Confidentiality, or that lack thereof
Some long time ago, somebody (I can't remember who anymore) told me that "business information" given by a member to any RIR... which presumably included RIPE... was considered to be "confidential" and would not thereafter be shared by the RIR staff with any other or outside party.
Now I am trying to figure out (a) if that is true and (b) if so, why it is true and (c) what the limits may be of that rather sweeping generalization, if any. At the moment, I am specifically and only interested in the answers to these three questions with respect to RIPE.
I hope that you will all forgive me for my apparent inability to find answers to these questions on my own. I have googled around a little bit, searching for such things as "RIPE" and "NDA" or "RIPE" and "disclosure" and I'm still not finding anything that jumps out at me as providing answers. I'm sure that it is my fault that I'm not able to find answers to these basic questions on my own, but I hope you all will bear with me anyway.
In particular, I am looking at the current RIPE RSA, and I'm not finding anything in that that addresses confidentiality in any way: https://www.ripe.net/publications/docs/ripe-673
Did I just miss it? Is RIPE contractually committed to some specific sort of confidentiality with respect to materials received from members, or from prospective members? If so, where is that commitment documented?
I'm interested in this topic of confidentiality *in general*, but I have a special and particular interest in the contractual confidentiality commitments, if any, undertaken by RIPE with respect to bullet point #2 in Section 2.2 of the RSA:
* A recent extract from the Commercial Trade Register or equivalent document proving the registration of the Member with the national authorities.
Is RIPE obligated by either contract or policy to confidentiality with respect to the mere corporate registrations of its members or prospective members? If so, by what rule? And where is that rule codified?
Regards, rfg
On Mon, Aug 23, 2021 at 6:38 PM Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
Some long time ago, somebody (I can't remember who anymore) told me that "business information" given by a member to any RIR... which presumably included RIPE... was considered to be "confidential" and would not thereafter be shared by the RIR staff with any other or outside party.
Are you referring to this? https://www.ripe.net/publications/docs/ripe-733#31
On 24. Aug 2021, at 15:25, Leo Vegoda <leo@vegoda.org> wrote:
On Mon, Aug 23, 2021 at 6:38 PM Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
Some long time ago, somebody (I can't remember who anymore) told me that "business information" given by a member to any RIR... which presumably included RIPE... was considered to be "confidential" and would not thereafter be shared by the RIR staff with any other or outside party.
Are you referring to this?
The "Due Diligence" document https://www.ripe.net/publications/docs/ripe-748#5--confidentiality-and-priva... also contains a small section on this, together with a link to the RIPE privacy statement https://www.ripe.net/about-us/legal/ripe-ncc-privacy-statement Further, AFAIK any "business data" that relates to a natural person is additionally covered by GDPR, i.e. those rules are already codified in law. Cheers -Andi
In message <50A2DE7B-3184-406A-8AE0-78062A8074FE@v6x.org>, Andreas Härpfer <ah@v6x.org> wrote:
The "Due Diligence" document
https://www.ripe.net/publications/docs/ripe-748#5--confidentiality-and-priva...
Thank you. Here is the relevant section:
5. Confidentiality and Privacy Issues
The RIPE NCC maintains a duty of confidentiality towards the legal or natural persons that request Internet number resources. Information passed to the RIPE NCC is securely stored and will not be distributed further than is necessary. Details of the process of handling personal data by the RIPE NCC can be found in the RIPE NCC Privacy Statement.
This forces me to just reiterate the various questions I raised in my immediately preceding post, e.g.:
*) Where did this purported "duty of confidentiality" come from and what is the legal or policy basis of it?
*) Does this alleged "duty of confidentiality" only apply selectively, in certain contexts or with respect to certain information, such that the public WHOIS records do not run afoul of this duty?
... together with a link to the RIPE privacy statement
https://www.ripe.net/about-us/legal/ripe-ncc-privacy-statement
Please note that the RIPE privacy statement appears to be -exclusively- about -personal- information of natural persons.
It seems that the two documents that you have provided links to are together performing a sort of coordinated linguistic/HTTP sleight of hand. In Section 5 of the first document it is alleged that there is a "duty" towards -both- natural persons and also towards any and all -other- legal entities, even as it refers the reader to the second document (the RIPE NCC Privacy Statement) which quite obviously talks only about the privacy that shall be accorded to natural persons.
