Summary
- A registry that alleges a policy or contractual breach should bear both the initial duty to produce evidence and the ultimate burden of establishing each disputed element before imposing a high-impact sanction.
- A member may properly be required to authenticate records within its control or establish a genuine affirmative defence, but only after the registry has made a specific, evidence-backed case; silence or incomplete rebuttal cannot create the missing violation.
- The standard of assurance should rise with the consequence, especially where account closure, deregistration, reverse-DNS changes or RPKI certificate revocation could affect customers and networks that were not accused of anything.
- Public RIR documents are useful evidence of stated powers and notice periods, not proof that a violation occurred in any individual case or that the published procedure was followed fairly.
- Number Resource Society should make burden allocation, evidence disclosure, reasoned decisions, continuity analysis and independent review measurable features of registry governance.
The sentence arrives before the case
An operator receives an email from its Regional Internet Registry. The message says that the operator has violated policy, must correct the violation within a short period and may lose registry services if it cannot show that there is no basis for further action. It identifies a broad policy family but not the operative clause. It refers to concerns in the registry's possession but discloses neither the original material nor a chronology. The operator is invited to respond.
That invitation looks like due process because the accused party can write back. In substance, however, the decisive step may already have occurred. The registry has converted a suspicion into a presumptive breach and assigned the holder the task of disproving it. If the holder cannot identify what event, representation, allocation, transfer or record is in dispute, its right to answer is largely theatrical. It is being asked to establish a negative against an allegation whose boundaries remain controlled by the accuser.
The institutional error is not merely discourtesy. It determines who bears uncertainty. If the registry must prove its allegation, an evidentiary gap prevents punishment. If the member must prove innocence, the same gap becomes a reason to punish. The choice is especially consequential in number-resource administration because the registry controls services on which third parties may depend: registration records, reverse delegation, route-authorisation certificates, transfer recognition and access to account functions.
An uncertain finding can therefore escape the bilateral dispute and alter the operating conditions of networks that were never heard.
No registry needs courtroom ceremony for every correction request. It does need a disciplined answer to a basic question: before a severe administrative measure is taken, who must establish the facts that justify it? The defensible answer is the institution proposing the measure. A holder can have duties of cooperation, candour and record production. Those duties do not relieve the institution of proving the violation it alleges.
Burden of proof is an allocation of institutional risk
The phrase sounds legalistic, but the underlying idea is practical. A burden of proof tells a decision-maker what to do when evidence remains incomplete or evenly balanced. It allocates the risk of error. In ordinary compliance administration, that risk should initially sit with the party asserting that a rule was broken and seeking to change another party's position because of it.
This allocation follows control as well as fairness. The registry chooses the charge, knows the policy it intends to apply, holds its own correspondence and audit notes, and controls the proposed sanction. It can specify the factual elements needed for a finding. The member controls different material: internal allocation records, corporate authority documents, customer assignments and communications. Requiring the member to produce relevant records may be sensible. Requiring it to invent the institution's case is not.
Two burdens should be distinguished. The burden of production is the duty to put forward enough evidence to make an allegation answerable. The burden of persuasion is the duty to establish that the allegation is more likely correct than not, or to whatever higher level the consequence requires. The registry should carry both for the elements of a violation. Once it produces a coherent case, the holder may bear a practical obligation to answer facts particularly within its knowledge. But if the answer is weak, the decision-maker must still ask whether the registry's evidence proves the charge.
A failed rebuttal does not turn an unsupported assertion into a fact.
This is not a demand that registries tolerate deception. It is a demand that they identify it. If an application contained a forged document, the institution should show which document, why it is inauthentic, who submitted it, which rule made authenticity material and how the conclusion was reached. The burden disciplines enforcement by making the path from evidence to consequence visible.
The registry's narrow purpose makes precision possible
RFC 7020 describes registration accuracy as a core requirement of the Internet Numbers Registry System. The registry should maintain unique allocations and accurate information about them. The same document notes that whether addresses are announced, and how they are advertised in routing, falls outside the registry system's scope. That boundary is useful. It means a registry need not decide every dispute associated with an address in order to enforce the obligations that genuinely belong to registration.
