Hi Ronald On 06/11/2015 22:44, Ronald F. Guilmette wrote:
In message <563C8773.7000804@yahoo.co.uk>, denis <ripedenis@yahoo.co.uk> wrote:
It may seem like I am quibbling over a minor semantic point here, and perhaps I am, but I think that it is somewhat inaccurate to say that there's no relationship at all between RIPE / RIPE NCC and the entities whose data is in the data base.
It is not a semantic point it is a legal point. (I am sure the RIPE NCC legal team will correct me if I am wrong :) ) The RIPE NCC is the Data Controller for this database. They manage the service and facilitate its use by other parties. Some of the RIPE NCC members in some countries satisfy their local laws by documenting every customer in the RIPE Database. This results in hundreds of thousands of INETNUM/PERSON object pairs created in the RIPE Database.
The RIPE NCC has no relationship of any sort with these people. Their personal information is in this database because they consented to it being put their by someone they have signed a contract with. The RIPE NCC has no knowledge of that contract or it's terms.
Please excuse my feeble attempts to "drill down" as it were, and understand the facts and nuances of what you've just said. (I'll admit up front a substantial level of ignorance, if that will help to make clear that I _am_ attempting to understand, and not just simply being disagreeable.)
On the one hand, you say that all these entities (both people and businesses) have consented to have RIPE NCC store and distribute their contact data. On the other hand you say that RIPE NCC has no knowledge of the terms and conditions of the contracts they have signed. Given that RIPE NCC is bound by European privacy laws, wouldn't it be fair to say that RIPE NCC is 100% confident of the content of at least one part of the contracts that all of these entities have individually signed, i.e. the part in which they consent to have RIPE NCC store and distribute their data?
It would seem to be that case that RIPE NCC is a formal, legal, and an explicitly named third party in all those contracts. Is that statement innacurate? Haven't each and every one of these individual entities, in their contracts, granted certain rights to RIPE NCC as partial compensation for the number resources they are given? If not, then how can RIPE NCC get away with what appear to be rather massive and ongoing breaches of European privacy laws? If so however, then is it at all accurate to say that RIPE NCC has "no relationship" to all of these individual entities?? (It would appear that in fact RIPE NCC has direct contractual relation- ships with each and every one of them.)
OK lets look at this again. I re-read the policy that Sander referred to. I admit I am a little rusty on some of these policies. But there are still issues here. The RIPE Database has three categories of resources in it: 1/ There are allocations made to RIPE NCC members. These are subject to a direct contract with the RIPE NCC. 2/ There are end user independent resources that are typically subject to a contract with a member, but may be directly contracted by the RIPE NCC. As Sander pointed out there is a contractual relationship with the RIPE NCC even when a member has a contract with the end user. The policy says: "End Users of provider independent resources are responsible for maintaining a contractual link to the RIPE NCC either through a sponsoring LIR or else directly to the RIPE NCC for the purposes of managing these resources." 3/ There are assignments made by members to end users from the allocations made to the member by the RIPE NCC. For category 1 it is clear. The RIPE NCC not only has a contract with these people, but has regular contact with them as they pay an annual fee. For category 2 there is mostly a contract between a member and the end user which includes some contractual commitment with the RIPE NCC to keep the contact data up to date. So the RIPE NCC "can confirm that the End User exists, continues to exist and that they continue to fulfil their obligations to comply with the original assignment conditions." These end users must pay an annual fee to the member to maintain this link. So as far as contact details are concerned everything looks good. And in most cases we know most people do the right thing anyway. But what can people do who want to intentionally misuse these resources? These end users have full control over the resource. So they have the authority to create ROUTE objects. Either the RIPE NCC or the member can validate the contact details, but I am not sure how you check they "comply with the original assignment conditions". If the registered end user doesn't use the resource and later claim the password must have been cracked, then some untraceable person is actually using it. At some point that will be discovered and the RIPE NCC can take back the resource. But the registered end user has simply broken a commercial contract by not using the resource. They are not the one engaged in some criminal activity using the resource. You can't prove they gave away (or sold) the password allowing it to be misused. So I am not sure what benefit you gain by regularly validating contact details that are correct if that doesn't ensure the contacted person is using the resource. When the RIPE NCC takes the resource back they can just get another one under a different name. For category 3, these are the ones I referred to where the RIPE NCC has no direct contractual relationship with at all. They are the customers of a RIPE NCC member. The member can grant the customer the authority to create their own ROUTE objects and maybe even allow them to handle their own abuse complaints. If the member (intentionally) does not include a contract clause to not allow the resource to be reassigned by their customer it is not hard to lose track of who is actually using it. So even if all the contact data proves to be valid you may not be talking to the person actually using the resource. cheers denis