Hi Karolina

I have some concerns with the Terms & Conditions (T&C) as written. Let's start with the recent changes, then move on to some more general points.

"5.6. The Registrant or the Maintainer may report any identified incident via the 24/7 Technical Emergency Hotline."
There are several million INETNUM objects in the RIPE Database. That is a lot of Registrants and Maintainers. So which one is 'the' Registrant and 'the' Maintainer? Maybe you mean "A Registrant or a Maintainer..." or perhaps "Any Registrant or any Maintainer..."? Or do you mean "The Registrant or the Maintainer may report any identified incident concerning their resources..."? But is this reporting limited to only Registrants and Maintainers? Can a 'User' not report incidents to this hotline? That could be someone who queries data but doesn't have the right to update the database. I guess it depends on what type of incident you are referring to. That is also not clear.

The same arguments apply to 5.7.

"5.9. The RIPE NCC may perform security checks and/or audits to the RIPE Database. The RIPE NCC may share any available report of such checks and/or audits upon request by the Registrant or the Maintainer and subject to a non-disclosure agreement."
Are these checks and audits going to be applied to the whole RIPE Database, or some subsection of the database, or to a specific resource? As you don't define what checks you are going to do, could they apply to secondary objects or routing or domain data rather than resources? Who will you share a report with? You have the same problem with 'the' Registrant/Maintainer.

"8.6. The RIPE NCC shall publish information regarding the integrity, privacy and confidentiality of the data it processes in the RIPE NCC Trust Portal"
These are the T&C for the RIPE Database. This is a public database. Anyone can use it and query any of the data contained therein. There is no privacy or confidentiality with respect to any of this data. Most of the data is entered into the database by resource holders. The RIPE NCC has no control over, or ability to check, the integrity of this data. So I don't see any relevance to this clause.

"2.6. A Maintainer may only Update the RIPE Database with these types of data:"
This line ends with a ':'. That suggests there should be a list following it. There is no list. If you change ':' to '.' then the sentence makes no sense.

The policy proposal 2023-04 introduced the concept of aggregation. A consequence of that was to make IPv4 assignments optional. I believe that violates the T&C. To understand this point you need to cross reference several clauses of the T&C.

"3.1. The RIPE Database contains information for the following purposes:
- Providing information about the Registrant and Maintainer of Internet number resources when the resources are suspected of being used for unlawful activities, to parties who are authorised under the law to receive such information."

Now let's look at "Article 1 - Definitions"
"Internet number resources - globally unique address space (IPv4 and IPv6) and Autonomous System Numbers (ASNs) issued by any Internet Number Registry."
Note it says 'any' Internet Number Registry. An LIR is a Local 'Internet (Number) Registry'. So 'Internet number resources' covers address space issued by an LIR. These are assignments.
So one of the defined purposes of the RIPE Database is to 'Provide information about the Registrant and Maintainer of assignments when the assignments are suspected of being used for unlawful activities'. This information can be provided 'to parties who are authorised under the law to receive such information', i.e. the police.
By making assignments in the RIPE Database optional, the database can no longer fulfill this purpose for IPv4 address space, as defined in the T&C.

cheers
denis

On Mon, 13 Oct 2025 at 15:22, Karolina Bochenek <kbochenek@ripe.net> wrote:

Dear all,


At its 188th RIPE NCC meeting on 4-5 September 2025, the RIPE NCC Executive Board approved amendments to the RIPE Database Terms and Conditions.


These changes are in response to the EU regulation Digital Operational Resilience Act (DORA) which came into effect in January 2025. While the requirements apply to financial institutions, the RIPE NCC aims to facilitate the implementation of this regulation for those entities that are RIPE NCC members to a reasonable extent. 


The following changes include:


  • Adding details of how we manage planned maintenance and how incidents can be reported. We also added information about security measures and audits (articles 5.5-5.9)


  •  Adding subcontractor, service level and data protection information (articles 8.4-8.6)


The updated RIPE Database Terms and Conditions are available at: https://www.ripe.net/manage-ips-and-asns/db/support/documentation/terms


You can find more information about DORA and other relevant regulations in the RIPE NCC Trust Portal:
https://trust.ripe.net/legal-compliance/

The RIPE NCC Executive Board Meeting minutes are available at:

https://www.ripe.net/about-us/executive-board/minutes/2025/188th-executive-board-meeting-minutes/ 


The amendment will come into effect on 13/11/2025. 


Kind regards,

Karolina Bochenek
RIPE NCC

