Provider accountability should not disappear behind privacy. Where sample size permits, provider-level claims rates and severity should be public with service-volume denominators. For rare events, NRS can identify the responsible control layer and corrective action even if the provider name is temporarily withheld to protect an active investigation. Withholding should have a review date.
The fund's own expenses require scrutiny. Legal and administrative cost can consume claimant value. Reports should show expense per claim, reviewer cost, insurer cost and time to payment. A sophisticated remedy that is too expensive for ordinary customers is not effective.
An annual independent actuarial and governance review should test whether contribution assumptions, caps, event correlations and legal protections remain adequate. The review should examine near misses and service credits as leading indicators, not just paid claims. Low payouts can mean excellent controls, narrow coverage or inaccessible claims; the evidence must distinguish them.
Fraud control must not recreate institutional immunity
A compensation fund will attract weak or inflated claims. NRS should verify standing, preserve contemporaneous evidence, compare claimed losses with accounting records, require disclosure of related payments and penalize deliberate misrepresentation. Collective events need duplicate detection so affiliates do not recover the same loss through several entities.
Those controls should be proportionate. Demanding every small claimant disclose its entire business or prove the impossible would turn fraud prevention into denial. The simplified route can use receipts, declarations and targeted checks. Larger claims justify deeper financial examination under confidentiality.
Providers may also game the system. They can misclassify failures as customer-caused, avoid creating incident records, settle privately to keep claims rates low or pressure customers to accept credits with broad releases. NRS should require provider reporting of covered events whether or not a claim is filed, audit settlements and prohibit retaliation against claimants.
Claims reviewers should recognize moral hazard without overstating it. Compensation can reduce a customer's incentive to protect credentials if every loss is automatically paid. Contribution reduction, mitigation rules and exclusion of customer-controlled error preserve responsibility. Yet controls such as secondary verification exist precisely because single credentials can fail. A provider should not escape its promised safeguard by pointing to the event the safeguard was designed to catch.
False claims and concealed service failures are mirror risks. The compensation constitution should treat both as threats to the shared pool. Institutional legitimacy depends on refusing unsupported claims and on paying supported ones with equal discipline.
Five scenarios test the boundary
The wrong holder blocks a signed transfer. NRS mistakenly restores a former company name after a data reconciliation. A buyer pauses closing because authoritative RDAP no longer matches the seller. The holder notifies NRS with the accepted merger evidence, but correction takes twelve days. The claimant proves additional escrow, renewed legal review and a contractual extension fee. Those direct costs fit the fund if the NRS-authored error and delay caused them. An asserted increase in the block's market value during the same period would ordinarily be too speculative.
A compromised account passes weak verification. An attacker uses a stolen credential to change the service provider. NRS rules required secondary confirmation through an established channel, but the registrar omitted it and the validator accepted the change. The holder pays for emergency investigation and restoration; some customer services are interrupted. The stolen credential may justify shared responsibility if the holder ignored clear security duties, but it does not erase the failed secondary control. Direct response cost and proved interruption loss can be allocated according to contribution.
A court order is implemented too broadly. A court restrains transfer of one prefix during litigation. NRS freezes all resources held by the company and leaves the restriction after the order expires. The lawful narrow restraint is excluded; the overbroad implementation and stale hold are institutional acts. Compensation can cover proved duplicate service and transaction expense caused by the excess while the record correction proceeds separately.
A hosted RPKI handoff creates an avoidable invalid state. The holder follows the published transfer plan, but the departing provider revokes authority before the new service is operational. Independent observations and change records show the gap. The holder incurs emergency engineering and customer credits during a measured degradation. The fund examines whether the gap breached the handoff duty, whether it contributed to the loss and whether network configuration also played a role. It does not assume every routing change was caused by RPKI.
A common validator error affects many holders. A software defect publishes contradictory provider state for several hundred records. Most customers incur only verification effort; a smaller group faces transaction delay. NRS declares one aggregate event, pays automatic credits, uses a simplified route for standard correction expense and reserves the event layer for larger proved claims. Approved claims are not paid in filing order. The common service contributes to replenishment, and the failure affects qualification and control review.
These scenarios keep the compensation boundary close to evidence. The fund is not a reward for experiencing any difficulty involving an address. It is a structured response where NRS authority failed, the claimant incurred a measurable consequence and the causal link survives independent examination.
The strongest objections support better design, not zero responsibility
The first objection is existential exposure. Number resources support significant businesses, so claimed losses could exceed any registry budget. That is precisely why the fund needs coverage definitions, causation, caps, aggregation, insurance and continuity protection. Unlimited exposure is not the only alternative to immunity.
The second objection is that compensation will make staff afraid to correct records. Poorly designed personal blame can do that. NRS should place ordinary compensation on the institution and shared fund, reserve individual recourse for fraud or serious misconduct, and reward early disclosure. A correctable error reported quickly should cost less than concealment. The incentive becomes careful action and fast containment, not paralysis.