A defined mandate makes a defined charge possible. The institution can allege that registration data is materially inaccurate, that an authorised contact cannot be verified, that a transfer representation was false, that a member failed a contractual payment duty, or that a resource request relied on fabricated evidence. Each allegation has elements that can be stated and tested. A vague accusation such as “policy non-compliance” has no equivalent discipline. It can absorb concerns about conduct, routing, business structure and staff responsiveness without saying which fact triggers which authority.
ICP-2, accepted in 2001 as criteria for recognising new RIRs, offers a broader governance frame. It calls for open and transparent policy development, impartial treatment, public documentation and records sufficient to make registry operations auditable. It does not create a global code for individual enforcement cases. Yet its institutional logic is hard to reconcile with unparticularised sanctions. Equal treatment cannot be demonstrated if the operative test is unstated. Auditability cannot exist if the record shows only a conclusion and the member's failure to disprove it.
These documents should be read with restraint. RFC 7020 is informational, and ICP-2 addresses recognition criteria rather than adjudicating a particular member dispute. Neither proves that a given registry has acted fairly. Together they show why accuracy, scope, impartiality and auditable records are native to number governance rather than foreign legal ornaments. A compliance function faithful to those principles should be able to say exactly what it claims happened.
A charge needs elements, not atmosphere
High-impact action should begin with a charge schedule written in ordinary language. It should identify the policy or contractual provision, the version in force at the relevant time, the conduct said to satisfy it, the evidence for each material fact and the consequence under consideration. This is not excessive formality. It prevents a case from changing shape whenever the holder answers.
Consider an allegation that a member supplied false information. The institution must distinguish falsity from error, and material error from an immaterial discrepancy. It should identify the representation, its date, its maker, why it was inaccurate and whether the applicable rule requires knowledge, recklessness or merely objective incorrectness. If the sanction depends on repeated conduct, the institution must prove repetition rather than restate one event several ways. If the issue is failure to cooperate with an audit, it should identify the requests, their authority, delivery, deadlines, relevance and the response actually received.
The same method applies to registration accuracy. The registry must say which record is inaccurate, what the accurate position is, why the difference matters and what correction would cure it. A database entry that no longer matches reality may warrant prompt amendment without implying dishonesty. Conflating correction with culpability tempts administrators to use the ease of proving an outdated field as a substitute for proving a more serious accusation.
An allegation should also be closed under reply. Once the member answers, the registry may amend the charge if new evidence genuinely requires it, but it should provide fresh notice and time. It should not retreat from a disproved allegation into a broader claim that the response itself “raised concerns”. Moving charges make rebuttal endless. The member can never establish the absence of wrongdoing because each answer generates a new, less specific demand.
An elements-based charge protects the registry too. Staff can tell whether the file is complete, reviewers can identify the actual dispute, and comparable cases can be treated comparably. Precision converts enforcement from a test of institutional confidence into a test of evidence.
Proving a negative is often an impossible assignment
“Show that no violation occurred” appears balanced because the holder knows its own affairs. The wording conceals several different impossibilities. A member cannot disprove conduct that has not been dated. It cannot prove the non-existence of a communication across every mailbox and staff account. It cannot show that no employee ever made an unspecified representation. It cannot authenticate an unknown copy held by the registry. Nor can it rebut a source whose reliability and actual claim have not been disclosed.
Negative propositions can sometimes be proved. A complete ledger may show no transfer on a stated date; access logs may show that a named account did not act; corporate records may establish that a supposed officer lacked authority. But those answers depend on a bounded proposition. The institution must first define the event, period, actor and rule. Without boundaries, the request expands to every possible fact and becomes a test of endurance rather than truth.
The asymmetry is aggravated by time. RIR relationships can span decades, corporate reorganisations and inherited address holdings. The registry may challenge a representation made under an earlier policy by staff who have left, through systems that no longer exist. A holder may have lawful retention limits. If the registry treats missing old records as proof of violation without showing what retention duty applied, it converts historical uncertainty into present guilt.
A fair inference rule is narrower. Where the registry establishes that a relevant record should exist under a known duty, that the member controls it, that a specific and reasonable request was delivered, and that no adequate explanation was given, the decision-maker may draw an adverse inference. The inference concerns the fact the record would illuminate. It does not prove unrelated misconduct, and it cannot repair a failure to identify the original charge. Institutional proof comes first; evidentiary cooperation follows.
