Summary
- RIR elections count legal membership entitlements. They do not normally test whether the voter operates routers, employs network staff, serves customers or carries contractual continuity duties.
- Separation can be legitimate: groups centralise governance in a parent, outsource operations to specialists, hold resources in dedicated entities or authorise consultants to act. The legal member still owes its own contractual duties.
- Published rules prove that non-operational voting positions are possible, not how common they are. APNIC assigns an Associate Member with no chargeable address holdings one vote; RIPE NCC votes attach to the member even when operations and customer exposure sit elsewhere.
- Operational-risk weighting is not an easy cure. Traffic, address holdings and customer numbers can all privilege large incumbents or be manipulated. The better response is a second evidentiary layer: control disclosure, exposure statements, conflicts, customer-impact review and independent scrutiny.
- For routine corporate matters, the member ballot can remain decisive. For decisions threatening registration, certification, delegation or customer continuity, institutions should show that the affected operating surface was understood before treating the result as broadly legitimate.
A ballot arrives in the legal office
Imagine a ballot notice delivered to a holding company. The company owns several operating subsidiaries. One subsidiary runs a broadband network, another manages cloud infrastructure, and a third holds contracts with enterprise customers. Day-to-day routing is handled by a network operations team employed by one subsidiary and supported by an external consultant. The parent is the legal member of the regional registry. Its authorised contact casts the vote.
Nothing in that arrangement is inherently improper. Corporate groups routinely centralise contracts, treasury and governance. The parent can bear financial and fiduciary responsibility for the whole group. An authorised contact can act on valid instructions. Outsourcing can improve technical performance. The member remains answerable for obligations it accepted.
The problem begins when the ballot is described as the voice of the network. The ballot proves that a legal member exercised a constitutional right. It does not prove that the person choosing the vote runs a router, carries an on-call phone, negotiates customer continuity clauses or pays compensation after an outage. Legal authority and operational exposure can coincide. They can also separate.
That separation changes the meaning of election results. A majority can validly choose directors or approve accounts without representing a majority of customer-facing networks. A charging resolution can be lawful while distributing operational costs asymmetrically. A policy position supported by member contacts can be opposed by engineers responsible for implementation. Institutional legitimacy requires knowing which claim the vote can support.
Membership is a legal fact, not an operational diagnosis
RIPE NCC's Standard Service Agreement defines the member as the natural person or legal entity entering the relationship. Its Articles of Association assign one vote to each unsuspended member. These are admirably clear rules. They give election administrators an identifiable register and prevent a vague claim of community interest from replacing legal eligibility.
The rules do not ask whether the member itself operates a network. They do not require that the authorised voter work in network operations. They do not calculate customer exposure, traffic volume, critical-service dependency or the cost of renumbering. Those omissions are not oversights. A corporate constitution normally governs legal members rather than inspecting every business function behind them.
But the omissions constrain interpretation. The member register is a list of constitutional principals inside the association. It is not a map of the operating Internet. A legal entity can own resources and contract for services while another group company uses them. A consultancy can manage registry interactions. A corporate services provider can maintain contacts. An enterprise can hold resources for internal resilience without serving public customers. Each may possess a vote without sharing the same kind of operational risk.
Corporate status is therefore a categorical variable: member or non-member, suspended or unsuspended. Network risk is multidimensional. It includes probability of adverse change, number of dependent services, ease of substitution, customer obligations, restoration time and the severity of failure. One cannot be inferred from the other.
The member, LIR account and network are different units
RIPE NCC's own published counts help establish the distinction. At the end of 2024 it reported 19,993 active members and 20,991 active LIRs, noting that one member can hold more than one LIR. The June 2026 update reported 20,056 members and 20,782 LIR accounts. A member with several accounts still receives one General Meeting vote.
Those figures show that the constitutional unit and the account unit differ. They do not reveal the third unit: networks. One LIR account can support several autonomous systems, internal networks or customer relationships. One network can rely on resources administered through several accounts or regional relationships. The boundary of a legal company may cut across both.
An election report that counts members is accurate for the association. It becomes inaccurate only when the count is used as a proxy for networks. The same warning applies to address holdings, autonomous system numbers and registered entities. These can be useful indicators of scale, but none is a complete count of operating responsibility.
