Re: [ncc-services-wg] 2018-05 New Policy Proposal (Publication of Legal Address of Internet Number Resource Holder)
All,

On Thu, Sep 27, 2018 at 03:10:46PM +0200, Marco Schmidt wrote:
Dear colleagues, A new RIPE Policy proposal, 2018-05, "Publication of Legal Address of Internet Number Resource Holder", is now available for discussion.
I really wish these announcements included the text of the proposal to make it easier to address it without having to copy&paste the meat of the proposal into the response.

as for the proposal:

- this proposal ignores completely the fact that not all resource holders are companies.
- publishing the "legal" address details of natural persons likely conflicts with the GDPR for the EU and quite possibly with national data protection regs in the non-EU service region.
- The "legal registered address" of a company will only rarely have anything to do with the location of their network management. In fact it often is no more than a lawyer's or accountant's office. This is even more true where a business has many locations for network administration.

I'll address arguments as they pertain to legal persons exclusively below as I think the civil rights of *natural* persons override any and all arguments you could make here.

specific arguments:
To make it more difficult for malicious actors to hijack block of IP addresses and therefore play a preventive role in protecting the community against malicious actors;
Please provide reasoning how this would be achieved. I see no logical route to this assertion.
Assisting businesses, consumer groups, healthcare organizations and other organisations combating fraud (some of which have mandates to electronically save records) to comply with relevant legal and public safety safeguards;
Please provide exactly which legal requirements and public safeguards require a central, PUBLIC, database of all resource holder address details.
Competent authorities to serve legal process to the party responsible for the resources;
Competent authorities already have a route to this information via the RIPE NCC or via national companies' reg offices.
To reduce delays in serving legal process, avoiding lost leads and evidence.
"Delays" such as having to procure a warrant for this data or having to look a business up in the national companies' office databases?
The RIPE Database is made for technical troubleshooting and not for legal purposes. Counter-argument: In the wake of large-scale cyber incidents, there is a strong need to enhance cross-border cooperation related to preparedness. Responding to cybersecurity incidents may take many forms, ranging from identifying technical measures which may entail two or more entities jointly investigating the technical causes of the incident (e.g. malware analysis) or identifying ways through which organisations may assess whether they have been affected (e.g. indicators of compromise), to operational decisions on applying such measures and, ultimately, to be able to reach out across different jurisdictions in a fast fashion. Every national registry has different rules, languages and formats. The availability of the data clustered in one DB with one format will help for troubleshooting.
Again, I cannot see the logic behind the assertion that a PUBLIC database of legal registered company addresses, insofar as it doesn't already exist in most jurisdictions, solves any problem related to technical troubleshooting. I'm sure in only the tiniest minority of cases will the lawyer or company secretary this address points to be able to, or even know whom to ask for, help with technical troubleshooting.
The information will become out of date if the RIPE NCC can't ensure current accuracy. Counter-argument: Information is the lifeblood of organisations such as the RIPE NCC. Impure data is like impure blood – not good for the system. The quality of data held in IT systems will deteriorate unless steps are taken to maintain its accuracy and consistency.
This is not an argument, it is merely a re-statement of the position that data quality is important. Also, while everyone who knows me will know that I am the last person to demand political correctness in debate; I do question the need for the language and rhetoric of "Mein Kampf" in a policy proposal.
Therefore, it is of utmost importance to keep data qualitatively accurate. Poor data quality can lead to organisations taking decisions based on inaccurate or out-of-date information, potentially with expensive consequences.
see above, not an argument, just restatement.
The achievements don't justify the needed efforts/costs. Counter-argument: Network and information systems and services play a vital role in society. Their reliability and security are essential to economic and societal activities and in particular to the functioning of modern societies and economies. A culture of security is being shared across sectors which are vital for our economy and society and will have to comply with the security and notification requirements being discussed in the RIPE NCC service region.
Again, the "counter-argument" is a boiler-plate political statement and does not address the effort/cost argument against.

For the avoidance of doubt, the above constitutes opposition to this proposal.

Kind Regards,
Sascha Luck
We encourage you to review this proposal and send your comments to <ncc-services-wg@ripe.net> before 26 October 2018.
Hereby done.
Hi Sascha,

I believe there is a bit of confusion on the scope of the proposal in relation to individuals. It is my understanding (also based on the implementation of GDPR at RIPE) that the large majority of resources is composed by companies, which are not subject to the protection of their personal data because, of course, they are not people. It is absolutely true instead that the safeguards put in place by GDPR and other national regulations will be protecting the fundamental rights of those individuals who are in the scope of this policy. I hope to have clarified this!

Indeed, the policy is not interested in pointing to a location the network management or any technical team of any sort. The aim of this policy is to have an address where a company is registered legally, so to have a juridical location reference in all those cases where the necessity of serving a legal order or engaging in any kind of non purely technical interaction is needed.

A legally registered company is less likely to be a fraud, or criminal. Most countries publish a record of legal entities and companies that anybody can consult, and it helps citizens not to fall victims of fraudsters.

Competent authorities will be facilitated by the existence of such record as if a competent authority has to serve a legal order, or send an official letter, with this DB entry it will be easier and faster to know to which country (and to which legal system). Sending official requests cross border is not as straightforward, and having one specific address to address instead of surfing through several possible addresses is indeed a better use of everyone’s resources.

I hope to have addressed your main concerns, and that we can continue this fruitful discussion. For the political considerations you make, I believe this is not the correct forum - the mention here is to the life-saving dialysis process needed to clean up blood from toxins.
Kind regards,
Sara Marcolla

Typed with a very tiny keyboard this mistakes can occur

From: Sascha Luck [ml] <lists-ripe@c4inet.net>
Date: Thursday, 27 Sep 2018, 4:29 PM
To: ncc-services-wg@ripe.net
Subject: Re: [ncc-services-wg] 2018-05 New Policy Proposal (Publication of Legal Address of Internet Number Resource Holder)