Official procedure can disclose a burden inversion
The current RIPE NCC document on closure and deregistration, RIPE-858, illustrates why wording matters. It sets out grounds, notifications and time periods for closure and resource deregistration. In parts dealing with objections to imminent deregistration, it says a responding member may submit evidence that there is no reason for deregistration or request arbitration. The document also describes consequential measures, including changes to registry records, reverse delegation and RPKI certificates in specified circumstances.
The existence of notice, time and arbitration is important. It is not the end of the analysis. A procedure that invites the member to prove there is no reason for deregistration can place the decisive uncertainty on the respondent unless another part of the case requires the RIPE NCC first to establish sufficient grounds. The concern is structural, not an allegation about any unexamined case. Public wording tells readers what the formal route permits; it does not reveal how staff actually assemble evidence, whether arbiters interpret the burden differently or whether a particular member received fuller disclosure.
ARIN's Registration Services Agreement offers a different contractual example. Version 14.0 lists circumstances for suspension or termination, uses written-notice and cure provisions for some breaches, and allows a holder to dispute a termination or suspension through the specified dispute mechanism. The agreement shows that registry consequences can be attached to enumerated obligations and review rights. It does not, by itself, reveal the evidentiary standard applied by staff or prove that an alleged breach occurred.
Official RIR material therefore has two evidentiary uses and one sharp limit. It can establish the text of stated powers and procedures. It can expose where burden allocation is clear, ambiguous or inverted. It cannot be treated as independent confirmation of the institution's factual claims about a member. The institution authored the procedure and the accusation; publication does not turn either into proof.
Administrative law supplies an analogy, not a borrowed jurisdiction
RIRs differ in legal form and jurisdiction. Many are private, not-for-profit membership organisations operating through contracts, corporate law and community-developed policy. It would be careless to declare that every rule governing a public agency automatically binds every registry. The stronger argument is functional: when an institution investigates, finds a breach and imposes a serious consequence, mature systems place the burden on the proponent of that consequence for good reasons.
Section 556 of the United States Administrative Procedure Act is a useful, bounded example. In the formal hearings to which it applies, the proponent bears the burden, irrelevant or repetitive material may be excluded, and sanctions must rest on the evidentiary record. Its legal reach is limited to the proceedings defined by the statute. The provision does not govern RIRs merely because it expresses a sensible rule.
Its design lesson is nonetheless powerful. A body should not use its control over the forum to make the other side carry every uncertainty. The proponent is best placed to define the order sought and prove the facts supporting it. The record, rather than administrative conviction, should support the sanction. These principles also make review possible: a reviewer can ask whether the proponent met the burden instead of trying to decide whether the accused party eliminated every conceivable doubt.
Contractual institutions need this discipline precisely because public-law safeguards may not apply in full. A member may have fewer disclosure rights, less affordable review and no practical alternative provider for regional registry functions. The absence of a statutory command is not a licence for weak proof. It increases the need for explicit internal rules that members can inspect before a dispute arises.
The proper approach is not to imitate a courtroom. It is to adopt the parts of evidentiary reasoning that solve the registry's own problem: defined allegations, a proponent's burden, reliable material, reasons, proportional consequences and independent review.
Evidence quality begins with provenance and chronology
A persuasive compliance file should allow a reviewer to reconstruct the material event without trusting the investigator's summary. Every item needs provenance: who created it, when it was obtained, whether it is original or derived, how it was preserved and what proposition it supports. A chronology should separate the alleged conduct from later investigation and correspondence.
Registry systems generate strong first-party evidence for some questions. Account logs can show which authenticated user submitted a request. Ticket histories can show what the institution asked and when. Versioned registration records can show how an entry changed. Payment records can establish invoicing and receipt. Cryptographic validation and document metadata may help identify alteration. None is infallible, but each is more useful than an investigator's assertion that “the record indicates” a breach.
Third-party material requires additional care. A corporate registry extract may establish legal status on a date, but not beneficial control. An anonymous complaint may identify a lead without establishing its truth. Routing observations may show an announcement, but not who authorised it or whether the registry contract prohibits it. A court order may bind specified parties and determine stated issues; a news report about the litigation does neither. Evidence should be admitted for the proposition it can actually support.
Contradictory material belongs in the record. If two versions of a document exist, the institution should preserve both and explain why one is preferred. If its own earlier correspondence accepted a representation now called false, that history is material. An investigator should not construct a clean narrative by deleting uncertainty. The decision-maker's task is to evaluate it.
