Re: [ripe-list] Confidentiality, or that lack thereof

2021-08-27 Thread Athina Fragkouli
Dear Ronald,

Thank you for your questions. As others have correctly noted, the RIPE NCC does 
have policies protecting the confidentiality of certain information provided by 
our members. Our duty in this department stems from the mandate given to us by 
the community in section 3.1 of the IPv4 policy [1], which we interpret as a 
broad duty to treat all information we receive from our members as confidential:

"Internet Registries (IRs) have a duty of confidentiality to their registrants. 
Information passed to an IR must be securely stored and must not be distributed 
wider than necessary within the IR. When necessary, the information may be 
passed to a higher-level IR under the same conditions of confidentiality."

Our treatment of confidential information is also described in section 5 of the 
RIPE NCC procedural document "Due Diligence for the Quality of the RIPE NCC 
Registration Data" [2], which states:

"The RIPE NCC maintains a duty of confidentiality towards the legal or natural 
persons that request Internet number resources. Information passed to the RIPE 
NCC is securely stored and will not be distributed further than is necessary."

Furthermore, in the RIPE NCC procedural document "Handling Requests for 
Information, Orders and Investigations from Law Enforcement Agencies" [3], we 
provide more clarity regarding what information we treat as confidential and 
what we can share with third parties (the document pertains to LEAs, but we 
apply this principle with any third party). According to this document:

"1. Requests for Information

The RIPE NCC distinguishes between the following two types of information:

• RIPE NCC member information that is publicly available
• RIPE NCC member information that is not publicly available, including 
members' personal and organisational information and any other non-public 
information

1.1. RIPE NCC Member Information that is Publicly Available

RIPE NCC member information that is public can always be accessed by third 
parties, including LEAs. Such publicly available information may be any 
information that is accessible through the RIPE NCC website, including 
information or records that are public on the RIPE Database at the time of the 
request.

1.2. RIPE NCC Member Information that is not Publicly Available

The RIPE NCC does not provide member information that is not publicly available 
to LEAs on a voluntary basis.
Non-publicly available member information will only be provided to LEAs, if a 
Dutch court order or other legally binding order is presented by a Dutch LEA."

Although it is not directly stated in this document, we consider publicly 
available information only the information that we make publicly available 
(i.e. publish) according to our mandate from the RIPE community and our legal 
obligations.

If, for example, an LEA asks for the legal address or the bank account of a 
member, we will not provide them with this information, even though it might be 
publicly available on that member’s website.

As mandated by the community's policies, our publicly available information 
about members is accessible on our website, the RIPE Database and other RIPE 
NCC maintained applications, while other information is kept confidential.

Regards,

Athina Fragkouli
Chief Legal Officer
RIPE NCC

[1] IPv4 Address Allocation and Assignment Policies for the RIPE NCC Service 
Region:
https://www.ripe.net/publications/docs/ripe-733#31

[2] Due Diligence for the Quality of the RIPE NCC Registration Data:
https://www.ripe.net/publications/docs/ripe-748#5--confidentiality-and-privacy-issues

[3] Handling Requests for Information, Orders and Investigations from Law 
Enforcement Agencies:
https://www.ripe.net/publications/docs/ripe-675



> On 26 Aug 2021, at 21:22, Ronald F. Guilmette  wrote:
> 
> In message <48758939-bb53-43ff-8855-49c1af18b...@v6x.org>, 
> Andreas Härpfer wrote:
> 
>> I really have no idea where this discussion is heading, I am not a lawyer,
>> etc. etc, but let me play "devil's advocate" and be a bit provocative :-)
> 
> That's fair.
> 
>> * My ad-hoc assumption for any organization would be that any partner/
>> member/customer information is confidential unless the affected parties
>> have agreed to make it public.
>> 
>> viz. https://www.ripe.net/publications/docs/ripe-733#31
> 
> I note again that you are citing a Section (3.1) of a document that relates
> to the IP address allocation process.  The title of the document is "IPv4
> Address Allocation and Assignment Policies for the RIPE NCC Service Region".
> 
>3.1 Confidentiality
> 
>Internet Registries (IRs) have a duty of confidentiality to their
>registrants. Information passed to an IR must be securely stored and
>must not be distributed wider than 

Re: [ripe-list] Confidentiality, or that lack thereof

2021-08-26 Thread Ronald F. Guilmette
In message <48758939-bb53-43ff-8855-49c1af18b...@v6x.org>, 
Andreas Härpfer wrote:

>I really have no idea where this discussion is heading, I am not a lawyer,
>etc. etc, but let me play "devil's advocate" and be a bit provocative :-)

That's fair.

