ICANN/DNSO
DNSO Mailing lists archives

[ga]



Re: [ga] Comments on ICANN Reform Recommendations


On Sun, Jun 02, 2002 at 11:43:45AM +1200, DPF wrote:
[...]
> Some ICANN insiders sneer at the idea and call it "global democracy
> experiments" when in fact it is nothing of the sort.  What should
> happen is as simple as what happens in millions of other organisations
> - you allow people to become members and allow members to elect most
> of their Board.  This is not an experiment - this is a model that is
> absolutely normal throughout the world.

That is not correct.  Direct elections in the ICANN context *are* an
experiment.  Here's a document I prepared as input to the ALSC that addresses 
that.  I apologize for the length, but it's a complex issue:



                          Election Issues


INTRODUCTION

Both the ALSC and the NAIS reports advocate direct Internet based
election of Board members.  This approach has serious problems that
neither report adequately addresses.  Unfortunately, the strong
emotional attachment to direct elections in some quarters has made it
extremely difficult to rationally discuss these problems, but they
remain a serious issue that must be addressed. 

In "direct elections", as contemplated by both the NAIS and ALSC
reports, a global base electorate directly elects at-large ICANN board
members, whereas in "indirect elections", the base electorate elects
intermediate regional bodies that in turn elect at-large board members. 
Both kinds of elections are tremendous overhead for the kind of entity
that ICANN is supposed to be, and a quite reasonable argument can be
made that a global scale election of directors, direct or indirect, is a
waste of time, money, and energy, with the additional serious negative
side effect of converting ICANN into a podium for amateur politicians. 

But if a choice is to be made, indirect elections provide much more 
accountability and transparency than direct elections (contrary to the 
claims made by many), and have significant practical advantages as 
well.

This short paper explores these issues.  Frequently I will respond to
the NAIS report, because it is most detailed in its advocacy of direct
elections, but the conclusions apply equally to the ALSC report.  At the
end of the paper is a short proposal for how indirect elections would be
easily inserted into the structure proposed in the ALSC report. 


"INDIRECT" VS "DIRECT" ELECTIONS IN THE NAIS REPORT

The NAIS report is quite adamant in its support of direct elections:

  "The ONLY [emphasis added] board selection mechanism that can assure
  ICANN's legitimacy is a direct election for At-Large seats on the
  board of directors." [section 3.5.1]

The NAIS report is quite cognizant of the problems with direct
elections, and in section 3.3.2 it conveniently lists some of the common
criticisms of direct elections.  I summarize the list of 4 criticisms as
follows; the NAIS report explains them in more detail:

 1) "Such elections provide only the illusion of representation."
 2) "Such elections are inherently subject to fraud and manipulation."
 3) "Such elections are expensive."
 4) "Such elections cannot be sustained over time as a valid means to
    select board members."

It is important to note that the report does not actually answer any of
these criticisms, and for good reason: every one of the problems
described is real, and very serious.  Instead, the report proceeds
with the following very interesting argument.  (I interpose a couple of
immediate comments in square brackets):

  "The response to these problems is one that reframes the question. 
  The criticisms measure the representative "legitimacy" of ICANN
  elections using the same "yard stick" that is applied to democratic
  elections for governmental representatives.  [Clearly, however, this
  does not apply to the issue of expense.] But ICANN is not a
  government -- it doesn't have the power to police, to send people to
  jail, or to raise armies.  Rather, the point of ICANN elections is to
  choose representatives who have the perspective of public users of the
  Internet, and who can speak in a public voice on issues of policy
  concern about the Internet.  [It should be noted that in fact the
  PRIMARY point of the ICANN elections is to elect board members for a
  corporation, not to choose representatives.  Moreover, ICANN's role is
  not general policy concerns about the Internet -- ICANN has a much
  narrower scope.]

  "In other words, ICANN elections could not - and are not meant
  to - replicate elections for governmental office, and they should not be
  judged by such a standard.  They serve a different purpose and will
  necessarily be conducted by a less stringent set of criteria than
  would be acceptable for governmental elections. 

  "What we seek is a proper "fit" between the functions of ICANN, the
  need for a public voice to provide legitimacy for those functions, and
  the kind of election that is practical and appropriate to serve that
  need.  One degree of "fit" would serve governments, but another can
  serve ICANN.  To confuse those different standards is to judge ICANN's
  elections by a measure that is unrealistic, unnecessary and unfair. 

  "Moreover, ICANN is a membership organization, not a government.  The
  elected At-Large directors are not meant to "represent" the entire
  worldwide public at large, nor even all Internet users.  The elected
  directors are chosen by the members of the organization and, in their
  service as Directors, are expected to bring the perspectives of those
  members to the Board."

