Summary

  • Conference attendance shows who entered a meeting channel, not how the affected Internet is distributed across ASNs, resource holders, downstream customers or routing dependencies.
  • A credible denominator for number-resource representation should layer autonomous systems, legal organisations, registry accounts, customer dependency surfaces, geography and operational role instead of treating all badges as equivalent civic units.
  • Counting ASNs alone is also limited public evidence because one organisation may operate many networks, one ASN may support millions of users and many affected customers never hold number resources directly.
  • The practical reform is a representation evidence ledger: separate event reach, policy contribution, member authority and operational exposure before claiming that a decision speaks for the networked public.

The wrong denominator flatters the room

A conference room can look representative while the network it governs remains mostly absent. The visible scene is persuasive: people at microphones, remote windows, institutional banners, policy slides and a chair asking whether there is any objection. The meeting may genuinely be open. Travel fellowships may bring newcomers. Remote access may let people listen from far away. None of that answers the denominator question. How much of the routed Internet, and how much of the population dependent on it, is actually touched by the people in the room?

Number-resource governance has a special problem because its subject is not a general public issue in the abstract. It is a control system for addresses, autonomous system numbers, registry records, routing trust, transfer records, reverse DNS and operational coordination. The people who appear at meetings matter, but they are not the only affected unit. A small broadband operator, a cloud provider, a national research network, a mobile carrier, an enterprise ASN, a content network and a downstream customer population all experience policy differently.

When an institution substitutes event attendance for representation, it changes the population under discussion. A meeting denominator counts accessible humans under an event design. An operational denominator counts networks, legal resource holders, users, customers and dependencies exposed to the rule. The two can overlap, but they do not collapse into each other. A room of one hundred may include a majority of the people willing to speak and a tiny share of the autonomous systems affected.

The substitution is usually quiet. A report says many people attended. A later paragraph says the community discussed the proposal. A board paper says the community supported the outcome. The attendance number then becomes a shadow denominator for authority. Readers are left to assume that the bodies in the room map onto the networks outside it.

The first repair is linguistic discipline. Event reach is event reach. Operator representation is operator representation. Member authorisation is member authorisation. Customer impact is customer impact. If a policy touches routing security, transfer rights or registry access, the institution should say how the affected autonomous systems, organisations and dependent customers were identified, notified and heard. If it cannot say, it should not borrow the conference pass total to fill the gap.

Autonomous systems are a better start, not a complete answer

Autonomous systems are attractive because they are closer to the Internet's operational structure than badges. An ASN is not merely an identity label; it reflects a routing policy domain visible in interdomain routing. Policies that affect route registration, RPKI behaviour, resource transfers, abuse contacts, reverse DNS or address stewardship often land through the operators that run or depend on these systems. Counting them helps governance escape the theatre of who managed to attend a meeting.

Yet ASN counting can mislead if treated as a perfect electorate. One organisation may hold many ASNs for technical, historical or acquisition reasons. Another may operate a single ASN that carries national-scale access. Some ASNs are dormant, internal, experimental or used only in limited contexts. A large cloud provider's autonomous systems may represent enormous downstream dependency, while a small enterprise ASN may carry a narrow operational surface. The ASN is a vital unit, but it is not the person, the customer base, the legal member, the affected user or the public interest by itself.

The useful move is not to replace conference passes with a single ASN tally. It is to make autonomous systems one layer in a multi-layer representation model. The model should ask how many active ASNs could be affected, which legal organisations control them, which registry accounts or members hold the related resources, which downstream networks or customers depend on them and which geographic or market segments would be exposed. Each layer answers a different legitimacy question.

The Number Resource Organization's public accountability materials describe the Regional Internet Registries as organisations with their own governance and communities, while ICANN's criteria for establishing new RIRs emphasise regional service, community support and policy processes. Those sources point away from a pure conference-room model. The registry system is accountable through a mixture of service relationships, community policy development, member structures and regional legitimacy. Attendance can illuminate one channel; it cannot substitute for the rest.

Counting ASNs therefore changes the analysis from access to exposure. If a policy concerns how routes are authenticated, exposure includes networks whose valid announcements, customer routes or operational practices may be affected. If a policy concerns transfers, exposure includes resource holders, counterparties, brokers, due-diligence teams and service users. If a policy concerns registry eligibility, exposure includes organisations whose ability to obtain, retain or move resources changes. The conference room may contain expertise, but expertise is not the same as a mapped constituency.

