HI In April 2016 the RIPE NCC announced they had 'locked' 850,000 personal data sets in the RIPE Database. I raised a number of issues and my last set of questions were never answered. As I predicted, the issue has dropped off the table. I will give you the bottom line first: -this action was based on a false premise -it breaks the Dutch data protection rules -it bypasses the RIPE NCC's legal personal data removal procedure -it has left the RIPE NCC (and possibly the Executive Board members personally) liable for consequential losses -it was claimed to be a temporary action but neither the RIPE NCC nor the WG co-chairs have facilitated or driven a discussion with any urgency -it is becoming another of those issues that just drift from year to year with no one pushing for a solution I previously suggested in an email to: 1/ Immediately unlock these objects and revert the responsibility for them back to the resource holders who reference them, as they have no direct maintainer. 2/ Immediately remove any references to unmaintained objects where references to other, maintained, objects fulfil syntax and business rules. 3/ Ensure the auto deletion of unreferenced personal data objects after 90 days is re-enabled. 4/ Aggressively pursue the resource holders who reference the remaining unmaintained objects to maintain or replace them. ----------------------------------------------------------- For those who can't read long emails you can move on now. Following is the detail that supports the bottom line above. From the original announcement: https://www.ripe.net/ripe/mail/archives/db-wg/2016-April/005139.html "the RIPE NCC proactively locked 848,986 unmaintained PERSON objects and 1,206 unmaintained ROLE objects on 6 April 2016". The Data Protection Task Force (DPTF) was formed in 2006 and made a final report in 2010 referring to these unmaintained objects. That is not very 'proactive'. "In addition, unmaintained PERSON and ROLE objects are an issue with regards to data protection obligations." If it took 10 years to take action it wasn't much of an issue. "Exposing this issue without taking adequate measures would have left the RIPE NCC liable to third party damages." The issue has been known about for many years without any (adequate) measures being taken. The RIPE NCC could be liable for much worse damages now. "The proposed solution we outline below is a starting point, to be discussed by the community." which like so many other issues raised over the last couple of years has just faded away because no one is monitoring these things or driving them forward. "In recent years, given the scarcity of IPv4 address space, there is a higher risk of people searching for unmaintained PERSON or ROLE objects in order to pose as a resource holder to sell IPv4 space." This perception of risk was totally refuted by Piotr in his message: https://www.ripe.net/ripe/mail/archives/db-wg/2016-April/005156.html "All unmaintained ROLE and PERSON objects are now locked. As the RIPE NCC will not be able to correctly check all claims on unmaintained database objects, unlocking is not available." "The locked objects can remain as they are." This bypasses the RIPE NCC's legal personal data removal procedure and breaks data protection rules. "In time, all locked PERSON or ROLE objects no longer referenced by other objects could be automatically deleted" This process may take another 10+ years. It is already 10 years since the DPTF highlighted the issue. "This solution puts control back into the hands of the object owners." Absolute nonsense! The 'object owners' is now the RIPE NCC. The people that matter are the data subjects who are excluded from this process by the refusal of the RIPE NCC to unlock these objects. From the RIPE Database Terms & Conditions: https://www.ripe.net/manage-ips-and-asns/db/support/documentation/terms Article 6.2 says "The Maintainer is responsible for keeping all data maintained by him accurate and up-to-date, including correct Contact Details." Because the 'urgent security issue' did not exist, the RIPE NCC cannot claim it acted as Data Controller to lock objects that posed a security or hijack risk. So the RIPE NCC has not 'locked' these objects it has simply put it's own MNTNER object as the "mnt-by:" for these objects, thereby becoming the Maintainer. So according to Article 6.2 they have taken over responsibility for the accuracy of these 850k+ objects. The liability exception and indemnity of Article 7.2 applies to the use of the RIPE Database as a service provided by the RIPE NCC. It does not cover the RIPE NCC in regard to it's responsibility for data it managers contained within the RIPE Database. So the RIPE NCC has taken responsibility for 850k+ personal data sets related to people they have no relationship or contact with. They have also made it clear they will not unlock this data as they can't identify any data subject. They have also accepted that this data may be held statically in the database for 'some time'. This breaks every notion of personal data protection. This is currently dubious, stale data that the RIPE NCC cannot do anything about. They have accepted they don't know who it relates to, will not accept anyone's claim it relates to them, will not unlock it, cannot delete it, data subject cannot remove it, don't know if it is accurate, don't know if consent was given to enter it, and everything 'just works' with it sitting there so the members who reference it don't need to do anything. The worst possible, self created scenario. The scale of the issue, almost a million personal data sets, makes this a serious problem. The RIPE NCC's legal analysis: https://www.ripe.net/ripe/mail/archives/db-wg/2016-April/005181.html and my unanswered questions on this analysis: https://www.ripe.net/ripe/mail/archives/db-wg/2016-April/005182.html "The RIPE NCC is by default the "data controller" of the personal data in the Database (i.e. it has liability by law) but in practice it has no control over all these personal data. The DPTF, representing the RIPE community, decided that this responsibility should be contractually (via the RIPE Database Terms and Conditions) transferred to those that have actual control over the personal data. In the RIPE Database, these persons are identified by the maintainer object (referenced by the “mnt-by:” attribute in any data object)" The fact that the RIPE NCC now maintains these objects means you do control them and therefore by your own definition the RIPE NCC IS liable for this data. "Although the RIPE NCC allowed some time for the community members to add a mandatory "mnt-by:" to their so-far unmaintained personal data, there were still unmaintained personal data in the RIPE Database." This time was 10 years. After that period of time you cannot argue there was any urgency to take action as data controller. "The RIPE NCC was alerted by third parties that this data could be hijacked in order to facilitate illegal activities." This point was discussed with Piotr and he said the risk of hijacking has been known about for many years and has nothing to do with personal data being maintained or not. He said it is very easy to 'get' id to match any maintained personal data in the database. "It was the RIPE NCC's responsibility to inform the RIPE community of this security risk and initiate a community discussion on possible ways to handle it. At the same time, the RIPE NCC could anticipate that if we were merely exposed the security risk without taking any measures to prevent it, we would alert malicious people and the hijacking attempts would increase." The community has known about this risk for decades and any discussion without this action would not have increased any risk of hijacking. You may have initiated a community discussion, but quickly allowed it to fade away without any conclusion or action plan. "Therefore, we considered that locking the objects, until the community could discuss a proper way forward, would be an adequate measure to prevent possible hijacking cases in the meantime," a measure which, as we have already established does not prevent possible hijacking. "This action was in line with the RIPE NCC's obligations by law." If the RIPE NCC thought it had any legal obligation here it was 10 years too late in taking action. "If people would like to have their locked personal data removed from the RIPE Database, they can submit a request to the RIPE NCC." It was made clear in the original announcement that the RIPE NCC will not unlock any of these objects as it is not possible to identify the data subjects. So by what criteria are you going to accept deletion requests? So to sum up the RIPE NCC has created a data protection problem on a massive scale, based on an old and false premise which was approved directly by the executive board and then allowed the issue to just fall off the table. I don't know much about Dutch corporate law but I suspect that could pass some liability onto the members of the board. All you need is one person to point out one of these objects being related to them that did not have their consent to be added, containing inaccurate data that has caused them some consequential loss....the RIPE NCC (and possibly the board members) will be liable for those losses. cheers denis