PERSON objects in the RIPE Database
Colleagues, I will start with a blunt question, then give some arguments for my concern. In May the RIPE NCC told me there are more than 2 million PERSON objects in the RIPE Database. That is almost 25% of the objects in the database. Who are these people and why do we hold so much personal data? At RIPE 76 the RIPE NCC legal team gave a presentation on GDPR and the RIPE Database. The basis of that presentation seemed to be that Article 3 of the RIPE Database Terms and Conditions defined one of the purposes of the database as: Facilitating coordination between network operators (network problem resolution, outage notification etc.) It was argued that this justifies the inclusion of personal data in the RIPE Database so that these people can be contacted in the event of network operational issues, even by people who have no business relationship with these contacts. But this Article makes no mention of 'personal' contact information. It was also mentioned that some personal data is included for policy reasons. The IPv4 Address Allocation and Assignment Policy makes a couple of references to contact data. In 4.0 Registration Requirements it says: All assignments and allocations must be registered in the RIPE Database....Registration data (range, contact information, status etc.) must be correct at all times This clearly associates contact information with the necessary registration. But this does not specify that it has to be 'personal' contact information. In 6.2 Network Infrastructure and End User Networks it says: When an End User has a network using public address space this must be registered separately with the contact details of the End User. Where the End User is an individual rather than an organisation, the contact information of the service provider may be substituted for the End Users. This clearly has the intent of avoiding the need to enter 'personal' data as contact information. In the IPv6 Address Allocation and Assignment Policy it is even more vague saying in 3.3 Registration: Internet address space must be registered in a registry database accessible to appropriate members of the Internet community. This is necessary to ensure the uniqueness of each Internet address and to provide reference information for Internet troubleshooting at all levels, ranging from all RIRs and IRs to End Users. The goal of registration should be applied within the context of reasonable privacy considerations and applicable laws. 'Reference' information and concerns about privacy again clearly indicate that the intent is to avoid using 'personal' data for the contacts. This does raise a number of questions: -Should I believe that we really do have more than 2 million individual people in this region who can seriously address technical or administrative questions on Internet resources or network operational issues? -Why is it considered necessary for contacts to be identifiable people rather than roles? -Abuse-c was intentionally designed to reference a ROLE object, which no longer needs to have any referenced PERSON objects, to avoid the need to enter personal data, why can't technical matters be addressed in the same way? The purpose in the Terms and Conditions may define a reason for holding contact information, but it doesn't justify this level of personal data being held in the database. Perhaps it's time to review what is meant by 'contact information'. What is really needed to satisfy this purpose? For example, why do we need an address for a technical contact who may need to be contacted in the event of an operational issue? No one is going to go to that address or post a letter. As always your thoughts and opinions are welcome... cheers denis co-chair DB WG
On 20/09/2018 15:04, denis walker via db-wg wrote:
Colleagues,
I will start with a blunt question, then give some arguments for my concern. In May the RIPE NCC told me there are more than 2 million PERSON objects in the RIPE Database. That is almost 25% of the objects in the database. Who are these people and why do we hold so much personal data?
At RIPE 76 the RIPE NCC legal team gave a presentation on GDPR and the RIPE Database. The basis of that presentation seemed to be that Article 3 of the RIPE Database Terms and Conditions defined one of the purposes of the database as: Facilitating coordination between network operators (network problem resolution, outage notification etc.)
It was argued that this justifies the inclusion of personal data in the RIPE Database so that these people can be contacted in the event of network operational issues, even by people who have no business relationship with these contacts. But this Article makes no mention of 'personal' contact information.
It was also mentioned that some personal data is included for policy reasons. The IPv4 Address Allocation and Assignment Policy makes a couple of references to contact data. In 4.0 Registration Requirements it says: All assignments and allocations must be registered in the RIPE Database....Registration data (range, contact information, status etc.) must be correct at all times
This clearly associates contact information with the necessary registration. But this does not specify that it has to be 'personal' contact information. In 6.2 Network Infrastructure and End User Networks it says: When an End User has a network using public address space this must be registered separately with the contact details of the End User. Where the End User is an individual rather than an organisation, the contact information of the service provider may be substituted for the End Users.