>* My ad-hoc assumption for any organization would be that any partner/
>  member/customer information is confidential unless the affected parties
>  have agreed to make it public.
>
>  viz. https://www.ripe.net/publications/docs/ripe-733#31

I note again that you are citing a Section (3.1) of a document that relates
to the IP address allocation process.  The title of the document is "IPv4
Address Allocation and Assignment Policies for the RIPE NCC Service Region".

3.1 Confidentiality

Internet Registries (IRs) have a duty of confidentiality to their
registrants. Information passed to an IR must be securely stored and
must not be distributed wider than necessary within the IR. When
necessary, the information may be passed to a higher-level IR under
the same conditions of confidentiality.

I would argue that BY DEFINITION the above assurances relate to information
provided as part of a justification for IPv4 address space, and that they
therefore do not apply to information submitted to RIPE NCC, much earlier,
as part of the package of information that RIPE NCC requires in order to
transform a prospective new member into an actual RIPE member.  That trans-
formation, of a prospective member into an actual one, is clearly a separate
and different process, and one to which the confidentiality commitment
expressed in the above quoted passage cannot reasonably be construed to
apply.

>Jurisdiction, at least, is easy.  RIPE-673 (initially quoted by
>you but outdated) and all its successor documents until the current
>RIPE-745 state in the very last section:
>
>  Article 11 - Governing Law
>
>  11.1 All agreements between the RIPE NCC and the Member shall be
>  exclusively governed by the laws of the Netherlands.

We agree.

Please note that The Netherlands does itself operate a *public* national
corporate registry, one from which anybody anywhere in the world can fetch
basic incorporation documents, albeit subject to a small fee per document.
(I myself have used this web-based public service on multiple occasions in
order to obtain various Dutch incorporation documents.)

It would seem that the jurisdiction of The Netherlands has no problem with
the notion of making basic incorporation documents public.  Why then should
RIPE deviate from that admirable national standard?  (That transparency
with respect to basic incorporation documents is not by any means unique
to the Netherlands, by the way.  Rather, this rudimentary transparency is
the widely-accepted norm throughout essentially the entire civilized world.)

>>   *)  Isn't the publication of WHOIS information a quite apparent and obvious
>>   violation of this purported "duty of confidentiality"?  Or would that
>>   be more accurately referred to as "the exception that proves the rule"?
>>
>>   Could there be other and as-yet unenumerated exceptions to the 
>>   general rule?
>
>I would not consider this an exception.  What goes into WHOIS and/or
>into the RIPE database is well documented and can be known in advance
>by anyone applying for resources.

What are you saying, exactly?  Are you claiming that members, e.g. ones
allegedly incorporated in some of the world's more opaque jurisdictions,
such as Belize, etc., have either some expectation, or perhaps even some
right to expect that even the bare minimum facts regarding their corporate
existence shall be preserved as a deep dark secret, AND one which RIPE NCC
is somehow obliged to become a co-conspirator in hiding from the world?

As noted above, the people and the government of The Netherlands don't
appear to have any problem with making basic incorporation documents
public.  Why then should RIPE?  Is RIPE attempting to emulate the ignoble
example of FIFA by going out of its way to be opaque, and by so doing,
either tacitly or consciously facilitating God only knows what?

Basic incorporation documents are neither "sensitive" nor relevant to
the competitiveness of any given member.  As I have said, if you have
incorporated as "XYZ Widgets" in the Duchy of Grand Fenwick, how does
that information being public either hurt you or help your competitors?

Clearly it does neither, thus rendering any pointless and unnecessary
secrecy about such basic documents on RIPE's part, nothing other than an
additional tool in the toolboxes of bad actors, including some that, even
as we speak, are attempting to bring down the entire edifice of the global
system of Regional Internet Registries, including RIPE.