I do not and shall not take issue with GDPR. It is the law of the land and provides reasonable privacy protections to all natural persons. But I do believe that it is safe to say that the overwhelming majority of RIPE members are not natural persons, and it still appears to be rather entirely opaque to me what duties of confidentiality are owed to these non-natural entities.
If there exist yet other documents that might further clarify that, I would greatly appreciate being directed to them.
Regards, rfg
In message <CAPfiqjaU+3g5X0beHNsWMxHD=tWJ7gWcL2o-fR8F4tPjSSpqgA@mail.gmail.com>, Leo Vegoda <leo@vegoda.org> wrote:
On Mon, Aug 23, 2021 at 6:38 PM Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
Some long time ago, somebody (I can't remember who anymore) told me that "business information" given by a member to any RIR... which presumably included RIPE... was considered to be "confidential" and would not thereafter be shared by the RIR staff with any other or outside party.
Are you referring to this?
Well, yes and no, by which I mean "I can't even tell." Here is section 3.1 of the above document:
3.1 Confidentiality
Internet Registries (IRs) have a duty of confidentiality to their registrants. Information passed to an IR must be securely stored and must not be distributed wider than necessary within the IR. When necessary, the information may be passed to a higher-level IR under the same conditions of confidentiality.
There are multiple reasons why the text above fails to answer my question.
*) The first sentence makes a quite sweeping and a quite generalized assertion and yet provides exactly -zero- references to support the assertion. From whence does this alleged "duty of confidentiality" arise? From law? If so, which law and in which jurisdiction? Or did this purported "duty" spring, fully formed, like Athena from the brow of Zeus?
*) Isn't the publication of WHOIS information a quite apparent and obvious violation of this purported "duty of confidentiality"? Or would that be more accurately referred to as "the exception that proves the rule"? Could there be other and as-yet unenumerated exceptions to the general rule?
*) Given that the title of the containing document is "IPv4 Address Allocation and Assignment Policies for the RIPE NCC Service Region" may it be safely inferred that this purported "duty of confidentiality" applies only to "Information passed to an IR" at a point in time when some member actually requests one or more IP Address Allocations, and thereafter? More specifically, does it apply to "Information passed to an IR" at some point in time *before* a member requests IP or other number resource allocations, e.g. at a point in time when a *prospective* member is applying for membership in RIPE?
My points above are, of course, pertaining only to information relating to legal entities other than natural persons, for whom GDPR is controlling.
I should say also that although some may view me as nitpicking, these matters are of grave and serious concern, not just to me, but also to law enforcement and "open source" researchers everywhere. Regards, rfg
On Tue, Aug 24, 2021 at 10:50 AM Ronald F. Guilmette <rfg@tristatelogic.com> wrote: [...]
3.1 Confidentiality
Internet Registries (IRs) have a duty of confidentiality to their registrants. Information passed to an IR must be securely stored and must not be distributed wider than necessary within the IR. When necessary, the information may be passed to a higher-level IR under the same conditions of confidentiality.
There are multiple reasons why the text above fails to answer my question.
*) The first sentence makes a quite sweeping and a quite generalized assertion and yet provides exactly -zero- references to support the assertion.
From whence does this alleged "duty of confidentiality" arise? From law? If so, which law and in which jurisdiction?
The earliest reference I have found is in ripe-104, from 1993. "IRs will keep records of correspondence and information exchanges in conjunction with the registry function for later review and the resolution of disputes. IRs will hold this information in strict confidence and use it only to review requests and in audit procedures or to resolve disputes." [...]
*) Isn't the publication of WHOIS information a quite apparent and obvious violation of this purported "duty of confidentiality"? Or would that be more accurately referred to as "the exception that proves the rule"?
Could there be other and as-yet unenumerated exceptions to the general rule?
I have always understood that the confidentiality requirement was intended to apply to any business information supplied to justify an allocation of resources and not the outcome, which is published in the RIPE Database and elsewhere. I understood that the goal was to assure the businesses operating networks that chatty staff would not gossip about what those businesses planned but had not announced. If you believe there is a need to add clarity, you are welcome to start a discussion in the Address Policy WG. Kind regards, Leo Vegoda Address Policy WG co-chair
Hi, On Tue, Aug 24, 2021 at 11:26:12AM -0700, Leo Vegoda wrote:
I have always understood that the confidentiality requirement was intended to apply to any business information supplied to justify an allocation of resources and not the outcome, which is published in the RIPE Database and elsewhere. I understood that the goal was to assure the businesses operating networks that chatty staff would not gossip about what those businesses planned but had not announced.
