Colleagues,

Here are the draft minutes from the AA-WG meeting at RIPE 64 in Ljubljana. If you have any comments or corrections, please do let us know.

https://www.ripe.net/ripe/groups/wg/anti-abuse/minutes/ripe-64

Draft RIPE Anti-Abuse Working Group Minutes -- RIPE 64

Thursday, 19 April 2012, 11:00-12:30, Ljubljana
Co-Chairs: Brian Nisbet and Tobias Knecht
Scribe: Fergal Cunningham
Chat Monitor: Robert Kisteleki

A. Administrative Matters

Welcome

The Anti-Abuse Working Group Co-Chair Brian Nisbet opened the session and welcomed the attendees. He thanked the scribe, chat monitor and stenographers and then introduced his co-chair, Tobias Knecht.

Approve Minutes from RIPE 63

Brian noted that there was one comment on the posted minutes but it was not a request for a content change. There were no further comments so he declared that the RIPE 63 minutes were approved.

Finalise Agenda

There were no additions to the agenda. The agenda is available at:
https://ripe64.ripe.net/presentations/189-AA-WG_RIPE_64.pdf

B. Update

B1: Recent List Discussion

Brian noted that there was a lot of discussion on the mailing list since RIPE 63, and he encouraged people who had not subscribed to the mailing list to do so and participate in the discussions. He proposed to run through the main topics that emerged in the previous months.

Abuse Reports/Allegations

Brian said that a lot of the list discussion over the past months related to allegations of specific incidents of abuse. He said this can be a good thing and often highlights the working group's facility for exchange of information. He pointed out, however, that the mailing list was not the place to actually report abuse and that no direct action would come of that. He advised people to instead look at the hacking FAQs, see the new RIPE NCC reporting procedure and be careful about any language used to accuse people of wrongdoing.

RIPE Database Bulk Access and Data Protection Task Force Legal Analysis

Brian noted that there had been a lot of discussion on the mailing list about bulk access to the RIPE Database, what constituted public and private data, and what should be considered acceptable bulk access to the database. He said the rules on this matter were decided by the RIPE Data Protection Task Force. He said the RIPE NCC published the legal advice given to the task force and he said the working group would like to see more precise legal analysis containing reference to specific relevant legislation.

Jochem de Ruig, Chief Financial Officer of the RIPE NCC, clarified that the report came from the Data Protection Task Force. Brian acknowledged this and said the working group would like to see the more detailed legal analysis.

Peter Koch, DENIC, asked what the outcome of performing this more in-depth legal analysis would be. Brian said that the citation was requested and the working group was trying to provide it. He said the Data Protection Task Force did not arise out of the Anti-Abuse Working Group and he saw no reason for it to be formed again. He said this matter concerned the provision of information that was requested and, although he did not see the working group mailing list as the place to discuss this matter, he could not control what people talked about on the list.

Peter thanked Brian for the clarification and noted that the RIPE NCC and operators work in an environment where consensus in a working group is not in a position to take precedence over the legal environment.

Wilfried Woeber, ACOnet, said that in the RIPE framework, the task forces act in an advisory role and do not make a decision regarding what should be implemented. He said he appreciated the decision to improve the documentation but that task force is closed and it should not be half-heartedly resurrected.
He recommended that if there were a justifiable need to cover this ground again, then it would be better to create a new task force or raise the issue in the RIPE NCC Services Working Group or the Anti-Abuse Working Group.

ACTION: The RIPE NCC to provide more detailed legal analysis on the report of Data Protection Task Force.

RIPE Policy Proposal 2011-06

Brian noted that this was a separate agenda item and Tobias would lead the discussion on this at the appropriate point.

Community Self-help/Reputation

Brian noted that there was some discussion on this matter on the working group mailing list but it seems to have died down after some useful responses were posted on the list.

Spam FAQs and Community Interaction

Brian noted with regard to the Spam FAQs that this was evidence that when the community feels that the RIPE NCC does something that is not good enough then it will react to feedback given and improve matters in consultation with people who are experts on the subject. He thanked the RIPE NCC for improving the documentation relating to spam. He said that, despite some comments on the mailing list, there is a dialogue going on and the RIPE NCC will be responsive. He noted that the updated Spam FAQs were now online.

The RIPE NCC Reporting Procedure

Brian noted that Laura Cobley from the RIPE NCC would present on the RIPE NCC Reporting Procedure later in the agenda so discussion could take place at that point.

Data Verification

Brian noted that the subject of data verification has popped up on the mailing list intermittently for some time. He said there was a relevant policy proposal in 2010 but this was withdrawn for a number of reasons, one of which was the establishment of the Abuse Management Task Force. He said the increased discussion about data verification recently indicates that there could be a relevant policy proposal put forward at some stage.
He said the proposal could come out of the task force or it could come from an individual, but as chair of the task force he will work with the rest of the task force on this.