Good provenance also reduces disclosure disputes. The registry can provide an index, originals where lawful, and reasons for any redaction. The holder can challenge authenticity or context specifically. The resulting exchange is shorter than a series of broad demands because both sides know which fact each item is meant to prove.
Silence is not a universal admission
Registry procedures understandably rely on response deadlines. Accurate contact information is central to administration, and an institution cannot wait indefinitely. Yet silence can prove only so much. It may establish that no answer arrived through a specified channel by a specified time. It does not automatically prove that the underlying accusation is true.
Delivery must first be established. A message sent to an outdated contact may reveal a registration defect, but not deliberate refusal. An automated receipt may show that a server accepted mail, not that an authorised officer saw it. Cross-border holidays, language, illness, spam filtering and corporate transitions can affect response without resolving the merits. The institution should use multiple registered channels before attaching severe meaning to silence, especially where it already has reason to doubt the primary address.
Even deliberate non-response has a limited evidentiary role. A member that ignores a clear, authorised request may violate a cooperation duty. The registry can prove that separate violation by showing the request, authority, delivery, reasonable deadline and absence of response. It should not use the cooperation breach to deem every substantive allegation admitted. Otherwise a missed email about one uncertain claim becomes proof of fraud, false registration and unauthorised use all at once.
Default decisions may be necessary. They should still contain a prima facie case. Before acting, a decision-maker should verify that the allegation is within mandate, the charge was properly notified and the institution's own evidence satisfies each element without relying solely on silence. The reasoned decision can then state what was proved independently and what inference, if any, followed from non-cooperation.
Reopening should be available where the holder promptly shows non-delivery or another serious impediment. Reopening is not indulgence; it is a correction mechanism for a system that depends heavily on electronic contact. Finality matters, but a registry should prefer an accurate decision before irreversible reissue or cascading operational change.
Records within the member's control do not reverse the whole burden
Members often possess facts the registry cannot obtain directly. They know who controlled a corporate account, why a transfer occurred, how customer assignments were recorded and which internal approvals supported an application. The institution may need those records to test compliance. Burden allocation should encourage production without pretending that exclusive possession proves guilt.
The registry should first establish relevance. A request should identify the rule, disputed fact, period, record class and secure method of submission. It should explain any authenticity requirements and allow reasonable alternatives where records no longer exist. A demand for “all documents showing compliance” is too broad because it assumes the conclusion and gives the institution no stopping point.
The member then has a duty to search reasonably, preserve responsive material and explain gaps candidly. It should not hide behind the registry's ultimate burden while withholding decisive records. If it relies on an affirmative defence—such as consent, corrected authority, force majeure or an approved exception—it may fairly bear the burden of establishing the facts peculiar to that defence. That allocation is different from making it disprove the alleged breach itself.
Where records are missing, the decision-maker should ask why. Was there a stated retention rule? Was the material destroyed before notice in an ordinary course, lost through an incident or withheld after a preservation request? Does independent evidence corroborate the missing fact? An adverse inference should be proportionate to the demonstrated failure and should not exceed the likely content of the record.
This approach gives cooperation real force. It also preserves the central rule. The registry proves the charge; the member produces relevant material under its control; each party establishes any affirmative proposition it advances. The fact that evidence is distributed across two institutions does not justify assigning the entire risk of uncertainty to the weaker one.
Fraud allegations require proof of identity, falsity and materiality
Fraud is the category most likely to collapse careful reasoning. It carries stigma, implies intent and can trigger urgent action. It is also used loosely to describe forged documents, inaccurate applications, unauthorised account access, abandoned companies and disputes over historic entitlement. Those are not the same case.
A registry alleging fraudulent acquisition should identify the person or organisation whose representation is attributed to the holder. Account credentials alone may not prove authority; compromised access and service-provider submissions are possible. It should establish what was represented, that the statement was false when made, that the holder knew or was responsible for the falsity under the applicable rule, and that the representation was material to the registry's decision. If the policy imposes strict accuracy without requiring intent, the finding should be called an accuracy breach rather than fraud.
Document examination must go beyond appearance. A mismatch in fonts, dates or file properties can justify inquiry, but it is not conclusive without provenance and context. Corporate documents vary by jurisdiction, scanning alters metadata and translated copies may be reformatted. Verification with an issuing authority, a traceable certified copy or other independent evidence carries more weight. If the institution relies on confidential verification, it should disclose the substance and method sufficiently for a challenge without exposing protected data.
