Re: [anti-abuse-wg] personal data in the RIPE Database

2022-06-03 Thread Hans-Martin Mosner via anti-abuse-wg

On 04.06.22 at 02:05, Ronald F. Guilmette wrote:

> In message ,
> Hans-Martin Mosner wrote:
>
>> For resources allocated to legal entities (companies, organizations, etc.)
>> an identification of the organization should be mandatory.
>
> Would you agree also that such identification of non-person legal entities
> that are the registrants of number resources should be:
>
>  a)  public, and
>
>  b)  accurate and consistent with the bona fides that were submitted to
>  RIPE NCC at the time the member was made a member, and at any & all
>  times thereafter when the non-person member requested or was granted
>  number resources?

Yes, with the addition that whenever the identification of a legal entity changes, it needs to be updated. "Accurate"
and "consistent" may be in conflict when initial information was inaccurate; I'd prefer accurate over consistent.

> If you say yes to both, then I am compelled to point out that there is,
> as far as I understand it, *no* requirement, within the RIPE region, at
> present for there to be *any* correlation between what appears in any
> public RIPE WHOIS record and the actual bona fides of the corresponding
> member, the -actual- identity of which remains secret & hidden behind an
> opaque wall of stony silence, backed up by RIPE's legal counsel.


I can't really judge this, but I see why that is your point of view.

To be clear, I am just a participant in this mailing list, have never taken part in WG meetings, don't have the 
slightest insight into why certain information is withheld from public view, and as such I can only guess. Organizations 
with numerous stakeholders having different interests tend to be blocked by unanimous consensus and veto rules, so it's 
no surprise that RIPE seems to be afflicted by this, too.


What such organizations need to come up with is a mechanism that allows them to deal with problem members without being 
blocked by them and their allies, while not succumbing to a dictatorship of the majority (majority decisions aren't 
always the best) or some central authority. As you point out, this is an issue with other organizations, too, but it's 
by far not limited to the ones you listed.


I still believe in reason to a certain extent, although it takes a big leap of 
faith in light of reality.

Cheers,
Hans-Martin


--

To unsubscribe from this mailing list, get a password reminder, or change your 
subscription options, please visit: 
https://lists.ripe.net/mailman/listinfo/anti-abuse-wg


Re: [anti-abuse-wg] personal data in the RIPE Database

2022-06-03 Thread Ronald F. Guilmette
In message ,
Hans-Martin Mosner wrote:

>For resources allocated to legal entities (companies, organizations, etc.)
>an identification of the organization should be mandatory.

Would you agree also that such identification of non-person legal entities
that are the registrants of number resources should be:

a)  public, and

b)  accurate and consistent with the bona fides that were submitted to
RIPE NCC at the time the member was made a member, and at any & all
times thereafter when the non-person member requested or was granted
number resources?

If you say yes to both, then I am compelled to point out that there is,
as far as I understand it, *no* requirement, within the RIPE region, at
present for there to be *any* correlation between what appears in any
public RIPE WHOIS record and the actual bona fides of the corresponding
member, the -actual- identity of which remains secret & hidden behind an
opaque wall of stony silence, backed up by RIPE's legal counsel.

In short, everything you see in any and all public RIPE WHOIS records is
subject to the whims of the corresponding member, whose true identity
may be well and truly hidden, and thus, the WHOIS data often is nothing
more than totally made-up bovine excrement.

I hasten to add that this is due not to any single mistake or specific
deliberate policy choice on the part of RIPE or its members or its legal
counsel.  Rather it is due entirely to the fundamental nature of RIPE
which is a -private- member-based corporation, the membership of which
is composed almost entirely of -private- corporate entities whose most
sincere and fervent wish is to be accountable to, answerable to, and
transparent to absolutely no one, and oftentimes not even to their own
shareholders[1] and/or Boards of Directors[2].

In short, I have some time ago given up entirely on the idea that RIPE
could be gradually "reformed" to be more accountable, e.g. to the billion+
ordinary people who now rely on the number resources that it distributes.
Reform isn't possible for an organization that has stealthy secrecy and
deliberate opacity baked in, as a guiding principle, from its very inception.