B2: Updates

CleanIT Project

But Klaasen from the Ministry of Security and Justice in the Netherlands gave a presentation on the CleanIT Project. The presentation is available at:
https://ripe64.ripe.net/presentations/199-Ljubiljana.pdf

Max Tuleyev, NetAssist, asked for the definition of terrorism that the project uses because it is a very broad term. But said the definition being used was the legal definition as used by the European Commission, which is available on the European Commission website. He added that the main concentration was currently on Al Qaeda-influenced matters because that was where they identified the main threat as coming from. He said this threat was mainly to disrupt society using ideological methods.

Pascal Gloor, Finecom Telecommunications, asked about Facebook's real identity policy. But said he knew Facebook was in favour of a real name identity policy because it feels that Facebook works properly if the person whose profile you see is actually a real person, so they have a policy to enforce this.

Pascal said that in Switzerland, there was a website where people could report illegal activity to the police and if it's interesting, the police can investigate further. But said that a number of countries had set up websites such as this and sometimes it proved successful and sometimes it did not. He said this was something countries should look to develop and he noted that France has a useful way of allowing people to make these notifications. He said it was difficult to evaluate if the activity reported is really illegal and there are also language problems that can prevent the information from getting to the authorities in the proper manner.

Patrick Tarpey, OFCOM, asked But if he saw a conflict between the aims of the CleanIT Project and proposed draft regulations on privacy, particularly the notion of privacy by design for websites and also the idea of the right to be forgotten online. But confirmed that he thought such a conflict did exist, and he said this is why he wanted people to participate in the discussions to find solutions. He added that the main challenge of the project was to establish a correct border between freedom on the Internet on one side and effective law enforcement on the other side.

Brian said he was encouraged to hear But's comments that website blocking is not effective at a company or state level. He lamented the fact that the Irish state was lagging somewhat in this regard as it thought website blocking would solve many of its problems.

But concluded by noting that further information was available on the CleanIT website, which also included relevant definitions regarding terrorism:
http://www.cleanitproject.eu/

Wilfried Woeber, ACOnet, said Austria was also involved in similar activities to some degree but the governments across the EU were not acting in an entirely consistent way. He said he hoped projects such as this one would have a trickle-up effect to governments because the methods used to fight terrorism can then be applied to fight something such as child pornography and then copyright violations and then other things. He said the presenter should not expect support with one particular goal if you punish that community using the same methods.

But said this comment underlined the main challenge of the project. He said they were trying to position their work between the public and private sectors, and this is one of the reasons the project has its own website separate from any ministry. He said they could receive recommendations for the private sector and for governments, and he is aware that governments don't always work so efficiently.
He said it is a non-legislative process, but if industry as well as governments support it, he believes it is a project that can grow. He agreed with Wilfried that what works for anti-terrorism might not be applicable to other areas.

Patrick Tarpey, OFCOM, said that the project used the European Commission definition of terrorism, and he asked whether it might be more useful to use a United Nations definition, for example, as the Internet community covered a much larger area than the European Union. But said this was a valid point but that they had to be pragmatic. He said the project began in the Netherlands and it was not possible to introduce it on a worldwide level. He said the next obvious step was to move to a European Union level, but he agreed that moving to a more global level should be the next logical step.

RIPE NCC Reporting Procedure

Laura Cobley, RIPE NCC Customer Services Manager, presented on the RIPE NCC Reporting Procedure. The presentation is available at:
https://ripe64.ripe.net/presentations/197-lauracobley.pdf

Peter Koch, DENIC, asked if the maintainer of the object or the sponsoring LIR was the responsible party when incorrect data in the RIPE Database was reported. Laura said this depended on whether the resource was directly assigned by the RIPE NCC or it was a direct assignment via a sponsoring LIR. She said in all cases either the member or the DAU was contacted.

Peter said some of the objects are maintained by people who are not members, so this channel is not available in those cases. He said that sometimes the person who is maintaining the object is the one who has entered incorrect data, so this leads to a deadlock. Laura said there was a contractual requirement for members to maintain the data and to make sure that End Users keep the data up to date. She said this was the proper channel to begin with and if this does not work, then the RIPE NCC would have to look at alternative means of communicating.

Peter asked if this meant that the RIPE NCC used information that was not available publicly in the RIPE Database in order to contact people. Laura said they would first use the public data contained in the organisation object, for example, but sometimes the RIPE NCC had more specific contact information that could be used if necessary.

Kaveh Ranjbar, RIPE NCC Database Manager, said that if a member does not directly maintain a resource, the RIPE NCC would go to the hierarchy to find the responsible party. He said this should work in the majority of cases but obviously not all cases.

