Seven people have physical keys that control the internet: myth or reality?

For the past decade, many media outlets have spread a sort of legend that seven people hold the “keys of the Internet.” These physical keys would also form the core of a kind of ceremony that would take place four times a year.

A little true and a lot false

With all the fake news and conspiracy theories, it’s pretty hard these days distinguish the true from the false. For example, in the 2010s, many media outlets such as Business Insider (United States), The Guardian (United Kingdom) or even ABC News (Australia) published articles about some kind of urban legend. Once every four months, seven people, each with a secret physical key, come together for a “ceremony”. The goal would be to secure the web by generating a new password.

According to the cited sources, the seven individuals in question belong to the Internet Corporation for Assigned Names and Numbers (ICANN). This is the organization responsible for domain name management (DNS) in the whole world. In theory, the ICANN database provides the ability to control the Internet. There are rumors that if malicious people had access to it, they would be able to: redirect users to fake addresses.

However, ICANN regularly updates the master encryption key which is located in a data center where the security level is very high. To gain access, the seven people must join use their physical keys to open a safe.

ICANN logo
Credits: ITU Images/Wikipedia

A fairly limited power

The sources described the famous ceremony that would resemble that of a cult. The seven people must pass through a series of doors locked with codes and iris scans. Only then do they receive their key in a hermetically sealed bag. All of this is true, however, but needs to be nuanced somewhat, which ICANN did in a press release published in 2017 to put an end to the legend.

The “keys to the Internet” do exist, but they keep the web from working. They are used only in one case and in very limited circumstances. After all, the system only secures a small part of the internet, namely the deepest layer of DNS : The hardware security module (HSM). However, it turns out that the web is also based on other systems.

Physical recovery keys are only used if a serious event renders the HSM unusable. For example, it can be a catastrophic error in internet software, a rather unlikely incident according to experts. In addition, the physical keys are used to activate the codes stored in the secure installation. So they do not directly contain the cryptographic keys in the root zonewhich ultimately gives them quite limited power.