Dear RIPE DB-WG,

Hope this email finds you in good health! Please see my comments below, inline...

Thanks.

On Wed, 26 Oct 2022 at 23:39, denis walker via db-wg <db-wg@ripe.net> wrote:
Hi Frank
Thank you for some very useful information here. This is the type of input we need in these discussions. I have had many discussions with the RIPE NCC legal team about this proposal. They did point out to me there is a difference between processing personal data for the 'legitimate interest of the public' and processing it by consent of the data subject. I obviously didn't fully understand the consequences of such a change. Nor did I realise that certain phrases or comments would imply such a change has been made and that the change would then apply across the board.
Hi Denis,

Thanks for your email, brother :-) ...I would like to join you in thanking Frank, for his *frank* expression of his valuable experience; shared by some others earlier.
Having read carefully what you have said here, I think we need to maintain the 'legitimate interest of the public' as the principal reason for processing personal data in the RIPE Database.
Thanks for agreeing, Denis.
It would seem this bypasses the need for explicit consent from the data
subject where public interest is involved.
Hey... my humble take on it is that the consent incentive would just be kept where it's required: under the resource holder... I might be wrong though :-/

In fact a resource holder is still bound to:
(i) the RIPE Database T&C (Terms & Conditions) [1];
(ii) the RIPE Database AUP (Acceptable Use Policy) [2];
(iii) the RIPE NCC Standard Service Agreement (SSA) [3];
__
[1]: deals with both insertion & query of data - <https://www.ripe.net/manage-ips-and-asns/db/support/documentation/terms>
[2]: does not deal with insertion, but only with query of data - <https://www.ripe.net/manage-ips-and-asns/db/support/documentation/aup>
[3]: deals with acknowledgement of reading of all applicable policies - <https://www.ripe.net/publications/docs/ripe-745>

<quote>
6.1 The Member acknowledges applicability of, and adheres to, the RIPE Policies <https://www.ripe.net/ripe-policies> and RIPE NCC procedural documents. The RIPE Policies and the RIPE NCC procedural documents are publicly available from the RIPE NCC Document Store. These documents, which may be revised and updated from time to time, form an integral part of and apply fully to the RIPE NCC Standard Service Agreement. Each revised document will receive a new document number and can be found on https://www.ripe.net.

Below is a non-exclusive list of these documents:
- IPv4 Address Allocation and Assignment Policies in the RIPE NCC Service Region <https://www.ripe.net/ripe/docs/ipv4-policies> (current version)
- Autonomous System (AS) Number Assignment Policies and Procedures <https://www.ripe.net/ripe/docs/asn-assignment> (current version)
- IPv6 Address Allocation and Assignment Policy <https://www.ripe.net/ripe/docs/ipv6-policies> (current version)
- RIPE NCC Activity Plan <https://www.ripe.net/ripe/docs/ap> (current version)
- RIPE NCC Charging Scheme <https://www.ripe.net/ripe/docs/charging> (current version)
- RIPE NCC Billing Procedure and Fee Schedule <https://www.ripe.net/participate/billing/procedure> (current version)
- Closure of LIR and Deregistration of Internet Number Resources <https://www.ripe.net/ripe/docs/closure> (current version)
- Transfer of Internet Number Resources <https://www.ripe.net/ripe/docs/transfer> (current version)
- The RIPE NCC Clearing House Procedure <https://www.ripe.net/ripe/docs/clearinghouse> (current version)
- RIPE NCC Conflict Arbitration Procedure <https://www.ripe.net/ripe/docs/arbitration> (current version)
</quote>

No matter whois the practical maintainer... the resource holder is actually responsible.

And the public interest is in keeping the internet running and identifying
the users of blocks of IP addresses.
...right! and, as it should stand :-)

Is it covering all the below section of text quoted from the T&C (Terms & Conditions) of the RIPE Database [1]?