Remedy should follow the proved mechanism. A forged authority letter affecting one transfer may justify reversing or freezing that transaction while related title is examined. It does not automatically prove that every resource held by the organisation was improperly obtained. A compromised account calls for credential containment and record restoration. A dissolved company raises succession and registration questions, not necessarily deception.
The higher the stigma, the more exact the reasons should be. Public or inter-registry communications should avoid the word fraud unless the decision actually establishes its elements. Institutional shorthand can outlive an appeal and contaminate future dealings long after a narrower finding would have sufficed.
The required assurance should rise with the consequence
Not every administrative act needs the same evidentiary threshold. A registry may open an inquiry on credible information that would be limited public evidence for a final sanction. It may ask for updated contact details on evidence of bounced mail. It may temporarily protect an account after a plausible credential compromise. The cost of waiting and the reversibility of the step matter.
Final high-impact measures are different. Account closure, deregistration, withdrawal of reverse delegation, removal of registry records and revocation of RPKI certificates can affect routing operations, customers, transfers and the value of scarce resources. The institution should require a correspondingly strong degree of assurance, based on reliable and corroborated evidence. This does not necessarily require a criminal standard. It requires more than an untested complaint, unexplained suspicion or the member's inability to prove a negative.
Severity has three dimensions. The first is breadth: how many resources and services are affected? The second is reversibility: can the measure be undone before third parties change routing or commercial arrangements? The third is propagation: will other registries, networks, banks, courts or customers treat the status as a finding of misconduct? A nominally administrative action may be severe because its signal travels.
The standard should be published in functional terms. Routine correction may require reasonable grounds and a chance to update. A temporary protective hold may require credible evidence of imminent risk, narrow scope and frequent review. A final finding leading to deregistration should require the institution to be firmly satisfied on the complete record, with material conflicts resolved in reasons. Where accusations of dishonesty or illegality are central, stronger corroboration should be expected.
The point is not to create verbal formulas. It is to prevent the same thin material from justifying both an inquiry and the ultimate punishment. Evidence that warrants asking a question is not necessarily evidence that answers it.
Interim measures must not become findings by endurance
Emergencies create the hardest case for burden allocation. A registry may detect an apparent account takeover, conflicting transfer instructions or falsified authority while a transaction is pending. Waiting for a complete hearing could allow irreversible changes. A temporary hold may be justified before the full case is proved.
The exception needs strict boundaries. The institution should identify the imminent harm, show why ordinary timing is inadequate, limit the hold to the affected function and state when it expires. It should preserve existing routing and registry continuity where doing so does not compound the identified risk. The member should receive rapid notice of the substance, a channel to provide decisive evidence and review by someone who did not order the hold.
An interim measure proves nothing about the merits. Public statuses and internal records should call it protective, not disciplinary. Staff should not cite the existence or duration of the hold as corroboration of the original suspicion. That circularity is common: the account was frozen because it looked risky, and it later looks risky because it has been frozen for months.
Time shifts the burden back to the institution. As days pass, the registry must either assemble a charge and prove it or lift the measure. The member may have to authenticate authority or explain anomalous activity, but delay in doing so cannot justify an indefinite restriction unrelated to the evidence. Automatic expiry forces a fresh decision rather than passive continuation.
Continuity analysis belongs at the start. If a dispute concerns one account credential, there may be no reason to alter route-authorisation certificates or reverse DNS. If a transfer is contested, registry records can be locked without declaring either claimant fraudulent. Narrow measures protect the integrity of the ledger while the institution carries out the investigation needed for a final decision.
Disclosure is what makes rebuttal real
A notice that names the rule but withholds the evidence is only half a notice. The member needs the substance of the case: material documents, relevant excerpts from logs, dates, the origin and reliability of third-party claims, and the inferences the investigator proposes to draw. Without that information, a response is guesswork.
Registries have legitimate confidentiality concerns. They handle identity documents, commercial information, security data, complaints and material from public authorities. Disclosure need not mean unrestricted publication or release of every internal note. It does mean finding a way to communicate the decisive substance. Redaction, confidentiality undertakings, summaries and independent counsel can protect sensitive details, but a sanction should not rest on a proposition the holder had no meaningful chance to test.
