Colleagues, I just wanted to update you all on the current status of 2011-06, as those of you paying close attention to timings may have realised that there should have been some update over the recent Christmas period. Obviously there has been a lot of conversation about the proposal, some positive, some negative and many excellent points have been raised. I've been speaking to the NCC and Tobias about all of this and a course of action has been decided. It is our intent, as WG Chair and proposer, to sit down with the good folks from the NCC in early February and discuss a number of the topics and questions that have been raised by the WG. Out of this discussion will, I suspect and hope, come some revisions to the proposal and answers to some of the queries that have been raised. We hope that any updates to 2011-06 and any responses from the NCC should be with the WG during February. Thanks and a Happy New Year to you all, Brian. Co-Chair, RIPE AA-WG
* Brian Nisbet:
I just wanted to update you all on the current status of 2011-06, as those of you paying close attention to timings may have realised that there should have been some update over the recent Christmas period. Obviously there has been a lot of conversation about the proposal, some positive, some negative and many excellent points have been raised. I've been speaking to the NCC and Tobias about all of this and a course of action has been decided.
Is 2011-06 the result of the task force? As far as I know, it hasn't been labeled as such on the mailing list, and the wording in the proposal itself is ambiguous. I'm wondering if it made sense to pick up other issues discussed prior to the task force formation which aren't addressed in 2011-06 at all. -- Florian Weimer <fweimer@bfk.de> BFK edv-consulting GmbH http://www.bfk.de/ Kriegsstraße 100 tel: +49-721-96201-1 D-76133 Karlsruhe fax: +49-721-96201-99
Florian, "Florian Weimer" wrote the following on 12/01/2012 10:05:
* Brian Nisbet:
I just wanted to update you all on the current status of 2011-06, as those of you paying close attention to timings may have realised that there should have been some update over the recent Christmas period. Obviously there has been a lot of conversation about the proposal, some positive, some negative and many excellent points have been raised. I've been speaking to the NCC and Tobias about all of this and a course of action has been decided.
Is 2011-06 the result of the task force? As far as I know, it hasn't been labeled as such on the mailing list, and the wording in the proposal itself is ambiguous.
Yes, 2011-06 came out of the work of the ACM-TF, but for various administrative and practical reasons Tobias is formally acknowledged as the proposer.
I'm wondering if it made sense to pick up other issues discussed prior to the task force formation which aren't addressed in 2011-06 at all.
The current feeling between the people looking at this proposal (the proposer, the NCC and myself as WG Chair) is that there are a number of very wide ranging issues that were raised, but that the best course of action is not to try to put them all together into one big proposal. It is likely that some of the issues, such as the NCC's point of view on data accuracy, will come up, but the main focus will be the content of 2011-06. Brian.
Hi! On 01/12/2012 10:56 AM, Brian Nisbet wrote:
We hope that any updates to 2011-06 and any responses from the NCC should be with the WG during February.
I already stated my thoughts on that, but what just strikes me is that 2.0 b) is still "Arguments opposing the proposal: None."... Regards, Chris
Chris, "chrish@consol.net" wrote the following on 12/01/2012 10:13:
Hi!
On 01/12/2012 10:56 AM, Brian Nisbet wrote:
We hope that any updates to 2011-06 and any responses from the NCC should be with the WG during February.
I already stated my thoughts on that, but what just strikes me is that 2.0 b) is still "Arguments opposing the proposal: None."...
From the point of view of the PDP 2011-06 is still in version 1.0, so section b) of the Rationale may or may not be changed in any new versions. (Yes, I'm being ambiguous here, because I'm not the proposer, but I want to make it clear that no changes have been made to the document since it was put to the WG in November.) Brian.
