Summary

  • The pilot must preregister its causal claims, measures, cohort rules, exclusions, matched controls, safety floors, benefit thresholds and analysis plan before recruitment or live migration. Post-hoc stories cannot turn an adverse result into success.
  • Failure has three distinct meanings: an immediate safety breach that stops live work, failure to achieve material benefits against the control after a defined period, and institutional failure when the common coordinator or provider market recreates unchecked monopoly power.
  • Rollback is a core experimental outcome, not an emergency improvisation. Every move needs a verified baseline, a serialized handback path, preserved restrictions, dependent-service reconciliation and a deadline for restoring an authorised provider without creating duplicate state.
  • Sample design must expose the proposition to difficult evidence. Small networks, legacy resources, transferred portfolios, public-sector holders, hosted and delegated RPKI users and lawfully restricted accounts belong in planned strata; easy volunteers cannot stand in for the number system.
  • An independent evaluator must control randomised or delayed entry, audit source data, publish exclusions and withdrawals, apply the stopping rules and issue the 2036 finding. Providers, incumbents, funders and advocates may respond but may not edit results.
  • Passing one stage grants no presumption of permanent authority. Any post-pilot service mandate requires a separate, transparent institutional decision by competent bodies, with new due process, conflict review and time-limited authorization.
  • Number Resource Society can advocate the test, represent authorised members, observe public evidence, research outcomes and accept a negative finding. It cannot run the registry service, qualify providers, select the evaluator, certify results, hold records, execute rollback or convert participation into a future operational mandate.

The counterfactual begins with a precise entity of choice

“Choose your registry” is too imprecise to test. It can describe at least four different changes: a holder moving its service account, a resource moving between regional records, a transfer from one holder to another, or an operator changing how it announces a route. Those actions have different legal and technical effects. Combining them would make every result uninterpretable.

The proposed choice concerns service sponsorship. A recognized holder appoints one qualified provider to maintain its current registration relationship under a shared coordination layer. The provider receives narrowly defined authority to authenticate instructions, maintain evidence, submit ordered changes, serve or arrange public registration data, support resource transfers and coordinate dependent services. A provider identifier in the common record shows who currently holds that service mandate.

The prefix or autonomous system number does not change merely because the provider changes. The holder does not change. The resource is not allocated twice. Existing disputes, sanctions restrictions, court restraints, transfer holds and evidence duties travel with the record. Routing remains a decision made by network operators and their counterparties. A provider cannot create reachability by editing an administrative record, and it cannot withdraw reachability merely because an account departs.

This separation follows the core described by RFC 7020: Internet numbers require global uniqueness and accurate registration, while routing operation sits outside the registry's direct control. The counterfactual preserves that core. It contests the assumption that every holder-facing service must be supplied indefinitely by one geographically assigned corporation.

Without this definition, a pilot could claim success by moving low-risk contact details while leaving every consequential dependency captive. Or it could fail theatrically by attempting to duplicate top-level authority. The unit of choice must be broad enough to alter bargaining power and narrow enough to preserve a single current state.

The baseline is a bundle, not merely an annual fee

The current comparison point is not zero choice. Operators can select consultants, brokers, hosted route-security services, upstreams, cloud platforms and legal advisers. They can sometimes transfer resources across regions or move a corporate presence. Regional Internet Registries differ in fees, membership structures, public services and implementation. These differences offer useful variation.

Yet the ordinary holder usually cannot appoint a different qualified institution to maintain the same resource under the same global position while remaining otherwise unchanged. Exit often requires a transfer, corporate restructuring, geographic eligibility, a change in resource status or the cooperation of the institution being left. The incumbent therefore supplies a bundle: authoritative registration, account administration, policy implementation, dispute handling, public data, technical dependencies, membership participation and institutional continuity.

A fair baseline must price and evaluate the whole bundle. The annual invoice is only one component. An operator also bears staff time, authentication friction, evidence reconstruction, delayed corrections, travel or participation cost, uncertainty during disputes, integration work and the expected loss from institutional failure. Conversely, the registry supplies benefits that may not appear on an invoice: maintained history, experienced staff, security investment, public coordination, training, policy support and mutual assistance.

The counterfactual cost is similarly broad. A cheaper provider that externalizes difficult cases to a common coordinator may not be cheaper in social terms. A provider with rapid onboarding but weak historical evidence may create costs later. A common layer funded through hidden levies can make retail prices look artificially low. The study must therefore compare quality-adjusted total cost and allocate shared costs openly.

Four claims must enter the protocol before a entity enters

The pilot should be registered as an evaluation protocol, not announced as a movement. Before recruitment, the sponsors should lodge a versioned public document containing the primary questions, exact outcome definitions, unit of analysis, cohort strata, control construction, observation windows, minimum detectable effects, missing-data rules, stopping boundaries, rollback deadlines and the authority responsible for each decision.

Amendments may be necessary after a genuine security discovery, but every amendment should preserve the old version, identify who requested the change and state whether the change was made before or after the affected data became visible.

The protocol should distinguish confirmatory outcomes from exploratory learning. Quality-adjusted cost, correction reliability, scope of provider discretion and continuity after failure are the four confirmatory domains. Interface preferences, new service combinations and entity anecdotes can generate later questions, but they cannot rescue a failed primary result. If twenty measures are collected and two move favourably by chance, sponsors should not present those two as the reason the pilot existed.

The hypotheses also need a direction and a deadline. A claim that costs will eventually fall, review will eventually improve or substitution will eventually work cannot be falsified within a ten-year trial. Each phase should state the effect expected by its closing date and the confidence interval that would be considered compatible with no useful improvement. A result can be safe yet ineffective; safety is a condition for continuing the experiment, not proof of benefit.

For each holder, total annual registry burden can be represented as five components: mandatory common-core cost, provider service price, internal compliance cost, expected error loss and expected continuity loss. The first component funds functions that must remain common, such as ordered uniqueness checks and authoritative provider discovery. The second covers the chosen provider's service. The third captures the holder's own staff and evidence burden. The final two convert low-frequency failures into expected cost using observed incidence and bounded loss estimates.

