In message <CAKvLzuEroujO_bor2DNwCA44cLPP_NVda3uQU1tYTQk69a3zfA@mail.gmail.com> denis walker <ripedenis@gmail.com> wrote:
Nice to read that you vigorously support parts of my policy proposal at least.
I am only too happy to do so, provided that (a) at least some responses to the "who", "when", and "how" questions I have raised with respect to the VERIFICATION half of the proposal are provided _and_ edited into a subsequent draft of the proposal, and provided that (b) the VERIFICATION half of the proposal is split off into a separate and independent proposal from the REDACTION half of the proposal, which is altogether appropriate since these two halves aim to accomplish two very different goals. Are you willing to undertake either of these adjustments? If not I will have to say that the apparently artificial conjoining of VERIFICATION and REDACTION into a single proposal is being done in bad faith and with an understanding that the REDACTION half of the proposal could only achieve consensus by being spliced together with an otherwise admirable, but totally unrelated proposal to perform reasonable and necessary VERIFICATION things. Note that I am not asking you to _remove_ any part of either proposal. I am simply requesting that that the separate issues of VERIFICATION and REDACTION should receive separate consideration by the membership and the WG, which is an altogether reasonable and minimal request.
The policy proposal is about processing personal data. That easily covers verifying that entered data is correct. It does not cover verification of 'all' data. Only the clearly specified data.
Forgive me, but that first sentence, to my ears, sounds a little bit like saying "This proposal only covers the consumption of meat on planet earth." That is quite obviously an _extremely_ broad area of multiple/numerous different concerns, each of which may have varing levels of importance to various different parties and constituencies. Law enforcement and private security researchers will, in general, be extremely happy to have WHOIS data verified. Law enforcement and private security researchers will, in general, be extrement UNhappy to have WHOIS data needlessly removed. For this reason, a single proposal covering the extremely broad subject of "processing personal data" is inappropriate, and would artifically force people who might be on the fence to accept Bad Stuff they don't want in order to get the Good Stuff that they do want.
Who exactly is going to be tasked with verifying 100% of the names, email addresses, phone numbers, and street addresses already present in the data base and what procedures and criteria will be used for this process? Will NCC be tasked to do this huge amount of work? Is there a a target completion date? 2029 perhaps?
Not all these data elements are covered and not 100% of others either. As you pointed out, some of the data elements you mention above cannot be verified and that's why they are not covered.
So what fields, exactly, actually _will_ be verified under the VERIFICATION half of this proposal? And who will do it? And when? And how?
How data can or should be verified is an implementation issue. This policy proposal is concerned with establishing principles.
I cannot help but be reminded of an old joke in the industry where a manager, upon being asked how some complex goal is to be achieved, simply waves his arms and declares "Oh, that's simply a matter of software!" Principals are Good. Principals are Admirable. But why didn't you just elect to draft a more all-encompasing principal-based proposal to the effect that "All parties should behave honorably." That also is an unambiguously noble principal, but the devil is in the details, and it would be altogether Helpful if you didn't simply dismiss such important considerations as mere "implementation issues". I mean _somebody_ is going to have to do all of this verification and/or redaction, right? I don't believe it is inappropriate to ask who that will be, how much it will cost, and how long it will take.
This policy proposal, quite correctly, makes no mention of cancelling membership or de-registering any resources. Just as the abuse-c policy doesn't. It is about establishing the principles that will govern the way data is processed. Most RIPE policies don't define enforcement procedures.
Actually, as far as I know, none of them do. And some of us out here, at least, think that is a problem, and that it makes a lot of official RIPE policies nothing more than paper tiger jokes. Now, it would appear, you want to add yet another feckless paper tiger on top of the mountain of feckless paper tigers that already comprise most of what passes for official policy in the RIPE region. (I'm sorry, this is nothing personal, but it is somewhat difficult for me to take any RIPE official policies too awfully seriously since RIPE has no policy on the books that would require the expulsion from the membership of even proven crooks, con men, and murders.. a fact that was explained to me multiple times when I caught people outright stealing IP space. that provably didn't belong to them.)
That is clearly outside the scope of defining principles.
All members and contracted resources are already bound by agreements that require them to enter correct data into the database.
Fine. What is the remedy in case�they don't? May either law enforcement or a private security researcher email NCC, inform them of a reasonble belief that some specific WHOIS record contains inaccurate and perhaps even deliberately fradulent data, and then ask NCC to put the correct data into the WHOIS record instead? And if such a request is made, will it be honored? Regards, rfg