This clearly has the intent of avoiding the need to enter 'personal' data as contact information. In the IPv6 Address Allocation and Assignment Policy it is even more vague saying in 3.3 Registration: Internet address space must be registered in a registry database accessible to appropriate members of the Internet community. This is necessary to ensure the uniqueness of each Internet address and to provide reference information for Internet troubleshooting at all levels, ranging from all RIRs and IRs to End Users. The goal of registration should be applied within the context of reasonable privacy considerations and applicable laws.
'Reference' information and concerns about privacy again clearly indicate that the intent is to avoid using 'personal' data for the contacts.
This does raise a number of questions: -Should I believe that we really do have more than 2 million individual people in this region who can seriously address technical or administrative questions on Internet resources or network operational issues? -Why is it considered necessary for contacts to be identifiable people rather than roles? -Abuse-c was intentionally designed to reference a ROLE object, which no longer needs to have any referenced PERSON objects, to avoid the need to enter personal data, why can't technical matters be addressed in the same way?
The purpose in the Terms and Conditions may define a reason for holding contact information, but it doesn't justify this level of personal data being held in the database. Perhaps it's time to review what is meant by 'contact information'. What is really needed to satisfy this purpose? For example, why do we need an address for a technical contact who may need to be contacted in the event of an operational issue? No one is going to go to that address or post a letter.
As always your thoughts and opinions are welcome...
cheers denis co-chair DB WG
I think HOHO-RIPE would tend to disagree. -Hank
Hi Hank As they said in the legal presentation at RIPE 76, GDPR considerations are not finished, they are only just starting. A data controller is required to review if the personal data they hold is justified. I don't think the purpose of the RIPE Database can justify 2 million+ PERSON objects or holding personal data when a corporate role is all that is needed. cheersdenisco-chair DB-WG From: Hank Nussbacher via db-wg <db-wg@ripe.net> To: db-wg@ripe.net Sent: Thursday, 20 September 2018, 14:28 Subject: Re: [db-wg] PERSON objects in the RIPE Database On 20/09/2018 15:04, denis walker via db-wg wrote: Colleagues, The purpose in the Terms and Conditions may define a reason for holding contact information, but it doesn't justify this level of personal data being held in the database. Perhaps it's time to review what is meant by 'contact information'. What is really needed to satisfy this purpose? For example, why do we need an address for a technical contact who may need to be contacted in the event of an operational issue? No one is going to go to that address or post a letter. As always your thoughts and opinions are welcome... cheers denis co-chair DB WG I think HOHO-RIPE would tend to disagree. -Hank
a heretical view on whois: [ by whois, i do not mean the irr. the ripe db confounds the two. ] back in the day, when some anomalous behavior hit one of my servers or services, i used whois (yes, i still have a paper copy of the last edition of the manager's handbook somewhere) and wrote or called to warn that their system appeared to be compromised. folk were responsive and appreciative. as the malicious incident volume grew, this did not scale along many dimensions. folk found the inbound report load excessive and of poor quality. reporters were having so many incidents that reporting them was not worth the time. extrapolate to today. i no longer care about whois, either for domains or addresses. i also do not have a telephone book. so feel free to take it away. randy
denis walker via db-wg wrote on 20/09/2018 13:04:
This does raise a number of questions:
the requirement for admin-c and tech-c derive from what was thought to be useful information to have at hand at the time when network registrations were starting out at the InterNIC, way back in the late 1980s. These token made their way into ripe81 as machine-parseable fields, then into ripe181. This dates from the time when we all had fingerd enabled, for example, and when SMTP ETRN and VRFY usually returned something useful, and when gopher was hot stuff and when 2mbit/s links were so outrageously fast that it was normal to boast about the speed in the DNS PTR records for your router interface IP addresses. Thankfully we've moved on from at least some of these things, but they all shared one characteristic: "it seemed like a good idea at the time". Really we have three questions: is what we have both legal and fit for purpose? (hard to tell), could we bang heads together to come up with a new schema which would be comfortably legally compliant and technically fit for purpose? (probably yes), and can we come up with a migration plan from one to the other which can be implemented before the heat death of the universe? (highly unlikely). Nick