Under regional monopoly, the holder pays one bundled price and has limited ability to separate poor service from unavoidable common cost. Under choice, the common-core charge should be identical for equivalent resource conditions, while provider price and service terms can vary. Internal compliance cost could fall if providers compete on usable interfaces and support, or rise if common standards are weak. Error loss could fall through specialization and exit, or rise through underinvestment. Continuity loss should fall if provider substitution works, but could increase if the shared coordinator becomes a new single point of failure.

The model therefore predicts no universal price. It predicts decomposition. Mandatory common costs become visible; optional services become contestable; risk costs become attributable. A successful regime may leave some operators paying more because they select enhanced verification, multilingual support, managed routing-security custody or complex transfer assistance. The relevant question is whether an operator can select a proportionate service and whether the common core stops charging every holder for one institutional preference.

Four variables should be estimated separately: price, quality, scope and resilience. Collapsing them into a single satisfaction score would hide the central trade-offs. Registry choice is supported only if price or service improves without shifting unacceptable risk into uniqueness, accuracy, public accountability or crisis recovery.

Preregistered claim one: non-core cost should fall

The first prediction is deliberately modest. Choice should not eliminate the cost of maintaining trustworthy number records. It should reduce the cost of functions that do not require one supplier: routine account support, optional data products, customized reporting, transfer assistance, managed authentication, training, certification interfaces and other holder-facing services.

The pilot should define a standard service basket before providers submit prices. The basket would include a normal holder account, a fixed number of authorized contacts, routine updates, public registration service, a transfer-support allowance, ordinary incident support and export on exit. Complex litigation, unusual historical reconstruction and optional cryptographic custody would be priced separately under published categories. Every provider would disclose the common-core charge, its service charge, pass-through costs and contingent charges.

The primary fee measure should be the median quality-adjusted annual cost per holder and per managed resource set, not the lowest advertised price. Adjustment should account for response time, correction performance, security controls, exit readiness and the complexity of the holder portfolio. A second measure should track internal operator hours. A third should examine distribution: small networks, public-interest networks and holders with old or contested records may experience different effects from large, professionally staffed operators.

The prediction would be weakened if advertised prices fall while internal compliance hours rise by an equal amount, if the common layer absorbs growing unpriced work, or if providers avoid difficult holders. It would fail if total comparable cost does not fall after three years, quality does not improve, and no meaningful service differentiation appears. A ten percent saving in a narrow invoice accompanied by weaker recovery is not success.

Preregistered claim two: policy power should become narrower

Regional institutions often make rules for allocation, transfer, membership, fees, registration data, routing-security services and account conduct. Some coordination rules must remain common. Others reflect the fact that the same institution is rule maker, service provider, record custodian and gatekeeper. When exit is difficult, an administrative preference can become a condition of continued operational continuity.

Choice should force a classification. A rule belongs in the common layer only if incompatible provider behavior would threaten uniqueness, authoritative discovery, minimum evidence, lawful restraint, security interoperability or orderly succession. Rules about support packages, optional tools, meeting formats, consulting services, training, customer communication and many account features can be provider-level choices. Policy that affects holder rights should have a stated legal basis, affected-party analysis, review route and expiry or reconsideration date.

The policy-scope measure would count mandatory obligations by category, the number of pages or controls cannot be the main measure because concise rules can still be sweeping. Better indicators include how many provider decisions can suspend or materially impair service, how many obligations lack an external review route, how often a provider relies on an open-ended conduct clause, and what proportion of contested decisions are based on common safety rules rather than local preference.

The prediction is that portable service reduces the discretionary surface at provider level. It would be contradicted if the common coordinator accumulates every former regional rule, if providers form a cartel around identical terms, or if holders can move only after satisfying the losing provider's broad policy demands. Portability that merely relocates monopoly power upward has not narrowed power.

Preregistered claim three: correction should become faster and more credible

Registry errors range from a misspelled contact to a disputed holder identity or an unauthorized change. Speed cannot be pursued without accuracy. A provider that automatically accepts every claimant will post impressive response times and dangerous records. The useful measure separates acknowledgement, evidence collection, provisional protection, reasoned decision and final correction.

Choice changes incentives at two points. First, providers compete on ordinary accuracy and support. Second, a holder facing repeated failure can escalate to independent review or migrate after the disputed state has been safely preserved. The threat of exit should encourage clearer reasons, portable evidence and timely handoff. It should not permit a claimant to shop among providers until one accepts a false instruction.

Every contested matter therefore needs one case identifier at the common layer, one current protected state and a visible decision history. Moving the service account does not erase the case. The new provider receives the same restriction and evidence obligations. Independent review decides disputes that exceed routine correction. Providers are measured on time, completeness and compliance, not on whether they favor the customer.

The main outcomes are median time to correct verified routine errors, time to impose a protective hold after credible compromise, proportion of decisions with adequate reasons, reversal rate, repeat-error rate and time to execute a remedy. A high reversal rate may show poor first decisions; a near-zero rate may show inaccessible review. Both require interpretation. The prediction fails if portability increases inconsistent outcomes, evidence loss or strategic provider shopping.

Preregistered claim four: institutional crisis should become smaller

The strongest case for registry choice is not a slightly lower annual fee. It is the possibility that failure of one corporation no longer threatens every holder assigned to its territory. Insolvency, governance paralysis, sanctions, a destructive court restraint, data corruption, key compromise or prolonged service outage could be handled as provider failure rather than regional constitutional emergency.

That benefit exists only if records and authority are separable before the crisis. Providers must maintain standardized exports, independently witnessed change history, escrowed or otherwise protected evidence, known dependent-service states and pre-qualified substitutes. Funding for emergency operation must be available outside the failing provider's ordinary control. Activation must preserve restraints and disputed claims rather than copying only clean accounts.

