Summary

  • A custodial registration can be legitimate when one accountable organization holds the registry relationship for investors, beneficiaries or an operating arrangement. The structure becomes dangerous when the named custodian is mistaken for the only party whose authority, incentives or failure can affect the prefix.
  • Three facts should be recorded separately: the organization recognized by the registry, the organization operating the range, and the person or entity able to exercise beneficial control over the holding arrangement. None is a reliable substitute for the other two.
  • “Beneficial control” in this context should describe control over the vehicle, contract, proceeds or decisive instructions. It should not silently declare IPv4 addresses to be property where the relevant registry agreement or policy uses custody, licence, assignment, holdership or registration-right language.
  • Public registration should remain operationally useful: holder identity, range, status, role contacts, operator or contact relay, and time-bounded authority where appropriate. Prices, investor percentages, trust distributions, side letters, home addresses and passive beneficiaries generally do not belong in the public response.
  • Protected registry or assurance records may contain a control declaration, verification source, effective date and change duty. Full trust deeds, cap tables and transaction documents should remain with the parties or an appropriate custodian unless a defined authority question or lawful demand requires them.
  • Disclosure should be tiered and purpose-bound. Operators and the public need contactability; registries need authority evidence; auditors, courts and competent authorities may need more under applicable law. Universal publication is not the only form of transparency.
  • Number Resource Society can support a portable beneficial-control attestation, role-based RDAP presentation and independent correction service while rejecting both anonymous control and compulsory publication of private portfolios. Its value lies in trustworthy separation of roles, not in judging the merits of every commercial arrangement.

Custody is useful precisely because identity and benefit can differ

A custodian stands between a valuable relationship and the people who benefit from it. That position is common in finance, trusts, estates and corporate administration. It can be useful in IPv4 arrangements for the same reason: the set of beneficiaries may change while the registry-facing organization remains stable; investors may be ill-suited to operate a network; a neutral vehicle may outlast an operator; or several parties may want one accountable holder rather than contradictory registrations.

The word also carries a warning. A person shown in the register may hold for someone else. The customer answering abuse complaints may not be able to transfer the range. The person who receives distributions may not be authorized to sign a ROA. The individual controlling the custodian may be absent from public data. If every observer treats the registered name as complete truth, a formally accurate entry can produce a materially false understanding of control.

APNIC's number-resource policy itself calls account holders custodians rather than owners and says that registration or delegation does not confer ownership. That is a system-wide stewardship usage, not proof that every APNIC holder is a private trustee or nominee. The distinction is important. This analysis uses “custodian” more narrowly for an organization that holds or administers a registry relationship under an arrangement benefiting or controlled by other parties.

Such arrangements do not have one universal legal form. A trustee may owe duties under a trust. A corporate nominee may act under contract. A special-purpose company may be directly owned by investors and appoint professional administrators. An operating company may hold the registration while economic rights sit elsewhere. Applicable law, registry terms and the documents determine the consequences.

There is no complete public denominator for custodial IPv4 holdings. Whois and RDAP do not disclose every trust, nominee, financing or beneficial-interest arrangement. Corporate registers vary. Private agreements are not observable from routing. Public transfer logs do not normally include beneficial-control histories. It would therefore be unsound to claim a global prevalence or failure rate.

The governance case does not depend on such a number. Where custody exists, the authoritative systems need to know enough to prevent impersonation, preserve contact and respond to a genuine control dispute. The public does not need every commercial fact. The problem is to distinguish purposes before choosing fields.

The register, the router and the beneficiary tell different truths

The registered holder answers a registry question: which organization is recognized in relation to this range under the applicable agreement, policy and database? In ARIN's model, direct resources are associated with an Organization Identifier representing a legal organization. RIPE NCC uses holdership language in its transfer material. APNIC associates resources with account holders. The terms differ, but each system needs an entity to which registration duties and management authority can attach.

The operator answers a network question: which organization configures announcements, maintains customer use, selects upstreams, handles incidents and coordinates routing-security information? The operator may be the registered holder. It may also be an affiliate, lessee, customer, managed service or beneficiary. BGP can reveal an origin ASN, but that observation does not identify every operational subcontractor or contractual role.

The beneficial controller answers a governance question: which natural person, legal entity or decision group ultimately obtains relevant economic benefit or can cause the holding arrangement to act? Control can arise through shares, voting rights, appointment powers, a trust, contract, debt covenants or other mechanisms recognized by applicable law. A passive beneficiary and a person able to replace the custodian are not equivalent.

These roles can coincide. A founder-owned network company may be holder, operator and beneficially controlled by the same person. They can also separate. A professional trustee can be the registered holder, an ISP the operator and a family trust's beneficiaries the economic recipients. A fund vehicle can hold the range, a portfolio company operate it and the general partner control decisions.

The data should not force one name into every role. Copying the custodian into the abuse contact can make incident response fail. Copying the operator into the holder field can falsely imply that a transfer occurred. Publishing every beneficiary as a network contact exposes people who cannot answer a routing question.

Accuracy is role-specific. The holder field is accurate if it identifies the organization the registry recognizes. The operator field is accurate if it identifies the organization with current operating responsibility or provides a verified route to it. The protected control declaration is accurate if it identifies the relevant controller under a defined test and date. A system can hold all three truths without deciding that one cancels the others.