The missing map is consequential. Suppose a resolution receives two thousand member votes. The result says nothing, by itself, about how many customer-facing networks those members operate. A smaller coalition could carry a larger share of continuity obligations. Conversely, a few large providers should not automatically be allowed to overrule many smaller legal members merely because they serve more users. Different denominators support different judgments.
Outsourcing creates expertise without transferring the franchise
Consultants occupy an important boundary. A registry consultant may prepare applications, maintain records, monitor policy discussions, advise on transfers and help an organisation participate in elections. The consultant can understand the system better than the member's directors. It may also support several members whose operational interests differ.
There is no defect in using expertise. Complex institutions depend on professional advisers. The legal question is authorisation: did the member appoint the contact or representative in accordance with the rules? The legitimacy question is disclosure: whose instructions and interests shaped the vote?
A consultant acting for several members can become an informal concentration point even when each authorisation is valid. It may recommend the same candidate or position across clients. That does not prove control; clients can make independent decisions. Yet an election register that shows only legal members cannot reveal whether decision-making has been delegated to a common adviser.
Proportionate conflict declarations can address this without exposing commercial advice. A person authorised to vote or campaign for several unrelated members could disclose the number of mandates and any candidate role. Members could attest that instructions were independently approved. Election auditors could inspect evidence where coordinated action is credibly alleged. The aim is not to stigmatise consultants. It is to avoid mistaking a distributed set of credentials for a distributed set of judgments.
Holding companies can carry real risk and still obscure its location
The phrase holding company can sound accusatory. It should not. A parent may guarantee debts, insure subsidiaries, appoint directors and bear the ultimate economic loss from service failure. Centralising registry membership can reduce duplicate administration and create clear accountability. A parent vote may reflect a genuine group-wide decision.
Nevertheless, the parent often experiences network risk indirectly. Customer contracts sit with subsidiaries. Engineers report to operating companies. Regulatory duties attach by jurisdiction. A service interruption can harm one subsidiary more than another. The parent may prioritise consolidated financial cost while an operator prioritises restoration speed or local legal compliance.
Governance should not assume either unity or conflict. It should request a bounded statement of where operational responsibility sits. For a high-impact proposal, a member could identify whether it is itself an operator, a parent of operators, a resource-holding entity, an internal enterprise network, a consultant-managed account or another category. It could report ranges for dependent customers and critical services without publishing sensitive topology.
Such disclosure would not change the member's vote. It would change the evidence available to the board and the public. A resolution supported mainly by non-operating parents might still be correct, but decision-makers would know that direct operator evidence was thin. A coalition of operating members could show where consequences would land. Legitimacy would rest on an examined distribution rather than an assumed one.
APNIC's Associate tier supplies a clean boundary case
APNIC's membership tier rules provide a concrete demonstration that a vote need not imply number-resource operation. The Associate tier is defined with no chargeable address holdings and receives one vote. Higher tiers receive progressively more votes according to holdings, from two through 64.
An Associate Member can therefore hold a constitutional vote without chargeable IPv4 or IPv6 holdings. That does not mean the member has no connection to Internet operations. It may possess expertise, use non-chargeable resources, participate in policy or have a legitimate institutional interest. The rule simply defeats the inference that every APNIC vote corresponds to a member currently bearing risk proportional to chargeable holdings.
The boundary case is valuable because it separates argument from suspicion. No investigation of a secret shell is required. The published rule itself recognises a voter with no chargeable address tier. APNIC has chosen to include that interest and assign it the minimum weight.
The same rule also shows the limits of resource weighting. Higher holdings increase votes, but holdings do not necessarily equal customer-continuity risk. A large internal enterprise allocation and a smaller provider network can have different affected populations. The tier is an administrable proxy, not a complete moral measure.
AFRINIC draws the boundary differently
AFRINIC allows Associate Membership for individuals and organisations with substantial interest in number-resource management that do not use assigned resources under the registration service relationship. Its published guidance makes that class an observer at member meetings rather than an ordinary electoral voter. Resource and Registered Members hold the central voting powers.