The pilot should stage failures. One provider becomes unreachable. Another loses authority after repeated control failures. A third suffers selective record corruption rather than total outage. A fourth remains technically available while its directors cannot lawfully act. In each case the evaluator measures time to establish a trusted last state, time to appoint temporary service, percentage of records reconciled without holder reconstruction, public-data continuity, reverse-DNS continuity, routing-security effects and time until holders can exercise ordinary choice again.

The counterfactual predicts lower tail loss: fewer holders affected, shorter interruption and less dependence on saving the incumbent legal entity. It fails if every crisis still requires improvised political agreement, if the shared coordinator cannot act without the failed provider, or if substitute operation creates contested duplicate authority.

Analogies establish possibility, not equivalence

Several sectors separate a durable identifier or account relationship from the current service provider. ICANN's Transfer Policy assigns duties to gaining and losing domain registrars and to the registry operator while the domain remains unique. Telephone-number portability uses common coordination and deadlines so a subscriber can retain a number after changing provider. The United Kingdom's Current Account Switch Service places the new bank in the lead and provides redirection and a guarantee. Energy supplier-of-last-resort arrangements preserve service when a supplier fails.

These examples matter because they reject a false binary between permanent provider assignment and uncontrolled duplication. They show recurring design elements: a common authoritative layer, authenticated consent, narrow denial grounds, transaction clocks, gaining-provider responsibility, continuity duties, compensation or remedy and arrangements for provider failure.

They are not proof. Domain names have contractual and technical structures unlike IP address and autonomous system number administration. Telephone numbers sit within national regulation and carrier systems. Bank accounts involve payment redirection rather than a global routing-security hierarchy. Energy supply is territorial and heavily regulated. Number resources combine global uniqueness, regional history, scarce transferable IPv4 value, reverse DNS, public registration data and RPKI.

The proper use of analogy is to derive questions. Can denial grounds be limited? Can a gaining provider lead? Can shared coordination remain neutral? Can the old provider fail without trapping the user? Can compensation attach to delay? The pilot then answers those questions in the number-resource setting.

The cohort must be able to make the idea look bad

Voluntary participation creates selection bias. Operators already dissatisfied with an incumbent, technically sophisticated holders and operators sympathetic to NRS's advocacy may enter first. Providers may select clean records. Incumbents may improve service when observed. A comparison between enthusiastic movers and the whole regional population would overstate effects.

The evaluation should use a phased, matched design. Eligible holders volunteering for the first live cohort would be matched with similar non-moving holders by resource type, portfolio size, transfer history, organization age, region, dispute status, routing-security use and staff capacity. Where demand exceeds safe capacity, randomized timing can determine which matched applicants move first. This creates a delayed-entry comparison without denying eventual participation.

Baseline observations should cover at least twelve months. The evaluator should record fees, internal hours, update volume, correction time, security incidents, complaints, transfer activity, service availability and holder confidence before any move. Providers should undergo shadow operation using synchronized test records and simulated instructions before touching current authority. Live exposure should expand only after reconciliation and exit tests pass.

Results must be published by cohort, including operators that withdraw, providers that fail qualification and cases excluded for safety. Success cannot be inferred from aggregate satisfaction among survivors. The denominator is every admitted resource set and every attempted move.

Strata should be fixed before providers see individual applicants. At minimum, the sampling frame should separate IPv4, IPv6 and ASN portfolios; legacy and policy-issued resources; recent transfers and long-stable records; small and large organisations; public-sector and private networks; simple and multi-jurisdictional corporate histories; hosted and delegated RPKI arrangements; and accounts with documented lawful restraints. A pilot that quietly removes the groups most likely to reveal evidence, identity or continuity problems has selected a demonstration rather than a test.

Exclusion can still be legitimate. An active fraud investigation or unresolved corporate-control case may make a first-phase move unsafe. The evaluator should publish the exclusion rule, count every excluded case, retain its baseline characteristics and test whether exclusions cluster by provider or cohort. Where live inclusion is unsafe, shadow processing can reveal whether a proposed provider would reconstruct the same protected state without granting it authority. The hard cases must remain in the evidence even when they cannot yet enter the live arm.

The control group should not be a static portrait of the regional model in 2026. Matched controls need contemporaneous observation because incumbents, fees, global policy and security practice will change during the decade. Delayed-entry cohorts offer a useful design: applicants are matched, a randomised or independently administered sequence determines when eligible holders enter, and those waiting provide a temporary control. The method does not eliminate selection bias, but it makes the timing of exposure less dependent on enthusiasm or provider preference.

Attrition is itself an outcome. A holder that abandons migration after evidence demands, a provider that withdraws when difficult accounts arrive and a entity that returns to an incumbent cannot disappear from the denominator. The protocol should distinguish voluntary preference, technical failure, legal barrier, provider refusal, safety intervention and evaluator-directed rollback. Each reason bears on a different claim, and collapsing them into “entity withdrawal” would hide the institutional result.

The evaluator must be independent before it sees a result

Independence requires more than appointing a respected person after the design is complete. The evaluator should be selected through an open conflict process before recruitment, receive a protected multi-year budget that no provider or sponsor can withhold after an adverse interim report, and control the statistical analysis, incident classification and publication timetable. Its legal mandate should guarantee access to references under confidentiality controls and protect its right to publish findings that sponsors dispute.

No RIR, candidate provider, common coordinator, commercial funder, NRS or participating holder coalition should control evaluator appointment or removal. Each may nominate expertise and challenge a disclosed conflict, but the final selection should sit with a plural body whose members cannot benefit from pilot expansion. Technical, legal, security, statistical and holder-impact reviewers should be separated where one firm cannot credibly cover every domain.

The evaluator should maintain an auditable data chain. Provider dashboards are inputs, not findings. Samples of change records, notices, holds, correction files, RPKI observations, RDAP responses, reverse-DNS transitions, invoices and internal-hour surveys should be tested against common definitions. Where confidentiality prevents publication of a case, the evaluator should publish the reason, the category and whether protected evidence was independently inspected. “Confidential” cannot become a bucket in which bad outcomes disappear.