Beneficial control must not smuggle in an unsupported property conclusion

Beneficial ownership is a developed concept in company, trust, tax and anti-money-laundering law. It usually looks through a legal title or entity to the natural person who ultimately owns or controls the arrangement under the applicable test. That language is useful, but transferring it carelessly to IPv4 can create a conclusion the evidence does not support.

Regional policies and agreements characterize number-resource relationships differently. ARIN says resources under its administration are assigned to organizations and are not sold by ARIN. APNIC says account holders are custodians and that delegation or registration does not confer ownership. RIPE NCC describes transfers as changes of holdership. Legacy resources and local law can add complexity. No single label supplied here decides the property status of every IPv4 right in every jurisdiction.

The disclosure system should therefore define its entity. A “beneficial controller of the holding vehicle” may be a person who controls the registered company. A “beneficiary of transfer proceeds” may have an economic claim under a trust. A “person with decisive instruction rights” may approve sale or operator replacement. These statements can be true without asserting that the person beneficially owns the addresses as chattels.

Precision also helps legal compliance. FATF Recommendation 24 concerns beneficial ownership and control of legal persons for anti-money-laundering purposes. It does not turn every asset or identifier associated with a company into property of the beneficial owner. A company-law register can identify a person with significant control over the custodian, while the registry agreement continues to govern the organization's number-resource relationship.

The parties should avoid public labels such as “true IP owner” unless a competent legal conclusion supports them. The label is rhetorically satisfying and operationally ambiguous. Does it mean investor, trust beneficiary, holder recognized by the RIR, controller of the holder, operator, purchaser awaiting transfer or creditor with security? Each possibility grants different powers.

A well-designed record uses verbs and scope. “Company A is the registered holder.” “Company B operates the range until a stated date.” “Person C controls appointment of the custodian's board under the reviewed declaration.” “Trust D receives specified economic benefits.” The record should state who verified the claim and when. It should not compress all of that into one disputed noun.

The custodian must be accountable, not merely nameable

Putting a professional company in the registry improves little if the company cannot explain its mandate or act independently. Accountability requires capacity, records, duties and replacement.

The custodian should be a valid legal organization capable of entering the registry agreement and satisfying applicable eligibility rules. It should maintain secure accounts, current points of contact, board or manager records, authority documents and a complete list of services connected to the range. At least two qualified people should be able to perform continuity-critical tasks. Shared credentials should be prohibited.

Its mandate should identify whose instructions it may accept and for which actions. Routine contact corrections may come from the operator. A transfer may require trustee or board approval. A ROA request may follow a technical schedule. A distribution instruction belongs to the financial administrator. The custodian should reject a request that comes from a beneficiary who has economic rights but no power to direct the action.

Independence is practical rather than ceremonial. If the operating company hires and can dismiss every custodian director at will, the custodian may not protect other beneficiaries. If one investor controls the bank account and registry login, the trust language may hide unilateral control. Governance should disclose appointment rights, related parties, fees and conflicts to the authorized beneficiaries and reviewers.

The custodian should provide periodic statements of actions taken, current authority, open disputes and material service risks. These reports need not reveal customer traffic or personal data beyond the recipient's entitlement. They should allow beneficiaries to detect an unauthorized transfer request or an expired operator mandate before damage occurs.

Replacement must be possible. The governing documents should specify resignation, removal for cause, ordinary replacement, incapacity, insolvency and loss of regulatory or corporate standing. Handover duties include registry correspondence, contact lists, account inventories, RPKI arrangements, IRR and reverse-DNS authority, contracts, logs and protected control records.

A custodian that cannot be replaced has become the beneficiary of its own gatekeeping position. Custody is legitimate when it protects continuity for others and remains bounded by a provable mandate.

Trustee, nominee, administrator and operator are not interchangeable

Commercial documents often use “custodian” as a broad convenience. The underlying roles should be named more carefully because their duties and powers differ.

A trustee generally holds or administers rights under a trust and owes duties defined by the trust instrument and governing law. Beneficiaries may have economic interests without direct instruction rights. Some trusts give a protector or another person powers over appointment and reserved decisions. The registry should not assume that a beneficiary can bind the trustee.

A nominee company may hold legal title or appear in a record under a contract requiring it to act for another party. Its discretion may be very narrow. That can simplify administration but increase dependency on the principal's authority and the enforceability of the nominee agreement.

A corporate services administrator may maintain records, arrange filings and relay instructions without itself holding the resource relationship. Calling it the holder because it operates the email account would be inaccurate. Likewise, a lawyer or escrow agent retaining documents is not necessarily the custodian of registry rights.

The network operator has a separate mandate. It needs practical power to announce routes, coordinate upstreams, maintain customers and respond to incidents. It may receive limited registry and RPKI permissions, but it should not acquire transfer authority merely because it has technical access.

An investor or beneficiary may receive returns and information. It may hold reserved voting rights or none. A secured lender may have consent rights after default. A protector may replace a trustee. A general partner may control the investment vehicle. These parties all matter to beneficial-control analysis, but they are not one role.

