Fouad
As a representative of the Noncommercial SG I think you were missing Chuck's point completely. Of course ICANN is _not_ a commercial, profit-making entity, nor does anyone want it to be.

The point is that private companies have much stronger, better accountability arrangements than ICANN. Verisign is subject to checks and balances in the following ways:
- it is subject to market competition (ICANN is not)
- it has shareholders who elect its board (ICANN has no members, which is the equivalent of shareholders in nonprofits)
- its modification of the root zone is subject to USG approval (ICANN still is, but some folks don't want it to be any more).

So if we are to make ICANN accountable, we need to develop similar mechanisms, such as:
- recurring, regular competitive bidding for the IANA contract (which sort of functions like competition, though more weakly)
- empowering ICANN's participants with real membership/voting status

You expressed concerns that Contract Co approach might make ICANN commercial. This is FUD. It won't. The contracting entity would have a very limited function - to award the IANA contract. ICANN's nature as the nonprofit California corporation wouldn't change, whether it got the IANA contract or not.

-----Original Message-----
From: Fouad Bajwa [mailto:fouadbajwa@gmail.com]
Sent: Sunday, January 18, 2015 7:42 PM
To: Gomes, Chuck
Cc: David Conrad; Milton L Mueller; cwg-stewardship@icann.org
Subject: Re: [CWG-Stewardship] NTIA's Role in Root Zone Management

Publicly owned business?
What do businesses do?
Businesses make profits through business and profitable activities in the
market?
Verisign is a business, it has a board, indeed, that also looks primarily at how
the company is performing and if its making money for its shareholders and
further on its stakeholders or further on its customers that are buying its
products or services?

I wonder how the analogy about a publicly owned company that sells and
generates profits for its shareholders, board members and customers can be
applied to ICANN?

This worries me, thats what contractor co. might think of the overall IANA
system in the first place.

Organisational behaviour of private/public companies is very different from
private/public organisations?

This discussion has actually made me very uncomfortable. This is a very
micro-view approach.

On Mon, Jan 19, 2015 at 5:04 AM, Gomes, Chuck <cgomes@verisign.com>
wrote:

Please excuse the much delayed response to this string of messages.
Like David, I have been super busy and I wanted to have a little more
time to respond, especially since Verisign was mentioned.



Thanks for raising this issue David. It presents an opportunity for
the community to study what kinds of accountability mechanisms work -
such as those that public companies in the US must comply with. I
think you’ll see from what follows that Verisign (and any public
company) is highly motivated to put in place and enforce mechanisms to
protect against anyone going “stark raving mad” and doing harm.



As a US public company, Verisign has shareholders who ultimately
control the company and can hold the company accountable.  Those
shareholders elect a Board of Directors, who, under US law owe
fiduciary duties to the shareholders to manage the company
effectively.  Any breach of those duties could result in lawsuits
against the Board of Directors by the shareholders or removal and
replacement of the Board by those same shareholders.  For example, if
the Board has not provided oversight of important network functions
then the Board might be liable in court or might be replaced by the
shareholders.  In addition, the Board appoints the executive officers
of the company, who also have fiduciary duties  and under various
regulatory regimes such Sarbanes Oxley and Dodd Frank, have additional

obligations and in some cases personal liability should they fail to uphold
their duties.

So, if executive officers were negligent in hiring an employee, or
failed to establish proper network access controls, those officers
could be sued in court, or replaced by the Board, or both.
Furthermore, external and internal auditors review and investigate on
a regular basis compliance with key controls designed to ensure effective

management of the company.

Verisign is also subject to disclosure requirements under the
Securities and Exchange Act and other regulations that require
transparency of the company’s financial condition, compensation,
risks, legal proceedings, and more.  If for example Verisign failed to
disclose a particular risk to its network that should have been
disclosed under the securities laws, then the shareholders or the SEC
could bring legal actions against the company, its Board, or individual

employees for damages and to obtain management reforms.