The registry should maintain an evidence index showing disclosed, withheld and unavailable items. For withheld material, it should state the category, the reason and whether the decision-maker relied on it. A reviewer can then assess whether the redaction prevented an effective answer. Undisclosed evidence should not quietly supply the missing element of a charge.
Exculpatory material deserves equal treatment. Investigators should disclose facts that materially weaken their theory, including inconsistent timestamps, earlier approvals, alternate account users and failed third-party verification. The institution is not counsel for a complainant. Its duty is to reach an accurate registry decision.
Disclosure also improves the quality of admissions. A member may accept an outdated record once shown the precise entry, saving months of argument. It may identify a compromised account when presented with a timestamp. A broad accusation encourages broad denial; a documented allegation encourages a useful answer. Fairness and administrative efficiency are often allies.
A reasoned decision must show who proved what
The final decision should be intelligible without access to the investigator's mind. It should state the charge, applicable rule, material facts, contested issues, evidence accepted and rejected, burden and level of assurance. It should then explain why the remedy follows from the proved breach and how unrelated continuity interests were considered.
A list of documents is not reasoning. Nor is a paragraph saying that the member's explanations were unsatisfactory. The decision-maker should address the strongest contrary evidence and explain any adverse inference. If the member failed to produce a record, the reasons should identify the duty to retain or provide it and the limited conclusion drawn from its absence. If credibility matters, the reasons should point to contradiction, corroboration or conduct rather than demeanour alone.
Each finding should have a status. Some facts may be established; others may remain uncertain; a third group may be irrelevant to the operative rule. The institution should resist turning every concern into a violation. A narrow, proved finding is more legitimate than a comprehensive narrative held together by suspicion.
The remedy section should be equally exact. What harm does the measure prevent or cure? Why would a warning, correction, transaction lock or service-specific restriction be limited public evidence? Which third parties may be affected? When will the measure be reviewed or lifted? If deregistration is chosen, the reasons should confront the possibility that the sanction will alter operations before any external tribunal can act.
Written reasons create a durable constraint. They allow members to compare cases, boards to inspect administration and reviewers to identify error. They also improve policy. If staff repeatedly struggle to prove an element, the answer may be better evidence collection or a clearer rule—not a presumption against the holder.
Review must test the case, not merely the correspondence
An appeal is weak if it asks only whether staff followed the published steps. A member may receive every email on time and still be sanctioned on inadequate evidence. Review should examine jurisdiction, charge definition, burden allocation, evidence quality, factual findings, proportionality and continuity effects.
The reviewer should be institutionally separate from the original investigator and decision-maker. Complete external independence may not always be affordable, but the reviewer should have no stake in defending the earlier outcome and should be able to order disclosure, pause a measure and substitute or remit the decision. A review body that sees only staff summaries cannot test the proof.
Urgency should correspond to harm. A routine billing dispute may tolerate an ordinary timetable. Deregistration, RPKI change or public fraud status may require an automatic pause and expedited determination. If a measure is irreversible in practice before review concludes, the formal right of appeal is an empty one.
The member should not carry a new burden to prove the decision irrational. The institution should place the evidentiary record before the reviewer and show that the established burden was met. The appellant can identify errors and provide new evidence, but the original absence of proof cannot be cured by demanding a perfect appellate case from the holder.
Review outcomes should be reasoned and, with necessary redactions, published or summarised. The useful data include findings set aside for limited public evidence evidence, charges narrowed, sanctions reduced and continuity errors corrected. Reporting only decisions that uphold enforcement gives members no view of the system's error rate.
Courts and arbitration remain important backstops, but cost and delay make them incomplete substitutes for sound first-instance administration. The registry should aim to produce a record that can survive external scrutiny, not rely on the fact that few members can afford to challenge it.
Rules and evidence must be tied to the right point in time
The period since 2000 has seen substantial change in RIR policy, contracts, scarcity, transfer markets, registry databases and routing-security services. A present-day compliance team may examine conduct that occurred under an earlier document or institutional assumption. Temporal discipline is therefore part of proof.
The charge should identify the policy and contract in force when the relevant act occurred. A later clarification may help explain terminology but should not be applied as though it created an earlier duty. If an obligation continued over time, the institution should distinguish the original act from a present failure to correct. That distinction can change notice, evidence and remedy.
Historical records need context. A sparse application from the early allocation era may have met the documentation practice of its day. A later corporate merger may have changed names without changing operational control. Legacy resources may sit under different service relationships. The absence of a modern record format does not itself prove that an old representation was false.