The control declaration should therefore describe the form of arrangement and map functions. The public record can remain simple. The protected file needs enough structure to answer a disputed instruction: who is the holder, who can appoint it, who can direct this action, who benefits, who operates and which document establishes each answer?

Terminology is not pedantry here. It prevents a registry from accepting an operator's sale instruction, a trustee from interfering with routine routing, or a passive beneficiary from being exposed as if responsible for abuse.

Current registry fields establish a useful baseline, not a complete answer

ARIN's public guidance describes an Org ID as a unique identifier for an organization, defined by legal name, address and points of contact. POCs may serve administrative, technical, abuse, NOC, routing or DNS functions. ARIN Online accounts are individual and private, while public organizational and role information can appear in registry data. This model already proves that one organization can have differentiated human and functional authority.

The model does not purport to display beneficial control. An Admin or Tech POC may have substantial ability to manage records, but the POC is not necessarily an investor, director or beneficiary. ARIN expressly explains that a POC listed for a failed business does not thereby acquire authority to sell or transfer the resources. Contact and economic right are different categories.

APNIC's policy requires registration for assignments and allocations while allowing privacy choices for certain customer assignments. It emphasizes uniqueness, troubleshooting and identifiable custody within reasonable privacy and applicable law. RIPE Database entities likewise support operational and organizational roles under regional rules. The details differ across systems.

The baseline can be improved by adding a relation rather than overloading existing fields. A registered-holder relation identifies the organization with the direct registry status. An operator relation identifies the entity responsible for live use or gives a verified contact relay. A protected-control declaration records the relevant person or entity behind a custodial arrangement.

The relation should be time-bounded and sourced. An operator may change without a holder transfer. A trust beneficiary may change without changing the trustee. A control change at the custodian may require new verification even though the legal name stays the same. History should preserve former roles for incident attribution without displaying every past personal detail forever.

Public status language matters. “Registered holder” should not be presented as “beneficial owner.” “Operator attested by holder” should not be presented as a registry-certified contract. “Control declaration held” should not reveal the content or imply criminal suspicion. Each label should state no more than the evidence supports.

Existing fields are therefore the foundation: unique range, recognized organization and useful contacts. The missing element is a disciplined way to represent separation without turning the public database into a trust registry.

RDAP can express roles and privacy, but it needs a defined relation

RDAP provides a structured way to return registration data. RFC 9083 defines entity roles including registrant, administrative, technical, abuse, proxy, notifications and network operations centre. These roles are valuable because they allow one response to distinguish function rather than repeat an undifferentiated contact.

A custodial IPv4 response can use existing roles for much of the public layer. The registered organization can appear in the role appropriate to the server's model. The operator can appear as a technical or NOC entity, or through a clearly defined extension relation. Abuse reports can go to the abuse role. A professional contact relay can use a proxy-like function if the semantics and policy are clear.

Existing roles do not fully describe beneficial control. “Registrant” and “proxy” are not universal substitutes for trustee, beneficiary, controller or protector. Overloading them would create inconsistent interpretations. A narrowly specified extension or linked attestation is preferable to assigning a familiar word a hidden financial meaning.

RFC 7481 permits tiered access according to server policy and discusses private, redacted, obscured and proxy registration data. RFC 9537 supplies machine-readable redaction methods, including replacement of an email address with a contact URI. These mechanisms demonstrate that a response can be transparent about withheld fields while preserving a usable contact route.

Redaction should not use misleading placeholder text. A response can state that a protected control declaration exists and give its verification date without emitting a blank name that users mistake for missing diligence. Where even the existence of a field creates risk, policy may withhold that signal, as RFC 9537 recognizes.

Access policy remains a governance choice. RDAP does not decide which registry, authority or investigator should see a beneficiary. The service must define purpose, authentication, logging, retention and review. A powerful query interface without those controls can turn role separation into bulk surveillance.

The technology is ready to carry more honest distinctions. The institution still has to decide why each distinction is collected and who may see it.

The public layer should answer operational questions

Public registration serves uniqueness, coordination, troubleshooting and contact. The public layer should be designed around those functions.

For a custodial holding, the response should identify the prefix and the organization recognized as holder under the registry's terminology. It should show current status and relevant dates. It should provide reachable abuse and network contacts, preferably organizational channels rather than personal home details. It should identify the operator where disclosure is necessary and proportionate, or provide a verified relay capable of reaching the operator.

If the operator relation is attested rather than directly established by regional policy, the label should say so. An “operator declared by registered holder” statement is useful and bounded. It does not prove that every private contract is valid or that the operator has transfer rights.

The public layer may show that the registration is custodial if that fact materially affects how instructions or complaints are handled. It can identify the professional custodian and a role contact. It need not list every beneficiary. The design should consider whether public use of the word “trust” exposes sensitive family, estate or security information without improving network response.

Prices, revenue shares, voting percentages, distribution schedules, lender covenants, customer lists, trust deeds, passport data and residential addresses generally do not answer public operational questions. Publishing them creates misuse and accuracy risk. A stale cap table may be more misleading than no cap table.

Correction must be accessible. The operator should be able to report a wrong contact. A beneficiary who discovers an unauthorized public claim should have a protected route to challenge it. The public response can mark a relation as disputed without publishing allegations or confidential evidence.

