Back to  home page

Introduction

        The Question Presented. Conflicts between trademark owners and
the holders of domain names issued on a first come first served
basis by those registering internet identifiers have triggered a
reassessment of basic questions regarding net governance. To the
surprise of many, it is just not clear who has the ultimate right
to set policy regarding the terms and conditions on which key net
identifiers -- IP addresses and domain names -- are issued,
"registered" and effectively reserved for continuing use (or,
indeed, revoked). Does a domain name holder have any right to
complain if the registry that reserved that address decides to
cancel it? Does a registry have a duty to cancel a block of
identifiers issued to an ISP that harbors illegal activity? Nobody
knows, because there is no consensus at the moment regarding any
particular set of terms and conditions that ought to apply as a
required condition for (1) operation of a domain name registry or
(2) the continued enjoyment of a domain name (or IP number) or
subsidiary address on the net. Thus, because owners of traditional
intellectual property in the "real world" have raised challenges
to the right of some to hold new forms of real estate and identity
in cyberspace, we now face a critical question: What terms and
conditions may (or must) be imposed, by whom, as a requirement for
granting or receiving and continuing to enjoy access to (and
identity on) the net?

        We should address this question now. To proponents of an
indefinite continuation of the form of anarchy that characterized
early development of the net, even raising the question regarding
minimum obligations for all owners of net IDs might seem like
treason or, at the least, a disastrous sign that civilization will
encroach on the freedoms that flourished online in early days. In
contrast, those who know that the current system of issuing online
identities is administered pursuant to contracts granted by the US
government, may consider the opportunity to rethink who controls
policies regarding online identity as a golden opportunity to pry
these basic questions out of the hands of unduly self-protective
bureaucratic authorities -- or to challenge the non-accountable
control actually exercised by a small technical elite. From either
perspective, the current challenge is both daunting, because it
involves figuring out the right relationship between
self-governance of the net and the application to online
activities of a multitude of local laws.  If we address the
question promptly, before local governmental authorities attempt
to extend their rules to cover the net, we may have a chance to
fashion a private contract regime that finds a workable balance
between centralized control and local diversity, that encourages
and allows experimentation while providing a stable environment
for online commerce, that protects both private property and civil
rights, and most importantly, that helps keep most of the
regulatory instincts of local governmental authorities at bay. If
we do not etsablish a private, contractually based self-governance
regime, using the allocation of net identifiers as the fundamental
legitimating and enforcement mechanism, we will face the growth of
conflicting, geographically-based regulatory regimes that impose
substantial costs and create uncertainty that will stunt the
growth of the new medium for global commerce and community.
Potential Sources of Conditions Imposed on Enjoyment of Access to
and Identity on the Net

        Traditional, geographically based laws cannot adequately
establish the conditions on net identity. It may come as a
surprise, perhaps even a dismaying one to some, that traditional
legal institutions are not well situated to control the issuance
and use of identities on the net. Obviously, each country
maintains authority to control the actions of those people and
properties (including registries) within its boundaries and over
which it has control. But, unless effectively prohibited by local
laws, a citizen of any country can establish an identity -- a
domain name or a subsidiary email address -- that is issued by
(and, directly or indirectly registered with) an authority located
in any other jurisdiction. There is no geographical limitation on
the holders of ".com" domains, much less on the location of those
to whom they in turn issue addresses and ID's. Indeed, there are
not even universal policies tying issuance of an identity based on
a top level domain tied to a particular country (e.g., ".ca" for
Canada or ".de" for Germany) in such a manner that its holder is
necessarily subject to the authority of that country. Various
countries may have registries that impose such conditions -- but
some may not.  Moreover, in theory at least, anyone anywhere in
the world can (unless local law prohibits this and is enforced)
set up a "registry" and associated lookup tables that map domain
names to IP addresses. If local ISP's point their domain name
resolution software at such root servers, then not even the
established administrators of internet technology could prevent
such an alternative registration system from arising. There is, in
short, no effective source in geographically based law for
regulation of the issuance of identities on the net.

