All,
On Thu, Sep 27, 2018 at 03:10:46PM +0200, Marco Schmidt wrote:
Dear colleagues,
A new RIPE Policy proposal, 2018-05, "Publication of Legal Address of
Internet Number Resource Holder", is now available for discussion.
I really wish these announcements included the text of the
proposal to make it easier to address it without having to
copy&paste the meat of the proposal into the response.
as for the proposal:
- this proposal ignores completely the fact that not all
resource holders are companies.
- publishing the "legal" address details of natural persons
likely conflicts with the GDPR for the EU and quite possibly
with national data protection regs in the non-EU service region.
- The "legal registered address" of a company will only rarely
have anything to do with the location of their network
management. In fact it often is no more than a lawyer's or
accountant's office. This is even more true where a business has
many locations for network administration.
I'll address arguments as they pertain to legal persons
exclusively below as I think the civil rights of *natural* persons
override any and all arguments you could make here.
specific arguments:
To make it more difficult for malicious actors to hijack block of
IP addresses and therefore play a preventive role in protecting
the community against malicious actors;
Please provide reasoning how this would be achieved. I see no
logical route to this assertion.
Assisting businesses, consumer groups, healthcare organizations
and other organisations combating fraud (some of which have
mandates to electronically save records) to comply with relevant
legal and public safety safeguards;
Please provide exactly which legal requirements and public
safeguards require a central, PUBLIC, database of all resource
holder address details.
Competent authorities to serve legal process to the party
responsible for the resources;
Competent authorities already have a route to this information
via the RIPE NCC or via national companies' reg offices.
To reduce delays in serving legal process, avoiding lost leads
and evidence.
"Delays" such as having to procure a warrant for this data or
having to look a business up in the national companies' office
databases?
The RIPE Database is made for technical troubleshooting and not
for legal purposes.
Counter-argument: In the wake of large-scale cyber incidents,
there is a strong need to enhance cross-border cooperation
related to preparedness. Responding to cybersecurity incidents
may take many forms, ranging from identifying technical measures
which may entail two or more entities jointly investigating the
technical causes of the incident (e.g. malware analysis) or
identifying ways through which organisations may assess whether
they have been affected (e.g. indicators of compromise), to
operational decisions on applying such measures and, ultimately,
to be able to reach out across different jurisdictions in a fast
fashion. Every national registry has different rules, languages
and formats. The availability of the data clustered in one DB
with one format will help for troubleshooting.
Again, I cannot see the logic behind the assertion that a PUBLIC
database of legal registered company addresses, insofar as it
doesn't already exist in most jurisdictions, solves any problem
related to technical troubleshooting. I'm sure in only the
tiniest minority of cases will the lawyer or company secretary
this address points to be able to, or even know whom to
ask for, help with technical troubleshooting.
The information will become out of date if the RIPE NCC can't
ensure current accuracy.
Counter-argument: Information is the lifeblood of organisations
such as the RIPE NCC. Impure data is like impure blood – not
good for the system. The quality of data held in IT systems will
deteriorate unless steps are taken to maintain its accuracy and
consistency.
This is not an argument, it is merely a re-statement of the
position that data quality is important. Also, while everyone who
knows me will know that I am the last person to demand political
correctness in debate; I do question the need for the language
and rhetoric of "Mein Kampf" in a policy proposal.
Therefore, it is of utmost importance to keep data qualitatively
accurate. Poor data quality can lead to organisations taking
decisions based on inaccurate or out-of-date information,
potentially with expensive consequences.
see above, not an argument, just restatement.
The achievements don't justify the needed efforts/costs.
Counter-argument: Network and information systems and services
play a vital role in society. Their reliability and security are
essential to economic and societal activities and in particular
to the functioning of modern societies and economies. A culture
of security is being shared across sectors which are vital for
our economy and society and will have to comply with the security
and notification requirements being discussed in the RIPE NCC
service region.
Again, the "counter-argument" is a boiler-plate political statement
and does not address the effort/cost argument against.
For the avoidance of doubt, the above constitutes opposition to
this proposal.
Kind Regards,
Sascha Luck
We encourage you to review this proposal and send your comments to
<[email protected]> before 26 October 2018.
Hereby done.