*2011-06: * *Rationale* *a. Arguments supporting the proposal* It provides a more efficient way for maintainers to organize their provided information and helps to increase accuracy and efficiency in routing abuse reports to the correct network contact. In addition to that, it helps all kinds of institutions to find the correct abuse contact information more easily. *b. Arguments opposing the proposal* None. --- At the same time RIPE is blocking access to abuse contacts claiming they need to protect the data. What exactly is this working group trying to do? Is it to make it easier to route complaints or protect the abuse contacts from spammers? I would also suggest that links be placed to pending proposals on the group's web page at https://www.ripe.net/ripe/groups/wg/anti-abuse. Thank You
russ@consumer.net wrote:
*2011-06: *
Russ,
At the same time RIPE is blocking access to abuse contacts claiming they
Sure, abuse contacts are currently mixed with personal contacts, there is currently no way to separate public abuse contacts from personal contacts. And that's what the proposal tries to change. You will have no access restrictions for the abuse contact anymore and the new abuse-c will be filled in a very short period because it will be mandatory.
need to protect the data. What exactly is this working group trying to do? Is it to make it easier to route complaints or protect the abuse contacts from spammers?
There will be no restrictions on the abuse-c, this is an argument against the proposal, because abuse contacts will maybe be flooded a bit more with spam, specially because the spammers will find these "new" email addresses quite attractive. But maybe they will not find them attractive at all, because they know, that they will only reach professionals there, that can easily separate spam from good mail and that are trained not to click every link in an email ;o) I would like to know, how much spam is really arriving at the abuse-mailbox addresses that currently exist. We are a small RIPE member and we receive only about 10 spams per month on our abuse-mailbox address (and our address is easily guessable anyway, so it's likely, that spammers harvested it on a different way than looking it up via whois). So, how much spam is really arriving on abuse-mailbox address? Maybe some on this list could check their maillogs and give an overview? But anyway: it will be possible to protect personal contacts much better in the future, if the proposal gets through, because access restrictions could be raised here and that's a big point FOR the proposal.
I would also suggest that links be placed to pending proposals on the group's web page at https://www.ripe.net/ripe/groups/wg/anti-abuse.
Thank You
Kind regards, Frank -- MOTD: "have you enabled SSL on a website or mailbox today ?" -- PHADE Software - PowerWeb http://www.powerweb.de Inh. Dipl.-Inform. Frank Gadegast mailto:frank@powerweb.de Schinkelstrasse 17 fon: +49 33200 52920 14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921
Hi! On 01/12/2012 01:54 PM, Frank Gadegast wrote:
You will have no access restrictions for the abuse contact anymore and the new abuse-c will be filled in a very short period because it will be mandatory.
The addresses entered into our ripe objects are not private data. They are public addresses for the purpose of ripe-stuff. Following your idea abuse-cs would always be copies of the admin-c. A reasonable approach towards what seems to be your communicated aim would be: Drop all *-c in favour of a single contact, which is meant as contact for ripe-stuff. This is of course public as it's meant that way. In case you actually wish for the possibility of multiple, specific contacts, the straightforward and all-compatible solution would be to add optional further specific contact data - that may be used by people who wish to direct mail to different specific addresses. Translated into the current state that would be: use an optional abuse-mailbox attribute (if this were mandatory, our objects would always just hold a copy of the e-mail attribute).
But maybe they will not find them attractive at all, because they know, that they will only reach professionals there, that can easily separate spam from good mail and that are trained not to click every link in an email ;o)
Yeah, that will certainly teach them.
But anyway: it will be possible to protect personal contacts much better in the future, if the proposal gets through, because access
Sorry, but it's just a stupid idea to put private data into public databases. Regards, Chris
chrish@consol.net wrote:
Hi!
Hi,
On 01/12/2012 01:54 PM, Frank Gadegast wrote:
You will have no access restrictions for the abuse contact anymore and the new abuse-c will be filled in a very short period because it will be mandatory.
The addresses entered into our ripe objects are not private data.
You are right, they are available for the public, but I meant the definition of public and private data according to law (well, can only really speak for German law, but other countries see that the same way). So, they are publicly available, but they are no public data, they are private data, specially the email address. It's the same with e.g. domainowners, at least in Germany. The data of the resource/domain owner is private and has to be banned from automatic harvesting, that's why you need a captcha code to reveal it at denic.de. It's the same with the admin-c in RIPE's resources. They should be private, but they are still available for automatic harvesting. This should be changed in a different approach. tech-c should stay public for routing issues. And the new abuse-c has to be public too for automatic reporting. Currently there is only some whois access restriction on some parts of some objects, but that's wrong and should be changed later. Some objects should be defined public including ALL their fields and some should be restricted completely.