Interim reports should appear on a fixed schedule and after every stopping event. Providers and advocates can attach responses, but they cannot negotiate the finding into different language. Factual corrections should be logged. Analytical disagreements should remain visible. The evaluator's credibility will depend less on claiming neutrality than on making influence and amendment detectable.

Phase one, 2026-2027: preregister the test and construct the baseline

The first phase should not move authoritative service. It should define roles, data fields, event semantics, security controls, dependent services and evaluation measures. Incumbent registries, operators, prospective providers, IANA-linked technical experts and independent reviewers should map which functions are genuinely common and which can vary. Before the first live cohort is named, the evaluator should freeze the confirmatory protocol and publish the exact conditions for starting, pausing, rolling back, resuming and ending the trial.

A representative sample should include IPv4, IPv6 and autonomous system number holders; small and large operators; public-sector networks; multinational organizations; holders using hosted and delegated RPKI; old records with complex history; recent transfer recipients; and accounts with lawful restrictions. Excluding difficult records would produce an elegant but irrelevant demonstration.

Shadow providers would ingest protected copies, execute simulated updates and produce exports. Their results would be compared field by field with the current authoritative record. The tests would include identity changes, contact correction, transfer requests, disputed instructions, provider failure, partial data loss, reverse-DNS changes and route-security custody transitions. No shadow answer would be published as current.

Phase one passes only if every provider can reproduce state and history to the defined tolerance, explain every discrepancy, export without proprietary loss and complete a substitute-provider exercise. The output is a measurable baseline and a safe technical envelope, not a declaration that choice has succeeded.

Phase two, 2028-2029: permit limited live sponsorship

The first live cohort should be small enough for individual review but varied enough to expose real complexity. A plausible ceiling is several hundred holders across at least two existing service regions, with caps by resource type and aggregate IPv4 quantity. At least three qualified providers should participate, including an incumbent if it accepts the common conditions. No provider should begin with a dominant cohort share.

Each move would use authenticated holder consent, an independent status check and an ordered common commit. The old provider's authority ends when the new provider's authority begins. Dependent services use explicit transition plans. RPKI custody should remain unchanged in the earliest cases unless its transition is the specific tested function. Disputed transfers and active fraud cases should enter only after routine moves establish the safety baseline.

Entities receive a direct correction and compensation route. They can return to the former provider if qualified, select another provider or enter temporary common service. Fees and material incidents are published in comparable form. The pilot authority cannot require a entity to endorse the institutional model as a condition of service.

Expansion pauses automatically after a duplicate-authority event, an unexplained resource-state divergence, a material unauthorized change, evidence loss, a provider insolvency without successful substitution or a move-attributable routing-security incident above the pre-set threshold.

A stopping rule is different from a verdict

The protocol should distinguish a pause, a provider-specific stop, a function-specific stop and termination of the entire trial. A contained interface defect may justify pausing new enrolment while existing authoritative state remains with its current provider. A provider that conceals a material incident may lose its pilot mandate without invalidating evidence from other providers. Repeated RPKI transition failures may end that function while ordinary registration sponsorship continues under observation. Duplicate current authority that cannot be isolated and reconciled may require ending all live work.

Each boundary needs a named decision maker and an objective trigger. “Material” cannot be left to the sponsor's judgment after an incident. The protocol should define severity through the scope of resources affected, duration, reversibility, unauthorised authority exercised, impact on relying parties and evidence integrity. It should identify the monitoring source, maximum time for classification, public notice requirement and the vote or independent determination needed to resume.

A pause is not evidence that the thesis is false, just as a safe quarter is not evidence that it is true. The evaluator should publish both the operational response and the inferential consequence. If a provider causes a duplicate-state event, the immediate response is containment and handback; the analytical consequence depends on cause, detectability, recovery and recurrence. If the same class appears across different implementations, the claim that portability can preserve uniqueness becomes progressively weaker.

Sponsors should not be allowed to evade a boundary by renaming the pilot, moving entities into an “extended observation” programme or treating a stopped function as ordinary production. The institutional mandate should make the stopping decision effective across every system that received pilot authority. Continuing the same service outside the protocol would destroy the meaning of preregistration.

Rollback must be tested before live authority moves

Rollback is not a promise to reconstruct the old state after failure. Before each move, the authorised operators should create a signed baseline that identifies the holder, resource scope, current provider, legal holds, open cases, dependent services, current RPKI arrangement, reverse-DNS state, public-discovery endpoints and evidence commitments. The gaining provider should demonstrate that it can return an export in the same semantics. The losing provider or designated fallback should confirm that it can ingest the return without interpreting it as a new allocation.

The protocol needs separate rollback paths for several causes: entity choice, provider service failure, security compromise, evaluator-directed safety stop, loss of legal capacity and failure of the common coordinator. A clean voluntary return may be fast. A compromise may require freezing changes, selecting a trusted historical point and replacing credentials. A corporate-control dispute may require temporary read-only continuity while a competent court or review body decides authority. One generic “restore backup” procedure cannot address these conditions.

Handback must be serialized. At no time may the old and new provider both possess valid authority to change the same scope. The common record should show a single transition sequence, with an effective cutover, acknowledgement by the receiving authorised provider and a public status that relying services can reconcile. If the return cannot complete within the preregistered recovery objective, the evaluator records a failed rollback even if staff eventually improvise a solution.

Dependent services need their own return evidence. RDAP discovery, reverse DNS, RPKI publication and hosted key custody do not necessarily move together. Early cohorts may leave RPKI unchanged; later cohorts should state whether a rollback restores prior custody, uses a newly authorised custodian or temporarily freezes certificate actions. Independent monitors must observe what relying parties actually received, not only what the providers' internal systems reported.

Rollback also protects the validity of a negative conclusion. Entities should not be trapped in a failing arrangement merely to preserve the sample, and sponsors should not keep live mandates running because ending them would look embarrassing. A test is ethically and institutionally admissible only if every entity has a safe destination after the evidence turns against the design.