        The technical community has not provided a complete alternative
source of policy guidance or dispute resolution.  There are well
established and functioning non-governmental institutions that
have, albeit sometimes acting under contracts with governments,
operated to administer the issuance of IP addresses and domain
name registrations.  Despite the theoretically open nature of the
internet standard, as a practical matter control over the issuance
of internet identities has been exercised by a limited number of
private parties (such as IANA, InterNIC, RIPE-NCC and AP-NIC, the
latter two of which are private consortia).  But, perhaps again
surprisingly to those newly aware of the important policy
questions raised by net-based activities, these organizations have
functioned by choice primarily as technical and ministerial bodies
-- not as policy making forums. NSI (working as the agent of
InterNIC) has promulgated some policies for dealing with trademark
disputes. But the thrust and obvious goal of its efforts has been
to avoid liability for its actions as a registry, rather than to
clarify more generally the terms and conditions applicable to
holding an online identity or owning an online space. When IP
addresses and domain names seemed in ample supply and "policy
neutral", the technical groups established first-come first-served
allocation. Now that legal conflicts have started to arise, these
same allocation mechanisms are understandably unable to help
formulate and resolve those disputes. The general attitude of the
techies who have run the net has been: "We'll obey a court order,
but keep us out of law and politics." The result has been a policy
vacuum that invites litigation and accelerates questions regarding
who, if anyone, has jurisdiction over disputes about identities
and activities on the net.

        The top level registries could establish a contract that
establishes core policies and creates an enforcement and dispute
resolution mechanism.  Another potential source for conditions to
be imposed on the ownership and use of net identities might be
contracts entered into both (1) among registries and (2) between
the registries and those who receive registered blocks of IP
numbers and particular domain name addresses. There is already in
place an informal set of agreements among registries and between
the registries and major internet service providers,  to the
effect that all will accept IP numbers allocated by the current
procedure and that all will point their domain name lookup tables
to the same roots.  The net itself arises from protocols, such as
TCP/IP, that gain their validity from widespread adoption by
individual network owners -- the kind of "agreement" that an open
standards process produces. These types of de facto agreements
among those who operate the net and the IP address block
allocation process and the domain name registries have not, yet,
addressed the question whether continued enjoyment of a domain
name or IP address ought to be conditioned upon compliance with
any particular minimum contractual terms and conditions. But they
could readily do so, simply by including such conditions in the
contracts already at least implicitly in place.

        The Internet Services Providers also impose conditions on access
to net identities, but they want and need to impose a diverse set
of policies.  Most individuals who gain access to the net obtain
an email address or space for a web page from an internet service
provider. And most ISPs require that the user sign a contract
including various conditions on continued access to that
identifier or, indeed, reserving the right to cancel the ID at any
time for any reason. But these conditions are not uniform. Some
ISPs (like AOL) have elaborate "terms of service" and actively
enforce at least some content and online conduct standards. Others
are much more permissive policies or, at the extreme, promise
users not to monitor or interfere in any way even with otherwise
"public" online activities. Some ISPs demand extensive informaton
regarding the real world identities of their users; some require
no information at all. Moreover, users dissatisfied with the
policies of one ISP can relatively quickly move to another
provider. As more people invest more time and effort in building
up the reputation attached to a particular online identity (an
email address or screen name), there will be some questions
regarding a right to portability or a right to due process before
extinction of an online name. But, for the moment, the mobility of
online users and the number of competing sources for individual
online identifiers means that ISPs could not themselves serve as
the source of any standardized, minimum uniform set of terms and
conditions attached to online access or identity. The work of
creating a core set of obligations associated with online access
-- establishing the "price of netizenship" -- will have to be
done, if at all, by the central registries that hand out blocks of
IP addresses and register domain names.

What ought to be the Price of Netizenship?

        The adoption by most registries of some minimal set of terms and
conditions attaching to the continued use of a net ID -- and an
agreement on the procedures to be used to apply those terms to
specific situations and to resolve disputes -- would create the
foundation for an enforceable regime of self-regulation for the
net.  But the governments of the world would only defer to such a
regime if it were considered "responsible". And the private
participants would only go along with this regime if it served
their interests in facilitating the new electronic trade. What can
we say, in advance, regarding which contractual terms would be
likely to meet these criteria -- gaining widespread agreement from
private parties and convincing governments to accept the results?
Let's examine that question at two different levels: (1) the
conditions registries are likely to want to impose on one another,
and (2) the conditions they are likely to agree to impose on
registrants (and, indirectly, on the registrants' subsidiary
grantees).