Institutional memory also changes. Staff summaries, migrated tickets and reconstructed databases may not preserve every qualification in the original decision. The registry should state when evidence is incomplete because of its own retention or migration choices. It cannot fairly treat its missing archive as the holder's failure to prove compliance.
At the same time, age does not immunise fraud. Independent records may establish that a document never existed, a company had been dissolved or an asserted signatory lacked authority. The evidentiary question remains specific. What proposition can the surviving material prove, under which rule, and with what level of confidence?
A statute-of-limitation style rule may be useful even where law does not supply one. Members need finality; registries need accurate records. Old cases could be reopened for deliberate fraud or continuing misregistration while lesser procedural defects expire after a defined period. Such limits reduce opportunistic archaeology and focus resources on present integrity.
Cross-registry consistency should concern method, not identical law
The five RIRs operate under different corporate forms, agreements, policies and legal systems. Their enforcement powers are not interchangeable. A common burden-of-proof discipline does not require identical sanctions or a supranational tribunal. It requires a shared minimum method for consequential factual findings.
That method would begin with a defined charge and institution-held evidence. It would separate registry accuracy, contractual duty, fraud, routing conduct and third-party legal claims. It would disclose the substance, permit a bounded answer, require reasons and provide review before measures propagate unnecessarily. Each registry could then apply its own lawful standard and remedy.
Consistency matters because number-resource relationships cross regions. Corporate groups hold resources under several registries; transfers move records; inter-registry communications can spread a suspicion. One institution may receive another's status and treat it as verified fact. Unless provenance travels with the claim, repetition creates false corroboration.
An inter-registry referral should therefore state what was alleged, what was proved, by whom, under which rule, on what date and whether review is pending. A mere label such as “non-compliant” or “fraud concern” is limited public evidence. The receiving registry should make its own decision under its own authority rather than outsource proof to an ambiguous foreign status.
Common metrics would improve accountability. Registries could report high-impact cases opened, allegations abandoned before charge, findings by violation type, sanctions, review requests, reversals, average duration and continuity incidents. The purpose is not a league table of punishment. It is to reveal whether institutions distinguish inquiry from proof and whether review catches error.
Methodological consistency would also make genuine legal differences easier to see. Members could identify where one contract permits immediate suspension, another requires cure, or a jurisdiction imposes public-law duties. Transparency about difference is more credible than pretending that regional variation eliminates the need for evidence.
Membership accountability begins before an individual case
Members should not decide whether a competitor violated policy. Individual adjudication requires confidentiality, expertise and insulation from faction. Membership accountability belongs at the constitutional level: defining burdens, evidence standards, powers, review and reporting before a dispute identifies winners and losers.
Policies should say which party bears production and persuasion for each class of allegation. They should identify when adverse inferences are permitted, how confidential evidence is handled, which interim measures are available and what assurance is required for high-impact action. Material changes should receive open consultation rather than emerge through enforcement practice.
Boards should inspect aggregate performance and a confidential sample of files. The audit should test whether notices specified charges, whether the institution produced evidence before demanding rebuttal, whether exculpatory material was recorded, and whether remedies matched findings. It should also compare large and small members. A formally neutral procedure may burden a small operator more heavily if document demands are unlimited and review costs prohibitive.
Funding matters. Independent reviewers, secure disclosure and good record systems cost money. Those are not optional extras when the institution can alter valuable and operationally significant registrations. Members pay not only for allocation services but for legitimate stewardship of the authority they collectively sustain.
Public consultation should include network operators, resource holders, technical experts and users affected by registry continuity. Their roles differ. Complainants can explain evidentiary access; operators can explain downstream effects; lawyers can test review rights; engineers can identify which measures are actually reversible. No group should receive a shortcut around proof.
Accountability is strongest when it reduces the need for heroic appeals. Clear burdens improve first decisions, help staff refuse political pressure and give members a reason to cooperate with precise requests. Governance then operates through predictable rules rather than the endurance of whoever can litigate longest.
Number Resource Society can make proof operational
Number Resource Society can treat evidentiary discipline as part of reliable number administration. Its compliance charter should begin with a simple rule: the institution bears the burden of establishing every element of a violation used to justify a sanction. The respondent bears only clearly defined affirmative propositions and reasonable production duties for relevant records under its control.
