The strange case of Africa’s stolen IP addresses


Elisa GreeneElisa Greene | Updated: 19-11-2021 14:09 IST | Created: 19-11-2021 14:09 IST
The strange case of Africa’s stolen IP addresses
Image Credit: Wikipedia

The legal battle surrounding AFRINIC, the Mauritius-based regional Internet registry for the African continent, continues to take twists and turns in the Mauritian court system, with the island nation’s High Court moving last month to annul a freeze it had itself placed on the non-profit’s accounts in July. Despite its highly technical nature, the dispute between AFRINIC and Seychelles-based Cloud Innovation has attracted media attention and controversy far beyond the shores of Mauritius, as it taps into broader questions surrounding Africa’s digital development and the levels of Internet inequality separating the African continent from its peers.

While some leading members of the global Internet community, like John Curran, claim the case “has potential for significant impact to the overall stability of the Internet number registry system,” others have been far more circumspect.

Beyond this individual dispute, the legal saga has also attracted renewed attention to past issues of corruption and a lack of transparency at AFRINIC, which saw top executive Ernest Byaruhanga abruptly fired from the organization in 2019 after a journalistic investigation discovered he had secretly sold off millions of dollars worth of valuable IP address blocks for personal gain.

AFRINIC’s complicated legacy

AFRINIC’s current legal predicament has its roots in one of the largest scandals to ever rock the little-known but critically important world of regional internet registries (RIRs). Ernest Byaruhanga, a Ugandan national who co-founded AFRINIC seventeen years ago, was at the core of what South African media dubbed the “Great African IP Address Heist,” in which over four million IPv4 addresses worth an estimated $80 million were misappropriated.

IPv4 addresses are the building block of Internet traffic today, corresponding to individual devices and allowing them to connect to the Internet. Since the emergence of this protocol in the early 1980s, however, the roughly four billion IPv4 addresses in existence have all already been allocated, requiring a progressive transition to a new generation of IP addresses known as IPv6. In the meantime, however, IPv4 remains an essential part of Internet connectivity, and IPv4 address blocks are regularly resold to meet demand.

That makes Byaruhanga’s misuse of his central position to profit off the share of blocks allocated to AFRINIC a major breach of trust. Byaruhanga, however, was not the only top employee to cast a shadow over the organization’s operations. As reporting from SouthAfrica’s MyBroadband and activist Ron Guilmette revealed earlier this year, AFRINIC’s head of IT and engineering from 2012 to 2016 was Neriah Sossou, who had been convicted of bank fraud in the United States in 1998 but was also a close associate of AFRINIC’s first CEO (and fellow Togolese national) Adiel Akplogan.

Did AFRINIC overplay its hand?

New CEO Eddy Kayihura has tried to repair the damage from these successive scandals, but in targeting firms who had legitimately secured IP addresses from AFRINIC and arbitrarily attempting to seize them back, he instead landed the organization into even hotter water.

As an in-depth analysis of the case published by internet governance experts at Georgia Tech’s Internet Governance Project in the United States explains, a comprehensive internal audit of AFRINIC’s address registrations prompted Kayihura to target Cloud Innovation (a company unconnected to the organization’s internal scandals) on the basis of a ‘policy violation’ because it was using IPv4 addresses procured from AFRINIC to support products and services provided outside of Africa.

The demands made by Kayihura of Cloud Innovation, however, would effectively position AFRINIC as a “Soviet central planner for African Internet access,” giving the RIR an unreasonable amount of power over every change an ISP might make to its address configurations. As such, according to the Georgia Tech experts, AFRINIC is thus bearing the consequences of an “overly aggressive assertion of policy righteousness based on bad policy ideas.”

The false promise of IPv4

Beyond the power grab represented by AFRINIC’s policies, the Georgia Tech experts point out a core fallacy in the organization’s arguments, namely that “the future of Africa’s internet development will not be greatly affected by reserving IPv4 addresses to regional use. The growth of Africa’s internet to its full potential... cannot be sustained by the remaining address resources of AFRINIC.”

While AFRINIC may insist their IP address blocks must only be used within African countries, they have nowhere near enough addresses to support the pace of growth that will allow African economies to match global levels of digital development. Beyond IP addresses, what Africa’s Internet development really needs first and foremost is a substantial amount of additional capital.

The World Bank estimates that the African continent as a whole needs $100 billion in investment to achieve universal Internet access by 2030, and as of March 2020, only 39.3% of Africa’s total population was able to connect to the Internet compared to 62.9% of those living outside of Africa. As findings from Google and the World Bank’s International Finance Corporation make clear, however, the payoffs for additional investment in African Internet connectivity will be substantial, with a 2.5% increase in GDP per capita for every 10% increase in digital connectivity.

When African ISPs allocate IP addresses to all those new electronic devices, they will not be using the legacy IPv4 addresses AFRINIC is currently risking its existence over. Instead, they will be allocating the IPv6 addresses that represent the future of the Internet, both inside and outside Africa.

(Devdiscourse's journalists were not involved in the production of this article. The facts and opinions appearing in the article do not reflect the views of Devdiscourse and Devdiscourse does not claim any responsibility for the same.)

Give Feedback