Leo has been around about as long as I have - and his understanding of the reasoning matches mine. Let me illustrate this a bit: "back in the days", ISPs were given IPv4 allocations based on network deployment *plans*. Like "we intend to expand to neighbouring country <x>, cities <a>, <b> and <c>, and we expect to have <z-1000> customers there by mid next year" - this sort of information is something I would not like my competitors to have, and thus I always found it reassuring that the NCC would not share these strategic details. The end result ("1.2.0.0/16 allocated to XYZ inc.") is - and needs to be - public, so some coarse information about growth plans is/was visible, but not the details. Gert Doering -- LIR contact since too many years -- have you enabled IPv6 on something today...? SpaceNet AG Vorstand: Sebastian v. Bomhard, Michael Emmer Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279
(please see below) On Tue, 24 Aug 2021, Gert Doering wrote:
Hi,
On Tue, Aug 24, 2021 at 11:26:12AM -0700, Leo Vegoda wrote:
I have always understood that the confidentiality requirement was intended to apply to any business information supplied to justify an allocation of resources and not the outcome, which is published in the RIPE Database and elsewhere. I understood that the goal was to assure the businesses operating networks that chatty staff would not gossip about what those businesses planned but had not announced.
Leo has been around about as long as I have - and his understanding of the reasoning matches mine.
Let me illustrate this a bit: "back in the days", ISPs were given IPv4 allocations based on network deployment *plans*. Like "we intend to expand to neighbouring country <x>, cities <a>, <b> and <c>, and we expect to have <z-1000> customers there by mid next year" - this sort of information is something I would not like my competitors to have, and thus I always found it reassuring that the NCC would not share these strategic details.
The end result ("1.2.0.0/16 allocated to XYZ inc.") is - and needs to be - public, so some coarse information about growth plans is/was visible, but not the details.
Hi Gert, Leo, All, This is perfectly understandable. But I guess the issue is dramatically different -- it's about knowing ** WHO ** is really the ISP, i.e. which company from which jurisdiction. Cheers, Carlos
Gert Doering -- LIR contact since too many years -- have you enabled IPv6 on something today...?
SpaceNet AG Vorstand: Sebastian v. Bomhard, Michael Emmer Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279
In message <YSVL8HPaE8010uXS@Space.Net>, Gert Doering <gert@space.net> wrote:
Leo has been around about as long as I have - and his understanding of the reasoning matches mine.
Excellent! All three of us have the exact same shared understanding, it seems.
Let me illustrate this a bit: "back in the days", ISPs were given IPv4 allocations based on network deployment *plans*. Like "we intend to expand to neighbouring country <x>, cities <a>, <b> and <c>, and we expect to have <z-1000> customers there by mid next year"
Right. This is what I have termed "sensitive" and/or "competitive" information in my immediately prior post. And I am 100% supportive of the notion that all such "sensitive" information should at all times be held in the strictest confidence by NCC, even regardless of whether such confidentiality has been formalized or not. (It just makes good sense.) As you will see from my immediately prior post however I am of the opinion that there is a clear and bright line between THAT sort of "sensitive" information (which might be used, misused, or abused if it were to fall into the hands of some business competitor) and the mere national corporate registration document which all prospective new members that are not natural persons must provide to NCC prior to even being accepted as new members. There is no question in my mind that the former category of information MUST be held in confidence by RIPE NCC. The latter category, maybe not so much. Regards, rfg
On Tue, Aug 24, 2021 at 5:18 PM Ronald F. Guilmette <rfg@tristatelogic.com> wrote: [...]
As you will see from my immediately prior post however I am of the opinion that there is a clear and bright line between THAT sort of "sensitive" information (which might be used, misused, or abused if it were to fall into the hands of some business competitor) and the mere national corporate registration document which all prospective new members that are not natural persons must provide to NCC prior to even being accepted as new members.