This is a different constitutional judgment from APNIC's. APNIC gives its no-chargeable-holdings Associate tier a vote. AFRINIC recognises an interested non-resource class but limits it to notice, attendance and specified services. Neither arrangement follows inevitably from network architecture.
The comparison clarifies the design choice. Institutions decide whether expertise or interest without resource operation deserves a ballot, a voice, or observer status. They should defend that decision in terms of the association's purpose. If non-operational expertise receives votes, conflicts and representational claims need scrutiny. If it receives no votes, open participation and reasoned consideration become more important.
Again, the question is not whether one region has found the universally correct answer. It is whether the legal electorate is described honestly. A Member list is not automatically an operator list, even when the constitution reserves votes for Resource Members, because resource holding and customer-facing operation can still be separated within a group.
The authorised contact is not the constituency
Every organisational vote needs a human hand. Election systems therefore rely on authorised contacts, corporate representatives and, in some systems, proxies. These people are necessary instruments of legal personality. They should not be confused with the people represented by the decision.
An authorised contact may work in finance, legal, public policy, executive management or technical operations. The role can change. Contact records can become stale. A person can follow formal instructions or exercise broad discretion. Election reports rarely state which function supplied the voters.
That information matters when governance choices concern operational detail. A board election may turn on views about certification, abuse handling, sanctions, transfers or closure procedures. Legal and policy staff can assess many of those issues capably, but engineers and customer-support teams may hold different evidence about failure modes.
The solution is not occupational qualification for voting. Requiring every voter to be a network engineer would wrongly exclude legitimate corporate judgment. A better rule is internal attestation for consequential ballots: the member confirms that it considered relevant operational and customer impact, identifies the approving organ, and discloses material conflicts. The corporate vote remains intact while its evidentiary basis improves.
Dormant resources and dormant companies complicate the picture
A legal member can retain resources or accounts that support little current traffic. Another may hold resources for future deployment, resilience or corporate transactions. Public routing data can suggest activity but cannot prove operational use. A prefix absent from global routing may be used privately, reserved for failover or temporarily withdrawn. An announced prefix may be originated by a contractor or customer rather than the member.
Corporate records are equally ambiguous. A special-purpose entity can be a genuine risk partition required by lenders or regulators. A company with few employees can own valuable infrastructure operated under contract. Describing it as a shell can imply illegitimacy that the evidence does not support.
For these reasons, a public attempt to label every voter "operator" or "non-operator" from routing and company data would produce false certainty. The categories should be self-reported under clear definitions and subject to confidential audit. Relevant questions include who controls the member, who operates the resources, who contracts with customers, who bears outage liability and whether the member is active in the affected service.
Risk classification should use ranges and functions rather than a moral label. The aim is to understand exposure, not to disqualify lawful corporate forms.
Customer continuity is the risk voting data does not show
The most important missing exposure belongs to customers. An LIR or parent company may vote on charging, service or policy matters while customers bear the cost of address changes, record errors or interrupted support. The member can internalise some of that cost through lost revenue and contractual liability, but not always fully.
Customers vary. A household broadband subscriber does not administer the provider's number resources. An enterprise using provider-assigned addresses may face significant renumbering costs. An End User with independent resources under a sponsoring LIR has a more distinct legal and technical position. A cloud customer may depend on addresses without knowing which registry relationship supports them.
Election credentials disclose none of this. A member with one vote can serve millions of users. Another with one vote can operate an internal network for a small company. Equality between the members is not equality of consequence.
This does not make user-weighted voting attractive. Counting end users would hand extraordinary power to the largest access providers and create verification problems. It does mean that high-impact decisions require customer-impact assessment outside the ballot. The vote decides; the assessment informs and constrains.
Legal liability only partially follows operational harm
One defence of member voting is that the contracting member bears legal liability. If it fails to maintain records or serve customers, those parties can sue under their contracts. The member therefore has an incentive to vote responsibly even if operations are outsourced.
The incentive is real but incomplete. Contracts often limit liability. Customers may face proof, jurisdiction and litigation costs. Harm can exceed recoverable damages. An outage affecting public services creates social costs beyond the member's balance sheet. Some customers lack direct contractual rights against the registry, and the member may itself be unable to recover from the institution.