Historical public data should be limited by purpose. Researchers and incident responders may need to know who operated a range at a past date, but indefinite publication of former beneficiary details is harder to justify. Organizational role history can often provide accountability without exposing natural persons.

The test is practical: can a network operator reach the right function and understand the status without being invited to infer the private bargain? If yes, the public layer is doing its job.

The protected layer should establish control without becoming a commercial archive

The registry or an independent assurance provider may need more than the public sees. It must prevent an unauthorized director, operator or beneficiary from changing the holder or transferring the range. It may also have duties under applicable law. The protected layer should be sufficient for those purposes and no broader.

A control declaration can identify the registered vehicle, form of custodial arrangement, current trustee or custodian, persons or entities meeting the selected control tests, nature of control, effective date, verification source and next review. It should identify the actions for which the declaration matters: appointment of the holder's governing body, transfer approval, operator replacement, or another defined power.

The declaration should distinguish active control from passive benefit. A beneficiary entitled to distributions but unable to direct the trustee should not be presented as the person authorized to contact the registry. A protector able to replace the trustee may be a relevant controller even without a large economic share. A corporate investor may require look-through under applicable rules, but the scope should be explicit.

The registry need not retain every underlying document. The custodian or a qualified verifier can retain trust instruments, shareholder registers and resolutions and issue a scoped attestation. The registry can request source documents when a material change or dispute requires deeper review. This reduces concentration of sensitive files.

Where source documents are collected, each should have a stated evidentiary purpose, access group and retention rule. A trust deed may show appointment power; it should not be circulated to network staff who only need an abuse contact. A passport used to verify a controller should not become the routine credential for route changes.

The protected record should include change history and evidence provenance. It should show who submitted the declaration, who verified it, what sources were reviewed, what was not verified and when the conclusion expires. Unsupported self-certification can be labelled as such rather than silently elevated.

This layer creates accountable privacy. The information is available to those with a defined reason, yet it is not exposed merely because a prefix is publicly routed.

Control tests should reflect power, not a single global percentage

Company-law and anti-money-laundering regimes often use ownership or voting thresholds and additional control tests. The United Kingdom's people-with-significant-control regime, for example, describes several conditions and recognizes that control can arise through rights and arrangements, with protections for some personal information. FATF standards call for adequate, accurate and current beneficial-ownership information available to competent authorities. These frameworks are instructive, but they do not supply one universal IPv4 threshold.

Jurisdictions differ. Trusts separate roles differently from companies. A person with 20 per cent of economics may have no operational power; a general partner with a small economic stake may control the vehicle. Negative control through a veto can matter for a sale while remaining irrelevant to routine network use.

The control declaration should therefore use categories. Economic interest records entitlement to value. Voting control records ordinary or reserved decision power. Appointment control records the ability to select directors, trustees or operators. Instruction control records the ability to direct a transfer, ROA or other defined action. Other effective control captures arrangements that produce comparable power and require explanation.

Thresholds can be set by applicable law or the assurance policy for a stated purpose. They should not be represented as a legal standard outside that context. A registry interested only in unauthorized transfer risk may focus on persons able to bind or control the holder. A competent authority applying anti-money-laundering law may require a different look-through. An investor report may include broader economic interests.

The public response does not need the percentages. It can state that control was verified under a named standard and date. Authorized reviewers can see the category and supporting evidence. Where no person meets a threshold, the record should follow the applicable rule rather than invent a controller for neatness.

This approach avoids two errors: hiding decisive power because it falls below a percentage, and exposing passive beneficiaries who cannot affect the resource. Beneficial-control disclosure becomes an analysis of power tied to purpose, not a mechanical census.

Verification must link the person, the mechanism and the action

A beneficial-control declaration is only as reliable as its verification. A list of names supplied by the operator can create false confidence.

The verifier should first establish the legal organization and custodial form. Corporate registries, governing documents, trust or nominee agreements, resolutions and regulated-service records may contribute, depending on jurisdiction. No single source is sufficient in every case. Public company data can be stale or incomplete; private documents can be forged or superseded.

Second, the verifier links each claimed controller to a mechanism. Shares, voting agreements, appointment powers, protector rights, debt covenants and contractual instructions should be identified. The conclusion should state what action the mechanism controls. “Person X can appoint a majority of the custodian's directors” is stronger than “Person X is connected to the fund.”

Third, identity is verified proportionately. Natural-person identity may require reliable documents and independent checks under the applicable standard. Legal entities require formation, status and authority evidence. The verifier should minimize copies and protect high-risk personal data.

Fourth, time is attached. Control changes. A declaration should have an effective date, review date and event-driven update duty. A signed trust deed from five years ago may remain valid, but the trustee or protector may have changed. Verification that never expires becomes historical evidence presented as current truth.

Fifth, operational consistency is checked without treating it as proof. Do the holder's contacts respond? Does the appointed operator use the expected ASN or providers? Do current ROAs correspond to the mandate? Inconsistency can trigger inquiry; consistency does not prove beneficial control.

Finally, conflicts are recorded. The verifier may find competing documents or an unresolved legal question. It can state the limits and recommend a restricted action rather than choose a winner beyond its competence. Verification is credible when it identifies uncertainty, not when it converts every file into certainty.