Organisations connect the registry to legal accountability

Number resources are not held by abstractions. They are usually administered through legal organisations, contractual accounts, local Internet registries, national registries, service providers, enterprise networks, universities, public agencies and infrastructure operators. Any representation count that stops at people or ASNs misses the legal and financial path through which registry decisions become enforceable.

Organisation-level evidence matters because it anchors authority. A network engineer may speak with deep operational knowledge but no power to bind an employer. A chief executive may have authority but little technical detail. A consultant may serve several operators. An association may represent members only after a documented consultation. A public-sector attendee may observe without committing a regulator. The badge does not say which role is being performed.

The organisation layer should therefore be explicit. Which affected legal entities were directly notified? Which were members at the relevant date? Which controlled active resources covered by the proposal? Which submitted a comment, authorised a vote, delegated a proxy or remained silent after notice? Which appeared only through an employee's personal contribution? These questions are not bureaucratic decoration. They separate expertise, interest and mandate.

This distinction protects both large and small networks. Large organisations should not be allowed to turn many staff badges into many voices unless the process values individual expertise for a specific reason. Small organisations should not disappear because they sent one person to one session while a multinational sent a team. When decisions are about obligations attached to resources, the legal unit that must comply deserves visible treatment.

Organisation mapping also helps expose concentration. Ten conference passes from ten unrelated access providers are not the same as ten passes from one vendor group. Five ASNs under common control are not five independent affected operators. A hundred enterprise customers behind one managed service provider may have no direct registry account, yet may feel the effects through contractual service changes. A representation claim should show where independence exists and where it is assumed.

A practical report can publish safe aggregation without naming every actor. It might show active resource-holding organisations notified, responding organisations, organisations represented by authorised contacts, unique ASNs linked to those organisations and downstream dependency indicators where available. The point is not to create a surveillance catalogue. It is to prevent a room count from masquerading as a map of the affected Internet.

Customer dependency is the missing public-interest layer

The deepest weakness in conference-pass legitimacy is that most people who depend on number resources do not hold them and never attend registry meetings. Residential users depend on broadband providers. Small businesses depend on hosting platforms, payment processors and managed connectivity. Public services depend on government networks and commercial transit. Content reachability depends on interconnection and routing decisions that are invisible to ordinary users.

Registry governance cannot represent every end user through direct attendance. It can, however, acknowledge customer dependency as a layer of impact. A rule that changes resource transfer availability, routing authentication incentives, abuse-contact quality or registry service continuity may affect customers far beyond the organisations that submit comments. Those customers rarely know which registry policy created the effect. They experience it as price, reachability, resilience, fraud response, service delay or outage risk.

Customer dependency evidence does not require claiming to know each individual user. It can use categories: access customers, hosting customers, mobile subscribers, public-sector service populations, enterprise networks, community networks, interconnection partners and downstream autonomous systems. It can identify whether the affected operators are retail-facing, wholesale, infrastructure-only, governmental, educational or content-related. It can note uncertainty instead of pretending that a member vote captures the entire public.

This layer is especially important when a small number of operators carry large populations. One national mobile provider may be worth more in dependency terms than dozens of small enterprise ASNs. Conversely, a technically small network may carry critical infrastructure, emergency services, research connectivity or a remote community. Counting only people at microphones flattens those differences. Counting only ASNs may do the same in another direction.

The public-interest problem is not solved by saying that operators know their customers. Operators often do understand operational risk better than outsiders, but their commercial incentives may differ from customer welfare. Customers may value stability over monetisation, portability over lock-in or abuse response over minimal compliance cost. A representation model should therefore ask how customer-facing consequences were tested, not merely whether any operator attended.

A useful governance paper would include an impact matrix. Which operator types are affected? Which customer dependencies might change? Which evidence comes from direct operators, which from associations, which from public-interest groups and which remains untested? This is more honest than treating the audience as the governed population. It also gives board members a way to ask for targeted consultation before converting a narrow meeting signal into a durable rule.