There is no question in my mind that the former category of information MUST be held in confidence by RIPE NCC. The latter category, maybe not so much.
Are you making a proposal for the RIPE NCC to change the way it operates, or something else? Kind regards, Leo
In message <CAPfiqja8gfitNzuaVCtxFyowvngiSq7Ft8pq8fEWf91+Tq2_YA@mail.gmail.com> Leo Vegoda <leo@vegoda.org> wrote:
On Tue, Aug 24, 2021 at 5:18 PM Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
As you will see from my immediately prior post however I am of the opinion that there is a clear and bright line between THAT sort of "sensitive" information (which might be used, misused, or abused if it were to fall into the hands of some business competitor) and the mere national corporate registration document which all prospective new members that are not natural persons must provide to NCC prior to even being accepted as new members.
There is no question in my mind that the former category of information MUST be held in confidence by RIPE NCC. The latter category, maybe not so much.
Are you making a proposal for the RIPE NCC to change the way it operates, or something else?
I only wish that I could even answer that question. Sadly, I cannot, for the simple reason that the various RIPE legal, policy, and procedure documents which I have seen so far, and which other people have been kind enough to point me to, have not served to clarify what the current policy is with respect to corporate registration documents, or if there even exists a current policy with respect to those documents. (My sense is that there currently exists -no- policy relating to those documents.)
It would be technically inaccurate, I think, and a misuse of the English language to say that I desire to see a change to something which does not now even exist.
Regards, rfg
On 25. Aug 2021, at 17:17, Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
In message <CAPfiqja8gfitNzuaVCtxFyowvngiSq7Ft8pq8fEWf91+Tq2_YA@mail.gmail.com> Leo Vegoda <leo@vegoda.org> wrote:
Are you making a proposal for the RIPE NCC to change the way it operates, or something else?
I only wish that I could even answer that question. Sadly, I cannot, for the simple reason that the various RIPE legal, policy, and procedure documents which I have seen so far, and which other people have been kind enough to point me to, have not served to clarify what the current policy is with respect to corporate registration documents, or if there even exists a current policy with respect to those documents. (My sense is that there currently exists -no- policy relating to those documents.)
It would be technically inaccurate, I think, and a misuse of the English language to say that I desire to see a change to something which does not now even exist.
Regards, rfg
I really have no idea where this discussion is heading, I am not a lawyer, etc. etc, but let me play "devil's advocate" and be a bit provocative :-)
* My ad-hoc assumption for any organization would be that any partner/member/customer information is confidential unless the affected parties have agreed to make it public. viz. https://www.ripe.net/publications/docs/ripe-733#31
From one of your yesterday's emails:
*) The first sentence makes a quite sweeping and a quite generalized assertion and yet provides exactly -zero- references to support the assertion.
From whence does this alleged "duty of confidentiality" arise? From law? If so, which law and in which jurisdiction?
Jurisdiction, at least, is easy. RIPE-673 (initially quoted by you but outdated) and all its successor documents until the current RIPE-745 state in the very last section:
Article 11 – Governing Law
11.1 All agreements between the RIPE NCC and the Member shall be exclusively governed by the laws of the Netherlands.
https://www.ripe.net/publications/docs/ripe-673
https://www.ripe.net/publications/docs/ripe-745
*) Isn't the publication of WHOIS information a quite apparent and obvious violation of this purported "duty of confidentiality"? Or would that be more accurately referred to as "the exception that proves the rule"?
Could there be other and as-yet unenumerated exceptions to the general rule?
I would not consider this an exception. What goes into WHOIS and/or into the RIPE database is well documented and can be known in advance by anyone applying for resources. This https://www.ripe.net/manage-ips-and-asns/db/support/highlighted-values-in-th... e.g. explicitly mentions the distinction between public and confidential resource holder data.
My points above are, of course, pertaining only to information relating to legal entities other than natural persons, for whom GDPR is controlling. I should say also that although some may view me as nitpicking, these matters are of grave and serious concern, not just to me, but also to law enforcement and "open source" researchers everywhere.