Changes should be reported by event and confirmed by time

The value of a control record declines quickly if changes are not captured. Custodial arrangements can change through share transfers, trustee replacement, death, incapacity, fund restructuring, enforcement, merger, insolvency or amendment of governing documents. The registered legal name may remain unchanged throughout.

The declaration should define reportable events. A change in the person able to appoint the custodian's governing body is reportable. So is a change in transfer approval, replacement of the trustee, addition of a protector with decisive power, or transfer of a controlling interest. A passive beneficiary receiving a small distribution adjustment may not be relevant to registry authority unless applicable law says otherwise.

The reporting period should reflect risk and legal requirements. A pending transfer or operator replacement requires current information before action. Routine assurance may allow a reasonable update period. Emergency circumstances such as death or credential compromise need an interim contact and a bounded verification state.

The system should confirm continuity rather than delete history. The prior declaration receives an end date; the new declaration references the superseded state. If a change is disputed, the current public holder and operator contacts can remain while the protected record shows the contested control question and any restricted action.

Periodic confirmation catches silent staleness. The custodian should attest that the record remains current and verify contacts. High-risk or complex arrangements may require independent review. Low-change arrangements can use longer intervals with event-driven duties. The policy should report its actual review population rather than imply continuous real-time verification.

Failure to update should have proportionate consequences. A stale beneficial-control declaration may block a transfer or other high-risk change until corrected. It should not automatically erase operational contacts or invalidate safe routes. The consequence should connect to the uncertainty.

Time-aware records turn custody from a static name into a maintained relationship. They also make historical accountability possible without pretending yesterday's controller remains today's.

Privacy is not the enemy of transparency

Beneficial-control transparency is often presented as a choice between public access and secrecy. Official frameworks show a more complex picture.

FATF's revised Recommendation 24 emphasizes adequate, accurate and current beneficial-ownership information and timely access by competent authorities. That objective is not identical to universal Internet publication. Different mechanisms can provide authority access. The relevant national law determines implementation.

The Court of Justice of the European Union held in 2022 that indiscriminate general-public access to specified beneficial-ownership information under the challenged anti-money-laundering provision was a serious interference with privacy and data-protection rights and was not limited to what was strictly necessary or proportionate. The judgment did not abolish legitimate beneficial-ownership controls. It demonstrates why audience and purpose matter.

United Kingdom guidance on people with significant control publishes selected information while protecting home addresses and allowing protection in specified risk circumstances. Trust information is available in more limited circumstances, including defined legitimate-interest routes. These rules are jurisdiction-specific and continue to change; they are design evidence, not a global legal template.

Data minimization supplies the practical principle. Collect enough to fulfil the stated purpose, keep it relevant, limit it to what is necessary and review retention. A registry preventing unauthorized transfers needs authority evidence. It does not automatically need to publish a beneficiary's date of birth, home or portfolio.

Privacy also improves accuracy. People are more likely to disclose sensitive control information to a protected, governed service than to a public feed searchable by competitors and criminals. Over-publication can encourage nominees, stale information and avoidance. Protection should not become anonymity: authorized access, verification, logs and correction remain essential.

The right objective is accountable disclosure. The fact exists, the appropriate institution can verify it, access follows purpose, misuse is reviewable and the public receives the operational information it needs.

A contact relay can preserve reachability without exposing a beneficiary

Incident responders need a route to the party able to act. They rarely need the home address of a trust beneficiary.

A contact relay can receive a report, authenticate the sender where necessary, route it to the operator or custodian, preserve timestamps and confirm receipt. RFC 9537's replacement method explicitly contemplates replacing an email value with a contact URI. The standard is not specific to custodial IPv4, but it provides a machine-readable privacy tool.

The relay should be tested. A web form that sends mail to an abandoned inbox is not privacy protection; it is opacity. Service targets, escalation, spam controls, language support and emergency channels should be defined. The public should know what type of contact sits behind the relay: abuse, NOC, holder authority or protected control correction.

The relay must not leak the protected identity through headers, error messages or predictable identifiers. Staff access should be limited. Logs should record routing and response without retaining unnecessary report content indefinitely. The beneficiary should not receive raw abuse complaints unless the arrangement gives that person an operational role.

Authenticated users may receive more direct contact under policy. A transit provider handling a route leak may need a named incident commander. A registry reviewing a transfer needs the custodian's authorized officer. A competent authority may use a lawful channel for control data. Tiered access can preserve speed without treating every web visitor as equally entitled.

Performance should be measured with a stated denominator: number of relay messages, valid incidents, successful deliveries, response times and escalations among participating records. It should not be compared with the unknowable universe of custodial holdings.

The relay makes an important separation visible. Contactability is a service property. Public identity is a disclosure choice. One can be strong without making the other unlimited.

Routing evidence can test operation but cannot prove the trust

Observed BGP routes help identify the autonomous systems announcing a prefix. They can test whether the declared operator's network plan corresponds with reality and reveal unexpected origins. They cannot reveal a trust instrument, beneficial share or lawful instruction.