They are public addresses for the purpose of ripe-stuff. Following your idea abuse-cs would always be copies of the admin-c.
Not at all, the owner of a resource is something different than the abuse team or the routing team.
A reasonable approach towards what seems to be your communicated aim would be: Drop all *-c in favour of a single contact, which is meant as contact for ripe-stuff. This is of course public as it's meant that way. In case you actually wish for the possibility of multiple, specific contacts, the straightforward and all-compatible solution would be to add optional further specific contact data - that may be used by people who wish to direct mail to different specific addresses. Translated into the current state that would be: use an optional abuse-mailbox attribute (if this were mandatory, our objects would always just hold a copy of the e-mail attribute).
Nope. "ripe-stuff" could be a lot of different things, and the planned three contacts seem to be the best way to always address the right contact for whatever purpose.
But maybe they will not find them attractive at all, because they know, that they will only reach professionals there, that can easily separate spam from good mail and that are trained not to click every link in an email ;o)
Yeah, that will certainly teach them.
We do not know until we have some numbers ...
But anyway: it will be possible to protect personal contacts much better in the future, if the proposal gets through, because access
Sorry, but it's just a stupid idea to put private data into public databases.
Surely right. But what do you do, if the email address of the company owner needs to be entered? Do you define and publish one, that's not read anyway? Do you enter one that does not exist? Or do you do it right and put the private email address of the owner in? There should be a way to separate public and private data and that's what the proposal plans. And if private data can be protected much better, everybody could decide to put in, whatever he likes, even the right thing ;o) Kind regards, Frank
Regards,
Chris
-- MOTD: "have you enabled SSL on a website or mailbox today ?" -- PHADE Software - PowerWeb http://www.powerweb.de Inh. Dipl.-Inform. Frank Gadegast mailto:frank@powerweb.de Schinkelstrasse 17 fon: +49 33200 52920 14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921 ======================================================================
Sure, abuse contacts are currently mixed with personal contacts,
As I understand it all the contacts in the database are a situation where the person agreed to list their information in the public database. Every privacy law I have ever seen exempts such information from the protection schemes. What RIPE and others on this list do is make some vague reference to some privacy law somewhere and some unnamed legal adviser put forth some kind of opinion that does not seem to be written down anywhere. The real story, as I see it, is that people want certain types of contacts. If they get a message about their ip address block then they want the message. If it is spam then they don't want it. They don't want to accept the fact that you can't have it both ways. If your contact information is publicly available for whatever reason then the spammers are going to get it. In any case I have contacted the Dutch Data Protection Authority and I have asked them to review the situation and provide a ruling. These offices are usually full of red tape so if someone locally can follow up maybe we can get a ruling. Thank You
In any case I have contacted the Dutch Data Protection Authority and I have asked them to review the situation and provide a ruling.
I got another answer from RIPE. They won't even acknowledge getting a ruling from the Dutch Data Protection Authority. They just repeat their same "party line" without addressing any of the substantive issues. It seems to me they don't want a legitimate review. Maybe they don't want to be exposed for misleading the RIPE community? In any case you will never have "community consensus" if the community is uninformed, or worse, intentionally misinformed by the authority.
Russ, "russ@consumer.net" wrote the following on 13/01/2012 15:47:
In any case I have contacted the Dutch Data Protection Authority and I have asked them to review the situation and provide a ruling.
I got another answer from RIPE. They won't even acknowledge getting a ruling from the Dutch Data Protection Authority. They just repeat their same "party line" without addressing any of the substantive issues. It seems to me they don't want a legitimate review. Maybe they don't want to be exposed for misleading the RIPE community? In any case you will never have "community consensus" if the community is uninformed, or worse, intentionally misinformed by the authority.