Hmmm ... to put it bluntly: * If you are law enforcement, get a warrant. * If you are an "open source researcher", why should RIPE feel any obligation to cater for your personal research needs? Just because there might be non-competitive information that the RIPE NCC is not obliged to keep confidential does not mean it is obliged to make it publicly available, either … … well, unless you are making a proposal for the RIPE NCC to change the way it operates, as suggested earlier :-) As I said in the beginning, intentionally provocative (and not necessarily my personal opinion everywhere) … just because I can. Cheers -Andi
In message <48758939-BB53-43FF-8855-49C1AF18B017@v6x.org>, Andreas Härpfer <ah@v6x.org> wrote:
I really have no idea where this discussion is heading, I am not a lawyer, etc. etc, but let me play "devil's advocate" and be a bit provocative :-)
That's fair.
* My ad-hoc assumption for any organization would be that any partner/member/customer information is confidential unless the affected parties have agreed to make it public.
I note again that you are citing a Section (3.1) of a document that relates to the IP address allocation process. The title of the document is "IPv4 Address Allocation and Assignment Policies for the RIPE NCC Service Region".
3.1 Confidentiality
Internet Registries (IRs) have a duty of confidentiality to their registrants. Information passed to an IR must be securely stored and must not be distributed wider than necessary within the IR. When necessary, the information may be passed to a higher-level IR under the same conditions of confidentiality.
I would argue that BY DEFINITION the above assurances relate to information provided as part of a justification for IPv4 address space, and that they therefore do not apply to information submitted to RIPE NCC, much earlier, as part of the package of information that RIPE NCC requires in order to transform a prospective new member into an actual RIPE member. That transformation, of a prospective member into an actual one, is clearly a separate and different process, and one to which the confidentiality commitment expressed in the above quoted passage cannot reasonably be construed to apply.
Jurisdiction, at least, is easy. RIPE-673 (initially quoted by you but outdated) and all its successor documents until the current RIPE-745 state in the very last section:
Article 11 - Governing Law
11.1 All agreements between the RIPE NCC and the Member shall be exclusively governed by the laws of the Netherlands.
We agree. Please note that The Netherlands does itself operate a *public* national corporate registry, one from which anybody anywhere in the world can fetch basic incorporation documents, albeit subject to a small fee per document. (I myself have used this web-based public service on multiple occasions in order to obtain various Dutch incorporation documents.) It would seem that the jurisdiction of The Netherlands has no problem with the notion of making basic incorporation documents public. Why then should RIPE deviate from that admirable national standard? (That transparency with respect to basic incorporation documents is not by any means unique to the Netherlands, by the way. Rather, this rudimentary transparency is the widely-accepted norm throughout essentially the entire civilized world.)
*) Isn't the publication of WHOIS information a quite apparent and obvious violation of this purported "duty of confidentiality"? Or would that be more accurately referred to as "the exception that proves the rule"?
Could there be other and as-yet unenumerated exceptions to the general rule?
I would not consider this an exception. What goes into WHOIS and/or into the RIPE database is well documented and can be known in advance by anyone applying for resources.
What are you saying, exactly? Are you claiming that members, e.g. ones allegedly incorporated in some of the world's more opaque jurisdictions, such as Belize, etc., have either some expectation, or perhaps even some right to expect that even the bare minimum facts regarding their corporate existence shall be preserved as a deep dark secret, AND one which RIPE NCC is somehow obliged to become a co-conspirator in hiding from the world?
As noted above, the people and the government of The Netherlands don't appear to have any problem with making basic incorporation documents public. Why then should RIPE? Is RIPE attempting to emulate the ignoble example of FIFA by going out of its way to be opaque, and by so doing, either tacitly or consciously facilitating God only knows what?
Basic incorporation documents are neither "sensitive" nor relevant to the competitiveness of any given member. As I have said, if you have incorporated as "XYZ Widgets" in the Duchy of Grand Fenwick, how does that information being public either hurt you or help your competitors?
Clearly it does neither, thus rendering any pointless and unnecessary secrecy about such basic documents on RIPE's part, nothing other than an additional tool in the toolboxes of bad actors, including some that, even as we speak, are attempting to bring down the entire edifice of the global system of Regional Internet Registries, including RIPE.
Regards, rfg
Dear Ronald,
Thank you for your questions.