Corporate groups can also distribute liability. The voting parent may not be the customer counterparty. Guarantees may be limited. A special-purpose holder can contain risk. These are lawful structures, but they weaken the assumption that the voter internalises every consequence.
Governance should therefore ask where liability lands rather than assume it follows membership. An impact statement can identify contractual responsibility, insurance, continuity plans and downstream exposure in aggregate. This is not a substitute for legal rights. It is evidence about whether the electorate carries the costs it authorises.
A valid vote can still be a weak legitimacy signal
Corporate validity and institutional legitimacy operate at different levels. If the Articles give each unsuspended RIPE NCC member one vote and the election follows the rules, the result is valid within the association. The absence of operator weighting does not void it.
But the same result may be weak support for a broader claim such as "the operators of the region approved." To make that claim, the institution would need evidence that voters were operationally representative or that affected operators had another effective channel. The member ballot alone cannot provide it.
This distinction protects both law and criticism. Critics should not call every mismatch unlawful. Institutions should not use corporate legality to close debate about consequence. A decision can be properly made and still require stronger reasons, transition safeguards or review because its burdens fall outside the electorate.
The appropriate response depends on subject. Electing auditors or approving ordinary accounts may need no special exposure analysis. Deregistering resources, changing certification services, altering sponsor obligations or restructuring fees can affect continuity and may justify it. Institutional design should scale with impact.
Why network-weighted voting is a dangerous shortcut
Once the mismatch is visible, the tempting cure is to weight votes by operational risk. Every proposed measure creates new problems. Address holdings reward scarcity and historical accumulation. Traffic volume favours dominant carriers and can fluctuate or be concealed. customer count gives mass-market providers control over enterprise and infrastructure interests. Revenue rewards wealth. Autonomous system count can be multiplied. Critical-service status invites contested classifications.
Any single metric can turn the electorate into an incumbency machine. Large operators already possess staff, travel budgets and policy expertise. Formal weighting could make their advantage permanent. Smaller networks often introduce innovation and serve remote or specialised communities. Their equality as legal members is worth preserving.
Operational data are better used as evidence than as automatic ballots. A board should know whether a proposal disproportionately affects small access networks, large carriers, independent-resource users or public infrastructure. It can then modify timelines, remedies and transition support. The member vote can remain equal while consequences are treated unequally where fairness requires.
A bicameral or double-majority design could be considered only for narrowly defined existential decisions. Even then, the exposure chamber would need audited definitions, caps and anti-duplication rules. Complexity should not be introduced without evidence that ordinary safeguards fail.
An exposure statement can be modest and useful
The minimum reform is not a public inventory of networks. It is a standard exposure statement completed by members for major consultations and elections. The statement could classify the member's role, in ranges: direct network operator, parent of operators, internal enterprise, resource-holding entity, public institution, consultancy or other.
It could identify whether the member serves external customers, whether resources support critical services, whether operations are outsourced and whether the authorised voter advises other members. Customer and employee counts could be bands rather than exact figures. Sensitive details would remain with an independent auditor.
Aggregate results would accompany decisions. Readers might learn that a proposal was supported by a majority of voting members but opposed by most respondents directly operating customer-facing networks. That fact would not automatically reverse the vote. It would require a reasoned explanation and perhaps a longer transition.
The statement should be voluntary for routine matters and mandatory only where constitutional authority and service consequences justify the burden. False declarations should have proportionate sanctions and a right of appeal. The design should gather only what the decision requires.
Control disclosure belongs beside exposure disclosure
Operational separation often follows corporate control. A member may be controlled by a parent that also controls other members. The immediate topic is not multiplication of votes; it is whether the person appearing on the register is the level at which risk decisions are made.
A bounded control declaration can answer that question. It should identify the ultimate controlling person or public body to an election auditor, significant affiliated members and the internal organ that approved the vote. Public disclosure can use group names or concentration bands where privacy and security require restraint.
The declaration would show whether several legal voters depend on one central governance team or whether subsidiaries make independent decisions. It would also identify conflicts when candidates, consultants or officers influence votes across groups.