Phase three, 2030-2032: test difficult exits and real failure

Routine switching is the easiest case. The third phase should admit old records, complex organizations, cross-border holders, active but bounded disputes, hosted RPKI transitions and large portfolios. It should also trigger the resolution arrangements of one willing provider through an announced exercise and one unannounced operational simulation overseen by the evaluator.

The aim is to discover whether the common layer can preserve truth without becoming a full-service monopoly. Can it identify the current provider, validate an ordered change, preserve restrictions and direct public discovery while leaving support and optional services contestable? Can a temporary provider operate from independently verified material? Can holders move again after temporary service?

Incumbent registries should be compared not only with entrants but with their own pre-choice performance. If they reduce fees, improve exports, narrow rules or accelerate review in response to credible exit, that is evidence for the counterfactual even when few holders actually move. Contestability can alter behavior before market share changes.

This phase also tests concentration. If one low-cost provider captures most easy accounts, minimum operational reserves, risk-based common charges and portfolio caps may be needed. A portable market that creates a new dominant provider has changed the name of the problem, not solved it.

Phase four, 2033-2036: decide whether the institution deserves scale

By the final phase, the evidence should cover ordinary years and at least one serious substitute-operation exercise. The decision is not binary. Some functions may prove portable while others remain common or require longer transitions. RDAP presentation and ordinary account service may support broad choice; certain RPKI custody changes may require specialized accreditation; adjudication should remain independent of every provider.

Expansion should depend on sustained results over several cohorts, not a single launch year. The evaluator should examine whether initial price gains persist, whether common charges grow, whether providers merge, whether difficult accounts remain served, whether correction quality improves and whether holders retain meaningful ability to move a second time.

The regional baseline must also be observed. Incumbent institutions may reform substantially, global policy may change, IPv6 use may alter portfolio complexity, and new security demands may increase common cost. Difference-in-differences estimates can help distinguish pilot effects from global change, but they will not eliminate every confounder. Conclusions should state uncertainty rather than convert ten years of mixed institutional evidence into one triumphant number.

Preregistration removes the sponsor's escape routes

Sponsors should publish the principal measures, estimands, comparison methods, uncertainty ranges and stopping rules before live migration. The registered protocol should receive a stable identifier and public hash, with amendments appended rather than replacing the original. Otherwise every outcome can be redefined as success. The following scorecard makes the central claims falsifiable.

Cost measures include the comparable service basket, common-core charge, internal operator hours, exceptional-case charges and exit cost. Quality measures include accuracy, unauthorized-change incidence, correction time, reason quality, service availability and complaint recurrence. Scope measures include provider-level mandatory obligations, uses of open-ended authority, independently reviewable decisions and policy volume placed in the common layer. Resilience measures include export completeness, substitute activation time, percentage of records requiring holder reconstruction and continuity of dependent services.

Market measures include provider concentration, switching rate, second-switch success, rejection rate by holder complexity, entry and exit of qualified providers, and the share of common cost paid by each cohort. Distribution measures compare small networks, public-sector users, recent entrants, legacy holders, transferred resources and accounts with disputes.

The central safety floor is stricter than the benefit threshold. There should be no tolerated duplicate current allocation, no unresolved contradictory provider authority and no material degradation in authoritative discovery. A single contained operational error does not necessarily end the entire study, but it triggers pause, disclosure, restoration and root-cause review. Repeated or concealed integrity failures end the responsible provider's authority.

Benefit thresholds should be material rather than ceremonial. For example, a sustained reduction of at least fifteen percent in quality-adjusted non-core cost for the median matched holder, a meaningful improvement in verified routine correction time, and successful substitution within the defined recovery window would support expansion. These values should be debated and sensitivity-tested. What matters is that they are set before outcomes are known and cannot be replaced by testimonials.

Fees will probably separate before they fall

The earliest observable effect may be price transparency rather than a lower total. Today, membership charges can support a mixture of registration, policy development, technical services, meetings, outreach, reserves and projects. Under choice, the common coordination charge, provider service charge and optional-service price would need separate justification.

That separation could reveal that some functions are more expensive than assumed. Historical evidence reconstruction, secure credential recovery and complex transfer review require expertise. A provider serving many small or recently formed networks may have higher support costs than one serving established institutions. Risk-based charges can be legitimate if they reflect controllable service cost rather than the market value of the resource.

Competition should bear most strongly on standardized, repeatable and optional work. Incumbents may remain efficient because they already have scale, experienced staff and mature systems. If they win customers under equal portability rules, the result supports their performance rather than their territorial exclusivity. The policy objective is not an entrant quota. It is credible comparison and exit.

The model would be refuted if common charges steadily absorb every function while provider prices become cosmetic, or if providers finance low prices by selling privileged treatment in record correction. Transparent cost allocation and audited related-party transactions are therefore part of the evidence.

Policy restraint should be visible in reasons and boundaries

Power is difficult to measure through institutional charts. It is easier to observe at moments of refusal. Why was an update denied? Which rule authorized the denial? Could a different provider reach a different service decision without threatening the common state? Was the holder able to obtain independent review? Did the provider bear a consequence for an unlawful or negligent refusal?

A portability regime should produce shorter, more specific grounds for blocking a move: credible fraud, disputed holder authority, a binding legal restraint, an active transfer conflict or a narrowly timed security lock. Unpaid charges for unrelated optional services should not trap the authoritative relationship. General disagreement with a holder should not become a continuity sanction.

The evaluator should sample denials and code their grounds, duration, evidence quality and review outcome. It should publish provider comparisons without exposing sensitive evidence. A falling number of open-ended denials and a rising share of reasoned, reviewable decisions would support the policy-restraint prediction.

There is a contrary possibility. Providers may compete by promising laxity, forcing the common layer to issue more detailed rules. If so, rule volume may rise even as provider discretion falls. The analysis must distinguish useful common constraints from accumulated bureaucracy. The constitutional question is who may impair continuity, on what evidence and with what remedy.

Crisis evidence is more important than smooth-day availability

High availability during normal operation is necessary but weak evidence. Modern providers can maintain public endpoints reliably. The contested question is whether authority, evidence and service survive when management is absent, records are suspect or legal control is disputed.

