Summary

  • Internet governance records many acts of presence and speech, but it rarely records the mandate chain that would allow those acts to become authorisation.
  • A mandate ledger would identify the principal, representative, authority source, issue scope, duration, revocation route, evidence level, confidentiality boundary and portability of each claimed mandate.
  • Such a ledger would protect open contribution by keeping expertise, observation, organisational consent, member votes and public-interest evidence in separate columns instead of forcing them into one legitimacy story.
  • NRS and registry reform should build mandate records before claiming to represent operators or affected users; otherwise old conference and consultation metrics will keep masquerading as authority.

Internet governance records the wrong things very well

Internet governance is excellent at producing traces. There are meeting agendas, recordings, attendance lists, chat archives, mailing-list threads, public comments, draft histories, board minutes, election tallies and implementation reports. A researcher can often reconstruct who spoke, when a draft changed and which body adopted an outcome. That transparency is valuable.

The missing record is different. It asks who authorised the speaker, what the authorisation covered, how long it lasted, whether it could be revoked and whether the final outcome still fell within the original scope. Internet governance often treats those questions as informal background. They live in reputations, assumptions, email introductions, employer names, institutional memory and the confidence of chairs. They rarely live in a public mandate ledger.

This gap matters because open participation and authorisation are not the same. A person may attend a meeting to learn. Another may comment as an expert. A third may speak for an employer. A fourth may represent an association after member consultation. A fifth may cast a formal vote. A sixth may describe customer harm without any authority to negotiate. Each contribution can be legitimate, but each carries a different kind of weight.

Without a mandate ledger, these roles blur. The institution can later say that the community supported a decision, even if the record contains mostly individual expertise, uncertain affiliations and a few formal votes. Critics can also overstate mandates by claiming to speak for operators, users or countries without showing the chain. Everyone borrows the prestige of representation because the system never built a disciplined place to record it.

A mandate ledger would not end disagreement. It would make claims testable. When someone says they represent affected operators, the ledger would show which principals authorised that claim, for which issue, until which date and with what caveats. When the institution cites consultation, the ledger would show whether it heard expertise, attendance, organisational consent or formal authorisation. Authority would no longer be inferred from proximity.

Presence is not permission

The first rule of a mandate ledger is that presence is not permission. A meeting badge shows entry. A remote login shows access. A comment shows speech. A mailing-list subscription shows an open channel. None of those acts gives another institution permission to convert the person into a represented constituency.

This distinction is easy to forget because governance systems want visible breadth. A crowded session feels legitimate. A long comment thread feels deliberative. A global attendance map feels inclusive. Those feelings are not worthless; they show that doors opened and some people entered. But they do not answer whether any principal authorised a representative to bind them or whether affected groups accepted the result.

Permission requires a principal. In a registry context, the principal may be a legal member, resource-holding organisation, association, government office, customer group, operator coalition or individual acting only for themselves. The representative may be an employee, officer, counsel, consultant, volunteer, elected delegate or appointed proxy. The mandate must connect the two.

Permission also requires an act. Authority to attend is not authority to vote. Authority to discuss is not authority to endorse. Authority to support a draft is not authority to accept a later rewrite. Authority to represent a technical concern is not authority to waive a legal right. Scope matters because governance outcomes mutate as processes move.

Internet governance often tries to solve this socially. Chairs know the regulars. Staff know which companies are serious. Community members know who speaks for an association. That knowledge is useful but fragile. It excludes newcomers, creates dependency on insiders and fails when disputes become formal. A ledger turns social knowledge into reviewable evidence without eliminating trust.

The basic entry could be simple: principal, representative, issue, authorised acts, start date, expiry, evidence type, public or confidential status, revocation path and caveats. That is enough to prevent presence from being treated as permission by default.

Scope is where mandates usually break

Most mandate inflation occurs through scope drift. A person is authorised to join a discussion about one proposal. The proposal changes. A compromise introduces a fee, deadline, enforcement mechanism or election consequence. The person continues to attend. Later the institution cites the person's continued presence as support for the final package. The original mandate may no longer fit.