The third objection is that users do not pay fees reflecting commercial value. Compensation need not insure the entire value of every dependent business. It can cover defined direct and bounded consequential loss. The relevant comparison is not fee versus customer revenue alone; it is authority, preventability and a socially sustainable protection layer.
The fourth objection is legal diversity. Customers, providers and harms span jurisdictions. NRS cannot replace every national remedy. It can create a contractual minimum with one clear filing route, preserve mandatory rights and state how parallel recovery is handled. A common fund reduces rather than eliminates cross-border complexity.
The fifth objection is that public claims will damage trust. Hidden uncompensated errors damage trust more deeply. An institution demonstrates legitimacy when it can distinguish unsupported allegations from proved failure, pay the latter, publish the lesson and continue service. Trust based on the absence of visible claims is fragile.
A phased constitution can make the promise credible
NRS should begin by defining covered duties and preserving the evidence needed to test them. Service commitments, change approvals, authoritative observations and customer notices need consistent retention. A compensation right without evidence is ceremonial; evidence without an independent remedy leaves the institution judging itself.
Next, NRS should establish the protected vehicle, initial capital and contribution formula. A transition period can use conservative caps while historical service data and near misses are examined. The fund should not advertise broad protection until legal separation, payment authority and continuity custody have been tested.
The third stage introduces automatic credits and direct-cost reimbursement. These high-frequency, lower-value remedies expose definition weaknesses and administrative burden. Published results can refine standard evidence and contribution risk factors before large consequential claims arrive.
The fourth stage activates full independent review, event aggregation and insurance. NRS should conduct exercises involving a provider insolvency, common-validator error, RPKI handoff failure and court restraint. The test is not only whether an award can be calculated, but whether correction continues, evidence remains available and payment can be made without the failed provider's cooperation.
Finally, NRS should make compensation data part of governance. Claims, credits, recovery times and repeated causes should influence qualification, budget, control investment and leadership review. Members should not be asked merely whether they approve the annual fund balance. They should see which powers generated loss and whether those powers remain appropriately placed.
Responsibility is the price of authoritative control
An authoritative ledger cannot plausibly be indispensable when it demands compliance and incidental when it makes a mistake. The institution need not promise every commercial outcome to accept this point. It needs only to identify the levers it controls, define the care attached to them and bear a bounded consequence when a breach causes proved loss.
The liability fund gives that promise substance before the crisis. Provable-loss rules keep it tied to evidence. Caps protect continuity. Independent review prevents self-judgment. Contribution design places cost near controlled risk. Public decisions create precedent. Insurance and recovery enlarge capacity without making the claimant wait. Protected custody lets the remedy survive provider failure.
The model also clarifies what compensation cannot do. It cannot make an inaccurate record acceptable, convert an IP prefix into property, guarantee routing, remove lawful judicial authority or erase customer security duties. Correction, continuity and mitigation remain primary. Money addresses the residual consequence of a defined institutional failure.
For NRS, this is more than consumer service. It is a legitimacy test. An institution that distributes control but centralizes consequence in the customer has preserved the old asymmetry under a new name. An institution that pairs authority with evidence-backed responsibility can claim a stronger basis for trust: not that it will never be wrong, but that it has arranged in advance to correct the ledger, compensate proved harm and learn at its own expense.
Sources
- RFC 7020, The Internet Numbers Registry System - the accuracy, uniqueness and stewardship goals that define the controlled registration surface without making the registry responsible for all routing.
- RFC 7484, Finding the Authoritative Registration Data Access Protocol Service - the bootstrap structure used to identify authoritative RDAP service, relevant to reliance and correction.
- RFC 9083, JSON Responses for the Registration Data Access Protocol - the authoritative registration response structures in which holder, event, status and notice errors may appear.
- RFC 6480, An Infrastructure to Support Secure Internet Routing - the RPKI authority surface and the limited relationship between resource certificates, routing attestations and network decisions.
- RIPE NCC, RIPE NCC Standard Service Agreement, RIPE-812 - a current public example of number-registry service duties, member duties and contractual limitation provisions relevant to the symmetry inquiry.
- ARIN, Registration Services Agreement - public registration-service terms and liability allocation that illustrate why duties, remedies and limits should be read together.
- European Union, General Data Protection Regulation, Article 82 - a bounded comparison in which compensation, responsibility for damage and recourse are connected to controlled conduct; it is not a rule for all number-registry loss.
- European Union, Revised Payment Services Directive - a bounded comparison for rapid reimbursement, evidence burdens and allocation of responsibility in a different regulated service.
- International Oil Pollution Compensation Funds, Compensation and Claims Management - a comparative example of a pre-arranged international fund, admissible-loss rules, evidence and collective event claims outside the Internet sector.
- United Kingdom Financial Services Compensation Scheme, How FSCS Is Funded - a comparative example of ex ante industry levies supporting a protected compensation function, not a proposed legal model for NRS.
- ICANN, Emergency Back-End Registry Operator Program - a bounded continuity comparison showing that a critical registry function can require pre-arranged substitute service when an operator fails.