Attendance counts are still valuable, but only at their own level

The remedy is not to stop counting attendance. Event access is a legitimate governance metric. An open process that nobody can enter is not open in practice. Travel cost, language, time zone, remote access, disability access, professional workload and meeting design all shape who can observe and contribute. Conference data can reveal important barriers.

But the value of attendance data depends on keeping it at the right level. Registrations measure successful entry into an event system. Check-ins measure a defined act of arrival. Session presence measures access to a particular discussion. Contributions measure interventions, submissions or edits. Authorised votes measure formal authority under a membership or election rule. Operational exposure measures the networks and customers affected. These are related but different ladders.

A registry can say that a meeting drew many attendees from many economies. It can say that a policy session heard operational concerns from network engineers. It can say that authorised members voted. It can say that the affected ASN population was mapped and that direct notice reached organisations controlling a large share of exposed routes. The problem begins when those sentences are compressed into one claim of community approval.

The APNIC Policy Development Process is careful in distinguishing opinion gauges, consensus calls and later stages of endorsement. The IETF's RFC 7282 is similarly useful because it warns that rough consensus is not merely majority sentiment and that objections must be addressed. These documents do not give number registries a full representation denominator, but they do clarify that process evidence is not a single headcount.

Event counts should therefore function as access diagnostics. If many people register but few enter policy sessions, agenda discoverability is poor. If only one region or language group contributes, outreach is incomplete. If remote observers never have their questions read, hybrid access is symbolic. If session attendance is high but written objections go unanswered, the problem is not access but deliberation.

Treating attendance honestly strengthens the institution. It lets engagement teams celebrate real reach without inflating mandate. It lets policy teams diagnose where participation narrows. It lets boards ask whether a decision has enough operator evidence. It lets members see whether their authority was used appropriately. The conference pass remains useful because it is no longer asked to do constitutional work.

A denominator can be layered without becoming a census

Critics may entity that a layered denominator sounds impossible. The Internet is distributed, data is messy and privacy matters. That is true. The answer is not a perfect census. It is a disciplined set of approximate layers, each marked by scope and uncertainty.

Layer one is event reach: registrations, check-ins, remote accounts, session attendance and contribution counts. Layer two is community contribution: unique contributors, affiliations, recurring contributors, objections, edits, mailing-list submissions and response treatment. Layer three is member or account authority: eligible members, voting contacts, proxies, authorised organisational positions and formal votes. Layer four is operational exposure: active ASNs, address holders, routes, registry entities, RPKI dependencies or service classes affected.

Layer five is customer and public dependency: downstream customer categories, critical-service exposure, geographic reach and affected market segments.

No layer should be forced into the others. A person may contribute as an expert without an organisation's mandate. An organisation may be a member without running many active routes. An ASN may be operationally important without a large customer base. A consumer population may be affected without direct membership. The report should show the mismatch rather than hide it.

Safe aggregation can handle sensitivity. Publish ranges where precise counts would expose small actors. Use categories where names are unnecessary. Allow confidential impact statements when public disclosure would reveal security or commercial information. Retain raw data only as long as needed. Make the method public even where some inputs remain protected.

The point of layering is decision discipline. A narrow technical clarification may not require extensive customer mapping. A change to election eligibility requires member-authority evidence. A rule that affects routing security may require operational exposure. A service-fee proposal may require customer and small-operator analysis. The denominator should match the power being exercised.

Layering also reduces the risk of performative consultation. Institutions often invite the same visible contributors to fill every legitimacy gap. A layered report would show when the same people are being counted as attendees, contributors, operators, community, public interest and mandate. Expertise can be respected without letting it impersonate every constituency at once.

Board election legitimacy needs an operator denominator

Board elections are where the conference-pass error becomes most dangerous. A registry board does not merely moderate a meeting. It controls budget, executive oversight, risk appetite, accountability arrangements and, in some cases, responses to disputes that can affect the continuity of registry service. The electorate may be defined by membership rules, but legitimacy depends on whether those rules connect to the operators and dependencies the registry exists to serve.

If election discourse is dominated by meeting attendees, the institution may confuse campaign visibility with operational representation. Candidates who travel, sponsor, speak frequently or belong to established circles can appear more representative than candidates backed by quieter resource holders. A well-attended candidate forum does not show that the affected operator base was reached. A country-diverse audience does not show that resource-holding organisations had equal practical opportunity.

