Hi Denis, All,
(Please see inline, CSIRT hat=ON)
On Sun, 5 Jun 2022, denis walker wrote:
(...)
However, besides wanting to contact someone, there is a legitimate need to
identify bad actors and shun them with
whatever means at your disposal (SpamAssassin rules, IP blocks, nullroutes,
whatever). I do not want to communicate with
them, just as I don't want to discuss with burglars about their actions!
This is starting to explain reasons why we need to identify resource
holders, even natural persons.
Exactly!
When we are talking about companies, GDPR doesn't even apply.
When we are talking about natural persons GDPR applies, but there is
**purpose** and a minimal set of information **needs** to be available.
So, a mere contact database (which could contain fully anonymized forwarding addresses
through a "privacy provider",
like it's nowadays common for whois entries) would work for the purpose of
contacting someone, but it does not work for
identifying who can be held accountable for abuse emitted from a network range.
I think there is general agreement that as long as a contact is
contactable there is no need to identify the natural persons operating
in that role.
No. No. No.
That is the general agreement for those who prefer to ignore
network abuse, or for those who have business models based in abusing
other people's networks.
Accountability, and any subsequent enforcement action, needs an
identity. This is the key element of why resource holders, even
natural persons, need to be identifiable. Further questions still need
to be answered like to what degree should they be identifiable, by
what means and to who?
Authorities, at least.
For resources allocated to legal entities (companies, organizations, etc.) an
identification of the organization should
be mandatory. This does not need to include personal data on employees that
happen to be responsible for network or
abuse issues, I'm fine with role accounts here. So in this case, no objection
to eliminate personal data (which often
becomes stale anyway after some years).
Again I think there is general agreement that for resource holders
that are NOT natural persons the name, address and legal country must
be included in the public data.
Yes. But...
Please explain how the legal country of a natural person may help anyone
determine accurately how to identify a single natural person. Because i
don't see how. Even for micro-countries/economies.
Simply by having the accurate (and verified by the RIPE NCC) legal country
would be a big help in determining **which** is the legal jurisdiction the
offender is on.
However, resources allocated to private persons are a bit different. I suppose
very few private persons hold a /24
network range, and if they do, they probably fall squarely in the area of
operating a business or other publicly visible
enterprise under their personal name, and in many jurisdictions they are
required to do so with identifying information.
For example, in Germany you can't even have a web page without an imprint
containing the names of people responsible for
the content if you address the general public, and if you do business of any
kind and you're not a corporation, you must
do so under your name.
There are far more natural persons holding resources than you think.
Yes, i know.
Looking at the membership list on the RIPE NCC's website, all the
members are listed and you can see the natural persons. It has been
argued that even if a natural person's details are listed on some
other public business register, that alone is not a reason to publish
those details in the RIPE Database.
Again, there is **purpose**.
So what personally identifiable info should we publish about a natural
person holding resources and what should we do with the rest of the
currently available public info? Would it be reasonable to publish the
name but not publish the (full) address publicly?
The full (verified by the RIPE NCC) address -- at least for LIRs -- would
probably be more useful while determining legal jurisdiction, which is
imho, the number 1 issue.
Now I looked back at a presentation made by EUROPOL at RIPE 73
https://ripe73.ripe.net/archives/video/1501/
They were very clear that the address of resource holders is also very
important to LEAs in their investigations. So I am going to make a
controversial suggestion here. Currently we have two categories of
registry data, Private and Public. The Public data is available to
LEAs and their use of it is covered by agreed purposes of the RIPE
Database defined in the Terms & Conditions. For Private data they need
to get a court order, which is an expensive and time consuming
process. Suppose we add a middle category Restricted data. This could
be data like the address of natural persons who hold resources. Data
that is now public but we are proposing to take out of the public
domain. We could allow LEAs (and maybe other recognised public safety
agencies) to continue to have access to this Restricted data without a
court order. (There are technical ways of doing this which are out of
scope for this discussion.)
That sounds a step in the right direction.
Court orders usually have one problem, you'll need to be sure about the
legal jurisdiction. It's completely a waste of time to ask for a court
order in jurisdiction X when the offender is sitting in jurisdiction Y.