Scope drift is common because policy development is iterative. Drafts improve through engagement. Issues that seemed separate become linked. Legal advice arrives late. Operational exceptions appear. A board asks for broader language. A staff implementation note changes the practical effect. None of this is inherently wrong. But each material change should ask whether claimed mandates still cover the text.

A mandate ledger would include issue scope at a level that survives revision. For example: authority to comment on transfer-eligibility criteria, authority to negotiate implementation timeline, authority to vote on board election reform, authority to endorse an association position on routing-security obligations. If the final text expands beyond that scope, the ledger should mark the mandate as requiring renewal.

This protects both sides. Institutions should not rely on stale support. Representatives should not be accused of bad faith for refusing to endorse a changed package. Principals should not discover that a narrow comment became broad authorisation. Opponents should not be able to freeze a process by claiming every edit voids every mandate; materiality standards can define when renewal is needed.

Scope also matters for evidence from public-interest groups and customers. A consumer advocate may be qualified to describe customer harm but not to negotiate operator compliance detail. An operator may explain implementation cost but not speak for end users. A regulator may describe legal context but not private-sector consent. Each mandate or evidence role should occupy its lane.

The absence of scope records turns governance into rhetoric. Whoever writes the final summary chooses how far each contribution reaches. A ledger makes that reach explicit.

Expiry is accountability's forgotten field

Mandates should expire. This sounds obvious in electoral politics and contract law, but Internet governance often treats representation as persistent reputation. A person who once chaired a group, led an association, worked for an operator or signed a coalition statement may continue to be understood as carrying that constituency long after the formal basis has changed.

Expiry matters because institutions, employers and coalitions change. Staff leave companies. Associations elect new boards. Member positions evolve. Governments change policy. A coalition formed around one draft dissolves after compromise. A consultant changes clients. An individual moves from an operator to a vendor. Without expiry, old authority becomes ambient authority.

For ordinary expertise, expiry is less important. A person's knowledge can remain relevant. The ledger does not need to erase expertise when a job changes. But authority to represent a principal should have a date. It may be tied to a meeting, comment period, vote, proposal version, board term or delegation letter. It should not be indefinite by default.

Expiry also supports revocation. A principal should be able to withdraw or modify a mandate without depending on private relationships. If an association changes its position after member consultation, the ledger should show the new status. If a representative no longer speaks for an organisation, the record should stop implying otherwise. If a mandate remains confidential, the institution should at least record that it verified expiry under a reviewable process.

This is essential for portable governance. A position developed in one forum often travels to another: a registry policy debate informs an ICANN discussion, an association statement appears in a board paper, a coalition letter becomes evidence for NRS, a workshop consensus is cited in a national consultation. Without expiry, old evidence travels forever.

The simplest rule is severe but fair: no authority claim should be used after its expiry unless renewed. If expiry is unknown, the claim should be treated as historical evidence, not current mandate.

Confidentiality is not an excuse for unverifiable authority

Some mandates cannot be fully public. Operators may fear commercial retaliation. Small networks may depend on dominant providers. Security-sensitive infrastructure may not want to disclose internal arrangements. Government offices may have clearance limits. Associations may protect member identities. A mandate ledger must account for confidentiality.

Confidentiality should narrow disclosure, not eliminate verification. The ledger can publish categories while retaining evidence under independent review. It can say that an authorised representative for a set of small access providers submitted a confidential position, that the scope was transfer eligibility and that the mandate expires after the current draft. It need not name every provider if doing so would create harm.

Independent verification becomes important here. A trusted secretariat, ombudsperson, election officer, auditor or review panel can confirm that a mandate exists without publishing sensitive details. The verification method should be public. The public record can identify evidence level: self-declared, staff-verified, independently verified, formally voted, legally documented or confidentially verified.

This prevents two abuses. The first is institutional dismissal: refusing to count protected evidence because it cannot be fully public. The second is unsupported assertion: claiming secret backing without any trusted verification. Both are damaging. A ledger gives confidential mandates a legitimate path while protecting the public from invented constituencies.

Confidentiality also requires scope discipline. A protected statement from small operators on one clause should not be cited as broad support for a governance package. Because the public cannot inspect the details, the ledger must be especially careful about what the evidence supports.

The Internet's operational communities have real reasons for discretion. A mandate ledger should make discretion compatible with accountability. It should not force a false choice between exposure and invisibility.