An origin ASN may belong to the operating beneficiary, a transit provider, managed host, DDoS mitigation service or affiliate. Anycast and migration can create several authorized origins. Route collectors have incomplete visibility. A mismatch between the registered holder and origin is therefore a question, not proof of concealed ownership or breach.

The protected control record can include an expected-origin context. It can name the operator and approved providers or state that more-specific customer routing is permitted. Monitoring can alert the custodian and operator when observations fall outside the envelope. The alert should be investigated before public accusation.

Routing history can become useful in a dispute. If a removed operator continues to originate the range, observations support the case for technical and legal action. If a claimant has never operated the network, its route absence does not disprove an economic interest. The evidence must be matched to the question.

The public response may link the holder and operator roles so incident responders do not infer that a different ASN means hijack. It should avoid publishing a full customer or beneficiary map. A high-level relation can improve interpretation while preserving commercial structure.

This bounded use of telemetry is part of trustworthy disclosure. Technical evidence verifies technical claims. Corporate and trust evidence verifies control claims. Neither is stretched to replace the other.

RPKI authority should be disclosed as a power of its own

A custodian may retain the registry relationship while an operator needs route-origin authorizations. In a hosted RPKI arrangement, account users associated with the holder can request ROAs through the regional service. In a delegated arrangement, certification capability may sit with a qualified operator or service. The key question is who can cause authorization to appear, change or disappear.

RFC 9582 defines a ROA as a signed authorization for an origin AS and prefixes. It does not identify beneficial owners. A valid entity cannot prove that a trustee followed the trust deed or that beneficiaries approved a sale. It proves a narrower authorization in the resource-certification system.

The custodial declaration should therefore include an RPKI control schedule. It names the service model, authorized requesters, permitted origins and prefix lengths, ordinary change target, emergency process, backup and termination sequence. Beneficiaries with no technical role should not receive signing or portal authority merely to symbolize their interest.

The power should be segregated from transfer authority. An operator can request a ROA within its mandate without being able to transfer the range. A trustee can approve replacement of the operator without personally signing every entity. A custodian can preserve a backup while requiring technical confirmation for changes.

Dispute policy must prevent RPKI from becoming leverage. A disagreement about distributions should not cause surprise deletion of the operator's valid authorization. A confirmed compromise or unauthorized origin may justify rapid action. At termination, authorization should end through a coordinated sequence with route withdrawal and replacement, not an indefinite grace period or abrupt outage.

Monitoring should be independent of the party that executes changes. The custodian and operator should receive alerts. Investors may receive aggregate assurance reports. If an unexpected entity appears, logs show who acted and under what mandate.

RPKI makes beneficial-control separation more credible because it identifies a concrete technical power that the public holder label alone cannot explain.

Abuse responsibility should follow operation while evidence follows time

Harmful traffic generates pressure to identify “the owner.” That phrase often mixes the holder, operator, customer and beneficiary. Incident response improves when the system asks who could control the relevant use at the relevant time.

The public abuse contact should reach the operator or a capable service. The custodian should monitor whether the contact remains valid and receive escalation if the operator fails. A passive beneficiary should not be exposed or blamed merely because it receives economic returns. A controlling person may matter to legal inquiry, but that is a separate protected path.

The operating agreement should allocate investigation, customer action, evidence preservation and notice. The custodian may have power to require correction or replace an operator after repeated failure. It should not inspect every customer's traffic without authority. The beneficiary should not dictate individual abuse outcomes unless its governance rights include such control.

Time-bounded role history matters. An address reputation problem can outlive the operator that caused or failed to address it. The record should preserve who held the operational mandate during the incident. It should not permanently attach every old allegation to the new operator without context.

Abuse reports also need due protection. A complaint is not proof. The system should distinguish receipt, validation, action and outcome. False or malicious reports should not trigger disclosure of protected beneficiaries. Serious lawful requests can be handled through competent channels with appropriate evidence.

Metrics should show contact success and response among the service's cases, not a global abuse-rate claim. A lower complaint count can mean improvement, under-reporting or changed use. The custodian's performance is better assessed through reachability, response, recurrence and documented correction.

The goal is not to insulate capital from responsibility. It is to direct operational problems to the actor able to fix them and preserve a lawful route to those who control that actor when escalation is justified.

A beneficial-control change is not automatically a resource transfer

The shares of a registered company can change while the legal entity remains the same. A trustee can be replaced while a trust continues. An investor can sell an economic interest without changing the operator. These events may alter beneficial control but are not necessarily the same as a registry transfer.

Conversely, a registry transfer can move holdership between organizations even if the same ultimate controller remains behind both. A corporate reorganization may combine changes in legal entity, control and operations. Each event should be classified rather than treated as one universal “ownership change.”

ARIN's policy distinguishes specified transfers, inter-RIR transfers and mergers, acquisitions or reorganizations, and requires evidence and a new RSA in defined circumstances. RIPE NCC procedures similarly require documents from the participating legal entities to change holdership. These rules concern recognized registry events. They do not publish the complete private capital history.

The custodial agreement should identify which beneficial-control changes require notice, review or consent. A change that gives a new person power to direct a transfer or replace the custodian may be material even if the holder name stays fixed. A small passive-interest trade may not affect the registry relation. Applicable law and agreement can set additional requirements.