Exercises should therefore avoid the convenient assumption that the latest copy is trustworthy. One scenario should introduce a selectively altered transfer history. Another should make recent credentials suspect. A third should prevent the provider's directors from authorizing release. A fourth should place ordinary funds beyond reach. The substitute must reconstruct a justified current state from independently held history, holder receipts, public observations and preserved restrictions.

Success is not a fast restart of every function. Some discretionary changes may pause while registration data and existing authority continue. The evaluator should distinguish essential continuity from unsafe haste. It should measure whether affected operators can keep proving their authority, maintain valid route-security entities where appropriate, update emergency contacts and obtain a hearing.

If choice turns a regional crisis into the failure of one replaceable provider, the result would be constitutionally significant. If every substitute still depends on rescuing that provider's directors, proprietary systems or private interpretation, the counterfactual has failed its strongest test.

RPKI can invalidate an otherwise persuasive demonstration

Registration portability is easier to describe than route-security continuity. RFC 6480 ties resource certificates to an allocation hierarchy, and operational services may combine certificate authority, key custody, repository publication and holder interfaces. Moving one element carelessly can revoke or invalidate entities that networks rely on.

The pilot should separate registration-service sponsorship from RPKI service. Early entities can keep existing RPKI arrangements while moving ordinary registration service. Later tests can examine delegated arrangements, publication transitions and hosted custody under dedicated controls. The move plan must state which keys remain, which certificates change, how Route Origin Authorizations are compared, what validators will observe and how rollback works.

No provider should advertise “one-click” movement if the click hides key replacement and publication risk. Independent monitors should observe validity before, during and after each transition. The safety measure is not merely whether the provider says the move completed; it is whether relying parties saw the expected valid state and whether no unauthorized authorization appeared.

A persistent rise in invalidity, stale entities or emergency revocations attributable to movement would argue against expanding that part of choice. This would not necessarily refute portable account service. It would show that institutional functions should be unbundled according to evidence rather than ideology.

Courts and sanctions must remain effective without creating captivity

Portability is not a route around law. A valid court order directed at a resource, holder or transaction must remain attached to the authoritative state when service changes. Sanctions screening and fraud controls cannot disappear at the border between providers. The common layer needs a restrained mechanism for recording the existence, scope, issuing authority and duration of a legal hold.

At the same time, a provider should not convert its own litigation position into a universal lock. Orders must be interpreted by competent authority, contested through available legal process and limited to their terms. A claim against the provider does not automatically justify impairing every holder. A disputed invoice does not justify extinguishing continuity.

The pilot should include mock legal notices, conflicting notices from different jurisdictions and an actual independent review channel for live administrative disputes. Measures include time to recognize a valid restraint, rate of overbroad holds, time to lift expired restraints, preserved access to evidence and whether the holder can move unaffected services.

The counterfactual predicts that power becomes more precise: lawful constraints travel, while provider-specific conflict loses its capacity to trap unrelated operations. Evidence of systematic remedy shopping, inconsistent restraint recognition or easy evasion would falsify that prediction.

Incumbents should be competitors, witnesses and fallbacks

The proposed trial should not be designed as a prosecution of Regional Internet Registries. They hold decades of operational knowledge, historical records, policy experience, security capability and relationships with IANA and one another. Excluding them would weaken the test and make continuity harder.

Incumbents should be able to offer portable service outside their traditional territory if they meet the same qualification, data, price and review rules. They should also provide baseline evidence subject to privacy protection and participate in common technical design without holding a veto over entry. Their current regional portfolios can remain under existing arrangements during early phases.

This creates three useful comparisons: entrant against incumbent, incumbent portable service against its territorial service, and the whole trial against unchanged regions. An incumbent may prove that scale and experience outperform new providers. It may also discover that explicit exports, narrower terms and independent review improve its existing service.

Mutual assistance remains valuable, but it should become a tested substitute capability rather than an emergency promise among peers. A qualified incumbent may be the best temporary provider when another fails. The important change is that the role, authority, data access, funding and exit are defined before the crisis.

NRS can advocate the test, not become the tested provider

Number Resource Society advances an operator-centered view in which registries act as accountable bookkeepers rather than territorial governors. That direction fits the portability hypothesis, but advocacy does not make NRS a candidate registry, registrar, identity verifier, record custodian, transfer operator, RPKI provider, evaluator or appeals body. The operational proposition must be demonstrated by the RIRs and other lawfully authorized registry-service operators that actually hold those duties, with independent reviewers testing their evidence.

NRS can make a constructive contribution by researching failure modes, convening affected operators, supporting members, representing organizations that have granted it power of attorney in RIR governance and campaigning for a test whose measures are fixed in advance. It can publish evidence-led comparisons of incumbent and authorized-provider performance. It cannot submit authoritative changes, hold the common state, qualify providers, certify migration, execute transfers or offer the fallback service described in this counterfactual.

NRS should have no control over evaluation, qualification, common charging, record custody or dispute review. Its public claims should be treated as hypotheses and tested against independently published operator evidence. A member can withdraw an advocacy mandate or power of attorney, but that relationship is not a registry-service account and must never be presented as one. Any pilot execution remains with competent RIRs, lawfully appointed operators, courts and independent review bodies.

That role clarity strengthens the positive case for NRS as an advocacy organization. It can demand that operational institutions be replaceable without asking to inherit their authority, whether now or under a speculative future mandate.

Adverse selection could defeat the market

Providers may seek recent, well-documented holders with simple portfolios and avoid legacy blocks, complex mergers, sanctions exposure, active disputes or expensive support needs. Incumbents would then retain the hardest accounts while entrants advertise lower prices. The apparent efficiency gain would be selection, not innovation.

The pilot should require transparent acceptance criteria and report rejection by complexity class. Risk-based prices may be allowed, but each factor must correspond to expected service cost and be reviewable. A common residual facility can provide temporary service where no provider accepts an account, funded by a levy that does not reward rejection.