I know a lot of people have ideological phobias about allowing the
police access to non-public data. They will be screaming at me right
now for this suggestion...'it's giving the police a back door entry',
'it's the thin end of the wedge', 'where will it stop'... I understand
those concerns.
I manage a LIR for ~20 years. Hell, if someone is misusing our
infrastructure/numbers, having LEA asking us questions so the abuse
(and abusers) can be identified and stopped is a good thing, because
our reputation is also at stake (as a service provider).
But I see allowing LEAs continued access to what is
now public data as different from giving LEAs access to private data
that they have never had access to in the past. It is a different
direction.
There is a lot of abuse and criminal activity on the
internet.
Yes there is. Glad we agree on that :-)))
LEAs have a job to do. They need this data and often need it
quickly. But we also have privacy concerns. So we are now considering
taking out of the public domain some of that data that LEAs need.
And that's wrong. And data quality is also an issue -- that should be
tackled!
When we see (in an object) an address from country X, phone from country
Y, the country field with country Z, and a clearly bogus postal code,
there is a long road to go in terms of data quality...
I see this as a compromise to allow LEAs continued access to what is now
public data so they can do their job effectively, but also increase
general privacy by taking this bit of data out of the public domain.
Yes. And i can support that compromise, but i suspect the only viable
option for some business models is to block that compromise solution.
I suppose that RIPE operates mostly on the level of legal entities that can be
identified without naming individual
persons. As such, it would be proper to clearly state that every database entry
pertaining to a resource allocated
through RIPE must contain truthful and usable identifying information of the
resource holder. In German, that's
"Ladungsfähige Anschrift" which was basically required to be an actual place of
presence, but it appears that "virtual
office" providers have succeeded in letting their addresses count as "Ladungsfähige
Anschrift". I'm not a legal expert,
I think this is wrong, but jurisprudence isn't always compatible with reason.
Since RIPE isn't bound by German law, they may choose contractual wording that
provides reasonable value for all parties
involved. If all identifying information is lost, the abusers have won, as they
have with domain whois already.
Domain whois is a real mess, and yes abusers have won on that front, as
they are also winning on this :/
But you also raise an important issue. It's already very complex to manage
the 27 EU national laws, but the RIPE NCC has not only to live with a 70++
service region, and beyond that also with LIRs that are based outside the
service region -- which are also "allowed".
And as we know, a part of those are really just the result of some
"opacity engineering".
A situation we need to avoid.
I entirely agree, Denis.
On Fri, 3 Jun 2022 at 10:41, Matthias Merkel
<matthias.mer...@staclar.com> wrote:
I agree that it must be possible to identify people who hold resources. Not
just for other network operators but also so that organizations such as law
enforcement are able to do so in emergency situations where contacting RIPE
could be too slow.
I hope my controversial compromise above will do that.
It is worth noting however that there now is a relatively large number of
people operating networks as a hobby outside of any business activity.
Some people may consider spamming or hacking a hobby.
And on some legal jurisdiction it might be a hobby, in others it might be
against the law. Hence accurately determining which legal jurisdiction is
key.
At RIPE 84 I mentioned the possibility of publishing a name and city only and
having RIPE hold the full address. This would likely be enough to unique
identify a person (or at least a small number of potential people in a single
city that would be few enough for law enforcement to all check out) while not
publishing the full addresses of people who could be at risk for various
reasons. It would also be enough information to identify multiple objects
belonging to the same person, for example to block traffic from all of their
networks. The full address could still be obtained from RIPE with a court order
if required.
I think 'city' is too identifiable. If it is London, Paris, Berlin you
could get away with this. If it is a village or very small town you
will definitely identify people with that granularity. Perhaps a
county, region, province would work. But either way the database makes
no separation of address elements. All parts of an address are entered
into "address:" or "descr:" attributes. Separating them out would be
technically difficult.
What about the postal code? In which situations can a postal code identify
*one* person?
It sounds unfeasible to split "address:" into "street/door:" and
"region/province:" ?
Regards,
Carlos
cheers
denis
proposal author
?
Matthias Merkel
--
To unsubscribe from this mailing list, get a password reminder, or change your
subscription options, please visit:
https://lists.ripe.net/mailman/listinfo/anti-abuse-wg