Votes are mandates only within the voting rule

Formal votes are clearer than meeting participation, but they still have scope. A member vote authorises a result under a defined rule. It does not automatically prove that all affected operators, customers or countries endorsed the policy. It does not prove that non-voting dependencies were represented. It does not prove that voters understood late changes unless the process gave them fair notice.

This distinction matters for board elections and registry governance. A board may be elected validly by the legal electorate. That is a strong mandate for occupying the seat. It is not a mandate to claim support from every network in the service region. A membership vote may approve a governance reform. That is authority under the bylaws. It may still leave public-interest concerns unresolved.

A mandate ledger would tie every vote to its rule: eligible electorate, record date, voting power, turnout, proxies, abstentions where available, challenged ballots, scope of resolution and legal consequence. It would also mark what the vote does not cover. For example, it may not include indirect customers, non-member resource users, excluded legacy holders or operators served through national registries.

This does not weaken votes. It strengthens them by preventing overclaim. A valid member vote is more defensible when it is described accurately. The institution can say: members authorised this decision under the published rule, and separate consultation evidence addressed operational impacts. Or it can say: member authority is strong, but user dependency evidence is limited. Both statements are better than a vague community mandate.

Votes also need expiry in a practical sense. A vote authorises a decision at a time. It may not authorise future interpretations, implementation expansions or unrelated reforms. If staff later use the vote to justify a broader practice, the ledger should show whether the original resolution allowed it.

The core lesson is that voting solves one mandate question, not all mandate questions. A ledger keeps the solved question from swallowing the rest.

Consensus needs an objection ledger beside the mandate ledger

Consensus-based systems require a different but related record. They do not always have formal principals in the same way voting systems do. They rely on open discussion, technical reasoning, chair judgment and objection treatment. A mandate ledger should not force consensus into a voting model. It should sit beside an objection ledger.

The objection ledger records material concerns, who raised them by role category, what evidence supported them, how the draft responded and whether the concern remains. RFC 7282's practical warning is that consensus is not a headcount and not the disappearance of tired objectors. The ledger operationalises that warning.

The mandate ledger records authority claims. If someone says an operator coalition supports a text, the mandate ledger shows the basis. If someone raises a technical objection without claiming a constituency, the objection ledger preserves the concern. If an association speaks for members and raises an objection, both ledgers may apply.

Keeping the ledgers separate prevents category errors. A brilliant technical objection should not be ignored because the objector lacks a formal mandate. A broad mandate should not automatically defeat a valid technical concern. A customer-impact warning should not be turned into operator authorisation. Each record has its function.

Decision-makers need both. A board or chair should see who is authorised, what evidence exists and which objections remain unresolved. It can then proceed with a clear statement: consensus exists, consensus is rough but objections are addressed, authority is formal but dissent remains, or the record is too thin for the claim being made.

Internet governance often collapses these findings into one phrase: community support. The ledgers would make that phrase unnecessary or at least precise.

Portability is where old claims become dangerous

Governance evidence travels. A statement made in a regional meeting appears in a global policy paper. A consensus call is cited in a board resolution. A board resolution is cited in a national consultation. A national consultation is cited by an industry association. Each movement can stretch the original claim.

Portability is useful when evidence is well labelled. An operator association's position on transfer safeguards can inform another forum considering similar rules. A registry's objection ledger can help NRS understand unresolved concerns. A formal member vote can demonstrate legal authority. But portability is dangerous when the evidence loses principal, scope and expiry.

A mandate ledger should therefore include a portability field. Can this mandate be cited only in the originating process? Can it be cited in related forums? Must the principal approve reuse? Does the mandate expire if the text changes materially? Is the statement public, confidential or summary-only? These questions prevent forum-shopping.

Without portability controls, institutions can launder weak authority. A workshop summary becomes community agreement. Community agreement becomes regional position. Regional position becomes global mandate. By the time the claim returns to affected operators, it has acquired institutional weight far beyond its origin.

Portability also affects media and public communication. A press release may simplify process language. A journalist may describe a technical consensus as industry support. A policymaker may cite the article as evidence. The ledger cannot control every reuse, but it can give careful readers and decision-makers a stable reference.