Registry review should remain proportionate. It can verify that the existing organization remains valid and that authorized contacts and controllers are current. It should not silently convert every fund subscription into a resource transfer. If policy requires a transfer because the legal organization or qualifying use changed, the registry should identify that basis.

At closing, transaction documents should coordinate the two ledgers. Economic settlement, control change, operator change and registry recognition may happen at different times. Escrow or staged authority can prevent a buyer from paying for control it cannot exercise and prevent a seller from retaining credentials after its mandate ends.

Classification preserves accuracy. The beneficial-control record captures changes that the public holder field cannot. The transfer system captures changes in recognized holdership. Neither should impersonate the other.

Disputes need a visible caution and a protected case file

Custodial structures can produce distinctive disputes. A beneficiary may accuse the trustee of exceeding its powers. Two people may claim appointment as protector. A nominee may receive conflicting instructions. An operator may argue that termination was invalid. A creditor may claim control after default.

The public should not receive the pleadings. It may need a bounded caution if the dispute affects reliance on a role. The caution can say that authority for a specified change is under review, identify the action restricted and give a review date. Existing holder and operator contacts remain visible unless they are themselves unsafe.

The protected file contains claimant identity, asserted mechanism, source documents, responses, legal orders, verification notes and decisions. Access is limited to those deciding the issue or responding to lawful demand. The file should preserve contradictory evidence rather than overwrite the losing version.

Interim measures should follow the disputed power. A credible challenge to transfer authority can stop a transfer. A dispute about distributions can reserve funds. A compromised operator account can be suspended while another contact remains active. The whole registration should not be disabled by reflex.

The custodian cannot always decide the underlying law. The agreement should name mediation, arbitration, court or another forum. Registry staff can decide what evidence they require for their own services and whether an instruction matches current recognized authority. They should not claim that a database decision finally determines trust rights worldwide.

Time limits prevent strategic uncertainty. A claimant must supply evidence. The custodian or registry must review and explain continuation. Emergency holds expire. A party can seek independent relief. The record shows whether a restriction remains based on current evidence.

Correction should be additive. If the wrong controller or operator was displayed, the service corrects the current response and records the period of error for authorized audit. It does not erase the evidence that allowed the mistake to happen.

Insolvency and succession expose hidden control

Custody is often chosen for continuity, yet insolvency can reveal that continuity depended on one company or individual.

If the custodian becomes insolvent, an officeholder may control its records and contracts under applicable law. The beneficiaries need a clear route to appoint a successor, but private clauses may interact with insolvency restrictions and registry requirements. A backup custodian cannot simply take the account without recognized authority.

If a beneficiary or investor becomes insolvent, its economic interest may pass to an estate or creditor while the custodian and operator remain. The beneficial-control record should update if the event changes decisive power. It should not automatically expose the failing investor in public network data.

Death or incapacity presents similar issues in personal trusts and closely held companies. The arrangement should identify successor trustees, executors, protectors and interim authority. Personal credentials should not be the only access path. A role-based contact and independent record can keep the system reachable while legal succession is proved.

The custodian should maintain a continuity package: current governing documents, authority map, account inventory, service contacts, operator mandate, RPKI schedule, logs, fee calendar and protected control declaration. Copies should be secured and available to a lawful successor. The package needs periodic testing.

Registry policy should describe how it handles a failed custodian. It may preserve the current registration and technical services while reviewing successor evidence. It should avoid both instant transfer on an unverified claim and indefinite dependence on a defunct entity. A bounded status, documented requirements and review route provide discipline.

No technical design overrides court, insolvency or succession law. Better records make those systems less destructive by showing what the custodian held, for whom, under which powers and with which live dependencies.

Audits should test the separation, not reward document volume

A custodial arrangement can produce immaculate files and still fail if the operator is unreachable or the custodian follows instructions from the wrong person. Audit should test the control design in operation.

The auditor can sample changes and trace each from request through approval, execution and evidence. It can confirm that transfer authority did not leak into technical roles, that beneficiaries without instruction rights did not access the registry account, and that operator requests stayed within the mandate.

Contact tests should reach abuse, NOC, custodian and backup channels. RPKI and IRR records can be compared with the approved schedule. Account reviews should remove departed users and identify shared credentials. Beneficial-control declarations should be matched to current corporate or trust evidence under the stated standard.

Privacy controls deserve equal attention. Who accessed protected control data? Was the purpose recorded? Were exports retained? Were rejected requests audited? Were source documents deleted or archived according to policy? A disclosure service that verifies identity but cannot control access is incomplete.

Dispute exercises can test whether a narrow hold is technically possible. Can staff stop a transfer while preserving route maintenance? Can they replace an abuse contact without revealing beneficiaries? Can a neutral reviewer obtain the protected file? Tabletop claims should be followed by safe practical tests.

Audit reports should state scope, sample and unavailable evidence. They should not pronounce the entire custodial IPv4 market safe based on one provider. Aggregate findings can show the participating population and failure types without naming beneficiaries.

The strongest assurance is a demonstrated separation: the public can reach the operator, the registry can verify the holder, authorized reviewers can identify control, and no one role can silently exercise every power.