As others have correctly noted, the RIPE NCC does have policies protecting the confidentiality of certain information provided by our members. Our duty in this department stems from the mandate given to us by the community in section 3.1 of the IPv4 policy [1], which we interpret as a broad duty to treat all information we receive from our members as confidential:
"Internet Registries (IRs) have a duty of confidentiality to their registrants. Information passed to an IR must be securely stored and must not be distributed wider than necessary within the IR. When necessary, the information may be passed to a higher-level IR under the same conditions of confidentiality."
Our treatment of confidential information is also described in section 5 of the RIPE NCC procedural document "Due Diligence for the Quality of the RIPE NCC Registration Data" [2], which states:
"The RIPE NCC maintains a duty of confidentiality towards the legal or natural persons that request Internet number resources. Information passed to the RIPE NCC is securely stored and will not be distributed further than is necessary."
Furthermore, in the RIPE NCC procedural document "Handling Requests for Information, Orders and Investigations from Law Enforcement Agencies" [3], we provide more clarity regarding what information we treat as confidential and what we can share with third parties (the document pertains to LEAs, but we apply this principle with any third party). According to this document:
"1. Requests for Information
The RIPE NCC distinguishes between the following two types of information:
• RIPE NCC member information that is publicly available
• RIPE NCC member information that is not publicly available, including members' personal and organisational information and any other non-public information
1.1. RIPE NCC Member Information that is Publicly Available
RIPE NCC member information that is public can always be accessed by third parties, including LEAs. Such publicly available information may be any information that is accessible through the RIPE NCC website, including information or records that are public on the RIPE Database at the time of the request.
1.2. RIPE NCC Member Information that is not Publicly Available
The RIPE NCC does not provide member information that is not publicly available to LEAs on a voluntary basis. Non-publicly available member information will only be provided to LEAs, if a Dutch court order or other legally binding order is presented by a Dutch LEA."
Although it is not directly stated in this document, we consider publicly available information only the information that we make publicly available (i.e. publish) according to our mandate from the RIPE community and our legal obligations. If, for example, an LEA asks for the legal address or the bank account of a member, we will not provide them with this information, even though it might be publicly available on that member’s website.
As mandated by the community's policies, our publicly available information about members is accessible on our website, the RIPE Database and other RIPE NCC maintained applications, while other information is kept confidential.
Regards,
Athina Fragkouli
Chief Legal Officer
RIPE NCC
[1] IPv4 Address Allocation and Assignment Policies for the RIPE NCC Service Region: https://www.ripe.net/publications/docs/ripe-733#31
[2] Due Diligence for the Quality of the RIPE NCC Registration Data: https://www.ripe.net/publications/docs/ripe-748#5--confidentiality-and-privacy-issues
[3] Handling Requests for Information, Orders and Investigations from Law Enforcement Agencies: https://www.ripe.net/publications/docs/ripe-675
On 26 Aug 2021, at 21:22, Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
In message <48758939-BB53-43FF-8855-49C1AF18B017@v6x.org>, Andreas Härpfer <ah@v6x.org> wrote:
I really have no idea where this discussion is heading, I am not a lawyer, etc. etc, but let me play "devil's advocate" and be a bit provocative :-)
That's fair.
* My ad-hoc assumption for any organization would be that any partner/member/customer information is confidential unless the affected parties have agreed to make it public.
I note again that you are citing a Section (3.1) of a document that relates to the IP address allocation process. The title of the document is "IPv4 Address Allocation and Assignment Policies for the RIPE NCC Service Region".
3.1 Confidentiality
Internet Registries (IRs) have a duty of confidentiality to their registrants. Information passed to an IR must be securely stored and must not be distributed wider than necessary within the IR. When necessary, the information may be passed to a higher-level IR under the same conditions of confidentiality.
I would argue that BY DEFINITION the above assurances relate to information provided as part of a justification for IPv4 address space, and that they therefore do not apply to information submitted to RIPE NCC, much earlier, as part of the package of information that RIPE NCC requires in order to transform a prospective new member into an actual RIPE member. That transformation, of a prospective member into an actual one, is clearly a separate and different process, and one to which the confidentiality commitment expressed in the above quoted passage cannot reasonably be construed to apply.
Jurisdiction, at least, is easy. RIPE-673 (initially quoted by you but outdated) and all its successor documents until the current RIPE-745 state in the very last section:
Article 11 - Governing Law
11.1 All agreements between the RIPE NCC and the Member shall be exclusively governed by the laws of the Netherlands.
We agree.
