Hello Emmanuel, and thank you for your message! Please find our comments and questions inline below:
On Wed, 2023-12-13 at 20:30 +0000, Kessler, Emmanuel wrote:
With this message, I would like to express, from Europol's perspective, our questions and some clear concerns about the measure 2023-04 as proposed. We have been very recently informed about the project of measure that would indeed remove User assignment data from the RIPE Database public registry.
2023-04 aims to *increase* the level of End User assignment coverage in the RIPE database, not remove or decrease it. Quoting from the proposal: «As of August 2023, there were 19,221 PA allocations without any child PA assignments held by 10,052 LIRs (…) Since the RIPE Database Requirements Task Force published their report in May 2021, the PA allocations without any child assignment have grown by 18.4 percent.» We hypothesise that this trend is at least partially caused by LIRs considering that registering all assignments individually is too labour-intensive and not worth the effort, especially in highly dynamic environments where individual (but otherwise identical) assignments rapidly come and go. 2023-04 would provide these LIRs a less labour-intensive option to register such assignments. Whether or not they would avail themselves of the new option is of course an open question, but it seems clear that something has to be done if the current trend towards less assignment coverage in the database is to be reversed.
We have started a consultation of EU law enforcement services (that however takes time), and informed the EU Commission.
Did this consultation take the information in the Impact Analysis into account – in particular the clarification made by the RIPE NCC that 2023-04 does *not* change the current policies and procedures when it comes to the registration requirements for End User contact information? If it did not, this concern may well be the same as the one we addressed in the message yesterday. Would it be possible for you to share the questionnaire that was sent to the LEAs with the working group?
The first negative impact will concern the swift availability of data: with the new measure, LEA will systematically have to request information from the LIRs, with a court order.
Could you please detail or give some examples of exactly what kind of information the LEAs would need to request from the LIRs using court orders? Taking into account the current policies and procedures, we suspect that the information about the End Users that LEAs can obtain directly from the RIPE database is inserted there voluntarily in the first place. If that is the case, wouldn’t it be more efficient for the LEAs to first contact the published contact information (found either in the End User assignment, or its containing allocation) and request the information that way – without going to the courts? Many LIRs would gladly help address any issues and are probably more capable of doing this than most End Users. Conversely, if the information requested is something the LIR prefers to withhold from the LEAs and the general public, it seems reasonable to assume that this information will not have been published in the public RIPE database in the first place. If so, a court order would be necessary - but that would be the case today, as well.
The other main impact will be on the quality of collected data. In practice, the proposed policy could indeed allow assignments to be somewhat anonymised.
As clarified by the RIPE NCC in the Impact Analysis, the current policies and procedures are already allowing assignments to be “somewhat anonymised”. This is not a change that 2023-04 will bring about.
The measure would have here an impact on data granularity: The shift to aggregated assignments would result in less granular data available to law enforcement. While individual assignments offer specific and detailed information about each IP address's usage, aggregated data may obscure such details, potentially complicating investigations that rely on precise IP address information.
As mentioned above, it would be useful to know precisely what kind of information you are referring to here. We would appreciate it if you could share some examples. There is one thing we can think of, though - the assignment-size attribute. This is currently intended to be optional, as we did not see an independent justification for making it mandatory in IPv4. Given an LEA investigation into activity from 192.0.2.9, located within an aggregated inetnum object for 192.0.2.0/24 without the assignment-size attribute present, it would be impossible to deduce from the RIPE database alone if 192.0.2.10 is assigned to the same End User or not. If the assignment-size was present, the LEA would be able to answer that question without contacting the LIR. (assignment-size: <= /30 → same End User; assignment-size: >= /31 → different End User). This could be seen as an independent justification for making assignment-size mandatory in IPv4. If we amended 2023-04 accordingly, would that alleviate the LEAs' concerns in this regard?
Identifying IPv4 remains highly challenging in many cases, as all know, and IPv6 will not replace it in the short term.
The comparison with IPv6 is highly relevant. Apart from making the assignment-size attribute optional as discussed above, 2023-04 does not allow LIRs to do anything with their IPv4 assignments that has not already been allowed with IPv6 assignments for many years. The proposal is essentially a copy and paste from the IPv6 policy. With that in mind, do you see any principal difference between the proposed AGGREGATED-BY-LIR for IPv4 and the already existing AGGREGATED-BY-LIR for IPv6? Is the former more problematic for LEAs than the latter? If so, could you elaborate on why that is?
Best regards,
Tore and Jeroen
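The assignment-size reasoning in the reply above (192.0.2.9 versus 192.0.2.10 inside an aggregated 192.0.2.0/24), as an added example that is not part of the original message or of any RIPE tooling. The object text is constructed, and an `assignment-size` attribute on an IPv4 `inetnum` is an assumption taken from the proposal as discussed here.

```python
import ipaddress

# Constructed sample object; netname is a placeholder.
SAMPLE = """\
inetnum:         192.0.2.0 - 192.0.2.255
netname:         EXAMPLE-AGGREGATE
status:          AGGREGATED-BY-LIR
"""

def parse_rpsl(text):
    """Parse 'key: value' lines into a dict (single-valued attributes only)."""
    obj = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            obj[key.strip()] = value.strip()
    return obj

def same_assignment(obj, addr_a, addr_b):
    """Return True/False when the object alone decides whether both addresses
    fall in one assignment, or None when the LIR would have to be asked."""
    first, _, last = obj["inetnum"].partition("-")
    lo = ipaddress.IPv4Address(first.strip())
    hi = ipaddress.IPv4Address(last.strip())
    a, b = ipaddress.IPv4Address(addr_a), ipaddress.IPv4Address(addr_b)
    if not (lo <= a <= hi and lo <= b <= hi):
        raise ValueError("address outside the object's range")
    if obj.get("status") != "AGGREGATED-BY-LIR":
        return None  # this sketch only interprets aggregated objects
    size = obj.get("assignment-size")
    if size is None:
        return None  # attribute absent: the database alone cannot answer
    prefix = int(size.lstrip("/"))
    # Each assignment is one aligned block of the stated prefix length.
    block = ipaddress.ip_network(f"{a}/{prefix}", strict=False)
    return b in block

if __name__ == "__main__":
    for extra in ("", "assignment-size: 30\n", "assignment-size: 31\n"):
        obj = parse_rpsl(SAMPLE + extra)
        print(repr(extra), same_assignment(obj, "192.0.2.9", "192.0.2.10"))
```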