Hi Bijal, I am strongly against this recommendation and see the "cost" as being extremely high for the "benefit".
There are quite a few issues and potential issues I can see here, with seemingly quite little in terms of benefits. You note this potential benefit: > This will clarify which organisation holds which Internet number resources > and ensure quick action from incident responders such as CSIRTs and LEAs in > case of abuse. However, I would like to suggest that this seems like a bad idea, as the motivation here is for LEAs to have a way to get this information without following the established legal procedures to get it via court order from the RIPE NCC or the sponsoring LIR. Just starting with this, as far as I know, the address is published in almost all cases for LIRs already[1]. Also I would think in most cases when it comes to legal entities, LEAs can easily look up the legal address by having the company name. And in the cases that they can't, that is possibly due to there being a process to get this info, and I don't believe the NCC should provide a shortcut here. You mention a potential problem like: > This also includes corner cases such as SMEs using their home addresses as > their legal addresses. Of course this is very difficult to measure, but I would doubt this is a corner case. Just looking at the list of members operating in NL[2] you can see a number of different things which stick out to me. Such as the high number of member names that look to be a person name or person name followed by "trading as [...]". I would assume that a rather high number of the listed addresses for these members are also homes. So I would propose that if this kind of recommendation was ever to be implemented, we should have a solution to this before we consider implementing it. It is not a super rare case. With regards to non-LIRs you have 3 main categories afaik. 1. You have legacy resource holders with no formal relationship with the RIPE NCC. 2. You have legacy resource holders with a formal relationship with the RIPE NCC. 3. And then you have ASN/PI/legacy resource holders that have a formal relationship through a LIR. With regards to category 1. I feel that this recommendation is a total "no go", they don't have a formal relationship so trying to force them to publish accurate details or the NCC publishing details without their consent seems unfeasible. With regards to category 3. the NCC probably has an address for the end user. (I am not sure what the exact details are for agreements that were made a long time ago etc) However, that address could very well be outdated and was not always verified by the NCC. Thinking about potential legal things, the NCC publishing the address of a registered company maybe isn't an issue even if it is also a home address. But there are members and resource holders (like myself) who are not legal entities or registered businesses, yet the current system would require that my address is published if I was a member rather than just an end user. I know some people will defend it in the name of transparency, but privacy laws don't just get invalidated by saying "transparency". Also the NCC doesn't seem to do a good job at determining what is and isn't a legal entity so far with regards to partnerships, limited partnerships etc. As an example, I see one Swedish member that is a limited partnership, that is listed as "<name> trading as <company name>". Then I see 2 Swedish members who are general partnerships who are listed as "<company name>". For context, all of these are legal entities in Swedish law, and the different liability for the different owners is the only difference between them. Once again, there are so many issues here for such little potential benefit. And while the latter part of this email could be dismissed by saying that it shouldn't be like that and were mistakes etc, sure, but it is still an issue. And we should not rely more on it until it actually works. All of this together seems like a very high cost and a very large amount of manual labor for a very small potential benefit that at least I would question if it is a benefit or not due to there already being procedures for LEAs. And if it for whatever reason it should still be implemented, I think we need an effective way of dealing with physical persons vs legal entities before doing so. So then the NCC could start by evaluating that and implementing it for LIRs. -Cynthia [1]: there are a few exceptions such as the UK Ministry of Defense for example: https://www.ripe.net/membership/indices/data/uk.mod.html [2]: https://www.ripe.net/membership/indices/NL.html On Wed, Apr 14, 2021 at 3:11 PM Bijal Sanghani via db-wg <db-wg@ripe.net> wrote: > > Dear colleagues, > > > > As part of our work in the RIPE Database Requirements Task Force (DBTF), we > are trying to evaluate if we should recommend that the RIPE NCC publish the > legal address of resource holders in the RIPE Database. It will include > everybody that is directly receiving resources from the RIPE NCC. This > information is already stored in the RIPE Registry but not available in the > RIPE Database. However it’s good to note that since the implementation of > NWI-10, a new attribute was added to the ORGANISATION object with the Country > Code for the country in which the resource holder is legally based. > > As a reminder, this is our current recommendation: > “The task force recommends that the legal address of resource holders who are > legal persons be published in the RIPE Database. This will clarify which > organisation holds which Internet number resources and ensure quick action > from incident responders such as CSIRTs and LEAs in case of abuse.” > > The task force is aware that there are legal and technical constraints > attached to this recommendation. The main challenge is to find a system that > can clearly separate natural and legal persons across our service region, so > that the privacy of natural persons in the RIPE Database is respected. This > also includes corner cases such as SMEs using their home addresses as their > legal addresses. > > We are looking specifically for arguments pro or against this recommendation. > > We’ll then discuss each argument with the task force and make a decision. > > > > Kind regards, > Bijal on behalf of the DBTF >