In other words, the report concedes the criticisms, but argues that they
aren't important, because the elections aren't important, and
consequently we don't need to judge the elections by very high
standards.

This is, to put it mildly, an amazingly weak argument, and in fact it
directly contradicts the thrust of the report.  Indeed the report makes
a lengthy argument that because ICANN's activities have a "public
policy" component, ICANN needed the legitimacy and accountability
appropriate to a body that develops public policy.  That is, the report
claims that because ICANN engages in important governmental type
activities, it needs mechanisms for accountability and legitimacy
appropriate to a governmental body -- which they feel can only be
supplied by direct elections. 

This is a serious contradiction: on the one hand the claim is that we
don't need to worry about the terrible problems with direct elections
because ICANN isn't really a government, and thus the elections really
aren't important; and on the other hand, we really need direct
elections, because ICANN carries out important quasi-governmental
policy-making, and only direct elections provide enough of an appearance
of accountability and legitimacy. 

Even more: not only are these two arguments in contradiction, but they
are also individually incoherent:

1) In fact, ICANN doesn't have to be a government for the elections to
matter.  Flawed elections do not convey accountability and legitimacy,
no matter how unimportant they may be.  If the technology and
infrastructure to support direct elections in an accountable manner
simply doesn't exist (and it doesn't, as I demonstrate below), then it
is ludicrous to argue that direct elections will enhance the
"accountability" of ICANN, or that they will add to the "legitimacy" of
ICANN.  In fact, they would subtract from the legitimacy of ICANN.

2) And even if ICANN were involved in substantive quasi-governmental
activity, that in itself does not argue for direct elections.  There are
a myriad unelected government agencies that make public policy (eg, the
National Forest Service in the US); there are a myriad unelected PRIVATE
organizations that effectively make public policy (eg, the American
Medical Association in the US [AMA]).  None of these bodies are elected
through general public elections, direct or indirect.  Contrary to the
claims of the NAIS report, elections, direct or indirect, are NOT a
necessary condition for the legitimacy of bodies that make public
policy -- there are many mechanisms that such bodies use to account for 
the public's concerns. 


DIGRESSION ON ICANN'S POLICY MAKING POWERS

I should note that the NAIS and the ALSC reports share a serious
confusion on the issue of ICANN's public policy role.  They both speak
of ICANN as having a broad public policy role, but in fact the public
policy in ICANN's purview is tightly constrained and of very limited
scope -- ICANN has a much more restricted range of policy impact than
the US Forest Service mentioned above, for example, and probably even
less than the AMA. 

This confusion stems, I believe, from the fact that both reports ignore
a critical distinction between two very different things:

  1) the range of discretion for policy decisions;
  2) the range of entities that are affected by those decisions. 

The fact that a decision may affect large numbers of people does not
make it a public policy decision requiring direct public representation
-- millions of people around the world were affected when Microsoft
removed "Clippy", the helpful little cartoon paper clip advisor [Clip],
from its software, but they weren't affected enough to call it a public
policy issue.  Even when Microsoft engages in monopolistic practices
affecting millions of people we don't make a public policy issue out of
it -- the policy is already established in anti-trust law, and that is
what is being followed.  And of course, we don't call for Microsoft's
Board to be elected in a grand public election -- instead we call in the
trustbusters, themselves UN-elected government officials. 

Examination of ICANN's range of discretion for policy decisions reveals
that it is in fact extremely constrained, and a more accurate
description of its role to date would be that of an *implementor* of the
high level policies established in the White Paper and the founding
contracts with the USG.  I support this point by looking at the common
examples used to support the argument that ICANN has wide policy
discretion: 1) registrar/registry competition policy and 2) the UDRP. 

Indeed, ICANN does make decisions that affect registry/registrar
competition, but ICANN's discretion at a policy level is quite limited. 
The White Paper established the policy that there would be registry
competition, the founding contracts continue that policy, and ICANN has
essentially no choice but to follow it -- the USG is directly involved
in all contracts with NSI/Verisign, and this exerts very strong indirect
constraints on all other registry/registrar contracts. 

Moreover, from the perspective of competition policy, domain name
registries/registrars are an infinitesimal and very tightly constrained
segment of the global economy. 

As far as the UDRP is concerned:

  1) most of the details concerning the DRPs are in fact worked out
  elsewhere, ie, WIPO;
  2) that there be a UDRP was mandated by the USG and not a matter of choice 
  for ICANN; and
  3) from the perspective of "the public" the DRP has in fact *very*
  limited effect: the number of UDRP cases worldwide is of the same
  magnitude as the number of people struck by lightning. 