The election denominator should start with eligible voting members or accounts at the record date. It should then show which member categories voted, whether voting power is concentrated, how proxies were used, whether ballots reflect common control and how participation compares with active resource use. Where legally and safely possible, it should also indicate whether operators controlling different types of resources had visible pathways to evaluate candidates.

An ASN layer is useful here because board decisions affect operational communities beyond the formal act of voting. If a registry has many resource-holding members but the active routing base is concentrated elsewhere, the institution should understand the gap. If a large number of affected networks receive service indirectly through upstream providers or national structures, the formal electorate may not capture their concerns. The election can still be valid under its rules, but the institution should not describe it as broad operator authorisation without evidence.

This distinction is not a call to replace membership elections with ASN plebiscites. That would create new distortions. It is a call to report election legitimacy with aligned denominators. Legal authority comes from the election rule. Public legitimacy comes from whether the rule, notice, candidate access and information environment allowed the affected operational community to evaluate the choice.

Boards should be cautious when they cite meeting excitement, candidate-forum attendance or conference applause as signs of mandate. The decisive evidence is the authorised electorate, the fairness of the process and the relationship between the electorate and the operator base. Anything else is atmosphere.

Regional diversity cannot substitute for network diversity

Country and region labels are useful, but they are blunt. A person associated with a country may be a regulator, an operator, a vendor, a student, a civil-society advocate, a lawyer, a researcher or a traveller working for a multinational. A country label on a badge does not say which networks, customers or organisations are represented. It also does not prove national consensus.

Network diversity asks different questions. Are access providers present? Are mobile operators present? Are enterprise networks present? Are content networks present? Are community networks present? Are hosting providers present? Are educational and research networks present? Are critical public services present? Are small resource holders present, or only the operators with travel budgets?

A process can be regionally broad yet operationally narrow. Many economies may appear in a meeting report while only a few operator types provide comments. Conversely, a small meeting may include the exact operational experts needed for a narrow technical policy, provided their authority and limitations are stated. The legitimacy issue is not whether every possible category appears every time. It is whether the institution claims a breadth it did not measure.

Regional diversity can also hide dependency asymmetry. A country with one visible operator may host millions of users behind that network. Another may have many small ASNs serving niche markets. A third may depend heavily on international transit and content distribution controlled elsewhere. A fourth may have strong domestic engineering capacity but limited travel funding. Treating each country label as equal public representation erases those differences.

A layered report can show geography and network role together without exposing individuals. It can state that comments came from access operators in several subregions, from enterprise networks in one market and from content or hosting operators elsewhere. It can identify missing categories. It can ask whether an unresolved objection came from a network role materially affected by the rule.

This is where the denominator becomes editorially important. The public should not be told that a region spoke if the evidence shows that a few recurring voices with regional labels spoke. Nor should a strong operator warning be dismissed because it came from a country with few attendees. Network diversity gives substance to geography.

Associations and coalitions need mandate records

Associations are often necessary in Internet governance. They reduce transaction costs, coordinate small operators, translate policy language, provide legal support and bring structured positions into meetings. Without associations, many smaller networks would have no visible path into registry debate. The risk is that an association can be counted as both one organisation and many implied principals without showing the mandate chain.

When an association speaks, the process should know what kind of position it presents. Was it approved by a board? Was it based on a member survey? Were dissenting members allowed to record minority views? Does it represent all members, only a working group or only the staff secretariat? Does the association include operators directly affected by the policy, vendors with commercial interests or a mixture of both? The answer need not disqualify the input; it determines how it is weighed.

Coalitions raise similar issues. A letter signed by many organisations may be stronger evidence than one speech, but only if signatories are real principals and the statement's scope is clear. A coalition name at a microphone may represent an organised constituency or merely a convenient banner. The distinction matters when a chair later says that affected operators supported the outcome.

Mandate records can be lightweight. The association can disclose its constituency type, approval mechanism, date of position, scope and any material exclusions. A coalition can publish signatories and the text they authorised. Confidential members can be aggregated where safety requires, but the existence of confidentiality should not become permission to claim unlimited backing.