Conditions for Operating A Registry -- to be Agreed Upon Among
Registries

        Coordination. The most obvious term of agreement among registries
-- which is already in effect as a practical matter -- is
agreement to stay within the bounds of the blocks of IP addresses
and domain name spaces allocated to them. No one in the business
of registering net identifiers would want to be involved in a
system in which two different registries, in an uncoordinated
fashion, could give the same address to two different people (or
map the same domain name to two different IP addresses, or reserve
a port number for two incompatible services). This is not to say
that there might not be competition among registries to issue
addresses drawn from a central registry. There may be room for
competition on service even with regard to issuance of the same
block of potential addresses. But, ultimately, identifiers must be
unique to be useful and, therefore, those who seek to add value to
the online world will want to coordinate to produce useful,
non-confusing, consistent identifiers and associated
registrations.

        Payment of Fees. A second goal shared by all registries is the
enforcement of obligations to pay any fees due for the
registration (and policy making) service. There might be price
competition among those who charge fees for registration services
-- and there might be multiple parties with authority to issue
identities drawn from the same general block (with coordination by
means of a central meta-registration database). But, even if there
were some competition, all involved would want to make sure that
the fees they charged could be collected. So all might agree, for
example, that a domain name ought not be allowed to be transferred
from one IP address to another such address if they payments
clearly due to the previous registry have not been made.

        Security.  Insofar as net identifiers are used to authenticate
messages, it will become increasingly important to be able to be
sure that the source of a message is accurately reflected in the
identifying data. And it will be correspondingly important to
limit access to the right to change contact information and other
indicia of ownership of online identities. The registries will
thus have an incentive to cooperate to establish minimum security
practices.

        Dispute Resolution. Another key issue on which most registries of
internet addresses and identities will want to agree is how to
resolve disputes.  By contract among themselves (and, as more
fully discussed below, by means of contracts they agree to enter
into with their customers as a condition for registration), the
registries could require resort to some form of arbitration --
perhaps online arbitration that looks to a uniform body of law
developed with a view to fostering the growth of the net. Such
private agreements requiring arbitration are broadly enforceable
in the international context -- more easily enforced, in fact,
than the judgments of local courts. Most or all registries will
have an interest in obtaining the agreement of most or all
registries to impose such conditions -- because some of the
challenges aimed at any particular registry may come from parties
that have a need for registration with another authority. If
access to net identifiers is generally conditioned on a promise to
arbitrate disputes relating to the net, then the registries and
their customers will be spared lots of expensive litigation.

        Rules Designed to Preempt "Real World" Disputes.  It may turn out
to be advantageous for registries to adopt uniform practices
designed to defuse controversies with those who feel threatened by
online activity. For example, disputes and law suits regarding
alleged "infringement" or "dilution" of trademark rights might be
kept to a minimum by a set of practices that reserve domain names
that resemble "famous" marks for registration by those who have
obtain the most extensive protection of such marks in the "real
world" (by registering the marks in multiple jurisdictions). Such
practices might be adopted by registries taking action
independently from one another. But a uniform "trade practice"
would have some advantages in providing protection to those who
adopt it -- insofar as it serves as a measure of what actions are
commercially reasonable.

Minimum Terms Applicable to Registrants -- to be Established as
Conditions for Access, by Ageement Among Participating Registries

        The most important question posed for the registries as a group
is what set of terms and conditions, if any, to agree, mutually,
to establish as requirements for registration of net addresses and
identifiers. One possibility is that there might be no agreement
on any such "mandatory minimum" terms. This would maximize
innovation and diversity -- but it would also cripple any effort
to persuade local governments to refrain from regulation of the
net. If there is no "price of netizenship", then there is no
credible claim that the net is engaged in responsible
self-regulation or that the most serious forms of misconduct that
might be engaged in online will not be harbored for long but will
instead by rooted out by means of banishment.  At the other
extreme, an elaborate contract that established detailed
conditions for net access would be difficult to sell. No global
consensus could be achieved on many issues. So any agreed-upon
"flow down" conditions must be carefully limited.  Consider the
following areas on which agreement to impose minimum requirements
as a condition for issuance of a net identity might be reached:

        Fraud Prohibited. It is not now an express condition for
obtaining an IP address or domain name that the recipient promises
not to engage in or facilitate fraud. On the other hand, most ISPs
would quickly terminate the email address of a user found to have
engaged in such activity. Fraud differs from other controversial
online activities because the presence of such activity undermines
confidence in the entire online marketplace.  Of course, it should
quickly be noted that different people and cultures may have
differing views regarding what constitutes self-interested
deception. But those differences would not necessarily prevent the
entry into and enforcement of an agreement, and associated dispute
resolution procedures, that are designed to stamp out at least
those kinds of activities that most obviously threaten confidence
in online commerce. There will be serious questions of due process
and line drawing. But it seems likely that holding and using an
online address, obtained from a mainstream registry, will become
conditioned an on express undertaking not to engage dishonest
actions for personal gain (and an accompanying commitment to
submit disputes to a particular dispute resolution process.)

