Dear all,
I am a volunteer for DIVD, the Dutch Institute for Vulnerability Disclosure. We are a non-profit organisation that aims to make the digital world safer by reporting vulnerabilities we find in digital systems to the people who can fix them. For this we heavily rely on whois and the underlying databases like RIPE NCC’s DB. (For more information see
https://www.divd.nl and
https://csirt.divd.nl)
We are very concerned about the impact this proposal may have on us and on RIPE NCC.
The basis of the proposal is good. Let’s stop collecting and publishing PII in RIPE DB, especially where it doesn’t serve the purpose of the DB.
But RIPE NCC is setting itself up for a lot of trouble by going to “permission” as the GDPR ground for processing instead of “legitimate interests pursued by the controller”.
Especially this line in the proposal can be explained as such:
“All organisations holding resources allocated or assigned by the RIPE NCC, or documented in the RIPE Database, must sign a declaration that they have read and understood this policy and that either all the data for their organisation and resources contained in the RIPE Database is fully compliant with this policy or they are working towards full compliance.”
With this statement in the policy it is quite possible that RIPE NCC at some point will have to choose between two evils:
a) Either revoking all resources of those parties that did not sign a declaration
b) Removing all PII of those parties from the database.
What would the impact be?
I analyzed 7476 IP addresses that popped up in a certain case using ripeSTAT and whois (see attachment):
458 Afrinic
1052 APNIC
1277 ARIN
190 LACNIC
4090 RIPE
409 no RIR in ripeSTAT abuse finder API
I marked all email addresses that were not clearly a “function”/group/department mailbox as personal.
If we could not report to email addresses that were personal, we would not be able to report abuse to 929 out of 7476 IP addresses (~12%).
201 of these IP addresses belong to the RIR RIPE (of the 4090 marked as belonging to RIPE, about 5%).
180 of these come from the ripeSTAT API, so they come from a CONTACT record, not a PERSON record.
In only 21 cases I had to resort to whois to get a PERSON record.
Conclusion:
A small but significant portion of “abuse” addresses are “personal”
Most of these are in CONTACT records not PERSON records.
Besides these email addresses, RIPE NCC will have to do the work to be GDPR compliant for other PII anyway. IP addresses are considered PII in The Netherlands, a work/group phone number/email can still be PII, e.g. in the case where the company is a single person company or the company name can be traced back to a natural person, so going this route creates a lot of work and doesn’t actually reduce the compliance load on RIPE NCC.
Regards,
Frank Breedijk
+31643822637
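The classification step described in the message above (mark every abuse contact that is not clearly a function/group/department mailbox as personal, then count per RIR) is easy to get wrong when done by hand at scale. The block below is an added example, not code from DIVD or from the author of the post; the role-mailbox word list is a heuristic assumption, the records are constructed sample data using documentation IP ranges and example domains, and `abuse_finder_url` only builds the RIPEstat abuse-contact-finder URL without contacting it.

```python
"""Classify abuse-contact mailboxes as role-based or personal and summarise
the share of IPs that could not be reported to if personal addresses were
off limits. Added example; heuristics and sample data are assumptions."""
from __future__ import annotations

import re
from collections import Counter
from typing import Iterable, Optional, Tuple

# Heuristic set of local-part tokens that denote a function/group mailbox.
# Assumption: RFC 2142 names plus common operator conventions; not exhaustive.
ROLE_LOCAL_PARTS = {
    "abuse", "noc", "security", "hostmaster", "postmaster", "ipadmin",
    "netadmin", "admin", "support", "helpdesk", "soc", "csirt", "cert",
    "info", "contact", "tech", "network", "ops", "legal", "whois", "team",
}

Record = Tuple[str, Optional[str], str]  # (ip, rir or None, abuse email)


def abuse_finder_url(ip: str) -> str:
    """URL of the RIPEstat abuse-contact-finder data call for one resource.
    Built only, never fetched here, so the example runs offline."""
    return f"https://stat.ripe.net/data/abuse-contact-finder/data.json?resource={ip}"


def is_role_mailbox(email: str) -> bool:
    """True when the address is clearly a function/group mailbox.

    Anything else (including an empty contact) is treated as personal, which
    mirrors the conservative rule of marking only obvious role addresses as
    non-personal. Trailing digits are ignored so 'abuse2@' still counts.
    """
    email = email.strip().lower()
    if "@" not in email:
        return False
    local = email.split("@", 1)[0]
    tokens = [re.sub(r"\d+$", "", t) for t in re.split(r"[._-]+", local) if t]
    return any(t in ROLE_LOCAL_PARTS for t in tokens)


def summarise(records: Iterable[Record]) -> dict:
    """Per-RIR counts as {rir: (total_ips, ips_with_personal_or_no_contact)}.
    Records without an RIR are grouped under 'unknown'."""
    totals: Counter = Counter()
    personal: Counter = Counter()
    for _ip, rir, email in records:
        bucket = rir or "unknown"
        totals[bucket] += 1
        if not is_role_mailbox(email):
            personal[bucket] += 1
    return {rir: (totals[rir], personal[rir]) for rir in totals}


def unreportable_share(records: list) -> Tuple[int, int, float]:
    """(unreportable, total, percentage) if personal contacts may not be used."""
    total = len(records)
    unreportable = sum(1 for _ip, _rir, email in records if not is_role_mailbox(email))
    return unreportable, total, round(100.0 * unreportable / total, 1)


# Constructed sample data (RFC 5737 documentation ranges, example domains).
SAMPLE_RECORDS: list = [
    ("192.0.2.10", "ripe", "abuse@example.net"),
    ("192.0.2.11", "ripe", "j.janssen@example.net"),          # personal
    ("192.0.2.12", "ripe", "noc@example.org"),
    ("192.0.2.13", "ripe", "abuse-team@example.org"),
    ("198.51.100.5", "arin", "security.contact@example.com"),
    ("198.51.100.6", "arin", "maria.lopez@example.com"),      # personal
    ("203.0.113.7", "apnic", "hostmaster@example.edu"),
    ("203.0.113.8", "apnic", "ipadmin2@example.edu"),
    ("203.0.113.9", "lacnic", "ip-admin@example.net"),
    ("203.0.113.10", "afrinic", "contact@example.org"),
    ("203.0.113.11", None, ""),                               # no RIR, no contact
]

if __name__ == "__main__":
    for rir, (total, pers) in sorted(summarise(SAMPLE_RECORDS).items()):
        print(f"{rir:8s} total={total:3d} personal/none={pers:3d}")
    print("unreportable share:", unreportable_share(SAMPLE_RECORDS))
```

The default-to-personal rule is deliberate: a contact that cannot be recognised as a role mailbox is exactly the one a reporter would have to stop using under a permission-based regime, so the summary over-counts rather than under-counts the addresses at risk.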