Hi, I just want to start out by saying that I have been quite busy lately so I can't reply to all points in this thread but I mostly agree with denis and what I have previously said in the db-wg. I have replied to rfg below.
On Tue, Jun 7, 2022 at 12:36 AM Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
In message <CAKvLzuG7PPTtQDwx2GoDgULdmLZdz5FzWTwa2pUVQWRqGHfQig@mail.gmail.com> denis walker <ripedenis@gmail.com> wrote:
We are talking about restricting access to one piece of data, the address of natural persons. I accept that a lot of abuse may come from address space held by natural people. I understand that a lot of investigation work is done by companies and individuals. How much of an impact would it be on your activities to not know the private address of these natural people?
Just a second. Let's pause here for a moment and look at this question of the "physical address" information as it relates to WHOIS records.
One of the many things that have, over the past several years, rendered almost all of the information that is now available in *domain name* WHOIS records virtually entirely worthless was the decision, some considerable time ago, by ICANN, to permit the use of essentially anonymous P.O. box addresses in the WHOIS records for domains registered within the gTLDs. Additional commonly used methods of obfuscation in these domain name WHOIS records include but are not limited to (a) the use of "proxy" registrants and (b) the use of addresses of incorporation agents and (c) use of the addresses of attorneys. (I have not surveyed the policies of the various ccTLDs with regards to their level of acceptance of such shenanigans but I have no reason to doubt that even the .US TLD allows for all of these clever methods of "hiding the ball" with respect to the actual physical location of the domain name registrant. Hell! The policies governing the .US domain are crystal clear in prohibiting non-US legal entities from registering .US domains, but the operators of the .US registry demonstrably make no attempt whatsoever to check for conformance with even this minimal requirement.)
While not that important for this point, I would argue that the policy is in no way "crystal clear" in prohibiting non-US legal entities from registering .US domains as the following category exists in the policy:
A foreign entity or organization that has a bona fide presence in the United States of America or any of its possessions or territories [Nexus Category 3]. https://www.about.us/cdn/resources/ebooks/policies/usTLD_Nexus_Requirements_...
So, as I have listed above, there are many different frequently-used ways that any natural person may use to obfuscate their actual physical location when registering a domain name.
This prompts a rather obvious question: Do there exist any policies, rules, or regulations which would prevent a natural person from using any one of the several techniques I have listed above to obfuscate their actual physical location when they generate their RIPE organization WHOIS record? And more to the point, is it true or false that, as I have previously asserted, any member can put literally any inaccurate garbage they want into their public-facing RIPE WHOIS records with no consequence whatsoever?
AFAIK the "org-name" attribute on the organisation object does get verified if the organisation is a LIR or an end user that has received resources directly from the RIPE NCC (through a sponsoring LIR). (and possibly a few other cases like legacy resource holders with service agreements) I believe there are also many policies that say that information should be accurate, and while this might not be actively verified for the most part, it is still policy in many cases.
If the answer to *either* question is "yes", then it seems to me that enlisting RIPE NCC to embark upon a deliberate program to hide personal information in public-facing WHOIS records EVEN WHEN THE CORRESPONDING REGISTRANTS HAVE NOT THEMSELVES REQUESTED THAT is not only clearly unnecessary, but actually and demonstrably counterproductive. Should a natural-person who actually WANTS to be directly contacted for any and all issues relating to their RIPE number resources have that opportunity closed out, perhaps without even their knowledge or consent, by some small over-aggressive cabal of GDPR fanatics acting unilaterally? I think not.
Part of the issue is that the RIPE NCC has some responsibility for this under the GDPR and it can be really difficult to do this correctly, but I think the legal team could explain those details better.
As noted above, if any RIPE registrant wants to have their physical address info obfuscated then there appears to be any number of simple alternatives available to the registrant themself to achieve exactly that. Thus, this new push to get RIPE NCC to hide information in public-facing WHOIS records seems to be a solution in search of a problem, and just another misguided top-down enforcement of an extremist view of "privacy", pushed onto the community whether the people actually affected, i.e. the registrants themselves, like it or not.
I run a hobby network and have an ASN and a /48 of PI assigned to me from RIPE NCC (through a sponsoring LIR) and also know many other people who are in a similar situation. Many people who do this are uncomfortable with having to publish their home address in the RIPE database, but are probably totally fine with the RIPE NCC having it in the private part of the registry. Sure, I could go and get a PO box for ~€650/year and just let the RIPE NCC have that address instead but that seems a bit silly to me when instead the address could just be hidden from the public.
(Note: I am not intending to pick specifically on RIPE here. To the best of my current knowledge there are -no- policies or rules in -any- RIR globally that explicitly prohibit the use of P.O. boxes, proxy registrants, or the addresses of associated corporate registration agents or lawyers within public-facing number resource WHOIS records. Nor do any RIRs have any clear policies which would have the effect of requiring there to be -any- clear correlation between what appears in a registrant's public-facing WHOIS records and anything corresponding to objective reality.)
I just want to say that assuming PO boxes are illegitimate is kinda odd and also varies by country I would think. As an example, in Sweden your company's registered address can be a PO box, which is quite common for many legitimate organisations. I also believe that having registered agents for companies is a very common practice for legitimate businesses in places like the US. (though correct me if I am wrong as I am not an American) My point here is mostly just that such a policy doesn't make a lot of sense to me, I am not sure if you are suggesting that such a policy should exist or not, but I think it would be a bad idea to implement such a policy.
I can only think of three reasons why you would need the full address. You intend to visit them (unlikely), you want to serve legal papers on them or you attempt some kind of heuristics with the free text search in the database to match up resources with the same address.
I agree with this list of possibilities, 1, 2, 3.
So which of these three are you attempting to hobble?
I would say that reason 1 is a terrible reason to require an address to be published. There is no good reason for some random person to be knocking on my door about my AS or IP space. I would argue that this is more of a reason to not publish the address than to publish it.
Are you in favor of making it harder to serve people with legal papers? If so, why would you do that and who would be the beneficiaries of that?
It is not really about preventing it, it is more just if that potential benefit outweighs the privacy implications.
Are you in favor of making it harder for open-source researchers to search the data base for textual correlations that might provide clues to untoward activities? If so, why would you do that and who would be the beneficiaries of that?
Pretty much the same as for the legal papers one, I don't want to prevent that, but I very much don't think it outweighs the negatives of publishing the addresses. I can think two things are good but if they are in direct conflict with one another, then I have to decide which one I think weighs more heavily, and I think privacy weighs more heavily here than making it easier for people to do this kind of research. I am someone who has done similar kinds of research* (although I don't think it was ever with natural persons) but I still think that it is far from important enough to override the privacy issues.
* = not any published research, more just me looking into something I was curious about
-Cynthia