        Other Crimes Against the Net Prohibited.  There may well be other
actions that are generally agreed to be so disruptive of online
commerce that most or all registries will agree to make their
registrants promise not to engage in such actions.  The
intentional launching of destructive software code might be one
such example. It is the equivalent of the use of "force" --
because, unlike the passive software filters and labels to which
others can readily response with technological countermeasures,
destructive code is specifically designed to defeat
self-protective measures and to impose the will of the individual
propounder on the net as a whole.  Surely, any registry or ISP
found harboring a person who regularly sends out computer viruses
would be cut off from the central cooperating domain. Elimination
of net identifiers (and establishment of filters to stop all
incoming messages from "outlaw" domains) may be the best way to
control such activity -- likely more effective than any
geographically based law enforcement.

        Dispute Resolution and Enforcement. The registries would probably
agree to require all registrants to resolve all disputes regarding
use of the net by means of the same international arbitration
process the registries use to resolve disputes among themselves.
This would increase efficiency, of course, but its other primary
positive effect would be to produce a consistent "law" applicable
to all participants in the net.  Moreover, because many of those
who now use traditional courts to challenge the right to hold and
use particular net identifiers (e.g., on trademark grounds) want
to obtain such identifiers themselves, imposing an obligation to
arbitrate disputes about online activities as a condition of
access to net identity could serve to prevent a good deal of
counterproductive litigation that might produce inconsistent and
confusing results. Much attention will need to be paid to making
any such arbitration regime fair and expert and reasonably
responsive to the interests of key constituencies. But a regime of
arbitration established by private contract seems likely to be the
most responsive and effective means of deploying the power of
"banishment" to counter the two great evils of  "fraud" and
"force" online.

        Disclosure of Rules. Even if the central registries did not agree
to impose an elaborate set of  standardized conditions on all
registrants, they might nevertheless agree that each separate
registry, operating at its own discretion within the resulting
realm of permissible options, must disclose clearly the conditions
it has imposed on registrants. And another such condition might
well be a requirement that registrants themselves clearly identify
the conditions they impose on and enforce against their subsidiary
grantees.  The key to reconciling meaningful self-regulation with
diversity may be mandatory disclosure -- designed to allow all
concerned to adjust their own behavior based on the known
practices of others.  For example, it may be impossible (and might
be unwise) to reach general agreement on a single set of rules
applicable to authentication of users, protection of the privacy
of information about or communications by users, the rights of
participants in online forums to copy or republish material
originating in such forums, the rights of certain types of
organizations to own and operate online identities as a group, or
the standards applicable to content control. What is critical, for
responsible self-regulation of the net, is not that such rules be
uniform, but, rather, that the rules applicable to any particular
online space be clearly disclosed and conveniently ascertainable
by those who might want to avoid (or seek out) particular rule
sets (or who might want to avoid contact with those who follow, or
decline to follow) particular practices.

        Candidates for mandatory disclosure include all the issues that
press the hot buttons of governments and net users. For example,
even if we allow some users to remain anonymous, each holder of an
online identity might well be required to indicate in some fashion
whether or not information about the "real world" identity of the
user is available, directly or from the sysop or higher level
domain name holder, and upon what terms and conditions such
information is available. That way, those who want to avoid
dealing with anonymous parties can set their own software to
filter out such communications. Local government that want to
allow or prohibit their local citizenry to engage in anonymous
communications can do so without seeking to regulate the entire
net. And, while the resulting mixed regime will likely please no
one, it will allow diversity and empower individual choice.
Insofar as users of the net can readily determine with whom they
deal, the resulting diversity will best serve the growth and free
flow of global commerce, while also allowing those who seek to
live within a specific set of rules governing online trade to do
so.

