Hello, Tore

Thanks for your message,

I dare keep my message in the loop as there is for us a fundamental point here,

I take note of yours, and may understand your wish to advance in the debate…

However,…

excluding this matter from the discussion should still depend on the certainty that there are no consequences on the way the data will be processed…

…As I read the various inputs, I observe that the below statement (“no impact on end user data available”) and the relevancy of still discussing this point (or not), is not a matter of consensus in the group…

some of our investigators, assessing the proposal, also observe a risk of future losses of information that are highly considered on EU side, to be honest…

I remember that the loss of granularity was also acknowledged by another member of the group (who seemed to consider it as a collateral damage), in the chat I had during the latest RIPE session on November

Considering the challenges for companies on processing IPV4, any simplification will damage identification effort.

in the content your quote below, a possible option is mentioned about a separate policy proposal to clarify the internal aggregation processes at company level,…

so as to ensure a right process, achieving this one would then ideally be a pre-condition before considering the current one we discuss.

from our views, we need to check precisely the extend of the reality of “no impact on the end user data available” as it will fully condition our views on the measure…and could have a real impact on the way to grant security matters for citizens.

Here a fair debate with all, using the necessary time, would really help, so as to fully clarify it..

in the past, on various occasion, new measures have been taken in various international groups,…identification capacities got weakened and we observed increasingly more obstacles (identification gaps) in our investigation, but it was then too late, once the measure implemented, …and what disappears is by definition harder to precisely measure and fully prove,…!! it does not mean the damage does not exist.

Thanks for your understanding of my position, as the matter also interests various services and authorities at EU level (Law enforcement, Justice, and also digital matters)

Best regards

Emmanuel Kessler

Europol

From: Tore Anderson <tore@fud.no>
Sent: 15 January 2024 12:08
To: Kessler, Emmanuel <Emmanuel.Kessler@europol.europa.eu>
Cc: Šileris, Edvardas <Edvardas.Sileris@europol.europa.eu>; 'BAUER-BULST Cathrin' <Cathrin.BAUER-BULST@ec.europa.eu>; Azofra Martínez, Álvaro <Alvaro.Azofra-Martinez@europol.europa.eu>; Frank Breedijk <f.breedijk@divd.nl>; Maria Stafyla <mstafyla@ripe.net>; Jeroen Lauwers <jlauwers@a2b-internet.com>
Subject: Re: [address-policy-wg] @EXT: RE: 2023-04 Review Phase (Add AGGREGATED-BY-LIR status for IPv4 PA assignments)

This email originated from outside Europol. Do not click links or open attachments unless you recognize the sender and know the content is safe.
The external address that sent the message is: tore@fud.no

Hello Emmanuel,

I removed the AP-WG mailing list from the CC list here, because the Working Group chairs have declared the subject of end user contact details as being out of scope for this proposal.

The chairs state:

«It should therefore be clear that 2023-04 does not in fact change anything regarding how end-user details will actually be registered in PA Assignments»

Please see: https://www.ripe.net/ripe/mail/archives/address-policy-wg/2024-January/013982.html

We hope you will take this into consideration as you continue your evaluation of this policy proposal.

Best regards,

Tore & Jeroen

On 15/01/24 11:31, Kessler, Emmanuel wrote:

Dear all,

we keep analysing the possible consequences of the measure on our LEA capacity to identify IPV4

It takes time as it interests various EU official partners and Law enforcement services, ...thanks for your understanding.

We still identify two issues in the measure

- about the process to access to data : as ending the direct access at RIPE level, it will not ease the work for some investigators who uses it as a convenient tool, although accessing the data at LIR level still remains partly an option.

- about the granularity of the data as aggregated, and we think there is here a very strong question, with a large potential impact.

As you know, EUROPOL has worked for years on the CGN-NAT challenge on IPV4, advocating for limiting this mutualisation of IPV4 addresses that regularly hampers investigation capacities.

we observe the aggregation measure as having a real negative impact on the granularity of the answers that will be collected.

it is also linked with internal practices in the companies that remain various...we know that.

Situation with IPV4 is different than the one with IPV6.

Consequently, we keep all our reserve about the proposal that raises concerns amongst many colleagues.

We fully understand the code of conduct in RIPE debate, and still appreciate good discussion with constructive and realistic people...

However, getting all the truth of the situation requires contradictory debate that can progress through the exchange of still more detailed explanations,....

As the matter is of real importance, we hope that the measure would not be adopted without this clarification with all opinions/arguments around the table,...

We would be also in favour of postponing the deadline of the debate, to take time to exchange and check all the explanations as necessary.

Thank you for your exchange and cooperation

Regards

Emmanuel Kessler

European Cybercrime centre

EUROPOL