For NRS, portability should be central. If NRS claims to carry operator authority across forums, it must show how mandates travel. Otherwise it risks becoming another venue where attendance and affiliation are converted into broad representation without proof.

A ledger can be lightweight and still useful

The mandate ledger need not be an elaborate platform at first. A structured table attached to major decisions would improve current practice. The columns could be: claim, principal type, representative, authority evidence, scope, version, start date, expiry, confidentiality level, revocation route, portability, related objection and status.

Entries could use categories rather than personal data where public detail is unnecessary. For example: "Regional ISP association; board-approved position; scope limited to transfer-review timeline; expires when proposal version changes materially; public statement linked." Or: "Confidential small-operator coalition; independently verified; scope limited to abuse-contact implementation burden; no public signatory list; expires after final call."

The ledger should distinguish self-declared affiliation from verified authority. Self-declaration is not worthless; it is often the only feasible input in open forums. But the record should not treat it as equal to a formal vote or delegated mandate. Evidence levels allow readers to weigh claims without excluding informal contribution.

Maintenance can be proportional. Major governance reforms, board elections, transfer rules, RPKI trust changes and accountability policies deserve detailed records. Routine editorial policy updates may need little. The threshold should depend on the power of the decision and the breadth of the legitimacy claim.

The ledger should be machine-readable enough for comparison but human-readable enough for public oversight. It should link to minutes, comments, statements, vote reports and decision papers. It should record unresolved uncertainty rather than hide it. If the institution does not know the mandate behind a claim, the entry should say unknown.

This is not a request for perfect data. It is a request that governance stop pretending not to need the data at all.

The ledger protects individual contributors

Some people may fear that a mandate ledger would reduce open participation by demanding credentials. It should do the opposite. By separating expertise from representation, it protects the individual contributor's right to speak without being turned into someone else's mandate.

A researcher can contribute evidence as a researcher. A network engineer can describe operational risk without binding an employer. A student can ask a question without representing a country. A civil-society advocate can raise user concerns without pretending to speak for all users. The ledger lets the record say exactly that.

This matters because institutions sometimes exploit ambiguity. A diverse set of individual comments can be cited as stakeholder support. A personal technical contribution can be attributed to the contributor's employer. A newcomer from an underrepresented region can be treated as regional endorsement. These conversions may flatter the process but they disrespect the people involved.

The ledger also protects formal representatives. If an employee has authority only for a specific issue, the record shows the limit. If an association position was divided, the caveat travels with it. If a government observer did not endorse the final text, the ledger prevents accidental attribution. People are less likely to participate when they fear being misquoted as principals.

Open forums thrive when roles are clear. Credentials should be required only for authority claims, not for speech. Anyone can contribute; not every contribution is authorisation. That principle lowers the stakes of entry and raises the quality of mandate claims.

In this sense, the ledger is democratic in the practical Internet-governance meaning of the term. It widens speech while narrowing unsupported power.

The ledger would improve board accountability

Boards often receive compressed summaries. Staff papers say that consultation occurred, comments were reviewed and the community broadly supported an outcome. Board members may not have time to read months of archive material. They rely on the summary's integrity. A mandate ledger would give them a better oversight instrument.

Before approving a major decision, a board could ask: Which authority claims support this? Which are verified? Which principals are absent? Which objections remain? Which claims expired before the final text? Which confidential mandates were independently checked? Which affected operator categories were notified but silent? Which customer dependencies were inferred rather than evidenced?

These questions do not require board members to micromanage policy. They require boards to distinguish legitimacy evidence from process volume. A long consultation with weak mandate evidence should not be treated the same as a shorter process with clear principals and answered objections. A popular meeting should not outweigh a documented formal electorate where the issue requires legal authority.

The ledger also helps after disputes. If a decision is challenged, the board can show what it relied on. If the record was thin, the institution can learn. If a representative overstated authority, the error can be corrected. If staff overgeneralised a consultation, the summary practice can improve.

This is especially relevant for registry crises and election disputes. When trust is low, informal assurance is not enough. A ledger gives auditors, members and communities a shared record. It does not end politics, but it reduces the space for invented mandates.

Boards should welcome this because it protects them from governing on vibes. Authority becomes inspectable before it becomes a headline.