Regards,
rfg


[1] The mere existence of "activist" investors like Carl Icahn illustrates
the point that corporate entities many times do not even feel any special
obligations to be honest, open, and transparent with their own shareholders,
let alone the "unwashed masses" of the public at large.

[2]  The now well-known story of the rise and fall of the U.S. corporation
known as "Theranos" and its all-too-clever former CEO, Elizabeth Holmes,
vividly demonstrates that management sometimes (often?) has incentives to
keep even a company's own Board of Directors in the dark.  And if management
isn't telling the truth to its own Board, then they quite certainly are not
likely to be truthful, open, honest or transparent with the public at large.



Re: [anti-abuse-wg] personal data in the RIPE Database

2022-06-03 Thread Matthias Merkel
I agree that it must be possible to identify people who hold resources. Not 
just for other network operators but also so that organizations such as law 
enforcement are able to do so in emergency situations where contacting RIPE 
could be too slow.

It is worth noting however that there now is a relatively large number of 
people operating networks as a hobby outside of any business activity.

At RIPE 84 I mentioned the possibility of publishing a name and city only and 
having RIPE hold the full address. This would likely be enough to uniquely 
identify a person (or at least a small number of potential people in a single 
city that would be few enough for law enforcement to all check out) while not 
publishing the full addresses of people who could be at risk for various 
reasons. It would also be enough information to identify multiple objects 
belonging to the same person, for example to block traffic from all of their 
networks. The full address could still be obtained from RIPE with a court order 
if required.

—
Matthias Merkel


Re: [anti-abuse-wg] personal data in the RIPE Database

2022-06-03 Thread Hans-Martin Mosner via anti-abuse-wg

On 31.05.22 at 15:12, denis walker wrote:

> Colleagues
>
> I have raised an issue on the DB WG mailing list about publishing in
> the database the identity of natural persons holding resources.


Hi, this mail triggered the expected avalanche of controversial responses, which quickly devolved into name-calling, so 
I prefer to respond to the original instead of any of the later responses.


There are conflicting interests at work here. In your proposal, you mention the need to contact resource owners, which 
is probably accepted by most.


However, besides wanting to contact someone, there is a legitimate need to identify bad actors and shun them with 
whatever means at your disposal (SpamAssassin rules, IP blocks, nullroutes, whatever). I do not want to communicate with 
them, just as I don't want to discuss with burglars about their actions!


So, a mere contact database (which could contain fully anonymized forwarding addresses through a "privacy provider", 
as is nowadays common for whois entries) would work for the purpose of contacting someone, but it does not work for 
identifying who can be held accountable for abuse emitted from a network range.


For resources allocated to legal entities (companies, organizations, etc.) an identification of the organization should 
be mandatory. This does not need to include personal data on employees that happen to be responsible for network or 
abuse issues; I'm fine with role accounts here. So in this case, no objection to eliminating personal data (which often 
becomes stale anyway after some years).


However, resources allocated to private persons are a bit different. I suppose very few private persons hold a /24 
network range, and if they do, they probably fall squarely in the area of operating a business or other publicly visible 
enterprise under their personal name, and in many jurisdictions they are required to do so with identifying information. 
For example, in Germany you can't even have a web page without an imprint containing the names of people responsible for 
the content if you address the general public, and if you do business of any kind and you're not a corporation, you must 
do so under your name.


I suppose that RIPE operates mostly on the level of legal entities that can be identified without naming individual 
persons. As such, it would be proper to clearly state that every database entry pertaining to a resource allocated 
through RIPE must contain truthful and usable identifying information of the resource holder. In German, that's 
"Ladungsfähige Anschrift" which was basically required to be an actual place of presence, but it appears that "virtual 
office" providers have succeeded in letting their addresses count as "Ladungsfähige Anschrift". I'm not a legal expert, 
I think this is wrong, but jurisprudence isn't always compatible with reason.


Since RIPE isn't bound by German law, they may choose contractual wording that provides reasonable value for all parties 
involved. If all identifying information is lost, the abusers have won, as they have with domain whois already.


Cheers,
Hans-Martin