Please note that The Netherlands does itself operate a *public* national corporate registry, one from which anybody anywhere in the world can fetch basic incorporation documents, albeit subject to a small fee per document. (I myself have used this web-based public service on multiple occasions in order to obtain various Dutch incorporation documents.)
It would seem that the jurisdiction of The Netherlands has no problem with the notion of making basic incorporation documents public. Why then should RIPE deviate from that admirable national standard? (That transparency with respect to basic incorporation documents is not by any means unique to the Netherlands, by the way. Rather, this rudimentary transparency is the widely-accepted norm throughout essentially the entire civilized world.)
*) Isn't the publication of WHOIS information a quite apparent and obvious violation of this purported "duty of confidentiality"? Or would that be more accurately referred to as "the exception that proves the rule"?
Could there be other and as-yet unenumerated exceptions to the general rule?
I would not consider this an exception. What goes into WHOIS and/or into the RIPE database is well documented and can be known in advance by anyone applying for resources.
What are you saying, exactly? Are you claiming that members, e.g. ones allegedly incorporated in some of the world's more opaque jurisdictions, such as Belize, etc., have either some expectation, or perhaps even some right to expect that even the bare minimum facts regarding their corporate existence shall be preserved as a deep dark secret, AND one which RIPE NCC is somehow obliged to become a co-conspirator in hiding from the world?
As noted above, the people and the government of The Netherlands don't appear to have any problem with making basic incorporation documents public. Why then should RIPE? Is RIPE attempting to emulate the ignoble example of FIFA by going out of its way to be opaque, and by so doing, either tacitly or consciously facilitating God only knows what?
Basic incorporation documents are neither "sensitive" nor relevant to the competitiveness of any given member. As I have said, if you have incorporated as "XYZ Widgets" in the Duchy of Grand Fenwick, how does that information being public either hurt you or help your competitors?
Clearly it does neither, thus rendering any pointless and unnecessary secrecy about such basic documents on RIPE's part, nothing other than an additional tool in the toolboxes of bad actors, including some that, even as we speak, are attempting to bring down the entire edifice of the global system of Regional Internet Registries, including RIPE.
Regards, rfg
Hi, On Tue, Aug 24, 2021 at 05:18:06PM -0700, Ronald F. Guilmette wrote:
There is no question in my mind that the former category of information MUST be held in confidence by RIPE NCC. The latter category, maybe not so much.
I agree that otherwise easily attainable information ("chamber of commerce") does not need to be treated as "confidential". OTOH, maybe it's just the easiest approach to things - "keep *any* document submitted by the LIR as 'confidential'" - so there is no need for individual NCC employees to decide on the nature of a document (especially given that in RIPE land, something which might be "semi-public" in country A might be not easily attainable in country B). But I do not *know*, I'm just thinking out loud.

Gert Doering
--
have you enabled IPv6 on something today...?
SpaceNet AG Vorstand: Sebastian v. Bomhard, Michael Emmer
Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279
In message <YSabD/PVFudA1GIS@Space.Net>, Gert Doering <gert@space.net> wrote:
On Tue, Aug 24, 2021 at 05:18:06PM -0700, Ronald F. Guilmette wrote:
There is no question in my mind that the former category of information MUST be held in confidence by RIPE NCC. The latter category, maybe not so much.
I agree that otherwise easily attainable information ("chamber of commerce") does not need to be treated as "confidential".
Thank you for what seems to be general agreement with my position on this question/issue. Unfortunately, the term "easily obtainable" may be somewhat misleading in this context. There are many jurisdictions scattered around the world, that have elected to go out of their way to NOT make even such simple things as corporate registration documents available to the public, and there are at least a few RIPE member organizations that claim to be incorporated in each of these.... Belize, U.A.E., the British Virgin Islands, the Isle of Man, and the Seychelles Islands, just to name a few.

It may come as a surprise to some, although not to me, that over time there has appeared to be some correlation between some of these entities and what some might call "bad behavior". Indeed, at the present moment, multiple legal disputes currently ongoing in the courts of Mauritius threaten to put one of the world's five Regional Internet Registries, AFRINIC, out of business, and these legal cases have been brought by multiple companies that are purportedly incorporated in the Seychelles: https://www.internetgovernance.org/2021/08/19/a-fight-over-crumbs-the-afrini...