Regards,
rfg



Re: [ripe-list] Confidentiality, or that lack thereof

2021-08-26 Thread Ronald F. Guilmette
In message , 
Gert Doering  wrote:

>On Tue, Aug 24, 2021 at 05:18:06PM -0700, Ronald F. Guilmette wrote:
>> There is no question in my mind that the former category of information MUST
>> be held in confidence by RIPE NCC.  The latter category, maybe not so much.
>
>I agree that otherwise easily attainable information ("chamber of commerce")
>does not need to be treated as "confidential".

Thank you for what seems to be general agreement with my position on this
question/issue.

Unfortunately, the term "easily obtainable" may be somewhat misleading in
this context.

There are many jurisdictions scattered around the world, that have elected
to go out of their way to NOT make even such simple things as corporate
registration documents available to the public, and there are at least
a few RIPE member organizations that claim to be incorporated in each of
these: Belize, U.A.E., the British Virgin Islands, the Isle of Man,
and the Seychelles Islands, just to name a few.

It may come as a surprise to some, although not to me, that over time there
has appeared to be some correlation between some of these entities and what
some might call "bad behavior".  Indeed, at the present moment, multiple
legal disputes currently ongoing in the courts of Mauritius threaten to
put one of the world's five Regional Internet Registries, AFRINIC, out of
business, and these legal cases have been brought by multiple companies
that are purportedly incorporated in the Seychelles:

   
https://www.internetgovernance.org/2021/08/19/a-fight-over-crumbs-the-afrinic-crisis/

Given the nature of the modern Internet, and its ever more central place
in the lives of ordinary people around the world, I personally feel that
the price of admission to this vast global and interconnected wealth-
generating machine should, at the very least, include making your basic
incorporation documents public.  It would be Good and Helpful, in my opinion,
if the five RIRs agreed with this simple and minimalist disclosure requirement.

>OTOH, maybe it's just the easiest approach to things - "keep *any* document
>submitted by the LIR as 'confidential'" - so there is no need for individual
>NCC employees to decide on the nature of a document...

I believe you are making this seem more complex than it really is.  I really
doubt that there are any staff members within RIPE NCC who are so blindingly
ignorant that they could not easily tell a corporate registration document
from a document showing user counts, equipment purchases, etc., of the kind
that has typically been required as part of a justification for IP space.
The latter is quite obviously "business confidential".  The former, not so
much.


Regards,
rfg



Re: [ripe-list] Confidentiality, or that lack thereof

2021-08-25 Thread Gert Doering
Hi,

On Tue, Aug 24, 2021 at 05:18:06PM -0700, Ronald F. Guilmette wrote:
> There is no question in my mind that the former category of information MUST
> be held in confidence by RIPE NCC.  The latter category, maybe not so much.

I agree that otherwise easily attainable information ("chamber of commerce")
does not need to be treated as "confidential".

OTOH, maybe it's just the easiest approach to things - "keep *any* document
submitted by the LIR as 'confidential'" - so there is no need for individual
NCC employees to decide on the nature of a document (especially given that
in RIPE land, something which might be "semi-public" in country A might
be not easily attainable in country B).

But I do not *know*, I'm just thinking out loud.

Gert Doering
-- 
have you enabled IPv6 on something today...?

SpaceNet AG                      Vorstand: Sebastian v. Bomhard, Michael Emmer
Joseph-Dollinger-Bogen 14        Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                 HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444         USt-IdNr.: DE813185279




Re: [ripe-list] Confidentiality, or that lack thereof

2021-08-25 Thread Andreas Härpfer


> On 25. Aug 2021, at 17:17, Ronald F. Guilmette  wrote:
> 
> In message 
> 
> Leo Vegoda  wrote:
>> 
>> Are you making a proposal for the RIPE NCC to change the way it
>> operates, or something else?
> 
> I only wish that I could even answer that question.  Sadly, I cannot, for
> the simple reason that the various RIPE legal, policy, and procedure
> documents which I have seen so far, and which other people have been kind
> enough to point me to, have not served to clarify what the current policy
> with respect to corporate registration documents, or if there even exists
> a current policy with respect to those documents.  (My sense is that there
> currently exists -no- policy relating to those documents.)
> 
> It would be technically inaccurate, I think, and a misuse of the English
> language to say that I desire to see a change to something which does not
> now even exist.
> 
> 
> Regards,
> rfg