Without expressing on my behalf any opinion on what you're saying above, if you are going to make accusations regarding NCC behaviour on the mailing list, could you please do so with proof? I'm sure the NCC would be happy (after you've checked with them) for you to copy any correspondence you've had on this matter to the mailing list. I'm sure we'd all also love to see anything official from the Dutch Data Protection Authority. Thanks, Brian, Co-Chair, RIPE AA-WG
Without expressing on my behalf any opinion on what you're saying above, if you are going to make accusations regarding NCC behaviour on the mailing
Why don't you just them to respond to the list and address the issues? They just point me to the AUP and won't address that the requests are not coming from me. They say to use -r in my requests but won't address the fact the requests would not give abuse contacts or that requests would then have to be different to RIPE than the other RIR's. They won't address the issue that the abuse contacts involve all regions and not just RIPE. They won't name the legal advisor or point to any written opinion. There is no way to tell anything that happened or why they did it. Here is the information that is available to the "community" http://meetings.ripe.net/ripe-57/presentations/De_Ruig-Update_from_Data_Prot... http://www.ripe.net/ripe/groups/tf/dp/report-of-the-ripe-data-protection-tas... If they had a legitimate process a report would contain references, discussions of the issues being raised, the identity of the legal adviser, etc. The presentation is so full of acronyms that most people would have no idea what is discussed. The report is so vague that you really can't determine, for the most part, what was done or why. Common sense issues like whether the contacts agreed to have their information posted in a public database is not even mentioned. These decisions affect millions of people around the world and not just a few insiders on this list or in these groups that have all these meetings that most people cannot attend (even if they did attend they would be driven out by the insiders in short order). You show me where the general Internet community can make heads or tails of any of this. A few comments I got from visitors to my web site this week: "On the link for RIPE .. and I still wonder what drives them to block you guys ..." "Does the EU even begin to comprehend the effect of this as related to e-crime?" "Seems the EU is good for some things, maybe .. but is going a bit overboard on this one. Keep us posted." It seems this community consensus thing isn't getting across to the users being affected.
I'm sure we'd all also love to see anything official from the Dutch Data Protection Authority.
We'll see. So far not even an acknowledgement. Thank You
On 13 Jan 2012, at 18:03, russ@consumer.net wrote:
Without expressing on my behalf any opinion on what you're saying above, if you are going to make accusations regarding NCC behaviour on the mailing
Why don't you just them to respond to the list and address the issues?
Read the list archives. RIPE NCC staff will reply to the list when they feel that they need to.
They just point me to the AUP and won't address that the requests are not coming from me. They say to use -r in my requests
So they're telling you what to do, but since you don't like it you come onto this list to whinge and whine?
but won't address the fact the requests would not give abuse contacts or that requests would then have to be different to RIPE than the other RIR's.
Each RIR has its own database. If you can't handle the different formats then that's your problem, not RIPE's.
They won't address the issue that the abuse contacts involve all regions and not just RIPE.
That doesn't even make any sense.
They won't name the legal advisor or point to any written opinion. There is no way to tell anything that happened or why they did it. Here is the information that is available to the "community"
http://meetings.ripe.net/ripe-57/presentations/De_Ruig-Update_from_Data_Prot...
http://www.ripe.net/ripe/groups/tf/dp/report-of-the-ripe-data-protection-tas...
If they had a legitimate process a report would contain references, discussions of the issues being raised, the identity of the legal adviser, etc.
If you're not happy with the processes then why don't you address this directly during a RIPE meeting? That's where most other people do it when they're not happy.
The presentation is so full of acronyms that most people would have no idea what is discussed.
RIPE is by its nature a technical organization. Like any technical organization it will have its own jargon and acronyms. Most people aren't that interested in what RIPE does and those that are take the time to learn what the acronyms mean.
The report is so vague that you really can't determine, for the most part, what was done or why. Common sense issues like whether the contacts agreed to have their information posted in a public database is not even mentioned.
These decisions affect millions of people around the world and not just a few insiders on this list or in these groups that have all these meetings that most people cannot attend
Huh? RIPE meetings are public. Anyone can attend. If you want to make attacks on RIPE at least make an effort to get basic facts right.