Constraints on this Contracting Process

        Should we be concerned that, once registration contracts contain
any conditions at all they will evolve to include oppressive
limitations on the rights of all net users? I don't think so. The
ultimate decision-maker as to which activities are so seriously
wrongful that they ought to be cause for banishment would be the
collection of registries, which would seek to serve the interests
of a diverse, global constituency. If a substantial minority of
registries disagreed with a majority, they would be free to form
their own coalition with different rules.  That might be a painful
choice -- but the pain would also be felt by those from whose
coalition the dissenters defect. Because relatively widespread
agreement on a few enforceable core rules will be most valuable to
the majority of registries and their constituents, those
attempting to press for conditions that go beyond the core
consensus (prohibiting "fraud" and "force") will likely fail.
(Even an effort to agree on a general formula, such as a required
promise not to use the net to "conspire to violate applicable
local law", would soon unravel as participants realized that (1)
what is unlawful in one country may be constitutionally protected
in another and (2) determining which local government's law should
apply to activities online is a very difficult if not inherently
incoherent exercise.) The need for an agreement among a large
number of international actors will tend to keep the power of the
central registries in check.

        Perhaps the contracting process would prove partially
ineffective.  As noted, no registry can be forced (by the rest) to
go along with any particular version of the contract. On the other
hand, there is reason to think that a generally acceptable set of
agreements would gain widespread acceptance -- in part because the
ISPs and users who agree to live within one particular set of
rules and dispute resolution procedures might well decide to
filter out messages from, and to avoid, online spaces living under
a different regime. While there is a risk that some registry might
become a haven for wrongdoers, such an online venue could be
shunned as a "den of thieves" and the IDs it creates would likely
be filtered out. If an outlaw registry persisted in issuing net
identities that could not be so filtered or that were designed to
be confusing or to conflict with those issued by others, the
coalition of registries would be justified in seeking the help of
local law enforcement authorities to eliminate this practice. And
the registry that tolerated such activity would, unlike individual
wrongdoers, be relatively easy to find and discipline.

        A key remaining question is whether a contractually-based
self-governance regime constructed in this way would, ultimately,
be deemed "responsible" by the governments that would otherwise
feel impelled to regulate online activity. Only time will provide
the answer to this question. But there is reason for hope that
governments can be persuaded to defer to such a regime. For
starters, the power of the registries to banish users provides a
much more effective enforcement tool than might otherwise be
available to any particular government. Moreover, the contractual
regime decentralizes (and largely privatizes) all the costs of
enforcement and dispute resolution. Some governments may want to
become a party to any contractual regime, insofar as they
administer their own top level domains (e.g., ".gov") and need to
coordinate with other registries. It would be hard for governments
to both agree to the contract and to challenge this contractually
based regime.  In addition, the contracting parties in aggregate
possess the necessary mastery of technical issues and the ability
to react quickly to fast developing policy issues, to a much
greater degree than do governmental bodies. Most importantly, the
private contracting parties can determine what key provisions the
governments consider to be essential and take action to defuse
threatened confrontations. An ongoing conversational process among
registries, governments, and end users, will probably lead to
contractual provisions that protect the vital interests that
governments seek to protect, without imposing new enforcement
burdens on limited government resources and without sacrificing
the fundamental freedoms (any assault on which would cause
netizens to move on to less regulated territory).

Conclusion

        The dispute between domain name registries and trademark owners,
seemingly a minor quarrel of interest primarily to a small group
of intellectual property lawyers and techies, has opened up a
series of vital questions regarding who governs the net. Because
online identifiers and addresses are the core requirement for
participation in the net, the conditions that may or may not be
imposed on their use are fundamental to the preservation of both
property rights and individual freedoms in this new sphere of
human endeavor. Because local governments lack jurisdiction -- and
a clue -- we cannot look to them to set applicable rules. In
contrast, because the central ID registries and their sysop
registrants hold the on-off switches that provide a means of
enforcement, we can look to agreements among these private parties
as the source of responsible self-regulation of net based
commerce.  We will need to redefine due process in this new
context, because the procedures for making the law of the net will
not resemble the assembly of legislatures, the issuance of binding
court decrees or even the solemn entry into international
treaties. To the contrary, the law of the net will be made around
a bargaining table, by private agreements, among those who, more
than any others, wish the net well. Perhaps the most fundamental
protection for freedom, in this context, will remain the ability
of the user -- and even the ISP and registry -- to refuse to agree
to any particular set of contractual provisions.   The "price of
netizenship" will mostly likely be (1) an agreement not to engage
in fraud or actions destructive to the net as a whole and (2)
continuous  involvement in a negotiation process -- between users
and sysops, between sysops and address dispensers, between address
dispensers and registries, and ultimately among registries -- a
new form of collective "eternal vigilance", if you will -- that in
aggregate determines the terms and conditions under which online
identities and addresses are made available and revoked.