I really have no idea where this discussion is heading, I am not a lawyer,
etc. etc, but let me play "devil's advocate" and be a bit provocative :-)


* My ad-hoc assumption for any organization would be that any partner/
  member/customer information is confidential unless the affected parties
  have agreed to make it public.

  viz. https://www.ripe.net/publications/docs/ripe-733#31


From one of your yesterday's emails:

>   *)  The first sentence makes a quite sweeping and a quite generalized assertion
>   and yet provides exactly -zero- references to support the assertion.
>
>   From whence does this alleged "duty of confidentiality" arise?  From law?
>   If so, which law and in which jurisdiction?

Jurisdiction, at least, is easy.  RIPE-673 (initially quoted by
you but outdated) and all its successor documents until the current
RIPE-745 state in the very last section:


  Article 11 – Governing Law

  11.1 All agreements between the RIPE NCC and the Member shall be
  exclusively governed by the laws of the Netherlands.


https://www.ripe.net/publications/docs/ripe-673
https://www.ripe.net/publications/docs/ripe-745


>   *)  Isn't the publication of WHOIS information a quite apparent and obvious
>   violation of this purported "duty of confidentiality"?  Or would that
>   be more accurately referred to as "the exception that proves the rule"?
>
>   Could there be other and as-yet unenumerated exceptions to the general rule?

I would not consider this an exception.  What goes into WHOIS and/or
into the RIPE database is well documented and can be known in advance
by anyone applying for resources.

This

  
https://www.ripe.net/manage-ips-and-asns/db/support/highlighted-values-in-the-ripe-database

e.g. explicitly mentions the distinction between public and confidential
resource holder data.


> My points above are, of course, pertaining only to information relating to legal
> entities other than natural persons, for whom GDPR is controlling.  I should say
> also that although some may view me as nitpicking, these matters are of grave
> and serious concern, not just to me, but also to law enforcement and "open source"
> researchers everywhere.

Hmmm ... to put it bluntly:

* If you are law enforcement, get a warrant.

* If you are an "open source researcher", why should RIPE feel any
  obligation to cater for your personal research needs?
  
  Just because there might be non-competitive information that the
  RIPE NCC is not obliged to keep confidential does not mean it is
  obliged to make it publicly available, either …

  … well, unless you are making a proposal for the RIPE NCC to
  change the way it operates, as suggested earlier :-)


As I said in the beginning, intentionally provocative (and not necessarily
my personal opinion everywhere) … just because I can.

Cheers
-Andi




Re: [ripe-list] Confidentiality, or that lack thereof

2021-08-25 Thread Ronald F. Guilmette
In message 
Leo Vegoda  wrote:

>On Tue, Aug 24, 2021 at 5:18 PM Ronald F. Guilmette
> wrote:
>> As you will see from my immediately prior post however I am of the opinion
>> that there is a clear and bright line between THAT sort of "sensitive"
>> information (which might be used, misused, or abused if it were to fall
>> into the hands of some business competitor) and the mere national corporate
>> registration document which all prospective new members that are not natural
>> persons must provide to NCC prior to even being accepted as new members.
>>
>> There is no question in my mind that the former category of information MUST
>> be held in confidence by RIPE NCC.  The latter category, maybe not so much.
>
>Are you making a proposal for the RIPE NCC to change the way it
>operates, or something else?

I only wish that I could even answer that question.  Sadly, I cannot, for
the simple reason that the various RIPE legal, policy, and procedure
documents which I have seen so far, and which other people have been kind
enough to point me to, have not served to clarify what the current policy
with respect to corporate registration documents, or if there even exists
a current policy with respect to those documents.  (My sense is that there
currently exists -no- policy relating to those documents.)

It would be technically inaccurate, I think, and a misuse of the English
language to say that I desire to see a change to something which does not
now even exist.