Portfolio obligations could require every provider above a size threshold to serve a representative mix or contribute proportionately to difficult-case service. This must be designed carefully: forcing an inexperienced entrant to accept a highly disputed portfolio can increase risk. Qualification levels may permit specialization while preventing the specialist label from becoming an easy-account loophole.

The prediction of lower non-core cost survives only if equivalent cohorts improve. Publishing one low average across a selected portfolio would be misleading. The matched design and distributional scorecard are therefore central, not methodological decoration.

The common coordinator could become the new monopoly

Portable providers need a shared mechanism to serialize changes, identify current sponsorship and direct authoritative discovery. That mechanism has structural power. If it expands into identity adjudication, pricing, optional services, policy advocacy, training, market data and every dispute, provider competition becomes a decorative layer beneath a stronger monopoly.

The common coordinator should have a closed list of functions, published interfaces, independently witnessed history, audited cost allocation, separated management and external review. Its own operation must be replaceable through tested successor activation. Specifications and necessary state should be available to more than the incumbent operator under strict controls.

IANA's numbering role offers a bounded comparison: top-level coordination and allocation records can remain global while regional and local services operate below. The IANA Numbering Services service-level arrangement also demonstrates that performance measures, escalation and successor concepts can be expressed contractually. It does not authorize the proposed model, but it shows that global coordination need not be described as the permanent identity of one contractor.

The pilot fails constitutionally if holders gain a choice of provider but no remedy against the common coordinator. Replaceability must extend upward.

Security competition can improve controls or produce a race to convenience

Providers may differentiate through hardware-backed authentication, delegated administration, multilingual verification, incident response and recovery. That could improve security. They may also compete by reducing friction, accepting weaker evidence or marketing rapid transfers to holders who do not understand the risk.

Minimum controls should cover organizational authority, multi-person approval for high-risk changes, credential recovery, transaction-bound authorization, anomaly detection, evidence retention, staff access, incident disclosure and independent testing. Providers can exceed the floor, but they cannot market an unsafe shortcut around it.

Security outcomes should be normalized by transaction volume and portfolio risk. Measures include attempted and successful unauthorized changes, time to protective action, recovery completeness, credential-reset abuse, insider incidents and unreported discrepancies discovered by independent monitoring. A provider's security claims should not substitute for observed results.

Common controls must remain outcome-focused where possible. Mandating one vendor or interface would freeze innovation and favor incumbents. Yet pure outcome regulation is limited public evidence when a hidden failure may not appear for years. A combination of minimum process, technical conformance and incident evidence is justified.

Market concentration must be treated as an outcome, not an afterthought

Registry service has scale economies. Secure systems, specialized staff, around-the-clock response, legal expertise and common integrations are expensive. Operators may prefer a familiar global provider. The market could converge rapidly on two or three suppliers, or one.

Concentration is not automatically failure if exit remains real, the common layer is neutral and the leading provider wins through superior service. It becomes dangerous when vertical control, proprietary data, switching friction or common-governance influence makes leadership self-reinforcing. Market share should therefore be observed alongside second-switch success, export quality, interoperability and provider entry.

Structural remedies might include separation between the common coordinator and retail providers, nondiscriminatory interfaces, portability deadlines, data-use limits and restrictions on tying unrelated services. A market-share cap may be useful during a pilot to preserve learning but is a blunt permanent tool. It can shelter weak providers and fragment expertise.

The counterfactual predicts narrower power, not endless provider count. A concentrated but contestable service market may be better than five captive territorial institutions; a global private gatekeeper may be worse. Evidence about actual exit decides the distinction.

Public-sector and small-network continuity are distribution tests

Large operators can retain lawyers, security teams and registry specialists. A portability right that works only for them would reproduce the current asymmetry. Small ISPs, community networks, universities, public agencies and critical-service operators should be included from the first live cohort with dedicated observation.

Public bodies may require procurement, archival and jurisdictional assurances. Small networks may lack historical documents or staff continuity. The provider should offer usable evidence export and assisted migration without gaining discretion over the truth of the record. Subsidized assistance can be funded transparently through the common charge or public-interest funds.

Distributional measures include time spent by the holder, need for outside counsel, documentation failures, service interruption, complaint access and effective price as a share of operating scale. The trial should report whether gains accrue mainly to sophisticated traders or extend to operators using number resources to provide ordinary connectivity.

The positive prediction is that standardized portability reduces dependence on personal relationships and institutional familiarity. If small holders face more rejections, longer delays or higher risk after choice, the design needs revision before expansion.

Failure is an admissible final result

Institutional proposals often protect themselves by treating every failure as evidence that more authority is needed. A credible counterfactual names the conditions under which its central claim should be rejected.

The portability thesis is disproved in its proposed form if, after adjustment for cohort and service quality, non-core total cost does not materially improve; provider-level discretionary power is not reduced; verified corrections do not become faster or more reliable; substitute operation cannot meet the recovery objective; or the common coordinator accumulates equivalent unchecked power.

It is also disproved if duplicate authority cannot be prevented, unauthorized changes materially increase, RPKI transitions create persistent invalidity, lawful restraints are routinely evaded, difficult holders become unserved, or concentration makes second exit impractical. Some failures may reject only one implementation. Repeated failures across materially different designs would weigh against portability itself.

The baseline can also fail. If incumbent institutions suffer crises, impose rising costs or produce slow remedy during the same period, that evidence belongs in the comparison. The study is not required to preserve the regional model as an unquestioned control. Both arrangements are judged by the same outcomes.

An adverse result should be stated without euphemism. “More research is needed” may be true at the edge of the confidence interval, but it is not an adequate description when the preregistered benefit threshold is missed or a safety class recurs across providers. The final report should identify which claim failed, whether failure was specific to a function or general to the proposed architecture, how strongly the evidence supports that conclusion and what live authority must end as a result.