Control is not the same as operational exposure. Both should be reported. A parent can control several independently operated networks; an operator can manage resources owned by an unrelated entity. Keeping the axes separate avoids another false proxy.
Decision records should state what the electorate could not show
A disciplined board paper would include an evidence-boundary section. It would state the number of eligible members and ballots, the distribution of disclosed operating roles, the customer-impact evidence received, and the categories for which data remain unknown. It would not say that voters represented all operators unless the evidence supported that claim.
Reasons should address concentrated burdens. If directly exposed members oppose a proposal, the board should explain why their evidence was rejected or how harms were mitigated. If non-operating members supply useful legal or financial analysis, that should also be acknowledged. Expertise is not invalid because it is non-operational.
This record performs an administrative-law function without pretending the association is a government. It disciplines relevance, consistency and explanation. It creates material for later review. It makes future correction possible when predicted risks prove wrong.
The practice would also improve elections. Candidates could state how they understand the difference between member mandate and regional consequence. Voters could judge whether a candidate treats operational evidence seriously rather than claiming universal authority from a narrow ballot.
Independent review should focus on facts, not substitute policy
When a high-impact decision is challenged, an independent reviewer should not simply rerun the election or impose its preferred policy. Its role should be narrower: verify eligibility, conflicts, evidence disclosure, consistency with the governing instruments and rational treatment of material operational risk.
If the board ignored a documented continuity hazard, the reviewer could require reconsideration and temporary preservation. If exposure data were materially false, it could order correction. If the disagreement is merely about policy merits after a fair process, the member decision should stand.
This distinction keeps review legitimate. Courts and arbitrators are poorly placed to design routing policy, but they can test whether a private institution followed its own rules and considered relevant evidence. Specialist review panels can add technical competence if their appointment and independence are credible.
Remedies should be proportionate: reasons, disclosure, reconsideration, delayed effect or interim continuity before invalidation. The objective is reliable institutional judgment, not judicial management of every registry choice.
What public evidence can and cannot prove
Published constitutional documents prove that votes attach to legal members and authorised representatives. Tier rules prove that APNIC recognises a minimum-vote Associate class with no chargeable address holdings. RIPE NCC statistics prove that members and LIR accounts are not the same denominator. End User requirements prove that continuity obligations can sit in downstream relationships.
They do not prove how many voters are holding companies, consultants or non-operating entities. They do not identify a named member as a shell. They do not reveal the instructions behind a ballot or establish that operators would have voted differently. Public routing data cannot fill those gaps reliably.
The conclusion must remain bounded: the institutional rules allow legal membership and operational risk to diverge, and current public reporting does not measure the divergence. That is enough to reject expansive claims about what a ballot represents. It is not enough to allege capture.
The uncertainty is itself a governance finding. An institution that invokes operator legitimacy should collect evidence capable of supporting it. If it chooses not to collect that evidence for privacy or cost reasons, it should narrow its claims.
Preserve the ballot, improve the claim
The strongest reform is modest. Keep the legal member ballot for ordinary corporate governance. Do not award power mechanically by addresses, traffic or customers. Add an exposure and control layer for consequential decisions. Require conflicts from multi-member advisers. Publish aggregate operating-role data. Give affected customers and engineers a direct evidentiary channel. Record reasons and preserve continuity during credible review.
This design respects association law while acknowledging infrastructure effects. It does not declare consultants unfit, holding companies illegitimate or small internal networks unimportant. It asks only that each kind of entity be counted for what it is.
In future institutional models, Number Resource Society's emphasis on treating operators as principals offers a useful direction if translated into verifiable representation, privacy-protecting disclosure and real continuity safeguards. Operator language alone is not enough; the same mismatch can recur under a new name unless voting, control and exposure are separately audited.
The voter who bears no network risk may be a lawful and valuable member. The error is not admitting that voter. The error is allowing a valid corporate ballot to certify facts it was never designed to measure. A mature registry should be able to say: these members decided, these operators were exposed, these customers carried the consequences, and this is how all three were heard.
Elections need a map of non-operating influence
The most sensitive cases are not ordinary non-operating members. A university holding internal resources, a parent company coordinating group policy, or an enterprise with resilient internal networks can all have legitimate interests. The harder cases arise when non-operating influence becomes systematic and invisible.