Regards,
rfg



Re: [ripe-list] Confidentiality, or that lack thereof

2021-08-25 Thread Leo Vegoda
On Tue, Aug 24, 2021 at 5:18 PM Ronald F. Guilmette
 wrote:

[...]

> As you will see from my immediately prior post however I am of the opinion
> that there is a clear and bright line between THAT sort of "sensitive"
> information (which might be used, misused, or abused if it were to fall
> into the hands of some business competitor) and the mere national corporate
> registration document which all prospective new members that are not natural
> persons must provide to NCC prior to even being accepted as new members.
>
> There is no question in my mind that the former category of information MUST
> be held in confidence by RIPE NCC.  The latter category, maybe not so much.

Are you making a proposal for the RIPE NCC to change the way it
operates, or something else?

Kind regards,

Leo



Re: [ripe-list] Confidentiality, or that lack thereof

2021-08-24 Thread Ronald F. Guilmette
In message , Gert Doering  wrote:

>Leo has been around about as long as I have - and his understanding of
>the reasoning matches mine.

Excellent!  All three of us have the exact same shared understanding, it
seems.

>Let me illustrate this a bit: "back in the days", ISPs were given IPv4
>allocations based on network deployment *plans*.  Like "we intend to
>expand to neighbouring country , cities ,  and , and
>we expect to have  customers there by mid next year"

Right.  This is what I have termed "sensitive" and/or "competitive" information
in my immediately prior post.  And I am 100% supportive of the notion that
all such "sensitive" information should at all times be held in the strictest
confidence by NCC, even regardless of whether such confidentiality has been
formalized or not.  (It just makes good sense.)

As you will see from my immediately prior post however I am of the opinion
that there is a clear and bright line between THAT sort of "sensitive"
information (which might be used, misused, or abused if it were to fall
into the hands of some business competitor) and the mere national corporate
registration document which all prospective new members that are not natural
persons must provide to NCC prior to even being accepted as new members.

There is no question in my mind that the former category of information MUST
be held in confidence by RIPE NCC.  The latter category, maybe not so much.


Regards,
rfg



Re: [ripe-list] Confidentiality, or that lack thereof

2021-08-24 Thread Ronald F. Guilmette
In message 
Leo Vegoda  wrote:

>I have always understood that the confidentiality requirement was
>intended to apply to any business information supplied to justify an
>allocation of resources...

This has been my (informal) understanding also.  And it seems altogether
reasonable.

>I understood that the goal was to assure
>the businesses operating networks that chatty staff would not gossip
>about what those businesses planned but had not announced.

Yes.  This matches my understanding also, and for whatever it may be
worth let me just say that I am in complete agreement with this rationale.

I quote now from an Internet source describing a once common phrase here
in the U.S., i.e. "Does Macy's tell Gimbels?":

The rhetorical question "Does Macy's tell Gimbels?" was a popular phrase
used throughout the 1930s-1960s which meant that business competitors
are not {going to} share trade secrets with one another. It comes from
the rivalry between the large upscale New York department stores Macy's
and Gimbels.

Obviously, -competitive- information of the kind used to request or justify
allocations of number resources is, and quite properly should be entirely
confidential.  I have no question about that.

But that sort of information... information relating to number resource
requests, allocations, or the justifications for those... are -not- the only
information that RIPE NCC holds in relation to any given member.

I refer again to bullet point #2 in Section 2.2 of the RSA, which prospective
new members agree to even well before they either request or receive any
number resource allocations:

*  A recent extract from the Commercial Trade Register or equivalent
   document proving the registration of the Member with the national
   authorities.

I am persuaded that in the specific case(s) where the prospective new member
is *not* a natural person, a document which has been provided, by a prospective
new member, to RIPE NCC and which purports to attest to the mere valid legal
existence of some such corporate non-natural entity cannot reasonably be
classified as "competitive" or "proprietary" information of a type which
would be at all likely to render unfair advantage to some real or even
hypothetical business competitors.

If I am your business competitor, and if I find out that you have incorporated
your business using the name "XYZ Widgets" in the national jurisdiction of
The Duchy of Grand Fenwick (google it) then how does my knowing those two
rather rudimentary bits of information either (a) help me or (b) hurt you?