Given the nature of the modern Internet, and its ever more central place in the lives of ordinary people around the world, I personally feel that the price of admission to this vast global and interconnected wealth-generating machine should, at the very least, include making your basic incorporation documents public. It would be Good and Helpful, in my opinion, if the five RIRs agreed with this simple and minimalist disclosure requirement.
OTOH, maybe it's just the easiest approach to things - "keep *any* document submitted by the LIR as 'confidential'" - so there is no need for individual NCC employees to decide on the nature of a document...
I believe you are making this seem more complex than it really is. I really doubt that there are any staff members within RIPE NCC who are so blindingly ignorant that they could not easily tell a corporate registration document from a document showing user counts, equipment purchases, etc., of the kind that has typically been required as part of a justification for IP space. The latter is quite obviously "business confidential". The former, not so much. Regards, rfg
In message <CAPfiqjaBkBc=fi32EvK1JyCd3seRxFbwVmaNX_FAx7Mz_apL_g@mail.gmail.com> Leo Vegoda <leo@vegoda.org> wrote:
I have always understood that the confidentiality requirement was intended to apply to any business information supplied to justify an allocation of resources...
This has been my (informal) understanding also. And it seems altogether reasonable.
I understood that the goal was to assure the businesses operating networks that chatty staff would not gossip about what those businesses planned but had not announced.
Yes. This matches my understanding also, and for whatever it may be worth let me just say that I am in complete agreement with this rationale. I quote now from an Internet source describing a once common phrase here in the U.S., i.e. "Does Macy's tell Gimbels?":

The rhetorical question "Does Macy's tell Gimbels?" was a popular phrase used throughout the 1930s-1960s which meant that business competitors are not {going to} share trade secrets with one another. It comes from the rivalry between the large upscale New York department stores Macy's and Gimbels.

Obviously, -competitive- information of the kind used to request or justify allocations of number resources is, and quite properly should be entirely confidential. I have no question about that. But that sort of information... information relating to number resource requests, allocations, or the justifications for those... are -not- the only information that RIPE NCC holds in relation to any given member. I refer again to bullet point #2 in Section 2.2 of the RSA, which prospective new members agree to even well before they either request or receive any number resource allocations:

* A recent extract from the Commercial Trade Register or equivalent document proving the registration of the Member with the national authorities.

I am persuaded that in the specific case(s) where the prospective new member is *not* a natural person, a document which has been provided, by a prospective new member, to RIPE NCC and which purports to attest to the mere valid legal existence of some such corporate non-natural entity cannot reasonably be classified as "competitive" or "proprietary" information of a type which would be at all likely to render unfair advantage to some real or even hypothetical business competitors.

If I am your business competitor, and if I find out that you have incorporated your business using the name "XYZ Widgets" in the national jurisdiction of The Duchy of Grand Fenwick (google it) then how does my knowing those two rather rudimentary bits of information either (a) help me or (b) hurt you? I do not believe that it can be reasonably argued that it does either, since your mere legal existence as a legal corporate entity does not provide me with any notable competitive advantage. Besides which, if you have been honest and truthful, then this same information should be appearing also in your public corporate "ORG" WHOIS record anyway, right?

So, may we agree that there exists "sensitive" competitive information, of the kind that might be submitted as part of a justification for number resources, and which must be held in confidence by RIPE NCC, and that there is also an additional and separate category of "non-sensitive" non-competitive information which NCC is -not- obliged to hold in confidence, especially as it has no bearing on either requests for, or assignments of number resources?
If you believe there is a need to add clarity, you are welcome to start a discussion in the Address Policy WG.
Well, I do thank you for the suggestion, but as I have been at pains to note above, from where I am sitting this doesn't really bear on address policy *at all*. Yes, when a member that has been accepted as a member requests number resources then they must submit "sensitive" information to NCC and that information must thenceforth and forever after be held in confidence by NCC. But what about the corporate registration document that a prospective member must submit even well before they even become a member, and also, by implication, well before they are even in a position to request number resources? Regards, rfg
participants (6)
- Andreas Härpfer
- Athina Fragkouli
- Carlos Friaças
- Gert Doering
- Leo Vegoda
- Ronald F. Guilmette