This also protects associations from institutional misuse. If an association submits a narrow technical comment, the registry should not cite it as endorsement of a broader governance package. If a coalition supports a transition period, it should not be counted as supporting the entire final policy after material changes. The mandate record preserves scope.

Here again, conference attendance is the weakest possible evidence. Seeing an association representative in the room tells us almost nothing about the members' authorisation. A process that values small-operator representation should make mandate disclosure easier, not pretend a badge solved it.

A representation evidence ledger would change the report

The practical reform is a representation evidence ledger attached to significant policy and election outcomes. It would not be a new barrier to every small operational update. It would be a structured public account when an institution claims broad support, community mandate or operator legitimacy.

The ledger would begin with the decision: what changed, who can be affected and what kind of authority is being exercised. It would list event reach separately from contribution evidence. It would identify the formal decision channel: consensus call, board vote, member vote, staff implementation or external coordination. It would show the denominator relevant to that channel. It would then add operational exposure: ASNs, resource-holder categories, customer dependency categories and known missing viewpoints.

For each major claim, the ledger would state the evidence level. "Open meeting discussion" is one level. "Written submissions from affected operators" is another. "Authorised member vote" is another. "Direct notice to organisations controlling affected resources" is another. "Downstream customer evidence" is another. The institution could still decide under uncertainty, but the uncertainty would be visible.

The ledger would also include objection treatment. RFC 7282's central lesson is that consensus is not the absence of noise after fatigue; objections must be understood and addressed. A registry ledger should therefore show whether operational objections were accepted, rejected, deferred or answered by safeguards. It should distinguish unresolved concern from mere preference.

Such a ledger would make legitimacy claims harder to inflate but easier to defend. If a policy truly did receive broad support across operator types and formal authority channels, the evidence would be stronger than a press sentence. If the record is thin, the institution can say so and explain why action was still necessary, reversible or limited.

Most importantly, the ledger creates memory. Future boards, staff and critics can see what was known at the time. A conference pass cannot bear that weight. A structured evidence record can.

NRS design should start from operational proof

Future Number Resource Society design has an opportunity to avoid inherited denominator errors. If NRS wants to present itself as a governance path for the resource-dependent Internet, it should not build legitimacy primarily from who attends launch events, speaks on panels or signs general statements. It should build from verifiable operational authority.

That begins with resource and routing evidence. Which ASNs, address holdings, registry accounts or service dependencies connect a principal to the issue? Which organisation controls them? Which person is authorised to act? What is the scope of the mandate? Does the authorisation expire? Can the principal withdraw or revise it? Can the mandate travel across forums without being reinterpreted?

An NRS model should also recognise indirect dependency. A customer or user group may lack number resources but still have legitimate public-interest evidence. Its role should be labelled as customer, user, civil-society, research, public-sector or market-impact evidence, not disguised as operator authority. The system gains credibility by letting different voices appear under accurate labels.

This is not anti-participation. It is pro-accountability. Open discussion remains essential for detecting blind spots and improving rules. But open discussion should not be used to manufacture authorisation after the fact. A contributor can inform a decision; a principal authorises a mandate. The record should not confuse them.

NRS could publish a simple denominator card for every major position: affected resource types, known operator principals, authorised representatives, consulted customer dependencies, unresolved gaps and expiry date. That would make its claims portable and contestable. Other institutions could assess the position without guessing whether it emerged from a room, a mailing list or a verified mandate chain.

If NRS instead repeats the old metric habit, it will reproduce the governance problem it claims to solve. A large meeting, a polished report and a broad slogan can create visibility. They do not prove that the autonomous systems, organisations and customers under the rule have spoken.

The honest claim is narrower and stronger

The honest claim is rarely as grand as the promotional one, but it is stronger. "The session drew attendees from many regions" is credible. "Operators controlling a documented share of affected ASNs submitted comments" is credible. "Eligible members voted under the published election rule" is credible. "Customer-impact evidence remains limited and should be tested before implementation" is credible. Each sentence knows its denominator.

The inflated claim is easier to write: the community supported the outcome. That sentence may be true in some contexts, but in number-resource governance it should be earned. Which community? Under which role? Through which authority? With which operational exposure? After which objections were addressed? A conference pass does not answer.