I do not believe that it can be reasonably argued that it does either, since
your mere legal existence as a legal corporate entity does not provide me
with any notable competitive advantage.  Besides which, if you have been
honest and truthful, then this same information should be appearing also
in your public corporate "ORG" WHOIS record anyway, right?

So, may we agree that there exists "sensitive" competitive information, of the
kind that might be submitted as part of a justification for number resources,
and which must be held in confidence by RIPE NCC, and that there is also 
an additional and separate category of "non-sensitive" non-competitive
information which NCC is -not- obliged to hold in confidence, especially as
it has no bearing on either requests for, or assignments of number resources?

>If you believe there is a need to add clarity, you are welcome to
>start a discussion in the Address Policy WG.

Well, I do thank you for the suggestion, but as I have been at pains to note
above, from where I am sitting this doesn't really bear on address policy
*at all*.

Yes, when a member that has been accepted as a member requests number resources
then they must submit "sensitive" information to NCC and that information must
thenceforth and forever after be held in confidence by NCC.  But what about
the corporate registration document that a prospective member must submit
even well before they even become a member, and also, by implication, well
before they are even in a position to request number resources?


Regards,
rfg



Re: [ripe-list] Confidentiality, or that lack thereof

2021-08-24 Thread Carlos Friaças via ripe-list




(please see below)


On Tue, 24 Aug 2021, Gert Doering wrote:

> Hi,
>
> On Tue, Aug 24, 2021 at 11:26:12AM -0700, Leo Vegoda wrote:
>> I have always understood that the confidentiality requirement was
>> intended to apply to any business information supplied to justify an
>> allocation of resources and not the outcome, which is published in the
>> RIPE Database and elsewhere. I understood that the goal was to assure
>> the businesses operating networks that chatty staff would not gossip
>> about what those businesses planned but had not announced.
>
> Leo has been around about as long as I have - and his understanding of
> the reasoning matches mine.
>
> Let me illustrate this a bit: "back in the days", ISPs were given IPv4
> allocations based on network deployment *plans*.  Like "we intend to
> expand to neighbouring country , cities ,  and , and
> we expect to have  customers there by mid next year" - this
> sort of information is something I would not like my competitors to
> have, and thus I always found it reassuring that the NCC would not
> share these strategic details.
>
> The end result ("1.2.0.0/16 allocated to XYZ inc.") is - and needs to
> be - public, so some coarse information about growth plans is/was visible,
> but not the details.

Hi Gert, Leo, All,

This is perfectly understandable.

But I guess the issue is dramatically different -- it's about knowing 
** WHO ** is really the ISP, i.e. which company from which jurisdiction.

Cheers,
Carlos

> Gert Doering
>    -- LIR contact since too many years
> --
> have you enabled IPv6 on something today...?
>
> SpaceNet AG                      Vorstand: Sebastian v. Bomhard, Michael Emmer
> Joseph-Dollinger-Bogen 14        Aufsichtsratsvors.: A. Grundner-Culemann
> D-80807 Muenchen                 HRB: 136055 (AG Muenchen)
> Tel: +49 (0)89/32356-444         USt-IdNr.: DE813185279





Re: [ripe-list] Confidentiality, or that lack thereof

2021-08-24 Thread Gert Doering
Hi,

On Tue, Aug 24, 2021 at 11:26:12AM -0700, Leo Vegoda wrote:
> I have always understood that the confidentiality requirement was
> intended to apply to any business information supplied to justify an
> allocation of resources and not the outcome, which is published in the
> RIPE Database and elsewhere. I understood that the goal was to assure
> the businesses operating networks that chatty staff would not gossip
> about what those businesses planned but had not announced.

Leo has been around about as long as I have - and his understanding of
the reasoning matches mine.

Let me illustrate this a bit: "back in the days", ISPs were given IPv4
allocations based on network deployment *plans*.  Like "we intend to
expand to neighbouring country , cities ,  and , and
we expect to have  customers there by mid next year" - this
sort of information is something I would not like my competitors to
have, and thus I always found it reassuring that the NCC would not
share these strategic details.

The end result ("1.2.0.0/16 allocated to XYZ inc.") is - and needs to
be - public, so some coarse information about growth plans is/was visible,
but not the details.

