In message <CAPfiqja6fi8FzCUrgEoeaRbv-dGyKp2n7yRQTdXVoYgrc4rhFw@mail.gmail.com>, Leo Vegoda <leo@vegoda.org> wrote:
I will love to have in the policy that they must be investigated and acted upon, but what I heard from the inputs in previous versions is that having that in policy is too much and no way to reach consensus
I don't understand the value of requiring organizations who do not intend to investigate abuse reports to spend resources publishing an address from which they can acknowledge the reports - only to then delete those reports without doing anything.
It creates hope for reporters and wastes the RIPE NCC's and the reporters' resources by forcing unwilling organizations to spend cycles on unproductive activity.
Why not give networks two options?
1. Publish a reliable method for people to submit abuse reports - and act on it
2. Publish a statement to the effect that the network operator does not act on abuse reports
This would save lots of wasted effort and give everyone more reliable information about the proportion of networks/operators who will and won't act on abuse reports.
There might be some value in having the RIPE NCC cooperate with networks who want help checking that their abuse-c is working. But this proposal seems to move the RIPE NCC from the role of a helpful coordinator towards that of an investigator and judge.
Leo Vegoda has made a lot of very good points, and there is a lot to unpack on this whole topic. Unfortunately, I don't think that I personally have enough time to unpack it all myself today. But I cannot avoid offering a few observations.
It certainly appears to me to be the case that few want RIPE NCC to enter into the role of investigator, let alone judge, except when it comes to the allocation of resources. As I have been informed, time and time again, matters of network abuse are out of scope for the organization, and this is not at all likely to change.
Nonetheless, and regardless, ever since the day that RIPE NCC first published an abuse reporting address in the data base, it has, in effect, injected itself, even if only to a minimal degree, into the relationship between a network abuse victim and the relevant resource holders that have clear connections to the abuse source, i.e. the IP block registrant and the relevant AS registrant.
It is a bit late in the day now to undo this. Abuse reporting addresses have been published, and abuse victims now have a reasonable expectation that using any one of them will have some finite and non-zero effect. Whenever that is not the case, the relevant abuse victim may reasonably ask "Why did you, RIPE NCC, publish this abuse reporting email address when sending to it was clearly an utter waste of my time?" This is false advertising on the face of it. You cannot stand in the town square with a large sign that says "Free money!" and then not deliver. Even if it is not illegal per se, it is exceptionally rude and anti-social, and responsible adults should not go into the town square with such signs if they cannot or will not deliver.
On the other hand, resource holders in the RIPE region, and also, quite certainly, elsewhere continue to cling with almost religious fervor to what they claim to be their God-given rights to be irresponsible.
They are not by any means alone, and are simply the Internet versions of gun manufacturers and coal companies. The planet is awash in both corporate entities and individuals that will defend to the death their "rights" to be irresponsible. This will not change anytime soon, and the attitude among many network operators, both in the RIPE region and elsewhere, can perhaps best be summed up by paraphrasing a famous pronouncement made years ago by the former head of the National Rifle Association (NRA) here in the U.S. "You can have my social irresponsibility when you pry it from my cold dead hands!"
It has been shown, repeatedly, that it is utterly futile to try to engage any of the folks holding this general point of view, or to try to reason with them and explain that in the long run, their enterprises and the public reputations of those enterprises will be materially harmed by their unwillingness to give a damn. An old adage is appropriate here -- "You can lead a horse to water, but you can't make him drink." It is empirically demonstrable that a nearly religious fervor, born, I'm sure, of the demented ideology of Ayn Rand, when coupled with a determined and short-sighted self interest, cannot be undone by words alone.
Thus we have an arguably untenable situation. RIPE NCC has irreversibly injected itself into the expectations of millions of network abuse victims worldwide, even as it has less than zero authority to actually do anything truly meaningful with respect to their issues. And this impasse is made even more blatantly intractable by the adamant insistence of some network operators that they have a divine right to be irresponsible if they so choose.
Where then lies a solution for this thorny dilemma? Despite the seemingly intractable nature of this apparent conflict, the internet itself is already rife with solutions to exactly such problems.
My hope is that it will not have escaped the attention of anyone here that eBay long ago developed and fielded a kind of social responsibility index for both buyers and sellers on that platform. This is represented as a running "feedback" score for each of eBay's now innumerable market participants. It isn't perfect, but in practice it works surprisingly well. Bad actors on the platform are identified early and often, and sellers with poor feedback ratings are studiously avoided by astute buyers. Furthermore, all this occurs with surprisingly little manual intervention on the part of eBay staff.
RIPE NCC, having already permanently and irrevocably inserted itself into the relationship between network abuse consumers and network abuse producers is obligated now, in my opinion, to do at least -something- to qualify its implicit recommendations regarding abuse reporting addresses. To fail to do so would represent, as I have said, false advertising, if not in letter then at least in spirit.
Now we are engaged in a debate which asks how far RIPE NCC should go in order to try to insure that the abuse reporting addresses it is publishing, and that it has been publishing for some time now, actually have any practical value in specific individual cases. I would submit that a proper assessment of this is neither amenable to automation nor would the results of any such assessment continue to be valid over time.
If I am correct that there exists no universally applicable means to automate such assessments, then the answer is clear. Humans and not machines must provide the assessments. The humans in question can either be RIPE NCC staff... assuming that RIPE NCC is given a budget and mandate several times as large as what it currently enjoys on an annual basis... or it can be the vast hordes of Internet users themselves who feel motivated to take the time to raise an objection to a case of network abuse. The choice here is a no-brainer.
I doubt that there exists on the entire continent of Europe a sufficient number of qualified technical people, as would be needed for RIPE NCC to conduct detailed assessments of its some 25,000 direct customers and their ability and willingness to handle network abuse reports in anything approaching a responsible manner. In contrast, the combined wisdom of what amounts to a crowd-sourced opinion bank would cost very little to implement, would require only modest and rare manual interventions, and would likely provide useful ratings, not easily subject to gaming strategies, and ones that might even be more accurate than whatever NCC could manage on its own, even if it were given budget for an additional 1,000 talented professionals to perform resource holder abuse handling assessments as their one and only assigned task.
Free market Milton Friedman acolytes should, I think, find this idea irresistible. "Let the free market decide."
Network abuse and the responses to it are unambiguously social problems. The best, most efficient, and fairest solution to most social problems, I'm convinced, has been known since the time of Gutenberg. We need only avail ourselves of the tools at hand, collect information into a single unified and convenient repository, and then publish, in order to shine a light on all of the relevant information which is currently hidden from general view due to being dispersed and disorganized.
RIPE NCC could do this, and the Internet would be better for it.
Regards,
rfg