(even if they did attend they would be driven out by the insiders in short order). You show me where the general Internet community can make heads or tails of any of this.
You'd need to define "the general internet community" before anyone could even try to address that query. Regards Michele Mr Michele Neylon Blacknight Solutions Hosting & Colocation, Brand Protection ICANN Accredited Registrar http://www.blacknight.com/ http://blog.blacknight.com/ http://blacknight.mobi/ http://mneylon.tel Intl. +353 (0) 59 9183072 US: 213-233-1612 UK: 0844 484 9361 Fax. +353 (0) 1 4811 763 ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,Ireland Company No.: 370845
Russ, "russ@consumer.net" wrote the following on 13/01/2012 18:03:
Without expressing on my behalf any opinion on what you're saying above, if you are going to make accusations regarding NCC behaviour on the mailing
Why don't you just them to respond to the list and address the issues? They just point me to the AUP and won't address that the requests are not coming from me.
I don't feel it is up to the NCC or anyone else to reply on this mailing list to accusations that, right now, have no back up. If you wish to discuss this privately you're more than welcome to mail Tobias and I at aa-wg-chairs@ripe.net and we can discuss the matter with the NCC with an eye to a public and transparent resolution to this.
They say to use -r in my requests but won't address the fact the requests would not give abuse contacts or that requests would then have to be different to RIPE than the other RIR's. They won't address the issue that the abuse contacts involve all regions and not just RIPE.
There is, right now, no formal requirement for members to supply abuse contact information. And the regional DBs are not linked. I don't think there's any question that abuse is a global problem and I don't feel the NCC are ignoring this, but without specific details it's hard to say.
They won't name the legal advisor or point to any written opinion. There is no way to tell anything that happened or why they did it. Here is the information that is available to the "community"
http://meetings.ripe.net/ripe-57/presentations/De_Ruig-Update_from_Data_Prot...
http://www.ripe.net/ripe/groups/tf/dp/report-of-the-ripe-data-protection-tas...
And remember, the DP-TF was a community effort. If this is something the community feels needs to be revisited and there is legitimate reason to do so, then it should be revisited.
These decisions affect millions of people around the world and not just a few insiders on this list or in these groups that have all these meetings that most people cannot attend (even if they did attend they would be driven out by the insiders in short order). You show me where the general Internet community can make heads or tails of any of this.
An awful lot of work has been done over the years to make the RIPE community as open as possible. We have all of our discussions on these mailing lists, the meetings are streamed live with an option for public participation and while I realise people may dismiss my words on this matter with the accusation of being some sort of "insider" the recent feedback we've got is that new attendees at meetings *don't* feel that way. However things can always be improved and the Working Group Chairs Collective is always open to suggestions and the like. Brian.
Something to think about regarding 2011-06. I recently complained to ARIN that the email contact information for an assignment was incorrect and autoreplied with that the email will not be read. The reply I received was that there is no policy against this. As far as I can see, there is nothing in the 2011-06 proposal that prevents the same thing from happening. Any proposal suggesting that an email address is mandatory should also require that the email is being read and responded to by a human person if it cannot be processed by a robot. I don't want to receive email autoreplies with "please go to this URL, register with your complete details, receive PIN-code on your mobile, type in the CAPTCHA words, verify with link in email, login and fill out this 26-field abuse form" in order to complain. In cases like these, the remark:-field in the ripe db would be much more suitable than an abuse-c:-handle for abuse contact information because it would save me time reading how to complain. From arin: --- Hello, Contact information that is functional (meaning email sent to the listed email address is received) is considered to be valid. The community of network operators in the ARIN region has never indicated to ARIN that any specific response should be expected other than successful receipt of email. If there's a consensus some other definition of "valid" should be used, that change needs to be proposed by someone either via ARIN's Policy Development Process or ARIN's Consultation and Suggestion Process: https://www.arin.net/policy/pdp.html https://www.arin.net/participate/acsp/index.html ---
participants (7)
- Brian Nisbet
- chrish@consol.net
- Florian Weimer
- Frank Gadegast
- Jørgen Hovland
- Michele Neylon :: Blacknight
- russ@consumer.net