Gert Doering
-- LIR contact since too many years
-- 
have you enabled IPv6 on something today...?

SpaceNet AG                      Vorstand: Sebastian v. Bomhard, Michael Emmer
Joseph-Dollinger-Bogen 14        Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                 HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444         USt-IdNr.: DE813185279




Re: [ripe-list] Confidentiality, or that lack thereof

2021-08-24 Thread Leo Vegoda
On Tue, Aug 24, 2021 at 10:50 AM Ronald F. Guilmette
 wrote:

[...]

> 3.1 Confidentiality
>
> Internet Registries (IRs) have a duty of confidentiality to their registrants.
> Information passed to an IR must be securely stored and must not be distributed
> wider than necessary within the IR. When necessary, the information may be
> passed to a higher-level IR under the same conditions of confidentiality.
>
> There are multiple reasons why the text above fails to answer my question.
>
> *)  The first sentence makes a quite sweeping and a quite generalized assertion
> and yet provides exactly -zero- references to support the assertion.
>
> From whence does this alleged "duty of confidentiality" arise?  From law?
> If so, which law and in which jurisdiction?

The earliest reference I have found is in ripe-104, from 1993.

"IRs will keep records of correspondence and information exchanges in
conjunction with the registry function for later review and the
resolution of disputes. IRs will hold this information in strict
confidence and use it only to review requests and in audit procedures
or to resolve disputes."

[...]

> *)  Isn't the publication of WHOIS information a quite apparent and obvious
> violation of this purported "duty of confidentiality"?  Or would that
> be more accurately referred to as "the exception that proves the rule"?
>
> Could there be other and as-yet unenumerated exceptions to the general rule?

I have always understood that the confidentiality requirement was
intended to apply to any business information supplied to justify an
allocation of resources and not the outcome, which is published in the
RIPE Database and elsewhere. I understood that the goal was to assure
the businesses operating networks that chatty staff would not gossip
about what those businesses planned but had not announced.

If you believe there is a need to add clarity, you are welcome to
start a discussion in the Address Policy WG.

Kind regards,

Leo Vegoda
Address Policy WG co-chair



Re: [ripe-list] Confidentiality, or that lack thereof

2021-08-24 Thread Ronald F. Guilmette
In message <50a2de7b-3184-406a-8ae0-78062a807...@v6x.org>, 
Andreas Härpfer wrote:

>The "Due Diligence" document
>
>https://www.ripe.net/publications/docs/ripe-748#5--confidentiality-and-privacy-issues

Thank you.  Here is the relevant section:

   5. Confidentiality and Privacy Issues

   The RIPE NCC maintains a duty of confidentiality towards the legal or natural
   persons that request Internet number resources. Information passed to the RIPE
   NCC is securely stored and will not be distributed further than is necessary.

   Details of the process of handling personal data by the RIPE NCC can be found
   in the RIPE NCC Privacy Statement.

This forces me to just reiterate the various questions I raised in my immediately
preceding post, e.g.:

   *)  Where did this purported "duty of confidentiality" come from and what is
   the legal or policy basis of it?

   *)  Does this alleged "duty of confidentiality" only apply selectively, in
   certain contexts or with respect to certain information, such that the
   public WHOIS records do not run afoul of this duty?

>... together with a link to the RIPE privacy statement
>
>  https://www.ripe.net/about-us/legal/ripe-ncc-privacy-statement

Please note that the RIPE privacy statement appears to be -exclusively- about
-personal- information of natural persons.

It seems that the two documents that you have provided links to are together
performing a sort of coordinated linguistic/HTTP sleight of hand.  In Section 5
of the first document it is alleged that there is a "duty" towards -both- natural
persons and also towards any and all -other- legal entities, even as it refers
the reader to the second document (the RIPE NCC Privacy Statement) which quite
obviously talks only about the privacy that shall be accorded to natural persons.

I do not and shall not take issue with GDPR.  It is the law of the land and
provides reasonable privacy protections to all natural persons. But I do
believe that it is safe to say that the overwhelming majority of RIPE members
are not natural persons, and it still appears to be rather entirely opaque
to me what duties of confidentiality are owed to these non-natural entities.