<quote>
Article 3 - Purpose of the RIPE Database

The RIPE Database contains information for the following purposes:
- Ensuring the uniqueness of Internet number resource usage through registration of information related to the resources and Registrants
- Publishing routing policies by network operators (IRR)
- Facilitating coordination between network operators (network problem resolution, outage notification etc.)
- Provisioning of Reverse Domain Name System (DNS) and ENUM delegations
- Providing information about the Registrant and Maintainer of Internet number resources when the resources are suspected of being used for unlawful activities, to parties who are authorised under the law to receive such information.
- Scientific research into network operations and topology
- Providing information to parties involved in disputes over Internet number resource registrations to parties who are authorised under the law to receive such information.
</quote>
But, beyond this principle, I still see a need to change the elements of personal data that are processed for the different purposes of the database.
And yes, it matters! imho.

...my, humble & free, advice would still be:
__
Please propose a BCOP (Best Current Operational Practice) to try to address it.
¯¯
I understand what you say about IP addresses being
considered as PII, as well as the business phone number of a 1 person company. So let me try to expand on my underlying thoughts. It seems we are all now surrounded by a multitude of PII elements. Name, home address, personal/private phone number and email, business related phone number and email, your IP addresses, etc. Even though all of it can be considered to be PII, which parts do you never want to end up in the public RIPE Database registry and what absolutely must be in the database?
Most people accept that your name is a must, either as a resource holder or a contact. If you work from business premises the address is no problem, but if you work from home your full address should be an absolute no, although it is currently published.
You might want to add an exceptional possibility in case of clear demonstrated risks on the side of the home business owner. And that means, imho, to:
(i) an authorization request with documented evidence, and
(ii) approval to have the personal contact masked by an email address alias within the RIPE NCC mailing system, such as "contact$ContactId at privacy-protection·ripe.net"

Many people say we cannot separate personal phones from business phones.
But that is simply not true. Suppose we work for a 2 man business. This week I am on call 24/7 to fix network problems, next week you are on call. We both have a personal phone with us. If we also have a business phone (number) that can be routed to either phone, this is the only number that needs to be published in the RIPE Database. So no one can call me at 3am to fix a problem if I am not on call as they don't have my personal number. Calling the published business number will be routed to you. Maybe this business number is still technically PII. But there is a clear distinction between our core personal details and our business personal details. To maintain a healthy work/life balance no one should be forced, coerced, pressured into having their core personal details published in the RIPE Database, not even based on public interest regardless of what they want.
This is what I mean by separating personal details from business details and only publishing business details in the database.
Denis, it appears that you have already at least one really good thing to include inside the draft of BCOP you should propose, imho ;-)

Whether this can be expressed in general legalistic, or even in
practical, terminology I don't know (yet). I believe the intent of this proposal is good (although some would disagree), but I don't think the current wording is good enough.
...imho! this proposal has now been at least demonstrated to:
|1. not be able to fairly address the problem targeted;
|2. have a problem which may oppose the purpose of the RIPE DB.

...therefore, imho, it should be withdrawn asap.

Shalom,
--sb.

cheers
denis
proposal author
On Wed, 26 Oct 2022 at 20:11, Frank Breedijk <f.breedijk@divd.nl> wrote:
[...]
Agree. I'm worried that this policy will have a negative impact in the
long run.
[...]
--
Best Regards !
baya.sylvain [AT cmNOG DOT cm]
|cmNOG's Structure <https://cmnog.cm/dokuwiki/Structure>|cmNOG's Surveys <https://survey2.cmnog.cm/>
Subscribe to the cmNOG's Mailing List <https://lists.cmnog.cm/mailman/listinfo/cmnog/>
__
*#THEHOLYBIBLE|#Romans15:33 «*May THE #GOD of #Peace be with you all! #Amen!*» #MyPrayer is that you be born again. #Christianly «*As a deer longs for streams of water, so my soul longs for YOU, O GOD!*» (#Psalms42:2)*