The charter could divide action into four levels. A verification request would require an identified discrepancy and seek correction without a culpability finding. A formal inquiry would require credible evidence of a defined breach and provide disclosure. A temporary protective measure would require imminent risk, narrow scope, expiry and rapid review. A final high-impact sanction would require a complete reasoned record, strong assurance and continuity assessment.
Every case file should contain a charge table linking rule, fact, evidence, response, finding and remedy. The table would not replace narrative reasoning; it would expose missing links. Decision-makers should certify that they did not treat silence as proof beyond a cooperation breach, did not rely on undisclosed material for a decisive fact and did not apply a later rule retrospectively.
Technical safeguards can support the legal design. Account and record changes should be versioned, evidence preserved with access history, and service effects mapped before approval. High-impact actions should require a second authorised decision-maker. RPKI, reverse DNS, public registration and account access should be treated as distinct services, so a finding affecting one does not automatically disable all.
The society should publish anonymised decisions and statistics, including cases closed for limited public evidence evidence. Members need to see that the institution can conclude “not proved” without pretending the concern never existed. That outcome is a sign of functioning judgment, not enforcement failure.
Finally, review should be accessible. Filing should be simple, urgent continuity cases fast, and costs predictable. The record should move automatically to the reviewer, with the institution retaining its burden. A registry that can defend its finding on the evidence loses nothing from this arrangement. One that cannot should not impose the sanction.
A practical test for the next allegation
Imagine that a registry suspects a member used falsified corporate authority to obtain approval for a resource transfer. A defensible case starts by preserving the submitted document, account logs, ticket history, policy version and transfer record. The institution verifies the supposed issuer independently and records the method. It identifies the representation, its materiality and the account or person to whom it is attributed.
The registry then sends a charge, not a cloud of concern. It discloses the disputed document and the substance of the verification, subject to necessary protection. It asks the member to authenticate authority and provide specified records within its control. If account compromise is plausible, it temporarily locks the transfer and credentials without altering unrelated registrations or route-authorisation services.
The member may show that an authorised agent submitted a translated copy, that the issuing authority changed its format, or that credentials were stolen. It may fail to answer. In every event, the institution evaluates its own evidence. It decides whether identity, falsity, responsibility and materiality are established. A missing response may support a separate cooperation finding or a bounded inference; it does not fill every gap.
The decision states the findings and chooses a remedy tied to them. If the transfer request was false but existing holdings are unaffected, the transfer can be refused and the account secured. If evidence proves a broader scheme, broader action may follow with specific reasons. If falsity is not proved, the protective hold ends. The file records that conclusion without branding the member innocent of all possible conduct or guilty by suspicion.
This sequence is neither slow nor indulgent. It directs effort toward decisive facts, contains immediate risk and produces a decision that can be reviewed. Most importantly, it keeps the institution's authority connected to what the institution can establish.
The unproved violation is an institutional choice
A policy violation is not proved because it is serious, repeated in correspondence or difficult for a member to rebut. It is proved when reliable evidence establishes the elements of a defined rule to the level justified by the consequence. Everything else is suspicion, inquiry or unresolved dispute.
Registries will sometimes face missing records, evasive members and urgent threats. They need powers to preserve the ledger and protect accounts. Burden discipline does not disable those powers. It separates temporary protection from final punishment, a request for cooperation from a finding of dishonesty, and an inaccurate field from a theory of fraud.
The alternative is deceptively efficient. State a broad violation, demand that the holder show there was none, interpret incomplete production as confirmation and use the registry's control over services to close the case. That method saves the institution the cost of proof by transferring uncertainty to the member and operational risk to everyone dependent on the resources. It is efficient only if error is treated as someone else's problem.
Since 2000, the RIR system has combined community policy, private agreement, public technical responsibility and increasing operational reach. Scarcity and routing-security services have made registry decisions more consequential, not less. The governance response should be better evidence and review, not broader presumptions.
The rule is therefore straightforward. The party proposing a high-impact sanction proves the breach. The holder answers a concrete case, produces relevant records and establishes genuine defences. The decision-maker explains who proved what. Review occurs before avoidable continuity damage. Official documents establish powers and stated procedures, but the facts of each case must stand on their own evidence.
When an institution cannot meet that standard, the honest conclusion is not that the member failed to prove innocence. It is that the policy violation was never proven.