The registry should collect only what it can govern

A demand for beneficial information can expand rapidly. Once a registry learns that a custodian holds for others, it may ask for every investor, source of funds, side letter and trust provision. Collection can appear prudent while exceeding institutional competence.

The registry should begin with purpose. To maintain unique registration, it needs the recognized organization and range. To prevent unauthorized changes, it needs current binding authority and secure contacts. To support operations, it needs functional roles. To comply with applicable law, it needs the information that law requires. Each purpose should map to fields, access and retention.

If the registry cannot define how a beneficiary percentage affects a service decision, it should question why it collects the percentage. If it retains passports, it needs security, correction and deletion rules. If it exposes control data to staff, it needs training and audit. Sensitive information is not made safe by calling it due diligence.

The registry may rely on scoped attestations where direct retention is unnecessary. It can demand deeper source evidence for a transfer, material control change, sanctions question or dispute. This event-driven model concentrates scrutiny where authority is consequential.

It should also publish the limits of its conclusion. Verifying the person able to bind a custodian does not validate the trust, guarantee lawful source of funds, determine tax treatment or certify every beneficiary. Other competent bodies retain their mandates.

Refusal or uncertainty should produce proportionate service consequences and reasons. The registry may defer a high-risk change. It should preserve accurate public data and safe operations where possible. Missing private information should not be disguised by a false public owner label.

Institutional restraint is not leniency. It is the discipline of collecting facts that the institution can protect, interpret and use lawfully.

Number Resource Society can offer accountable privacy

Number Resource Society argues for operator rights, accurate registration, free enterprise and limits on concentrated registry power. Custodial holdings test whether those principles can support transparency without surveillance.

NRS could define a portable three-role attestation: registered holder, current operator and beneficial controller of the holding arrangement. Each role would have a scope, effective date, verifier, contact or protected reference, and explicit non-effects. The attestation would not declare universal property title or replace an RIR's transfer policy.

The public profile could expose the holder and operational contact, with a machine-readable signal that protected control verification is current. Authorized registries, auditors or lawful authorities could request the control statement under documented access rules. The underlying commercial documents could remain with qualified verifiers.

NRS could certify service properties rather than economic outcomes. Does the relay work? Is the custodian replaceable? Are instructions attributable? Are RPKI and transfer powers separated? Does a dispute restriction expire? Are access logs reviewable? These questions advance stability and member rights without approving investment returns.

An independent correction mechanism would be particularly valuable. Operators, custodians and protected controllers should be able to challenge inaccurate role statements. Reviewers should have no financial interest in the portfolio. Decisions and aggregate performance can be published without exposing private evidence.

The standard should be interoperable. Existing RIRs and independent services should be able to carry or reference it. NRS should not become the only vault for global beneficial data. Distributed retention and common proofs reduce both monopoly and breach risk.

Evidence limits must remain visible. NRS can report the number of participating holdings, verified changes, relay performance and disputes. It cannot infer the size of the undisclosed global market. Advocacy sources explain NRS's institutional intention, not proof that the proposed service already works at scale.

Accountable privacy is a positive rights architecture. It gives operators contact and continuity, beneficiaries protection from unnecessary exposure, and registries reliable authority evidence. It asks every requester to explain which truth it needs.

The ledger should disclose roles, not flatten them

A custodial IPv4 arrangement is not defective merely because the named holder benefits someone else. The arrangement may provide neutrality, continuity, pooled investment or professional administration. It becomes defective when the separation is hidden from every institution that needs to act, or when disclosure indiscriminately exposes people who cannot affect the network.

The answer is a layered ledger. The public sees the recognized holder, status and useful operational contacts. It can see an operator relation or reliable relay and understand its evidentiary status. The registry or assurance provider holds a current, scoped control declaration. Courts and competent authorities can obtain deeper evidence through lawful routes. Investors and beneficiaries receive the financial and fiduciary information their rights require.

The terms must remain precise. Registered holdership is not routing. Routing is not beneficial control. Beneficial control over a vehicle is not automatically ownership of the IPv4 addresses. A trustee, nominee, administrator, operator, beneficiary, protector and lender carry different powers. The record should use verbs, dates and sources rather than a single grand label.

Verification links identity to mechanism and action. Change rules keep the declaration current. RDAP roles and redaction make functional publication possible. Contact relays preserve reachability. Dispute notation protects the public record while a protected case file preserves evidence. Insolvency planning gives a lawful successor something coherent to inherit.

Privacy is part of accuracy because excessive exposure discourages truthful disclosure and creates harm unrelated to network coordination. Protection must remain accountable: authenticated access, audit, correction, proportional retention and review. Secrecy without verification is not privacy; publication without purpose is not transparency.

The denominator of custodial IPv4 arrangements remains unavailable. No global prevalence, abuse or failure rate should be invented. A pilot can count its own records and test its own controls. Honest evidence will accumulate only if the service earns participation.

The decisive question is not, “Who is the real owner?” It is more exact.

Who does the registry recognize? Who operates now? Who can make the custodian act? Who benefits but cannot instruct? What evidence supports each answer? Who may inspect it? What changes when the arrangement is disputed?

A ledger that answers those questions does not expose the whole bargain.

It exposes enough truth to keep the bargain from controlling the Internet in secret.

Sources