NRS can build the missing layer first

Number Resource Society does not need to inherit every habit of older institutions. If it is meant to return operator authority and accountability to the centre of number governance, it should build mandate records before it builds slogans. The old model already has meetings, panels, mailing lists and attendance charts. The missing layer is verifiable authority.

An NRS mandate system could be simple at first. Operators and other principals define representatives, scope, expiry and portability. Public-interest groups define evidence roles and boundaries. Associations disclose their constituency and approval route. Confidential mandates receive independent verification. Positions published by NRS include a denominator card showing principals, operational exposure, unresolved objections and expiry.

The design should avoid making only large operators comfortable. Small networks need low-cost delegation tools. Associations need a way to carry member positions without exposing sensitive details. User and customer evidence needs a proper category. Revocation should be easy. Renewal should be explicit. Mandates should not be locked into one platform if principals choose exit.

This would let NRS claim less at first and more credibly over time. It could say: these operators authorised this narrow position through this date; these customer dependencies were considered; these objections remain; this position may be reused in these forums. That sentence is stronger than a broad claim that the operator community supports an agenda.

If NRS skips the ledger, it will be tempted by the same shortcuts: attendance, endorsements, country counts, familiar experts and vague community language. The institution would look new while repeating the old failure. A mandate ledger is the difference between a forum that gathers opinion and a system that carries authorisation.

The missing ledger is why arguments repeat

Many Internet governance arguments recur because the mandate record is unstable. One side says the community agreed years ago. Another says the affected operators were never properly consulted. A third says the issue was settled in a working group. A fourth says the working group lacked authority. Everyone may be partly right because each refers to a different evidence type.

A ledger would not stop disagreement, but it would stop some arguments from restarting at zero. It would show that a past meeting produced discussion, not authorisation. Or that a member vote authorised a specific action but not a later expansion. Or that an association position expired when the text changed. Or that an objection was unresolved and carried into implementation review.

This memory is valuable for newcomers. Instead of being told to read years of archives, they could see the status of each mandate and objection. They could contribute where the record is open rather than relitigating settled facts. Experienced actors would lose the ability to win by selective memory.

The ledger would also support translation and accessibility. A structured record can be translated more reliably than scattered mailing-list threads. It can show affected groups what authority is being claimed in their name. It can invite correction before the claim hardens.

Institutional memory should not belong only to those who were there. If governance decisions affect durable infrastructure, the evidence of authority should be durable too.

The Internet never built this layer because early communities relied on trust, technical reputation and relatively small circles. Scale has changed the cost of that omission. The mandate ledger is no longer a luxury; it is a basic accountability tool.

Authority should be narrower than legitimacy rhetoric

The mandate ledger would force Internet governance to write narrower sentences. That may be uncomfortable. Instead of "the community supports," the record might say "authorised representatives of several resource-holding organisations support," or "the open consultation produced no unresolved technical objection from active contributors," or "customer dependency evidence remains limited." These sentences are less dramatic. They are also more honest.

Narrower authority does not mean weaker governance. It means decisions rest on evidence that can bear the weight. If the evidence is formal, say formal. If it is expert, say expert. If it is public-interest concern, say concern. If it is attendance, say attendance. If it is unknown, say unknown. The public can handle specificity. What corrodes trust is broad language that collapses every role into one word.

Registry governance, board elections and NRS design all face the same choice. They can keep using open participation as a flexible legitimacy reservoir, drawing from it whenever a mandate is needed. Or they can build records that distinguish speech from authority, access from consent and geography from representation.

The second path is harder because it limits rhetoric. It is also more durable. A decision made with a clear mandate can survive criticism. A decision made with clear unresolved objections can be reviewed intelligently. A decision made with inflated community language will be challenged whenever the affected principals discover they were counted without permission.

The mandate ledger Internet governance never built is not a database for its own sake. It is a promise that participation will no longer be converted into authorisation by implication. That promise is overdue.

A ledger would make claims easier to correct

Governance systems need correction paths. A representative may be listed under the wrong organisation. A mandate may be overstated. A coalition may lose members. A draft may change beyond the original scope. An institution may cite a support statement after expiry. Without a ledger, these errors become hard to locate and harder to repair because they are scattered through minutes, slides and public summaries.