C. Policies

Discussion on RIPE Policy Proposal 2011-06

Tobias Knecht, Anti-Abuse Working Group co-Chair, gave an update on RIPE Policy Proposal 2011-06, Abuse Contact Management in the RIPE NCC Database. He said the proposal to introduce an "abuse-c:" contact attribute in the RIPE Database was made about a year ago and following some good discussion on the mailing list a second version was posted before the RIPE 64 Meeting. He said the new proposal concentrates on the creation of the "abuse-c:" attribute in the RIPE Database and the implementation details can be proposed by the RIPE NCC in the next step.

Tobias said the proposal was more or less for a role object with a mandatory "abuse-c:" attribute that should be available without query restrictions on all systems. He said there was discussion on the mailing list about data accuracy and it was proposed to include data accuracy provisions in the proposal, but it was felt by Brian, Tobias and the Abuse Management Task Force that this would be too complicated and it would be better to concentrate on the "abuse-c:" attribute for the moment. He said the data accuracy issue should cover the entire RIPE Database and not just the "abuse-c:" attribute. He noted that the proposal was still some way from the Final Phase but good progress had been made.

Emilio Madaio, Policy Development Officer for the RIPE NCC, said that the proposal would go through the RIPE Policy Development Process in the standard way. He said the RIPE NCC would provide an impact analysis and he asked that as many people as possible contribute to the discussion on the mailing list so the RIPE NCC could provide a comprehensive analysis.

Tobias said that even if people had no objections to the proposal, they should voice their support on the mailing list to help achieve broad consensus.

Brian noted that he would act as the relevant working group chair regarding the proposal because Tobias was involved in drafting the proposal.

D. Interactions

Working Groups

Brian said there was welcome interaction with the RIPE Database Working Group concerning RIPE Policy Proposal 2011-06. He noted that if a data verification proposal were made, it would be wide reaching and would necessarily involve the RIPE NCC Services, DNS and RIPE Database Working Groups. He said such a policy would probably not arise out of the Anti-Abuse Working Group but there would be a lot of interaction across a number of working groups.

Legal Enforcement Agency (LEA) Interactions

Brian said the RIPE NCC Roundtable Meeting for LEAs took place in March and he said he represented the Anti-Abuse Working Group at that meeting. He said it was a very productive meeting that showed good awareness from LEAs of the role of the RIRs and their communities. He thanked the UK's Serious Organised Crime Agency for its work in this area. He said LEAs were not as concerned about IPv6 issues as they were a year ago but there was a lot of concern expressed over technical issues such as carrier grade NATs. He said, whatever people think about lawful interception and issues like that, this is another problem highlighted by technology moves towards using carrier grade NATs. He reiterated the advice to configure IPv6 as soon as possible.

Brian said the desire to interact was demonstrated in issues such as the DNS changer conversation, which was largely covered in the DNS Working Group and RIPE NCC Services Working Group. He said the freezing of resources in the RIPE Database on the back of the Dutch police order means that the RIPE NCC is taking the Dutch state to court to clarify what exactly the procedure should be in the future. He said he was encouraged by comments from the RIPE NCC that it would not react in the same way if there were a similar occurrence or request again without first being fully aware of the implications and receiving a Dutch court order. He said the DNS changer issue was overall a positive thing for both RIPE and ARIN and should improve the way law enforcement works with the RIRs.

Brian noted that the Cyber Crime Working Party (CCWP) also had some interactions in London and the CCWP continues to be a place where law enforcement and the RIR communities can come together to discuss issues of common concern.

Pascal Gloor, Finecom Telecommunications, asked in relation to RPKI and the DNS changer issue whether it would be useful to diversify the source under different authorities. Brian said this was a big question and this working group might not be the correct forum to discuss it. He said, speaking personally, that he trusted the RIPE NCC to do the right thing.

Pascal said he proposed that, with RPKI, the five RIRs would be independent authorities giving the advantage that you could use a majority system so it would be more difficult for authorities to invalidate a certificate. Brian thanked Pascal for the comment and said this issue could not be fully discussed at this point.

X. A.O.B.

There was no other business to discuss.

Z. Agenda for RIPE 65

Brian noted that with the dynamic RIPE Programme Committee, items for the RIPE Meeting agendas were being received earlier each meeting.
He asked attendees to consider if they might have something to present in Amsterdam in September 2012. He asked that people mail the list with suggestions or contact himself or Tobias.

Brian thanked everyone for attending and he closed the session at 12:28 (UTC +2).

The webcast recording and stenography transcripts from this session are available at:
https://ripe64.ripe.net/archives/#Thursday