Counting autonomous systems is not a technocratic obsession. It is a reminder that Internet governance governs infrastructure. The people who enter meeting rooms matter because they bring knowledge, accountability and judgment. The networks outside the room matter because they carry the consequences. A legitimate process makes the relationship between the two visible.

Institutions should continue to open doors, fund access, improve remote channels and welcome new voices. They should also stop asking attendance statistics to do the work of representation. Event access is a beginning. Mandate requires a chain: principal, authority, scope, affected surface, evidence and review.

When the denominator is layered, disagreements become clearer. A proposal may have many supporters but little operator evidence. It may have few speakers but strong authorised backing. It may affect many customers whose interests were never tested. It may be technically necessary despite limited attendance. Each case demands a different institutional response.

That is the promise of counting ASNs, organisations and dependencies alongside people. It does not make governance easy. It makes the claim visible enough to verify.

Measurement should create duties, not decoration

A layered denominator is useful only if it changes behaviour. If a registry publishes an ASN exposure count, an organisation map and a customer-dependency note, then ignores the gaps, the report becomes decoration. The evidence should create duties. A missing operator category should trigger targeted notice. A high-dependency customer segment should trigger impact review. A concentrated voting pattern should trigger governance explanation. A thin objection record should trigger caution about consensus language.

The duty does not need to be identical in every case. A minor wording change may require no additional outreach. A policy that changes transfer rights or registry access should. A board election dispute may require an independent review of electorate and proxy records. A routing-security obligation may require operational testing among networks that cannot attend meetings. The point is proportionality tied to exposure, not a universal procedural tax.

This is where conference-pass metrics fail most clearly. They create a celebratory duty: thank the attendees, publish the map, show growth. They rarely create a decision duty. If the room was large, institutions feel reassured. If the room was small, they may recruit more attendees next time. Neither response necessarily reaches the affected networks. A layered denominator says what kind of absence matters.

The board should see those duties before approval. Staff can recommend proceeding, but the recommendation should state whether denominator gaps are acceptable, mitigated or scheduled for review. Chairs can declare consensus, but the declaration should identify whether operational exposure was measured. Members can vote, but voter information should not be confused with customer dependency. Each governance actor gets a more precise task.

Measurement without duty can even make legitimacy worse. It gives institutions more numbers to cite while leaving the same unrepresented surfaces untouched. Measurement with duty makes the numbers uncomfortable in the right way: they expose what must be fixed, not merely what can be advertised.

The denominator will always be contested

No denominator will satisfy everyone. Operators will disagree about which ASNs count as active. Organisations will contest common-control treatment. Customer advocates will argue that dependency is underestimated. Institutions will worry about privacy. Small networks will fear being hidden in aggregation. Large networks will resist being treated as one voice when their internal units differ. These disputes are inevitable.

The existence of contest does not justify returning to the badge count. A contested operational denominator is still more honest than an irrelevant attendance denominator. The solution is to publish methods, uncertainty and appeal routes. If active ASN status is inferred from routing visibility, say so. If customer dependency is categorical, say so. If related organisations are collapsed, explain the rule. If small cells are suppressed, explain why.

Contestation can improve the model. A community network may show that the operator categories miss shared infrastructure. A cloud provider may show that one ASN supports many service surfaces. A national association may show that resource records do not capture downstream service dependence. A regulator may show that customer impact differs from operator preference. The denominator becomes a deliberative entity rather than a hidden assumption.

This is also why NRS and registry bodies should avoid pretending that counting ASNs is neutral science. It is governance judgment supported by technical evidence. The judgment should be reviewable. A denominator chosen for an election may differ from one chosen for routing-security implementation. A denominator chosen for public-interest impact may differ from one chosen for member fees. What matters is matching the unit to the claim.

The old shortcut produced certainty by counting the room. The better practice produces accountable uncertainty by counting the affected surface. Governance should prefer the second, because the first is certain about the wrong thing.

A final discipline follows from that preference: never publish a ratio whose numerator and denominator describe different worlds. If the numerator is attendees, the denominator is the invited audience. If the numerator is authorised operators, the denominator is the affected operator base. If the numerator is ASNs, the denominator must explain activity, control and dependency. Mixed ratios are not shortcuts; they are category errors with percentages attached.