Hi Nick I agree the situation we are in is historic. Let me just address your third question "can we come up with a migration plan from one to the other which can be implemented before the heat death of the universe? (highly unlikely)." The RIPE NCC legal presentation at RIPE 76 made it clear that the responsibility for this personal data is shared between the RIPE NCC and the (mostly) members who put the data into the database. Now collectively I don't believe we can justify holding 2million personal data sets in this database and hide behind the Terms and Conditions's defined purpose as the justification. Now everyone can bury their heads in the sand and pretend this problem doesn't exist and the law on personal data in public databases never changed. But, should you need one, that is not a very good legal defense. So really the only question that must be answered is "Can we justify holding this amount of personal data on the basis of contacts for administrative and technical issues relating to internet resources and network operations?" If the answer is 'no' then change MUST happen, long before the universe dies. cheersdenisco-chair DB-WG From: Nick Hilliard via db-wg <db-wg@ripe.net> To: denis walker <ripedenis@yahoo.co.uk> Cc: DB-WG <db-wg@ripe.net> Sent: Tuesday, 25 September 2018, 23:46 Subject: Re: [db-wg] PERSON objects in the RIPE Database denis walker via db-wg wrote on 20/09/2018 13:04:
This does raise a number of questions:
the requirement for admin-c and tech-c derive from what was thought to be useful information to have at hand at the time when network registrations were starting out at the InterNIC, way back in the late 1980s. These token made their way into ripe81 as machine-parseable fields, then into ripe181. This dates from the time when we all had fingerd enabled, for example, and when SMTP ETRN and VRFY usually returned something useful, and when gopher was hot stuff and when 2mbit/s links were so outrageously fast that it was normal to boast about the speed in the DNS PTR records for your router interface IP addresses. Thankfully we've moved on from at least some of these things, but they all shared one characteristic: "it seemed like a good idea at the time". Really we have three questions: is what we have both legal and fit for purpose? (hard to tell), could we bang heads together to come up with a new schema which would be comfortably legally compliant and technically fit for purpose? (probably yes), and can we come up with a migration plan from one to the other which can be implemented before the heat death of the universe? (highly unlikely). Nick
denis walker wrote on 25/09/2018 23:55:
So really the only question that must be answered is "Can we justify holding this amount of personal data on the basis of contacts for administrative and technical issues relating to internet resources and network operations?" If the answer is 'no' then change MUST happen, long before the universe dies.
I.e. "is what we have [...] legal"? DBWG probably needs to get a legal opinion on this. Nick
Hi Nick, Athina Perhaps the RIPE NCC legal team can give us some advice on this issue. In your presentation at RIPE 76 you said the justification for personal data in the RIPE Database was for contacting people about operational issues. If many of these 2 million people whose personal data is held in the RIPE Database are not contacts, is there any legal justification for having this amount of personal data in the database? Also if 'contacts' can be roles rather than identifiable people, can we justify holding this personal data simply because, historically, PERSON objects were used instead of ROLE objects? cheersdenisco-chair DB-WG From: Nick Hilliard <nick@foobar.org> To: denis walker <ripedenis@yahoo.co.uk> Cc: DB-WG <db-wg@ripe.net> Sent: Sunday, 7 October 2018, 14:56 Subject: Re: [db-wg] PERSON objects in the RIPE Database denis walker wrote on 25/09/2018 23:55:
So really the only question that must be answered is "Can we justify holding this amount of personal data on the basis of contacts for administrative and technical issues relating to internet resources and network operations?" If the answer is 'no' then change MUST happen, long before the universe dies.
I.e. "is what we have [...] legal"? DBWG probably needs to get a legal opinion on this. Nick
participants (4)
-
denis walker
-
Hank Nussbacher
-
Nick Hilliard
-
Randy Bush