The pilot can fail safely and still be valuable. It may establish that ordinary account interfaces are portable while authoritative change control is not; that costs become clearer without becoming lower; that substitution works for public data but not for hosted RPKI; or that the common coordinator reproduces the very discretion the design sought to discipline. Those are institutional findings that would not exist without a bounded trial.

Sponsors must also accept a conclusion that the regional baseline remains preferable under the tested conditions. NRS may contest the interpretation, represent members who experienced poor incumbent service and propose a different future experiment, but it cannot convert advocacy into a power to continue a failed operational design. RIRs and authorised providers must execute the stop and rollback rules; the evaluator must publish the evidence; competent bodies decide whether any materially different proposal deserves a new process.

Passing a phase creates no permanent entitlement

Success would be less dramatic than advocates may expect. One authoritative state remains intact. Most routes continue without visible change. Several providers offer distinguishable services. Common charges are explicit. Routine corrections improve. Operators can move within a predictable period. An institutional failure activates temporary service without a global argument over who owns the record.

Incumbent registries may retain a large share because they perform well. Members supported or represented by NRS may participate as holders if they independently meet the pilot's eligibility rules, while their RIR or another lawfully authorized operator continues to perform every registry-service act. Some RPKI functions may remain specialized. Independent review may overturn providers from every camp. Difficult cases may cost more but receive clearer reasons and continuity protection.

The constitutional gain would be that authority becomes conditional. A provider is trusted because it meets common requirements, serves holders, preserves evidence and can hand over safely, not because geography made exit unrealistic. Policy is narrower because providers cannot use continuity as leverage over unrelated behavior. Crisis correction is faster because the service can outlive the corporation.

Such a result would not prove that every region should change at once. It would justify wider cohorts, stronger interoperability and negotiated transition. Qualified success preserves the right to learn again.

Even the strongest result remains evidence from a bounded population, period and authority instrument. Providers may have behaved differently because they knew they were observed. Subsidies may have hidden durable costs. A small cohort may not expose concentration or long-tail disputes. Technology and law may change after the observation window. Pilot performance therefore supports consideration of a service model; it does not confer a franchise.

Every pilot mandate should expire on a stated date. A provider that performs well may apply in a separate process for a time-limited post-pilot role, but the application must identify the legal and institutional authority able to grant it, disclose conflicts, invite affected-party comment and include review and exit. The record may cite pilot evidence while also addressing scale, funding, liability and conditions that the experiment did not test.

No entity should obtain a preference simply because rollback would be inconvenient. That would turn the trial's own implementation into the source of permanent power. The handback design exists precisely so a competent institution can decide the future without being told that operational dependence has already settled the question.

The pilot sunsets before the 2036 institutional judgment

At the end of the period, pilot authority should sunset under the protocol rather than continue while institutions debate the report. An independent body should publish the full comparative record, its methods, known confounders, security incidents, excluded cases and distributional results. Providers and incumbents should be able to submit responses, but none should edit the findings. Operators whose experiences are summarized should have a route to correct factual errors.

The decision should address each function separately: ordinary registration sponsorship, public data service, transfer assistance, reverse-DNS coordination, RPKI custody, dispute administration, emergency continuity and common coordination. It should say which functions support broader choice, which require further limits and which should remain shared.

If the evidence is positive, any proposal for expansion should enter a new authorization process that includes periodic requalification, open interfaces, independent review and tested successor operation. If it is mixed, competent institutions can consider retaining useful standards without carrying forward the pilot providers' authority. If it is negative, the trial should close safely, preserve records and publish why. In all three cases, the pilot itself ends; only a separately reasoned mandate can begin something else.

The registry-choice pilot is worth attempting because the existing regional settlement was itself an institutional response to scale, geography and administrative burden. It was not a law of nature. But historical contingency is not enough to justify replacement, and experimental participation is not enough to justify permanence. A credible process earns public attention by specifying how it can lose, return every live record safely and leave the final allocation of authority to a later lawful decision.

Sources and analytical limits

  • RFC 7020, The Internet Numbers Registry System supports the requirements for globally unique number distribution, accurate registration and the distinction between registry administration and network routing. It does not require or authorize the portable-provider design assessed here.
  • IANA Number Resources and IANA number-resource allocation data describe the existing global coordination and allocation hierarchy. They are used to identify the common core that a trial must preserve.
  • ICANN Transfer Policy and RFC 9154 provide comparisons for gaining-provider duties, limited transfer controls and narrow transaction authorization in the domain sector. Domain sponsorship is not treated as legally or technically equivalent to Internet number administration.
  • FCC Local Number Portability Administrator technical requirements and Article 106 of the European Electronic Communications Code support the comparison with neutral coordination, continuity, switching rights, anti-abuse controls and remedies in telecommunications.
  • Current Account Switch Service supports the comparison with gaining-provider leadership, timed switching, redirection and a service guarantee. It is evidence of an institutional mechanism, not evidence that number-resource movement will achieve the same results.
  • FCA Regulatory Sandbox and its eligibility criteria support limited live testing with defined benefit, readiness, safeguards, scale and duration. The proposed phases and measures are original applications to number governance.
  • Ofgem's explanation of protection when energy firms collapse supports the supplier-substitution comparison for continuity after provider failure. Energy regulation and Internet number coordination remain materially different.
  • RFC 6480, RFC 8181 and RFC 9224 identify RPKI architecture, publication interaction and authoritative RDAP discovery that make a number-service move more demanding than an ordinary account switch.
  • IANA Numbering Services service-level agreement supports the limited comparison with measured performance, escalation and successor continuity at a global coordination layer.
  • NRS Charter is used only for NRS's stated operator-freedom, accurate-record and accountability direction. It is advocacy evidence and supplies no basis for treating NRS as a current or prospective registry-service provider, qualifier, identity authority, record custodian, RPKI operator, independent reviewer or continuity operator.

The fee effects, thresholds and 2026-2036 outcomes are hypotheses. No live portable number-registry market presently supplies the longitudinal evidence required to confirm them. Sector comparisons identify feasible controls and possible failure modes, while the staged design states what evidence would support, qualify or reject the institutional proposition.