So ICANN's range of policy discretion in the case of the UDRP is also 
very tightly constrained.

Both the NAIS and the ALSC reports speak to the possibility that ICANN's
role might grow.  Neither considered the obvious alternative: that we
should all work to be sure that ICANN's role does NOT grow, and in fact,
should probably work to reduce it.  In that regard it is interesting
that the existence of large scale elections will tend to expand ICANN's 
policy role, not constrain it.


ADVANTAGES OF INDIRECT ELECTIONS

The NAIS report lists several reasons why it considers direct elections
better than indirect (section 3.4):

  1) "Properly managed" direct elections achieve a higher standard of
  accountability. 
  2) Direct elections encourage participation.
  3) Direct elections are more resistant to capture "...since the
  electorate with real decision-making power is significantly larger in
  size."

None of these points stands serious scrutiny.

Number 1: 

Indeed, in the ideal (as the NAIS report states: "Properly managed")
direct elections might achieve a higher level of accountability.  But
for the concrete form of direct elections implementable by ICANN, with
all the problems that the NAIS report concedes and provides no solutions
for, this is simply not true: direct elections give *less*
accountability, not more accountability.  That is, the ICANN elections
were not, and cannot be "properly managed", because the infrastructure 
and technology to support proper management doesn't exist.

The reason for this is simple: the only practical way to do direct
elections is over the Internet, but, as discussed below, Internet
elections are simply too insecure to provide a defined electorate.  The
base electorate cannot be reliably identified, and therefore,
accountability through direct elections over the Internet is an
oxymoron. 

The interposition of a level of indirection, however, allows use of a
direct election with an unaccountable and unidentifiable electorate to
select identifiable, real people who will actually elect directors. 
That is, the first stage of direct election solves the identification
and authentication problems for the second stage election.

Also, the scale of the directors election is vastly reduced.  This makes
the election process used for board elections open to scrutiny and
audit to a degree that global direct elections simply cannot manage.

There have been complaints about the DNSO director elections, but in
fact these complaints are possible *because* the DNSO elections are
completely open and accountable -- we know every one of the NC members
are real people that we can communicate with; we know every detail of
the voting that took place.  In contrast we have only shadowy
statistical information about the at-large election. 

Number 2:

While it is possible that direct elections may encourage participation,
the exact opposite conclusion is perhaps more likely -- indirect
elections give opportunity for more people to be elected, and that in
itself is an incentive for larger participation. 

Number 3: 

The claim that indirect elections are more susceptible to capture is
also weak.  The "direct decision making power" is at least one level of
indirection away in any case -- it is the directors who have
decision-making power, not the electorate.  And in the context of global
Internet elections, there are many opportunities for capture that don't 
exist in normal elections.


In sum, the NAIS report is confusing the abstract with reality.  From
the perspective of practical reality, direct elections in the ICANN
context cannot be "properly managed", and they can't provide the 
accountability and transparency that indirect elections can provide.



SECURITY PROBLEMS WITH DIRECT ELECTIONS

While, as mentioned above, the NAIS report in section 3.3.2 provides a
very nice summary of some of the problems with direct elections, both
the NAIS report and the ALSC report failed to address the intrinsic
technical security problems with direct elections.  This is a major
oversight, in my opinion, so the following section addresses it in more
depth.

The problems with Internet elections are in fact very well known. 
Lauren Weinstein, a noted privacy advocate, Co-Founder of People For
Internet Responsibility, and moderator of the Privacy Forum, published
the "PFIR Statement on Internet Voting":

    Trust in the election process is at the very heart of the world's
    democracies.  Internet voting is perhaps the perfect example of an
    application where rushing into deployment could have severe negative
    repercussions of enormous importance. 
    (http://www.pfir.org/statements/2000-02-26)


Dan Geer is CTO of a firm specializing in Internet security
applications, and a very well-known expert in security and cryptography. 
He says, in a discussion of physical voting booths vs Internet voting:

    Internet voting is anti-democracy and those who cannot bestir
    themselves to be present upon that day and place which is never a
    surprise to do that which is the single most precious gift of all
    the blood of all the liberators can, in a word, shut up. 

That quote came from a cryptography email list.  In that thread other
security experts expressed substantial agreement and similar
sentiments, though not as vehemently.  Peter Trei, for example, said:

    I would like to see all elections decided by paper ballots stuffed
    in a box, after being marked in a way which is private, and
    publicly observable to be private.  The ballots should be counted
    with representatives of all candidates present. 