If several members outsource their registry positions to the same adviser, if related companies vote separately while sharing a single control centre, or if a resource-holding entity votes on questions whose costs will fall almost entirely on another operating company, the association may still count valid ballots while losing sight of who is shaping the decision.
The cure is not a public accusation register. It is a map of influence categories. An election administrator can ask whether the authorised voter is an employee, officer, group officer, external adviser or other representative. It can ask whether that person is authorised for more than one member. It can ask whether the voting member directly operates a network, controls an operating network, holds resources for internal use, or acts primarily as a resource-holding vehicle. These categories do not disclose routes, customers or trade secrets. They show whether the electorate is broad in substance or only in legal names.
The map should be published in aggregate before consequential votes and after board elections. Members would know whether the ballot was driven mainly by direct operators, group offices, consultants, internal enterprises or holding entities. Candidates would know which constituencies they had failed to reach. Boards would know where to seek more evidence before claiming that the region's operators have spoken.
The same information would make abstention more interpretable. A low turnout among direct operators has a different meaning from a low turnout among non-operating holding entities. A high turnout among advisers acting for many members has a different meaning from high turnout among independently staffed network companies. Legitimacy improves when the institution can describe the electorate it actually had.
Customer exposure is not represented by member risk alone
Even an operating member may not carry all downstream risk. A broadband provider, cloud platform, hosting company, public-sector network or enterprise service provider often passes registry consequences to customers that have no direct relationship with the registry. A change in certification, reverse delegation, contact validation, transfer policy or account standing can appear to the institution as a member issue while appearing to customers as broken access, failed compliance evidence, delayed migration or address-change cost.
This point matters for non-operating voters because they can be even farther from customers. A parent can approve a registry position after reviewing finance and legal exposure while the operating subsidiary understands service-level harm. A consultant can assess process risk while a downstream customer faces implementation cost. A holding entity can focus on preserving resource value while the live network needs quick correction.
No voting system can represent every customer directly. Direct customer voting could multiply constituencies, expose private contracts and overwhelm the registry with unverifiable claims. But customer exposure can be measured and heard without becoming a ballot. Members can submit impact statements by customer class. Associations can require specific consultation where a proposal predictably changes customer continuity. Independent-resource users and sponsored parties can receive notice when their records, credentials or sponsor relationship may be affected.
The important institutional statement is that member risk is not automatically customer risk. A member may internalise customer consequences through contracts and reputation. It may also underweight them when customers are locked in, dispersed or uninformed. Evidence should decide which situation exists.
Why equal voting still deserves a defence
Equal legal voting is not a mistake merely because it is incomplete. It prevents large incumbents from converting scale into permanent constitutional dominance. It gives smaller holders and new entrants a formal position. It gives the association a stable electorate that can be audited without measuring every packet, customer or corporate-control chain. It is administratively legible, and legibility has value.
The critique is therefore not that one-member-one-vote should be discarded. It is that equal voting should not be asked to carry every legitimacy claim. It is a fair rule for choosing directors and approving ordinary association business. It is a weaker rule for decisions that operate like infrastructure sanctions, market-entry gates or continuity shocks. The same ballot can be valid for one purpose and limited public evidence as evidence for another.
This distinction allows reform to be conservative. Keep the ballot. Add exposure evidence. Keep equality. Add conflict and control disclosure. Keep representative boards. Add reasoned impact records. Keep open policy forums. Add specific notice to affected non-members. The aim is not to turn registries into parliaments or utilities. It is to stop a private association from mistaking corporate form for a complete map of public consequence.
Number Resource Society's future-facing value, if it develops into a practical alternative, will depend on preserving this lesson. Operator language can become as vague as member language if it does not specify who operates, who controls, who pays, who can exit and who bears customer harm. A new institution should not merely replace the voter label. It should disclose the relationship between voter, network and risk from the beginning.
The boundary should also be revisited after each major institutional stress. A crisis, failed transfer, court order, suspended account or emergency certification change can reveal that the person entitled to vote was not the person best placed to explain consequence. Those episodes should be used to improve the exposure map, not to shame lawful voters after the fact.