Of course, ICANN has little or no such mechanisms in place, only the
AoC (which can be ended by ICANN) and the IANA non-renewal threat,
which is why we’re all here. While no one expects ICANN to become a
public US company, the accountability imposed on public companies like
Verisign should inform the community as to what ‘good’ can look like.
For Verisign, that accountability has led to an excellent operational
record of 17 years of uninterrupted uptime for .COM.



I want to again thank David for bringing this important issue to our
attention. What can the CWG learn from this? ICANN has stated clearly
that it sees its obligations being to the corporation, which has no
members or shareholders, so the accountability mechanisms for public
companies, or those with shareholders or members, are not available to
us, and so we cannot expect ICANN to behave as if they were. What
stops an ICANN employee from going 'stark raving mad’ or a
post-transition ICANN from going ‘stark-raving-greedy’? It's obvious
that the accountability that drives Verisign and other US public
companies would be welcome here.  How can the CWG learn from this and

apply similarly effective accountability to ICANN?

Chuck



From: cwg-stewardship-bounces@icann.org
[mailto:cwg-stewardship-bounces@icann.org] On Behalf Of David Conrad
Sent: Friday, December 19, 2014 12:53 PM
To: Milton L Mueller
Cc: cwg-stewardship@icann.org
Subject: Re: [CWG-Stewardship] NTIA's Role in Root Zone Management



[Sorry for the slow response — a bit busy]



Milton,



You are asserting that the RZM (currently, Verisign) can unilaterally
change the root zone? But of course this is not true because of its
cooperative agreement with NTIA.



Actually, it is true.  Technically, the only entity on the planet
today who can change the root zone is Verisign.  They



1.        Maintain the root zone database ("the root zone file");

2.        Hold the Zone Signing Key

3.        Run the hidden master from which the root server operators pull
the root zone

This gives the Root Zone Maintainer the unilateral ability to both
modify the root zone and have that zone published.  Currently, there
are NO technical limitations on what they can do with the root zone,
only administrative limitations — if Verisign went stark raving mad
and (say) decided to remove all competing TLDs from the root zone,
they could do so (for those resolvers that query the root servers
while the edited zone remained up).  Of course, it is likely that in
very short order, they would
(a) no longer be the Root Zone Maintainer and (b) no longer be a
viable going concern due to the myriad of lawsuits that would instantly

appear.

However, pragmatically speaking, the fact that the Root Zone
Maintainer would turn into a smoldering crater is a bit like closing
the barn door after the horse has bolted.



Perhaps that is what you mean by “legal repercussions.”



Yes. While it is true that the Root Zone Maintainer is under
contractual terms to get explicit authorization from the Root Zone
Administrator prior to making changes, there is no technical mechanism
by which that is enforced.



In terms of how the accountability model changes, I think many of us
are viewing the Verisign Cooperative Agreement as a legacy arrangement
that should disappear after the transition.



An interesting assumption.



Which means that the IANA functions operator would either be the
contracter for the RZM function, or the Contract Co would contract for it

directly.

Between those two options it’s clear that there are significant
differences in the accountability model, and either of those is
significantly different from the status quo, which relies on the NTIA.
So again I don’t quite grasp what you are asking about.



I was asking about Jordan's response to the scenario in which the IANA
Function Operator and the Root Zone Maintainer are merged (which
again, I neither support nor oppose), thus creating a single entity
that receives, validates, and implements change requests.  I gather he
feels the accountability mechanism would be vastly different than if
the IFO and RZM are separate. Since there is a single entity in both
scenarios that, pragmatically speaking, holds all the cards and that
entity is restrained only by contractual terms which would presumably
be essentially the same in both cases, I'm not seeing a whole lot of

difference.

Regards,

-drc




_______________________________________________
CWG-Stewardship mailing list
CWG-Stewardship@icann.org
https://mm.icann.org/mailman/listinfo/cwg-stewardship

--
Regards.
--------------------------
Fouad Bajwa
ICT4D and Internet Governance Advisor
My Blog: Internet's Governance: http://internetsgovernance.blogspot.com/
Follow my Tweets: http://twitter.com/fouadbajwa

_______________________________________________
CWG-Stewardship mailing list
CWG-Stewardship@icann.org
https://mm.icann.org/mailman/listinfo/cwg-stewardship