A mandate ledger gives corrections a home. The principal can request correction. The institution can mark the old claim as superseded. A public note can explain whether the correction changes the decision record. If the mistake was material, the board or chair can decide whether further review is needed. The correction does not need to become a scandal; it becomes maintenance.

This matters because Internet governance often relies on cumulative legitimacy. A claim made once is repeated in later documents. If the first claim was wrong, the error multiplies. A ledger can mark derivative uses and notify later processes that relied on the evidence. That is far more efficient than asking every reader to discover the error independently.

Correction also encourages participation. Operators and associations may be more willing to provide mandates if they know they can amend them. Individuals may be less worried about being misattributed. Confidential actors may trust the process if verification records can be updated without public exposure. A rigid archive discourages cautious principals; a ledger with correction rights invites them.

The correction function reinforces the larger point. Authority is not a timeless aura attached to a familiar name. It is a current, scoped and maintainable record. If it cannot be corrected, it should not be used to authorise durable decisions.

The ledger would expose when no mandate exists

One of the most useful entries in a mandate ledger would be empty. For some claims, the ledger would show that no mandate exists. The process may have attendance, expertise, public comments and informal support, but no principal authorised a representative to bind an organisation or operator group. That finding is not failure. It is clarity.

Many governance outcomes do not require formal mandate from every affected actor. A technical discussion can produce useful guidance. A public consultation can inform a board. An open meeting can surface risks. The problem is not acting without universal mandate; the problem is claiming mandate when the evidence is something else.

An explicit "no mandate claimed" status would improve public writing. Staff could say that the document reflects expert consultation and open comments, not authorisation from affected operators. A chair could say that consensus was assessed as technical rough consensus, not member approval. NRS could say that it is gathering operator evidence and has not yet made an authority claim. These statements are credible because they resist inflation.

The empty ledger also highlights where a mandate is necessary. If a decision changes legal obligations, election rules or resource rights, the absence of mandate may be a serious gap. If a decision is exploratory or advisory, it may be acceptable. The same evidence can be sufficient or limited public evidence depending on the power exercised.

By exposing absence, the ledger would teach institutions to match process to consequence. It would make overclaim visible before it hardens into public legitimacy language.

The public should see the chain, not just the conclusion

Public trust improves when people can follow the chain from evidence to conclusion. Today, many governance summaries give the conclusion first: broad support, community consensus, extensive engagement, successful consultation. The reader must trust that the chain exists. A mandate ledger would reverse the burden. The chain would be visible enough to inspect.

For a major registry decision, the reader could see that formal member authority came from a vote, operator evidence came from scoped mandates, expert concerns came from an objection ledger, customer dependency evidence came from specified sources and unresolved gaps were acknowledged. The conclusion would then be a judgment about that record, not a substitute for it.

This is especially important where public and member interests diverge. A member-approved decision may still create downstream user risk. A public-interest recommendation may lack operator implementation support. A regulator's position may conflict with resource-holder evidence. Showing the chain lets readers understand the tradeoff instead of fighting over the word community.

The chain also disciplines journalism, advocacy and institutional memory. People can cite the ledger rather than turning a nuanced process into a slogan. If they overstate it, others can point to the record. That is how transparent governance should work: not by eliminating interpretation, but by making interpretation answerable to evidence.

Internet governance has always asked the public to trust process. A mandate ledger would let the public verify more of the process before trust is requested.

The first version can start with high-risk claims

Institutions do not need to ledger every conversation on day one. The first version can target high-risk claims: board-election endorsements, resource-rights changes, transfer-policy mandates, routing-security obligations, accountability reforms and statements that claim operator or public support. These are the places where unsupported authority does the most damage.

Starting with high-risk claims makes adoption easier. Staff do not need to redesign every meeting. Contributors do not need credentials for ordinary speech. The ledger appears only when someone asks the institution to rely on authority, not merely listen to input. Over time, the same structure can expand to other decisions if it proves useful.

This phased approach also tests the method. Which fields are essential? Which confidentiality rules work? Which evidence levels confuse readers? Which correction paths are used? A mandate ledger should be governed like any other accountability tool: start where risk is highest, publish the method, review performance and improve.