Perry Metzger (moderator of the cryptography list) said, in reference to
the US polling system:

    The system is far from perfect, but in general, the low technology,
    adversarial approach taken seems to work quite well.  This should
    not be a surprise.  The system developed over two and a quarter
    centuries of experience with attempts at fraud by experts at
    conducting such frauds.  Every time a major fraud was uncovered, the
    system was tuned to reduce the probability of a future fraud
    succeeding. 

    Electronic voting schemes make me extremely nervous.  They smack of
    the "this is new and therefore better" fallacy.  In general, they
    lack all of the checks and balances the system I just outlined
    possess.

The highly respected MIT/CalTech voting study likewise concluded that
traditional voting methods were surprisingly robust, in ways that
Internet elections currently are not.

A paper by Avi Rubin, a researcher at AT&T Labs, is referenced on the
ALSC web site -- quoting from the abstract:

    This paper discusses the security considerations for remote
    electronic voting in public elections.  In particular, we examine
    the feasibility of running national federal elections over the
    Internet.  The focus of this paper is on the limitations of the
    current deployed infrastructure in terms of the security of the
    hosts and the Internet itself.  We conclude that at present, our
    infrastructure is inadequate for remote Internet voting. 

(It should be noted that crypto people in general tend to be strongly
supportive of privacy, individual rights, and so on.  These are not
people one would normally accuse of being "anti-democracy".)

The California Internet Voting Task Force concluded that Internet voting
would be possible at some future time, but that there are substantial
issues that must be addressed before it can be used.  (The report is
online at http://www.ss.ca.gov/executive/ivote/final_report.htm). 

The bottom line is that from a purely technical standpoint there are
serious questions as to the feasibility of running large-scale
elections over the Internet.  Despite the marketing claims of companies
like election.com, and the fervent hopes of Internet Democracy
Enthusiasts, large-scale Internet elections at this point cannot be
considered as any better than experiments.  [Common Counterexamples]

It is important to realize that all the above studies and comments were
related to political elections within a single regional administrative
domain.  All the studies and comments referenced above assumed the
context of a uniform legal system, where the election workers are
legally accountable, a web of accountability and trust that has been
established through long practice, and a well-established linguistic and
cultural environment.

That is, even with these conditions met, security experts don't think
that elections over the Internet are currently feasible, and *none* of
these conditions are met for the large scale, global elections
contemplated by either the NAIS study or the ALSC report -- the problems
of Internet elections are compounded by a complete absence of the
fundamental infrastructure required to hold fair elections at all. 

The security problems the above references concern themselves with are
well-explained in the Rubin paper.  But there is perhaps an underlying
point that I would like to mention: It is precisely the speed and
connectivity of the Internet that makes Internet voting so problematic. 
Computers operating over the network can manipulate or create or delete
*lots* of votes, very quickly, without being detected, and without
leaving a trace.


These are not theoretical concerns.  The ICANN election had several
examples of possible irregularities.  Consider the following example
[ICANN Example]:

In late June, by chance, it was noticed that 1500 registrations came
from a single IP address, apparently located in Japan.  This raised a
red flag; there was considerable discussion among the ICANN staff about
what to do.  Ultimately it was decided that there really wasn't anything
that could be done -- while the situation was decidedly suspicious,
there were possible legitimate scenarios that could explain the
behavior, and there was no way of checking.  

That is, ICANN decided to accept 1500 possibly fraudulent registrations,
because there was no way to check. 

This was not a light decision -- it was just prior to the period of
overload; from what people could know at that time, 1500 votes likely
would have been decisive. 

On the face of it, 1500 registrations from the same address was a
suspicious event.  If ICANN were a government, and such a thing happened
in its jurisdiction, then it would have been able to do something effective
about it.  But ICANN is not a government, and there was no infrastructure
in place that allowed it to investigate.

The 1500 registrations from a single address was one of several odd
behaviors that ICANN observed.  In the logs there were also odd entries
from computers that, on inspection, were using email-to-web gateways to
register people.  How these sites were managed, how they publicized
their interface, and why they were set up isn't known.  Also, some
organizations set up their own "ICANN" sites and acted as proxies for
ICANN.  In some cases these appeared to be simply translations of the
ICANN materials, but they were in languages nobody on the ICANN staff
could read, so there was no easy way to know.  These sites were for the
most part only discovered by accident, because someone happened to
notice something in the logs they thought was odd. 

Note that the logs were huge, and there simply wasn't time to examine
more than a tiny fraction of them, so it is probably the case that there
were many more odd things in the logs.  Note also that web logs show a
dynamic history -- a referral may come from a page that two days later
no longer exists.  A web page that implemented some kind of election
fraud would likely disappear immediately after the election -- there is
no way to be sure that what you see now is what the potential voter saw. 
We have no guarantee that the potential voter even knew that they were
registering to vote. 