If there exist yet other documents that might further clarify that, I would
greatly appreciate being directed to them.


Regards,
rfg



Re: [ripe-list] Confidentiality, or that lack thereof

2021-08-24 Thread Ronald F. Guilmette
In message ,
Leo Vegoda  wrote:

>On Mon, Aug 23, 2021 at 6:38 PM Ronald F. Guilmette
> wrote:
>>
>> Some long time ago, somebody (I can't remember who anymore) told me that
>> "business information" given by a member to any RIR... which presumably
>> included RIPE... was considered to be "confidential" and would not
>> thereafter be shared by the RIR staff with any other or outside party.
>
>Are you referring to this?
>
>https://www.ripe.net/publications/docs/ripe-733#31

Well, yes and no, by which I mean "I can't even tell."

Here is section 3.1 of the above document:

3.1 Confidentiality

Internet Registries (IRs) have a duty of confidentiality to their registrants.
Information passed to an IR must be securely stored and must not be distributed
wider than necessary within the IR. When necessary, the information may be
passed to a higher-level IR under the same conditions of confidentiality.

There are multiple reasons why the text above fails to answer my question.

*)  The first sentence makes a quite sweeping and a quite generalized assertion
and yet provides exactly -zero- references to support the assertion.

From whence does this alleged "duty of confidentiality" arise?  From law?
If so, which law and in which jurisdiction?

Or did this purported "duty" spring, fully formed, like Athena from the
brow of Zeus?

*)  Isn't the publication of WHOIS information a quite apparent and obvious
violation of this purported "duty of confidentiality"?  Or would that
be more accurately referred to as "the exception that proves the rule"?

Could there be other and as-yet unenumerated exceptions to the general rule?

*)  Given that the title of the containing document is "IPv4 Address Allocation
and Assignment Policies for the RIPE NCC Service Region" may it be safely
inferred that this purported "duty of confidentiality" applies only to
"Information passed to an IR" at a point in time when some member actually
requests one or more IP Address Allocations, and thereafter?

More specifically, does it apply to "Information passed to an IR" at some
point in time *before* a member requests IP or other number resource
allocations, e.g. at a point in time when a *prospective* member is
applying for membership in RIPE?

My points above are, of course, pertaining only to information relating to legal
entities other than natural persons, for whom GDPR is controlling.  I should say
also that although some may view me as nitpicking, these matters are of grave
and serious concern, not just to me, but also to law enforcement and "open source"
researchers everywhere.


Regards,
rfg



Re: [ripe-list] Confidentiality, or that lack thereof

2021-08-24 Thread Andreas Härpfer



> On 24. Aug 2021, at 15:25, Leo Vegoda  wrote:
> 
> On Mon, Aug 23, 2021 at 6:38 PM Ronald F. Guilmette
>  wrote:
>> 
>> Some long time ago, somebody (I can't remember who anymore) told me that
>> "business information" given by a member to any RIR... which presumably
>> included RIPE... was considered to be "confidential" and would not
>> thereafter be shared by the RIR staff with any other or outside party.
> 
> Are you referring to this?
> 
> https://www.ripe.net/publications/docs/ripe-733#31
> 


The "Due Diligence" document

  https://www.ripe.net/publications/docs/ripe-748#5--confidentiality-and-privacy-issues

also contains a small section on this, together with a link to
the RIPE privacy statement

  https://www.ripe.net/about-us/legal/ripe-ncc-privacy-statement

Further, AFAIK any "business data" that relates to a natural person
is additionally covered by GDPR, i.e. those rules are already codified
in law.

Cheers
-Andi




Re: [ripe-list] Confidentiality, or that lack thereof

2021-08-24 Thread Leo Vegoda
On Mon, Aug 23, 2021 at 6:38 PM Ronald F. Guilmette
 wrote:
>
> Some long time ago, somebody (I can't remember who anymore) told me that
> "business information" given by a member to any RIR... which presumably
> included RIPE... was considered to be "confidential" and would not
> thereafter be shared by the RIR staff with any other or outside party.

Are you referring to this?

https://www.ripe.net/publications/docs/ripe-733#31