One further very important lesson that can be drawn from the ICANN
elections: regardless of reason, the obvious geopolitical competition
that took place indicates that some people and countries can take the
ICANN elections very seriously, and that therefore a strong potential
motive for fraud does exist.  The fact that this geopolitical
competition is based on what many consider a fundamental
misunderstanding of ICANN is not really relevant, since that kind of
competition does not need a rational motive. 


CONCLUSION AND RECOMMENDATION

Both the NAIS and ALSC reports recommend global direct elections,
without sufficient recognition of either the practical difficulties or
the security problems involved.  Even more important, both studies have 
missed the strong advantages that indirect elections provide.

This is a situation that is easily remedied: The at-large councils
described in the ALSC report are quite suitable bodies for election of
directors, and that responsibility could simply be given to them.  In
addition, instead of redefining the region structure of ICANN, the
proposed ALSO could have 5 regional councils, each of which would elect
a director; and a single global council, which would also elect a
director. 

In addition to solving the problems of direct elections, this scheme 
also avoids the difficulties of changing the region structure of ICANN, 
which is potentially a more difficult task than might appear on the surface:
1) the notion of five regions is now embedded in many other documents
(eg, constituency charters), and changing the number of regions will
require at the very least a re-evaluation of those documents; and 2) the
assignment of countries to regions is potentially a messy political
process.  [Regions]

In sum, then: direct elections of directors are impossible to do in a
secure manner, and experience has shown that people are interested
enough in the ICANN elections to make the possibility of undetectable
election fraud quite high.  Therefore indirect elections should be 
employed, which will move the election of directors to a much more 
accountable and transparent level.

I propose further that the number of regions remain at five, and
directors be elected by the at-large councils.

Kent Crispin


================================================================

Notes:

[ICANN Example] The discussion of the events concerning the ICANN
election comes from personal experience: I was employed as a contractor
to provide emergency technical support for the members web server
(members.icann.org), and helped with some of the software. 

[AMA] The American Medical Association is an organization with 
membership restricted to medical professionals.  It certainly has 
internal elections, but not *public* elections.

[Common Counterexamples]: Three common examples brought up to counter
the above arguments are 1) corporate proxy votes are in fact done over
the Internet these days; 2) the recent Arizona Democratic Party primary
vote supported Internet voting, through a system run by election.com
(the same company that did the ICANN vote); and 3), the CIRA elections
for directors.  These examples, however, suffer from a variety of problems 
that lessen their appropriateness for the present concerns:

  1) Corporate proxy votes have been heavily criticized -- see
  http://www.vortex.com/privacy/priv.09.14.  More important, however, is
  the fact that proxy votes are intrinsically different from political
  votes -- votes are explicitly *purchased* in proxy votes, so the
  incentive of the rich buying an election is explicitly catered to, and
  the voters are identified with their votes (ie, there is no strong secret
  ballot requirement). 

  2) The election.com Arizona vote was an *optional* means of voting,
  conducted as an *experiment*; the traditional ballots and booths were
  used as well, and in fact were explicitly referenced in the
  election.com materials as a fall-back in case of problems with the
  online experiment. 

  3) The Canadian Internet Registry Authority (CIRA) elections for board
  members have been carried out through online elections.  The CIRA
  election system simply doesn't address many of the concerns that
  others have raised, and the turnout for the 2001 election was not
  encouraging: only about 3% (3,000 voters out of 90,000 members) bothered 
  to vote, in spite of the fact that the vote was tied to a $15000 
  lottery.   


[Clip] For those who may not be familiar with it, "Clippy" was an
animated cartoon figure in the shape of a paper clip that some Microsoft
products would pop up at odd times, and offer helpful suggestions.  This
was an attempt to make the products more user friendly; it was later
shelved as a bad (or at least unpopular) idea. 

[Regions] It should be noted that any assignment of all countries to a
small number of regions is going to involve many essentially arbitrary
choices, and that consequently the value of the "region" notion is not
as a representational structure, but rather as a capture prevention
mechanism -- in fact, the system would work just as well if we called
the regions "buckets", and arbitrarily assigned countries to buckets. 

-- 
Kent Crispin                               "Be good, and you will be
kent@songbird.com                          lonesome."  -- Mark Twain

--
This message was passed to you via the ga@dnso.org list.
Send mail to majordomo@dnso.org to unsubscribe
("unsubscribe ga" in the body of the message).
Archives at http://www.dnso.org/archives.html


