Dear partners, companies and RIPE,
on the last RIPE meeting, my inputs have unfortunately been hampered by some technical problems of online connection.
With this message, I would like to express from Europol perspective, our questions and some clear concerns about the measure 2023-04 as proposed.
We have been very recently informed about the project of measure that would indeed remove User assignment data from the RIPE Database public registry.
We have started a consultation of EU law enforcement services (that however takes time), and informed the EU Commission.
From the first feedback we have gathered, the measure will have some clear negative impacts on the capacity of law enforcement authorities to lead investigation, considering the current situation and practices.
Various law enforcement actors (LEA) do appreciate to have the information in the RIPE databases. This direct access helps many investigators to work swiftly in their daily activity against cybercriminals, fraudsters, pedophiles, terrorists…as we all know.
The first negative impact will concern the swift availability of data : with the new measure, LEA will systematically have to request information to the LIRs, with a court order.
Beyond the sole matter of lawfulness requirement, it will not ease as such the daily work, but instead it will be another barrier to the facilitated access to the data : easing the access means easing an efficient and swift investigation. The proposed
measure does not prioritize it.
Maintaining access to the data of end users at RIPE level is also a way to ensure access to all data, in spite of the uncertainty of answers from some LIRs. Registration practices are far to be uniform across the various LIRs.
Please kindly consider that capacity of Law Enforcement is asymmetric towards large volumes of ransomware
attacks, online scam types and massive sharing of Child Sexual Abuses Material,…all
support from our partners is the most precious to counter these realities.
The other main impact will be on the quality of collected data.
In practice, the proposed policy could indeed allow assignments to be somewhat anonymised.
The measure would have here an impact on data granularity : The shift to aggregated assignments would result in less granular data available to law enforcement.
While individual assignments offer specific and detailed information about each IP address's usage, aggregated data may obscure such details, potentially complicating investigations that rely on precise IP address information..
We do understand that the aggregated registration of IPv4 addresses would streamline administrative processes for LIRs but, it is important to acknowledge that it would also have a negative impact on the efficiency and effectiveness of law enforcement
investigations.
The less detailed information will require additional steps or inquiries to ascertain the specifics of an IP address's usage, potentially delaying investigative processes.
Identifying IPV4, remains highly challenging in many cases, as all know, and IPV6 will not replace it at short term.
All delays hamper the general (complex) process of investigation and may have an strong impact on the final result (bad guys arrested and new victims prevented or saved)
EU has recently adopted the NIS2 directive with its article 28 for a better access to DNS information for the legitimate actors. we observe that the planned measure 2023-04 would open an opposite (negative) trend on the access to IP information.
We express our serious concern with the impact that such a measure would have on various investigations carried out by EU competent authorities, and the protection of victims, should it be adopted.
Thank you for your attention and consideration.
Regards
Emmanuel KESSLER
Head of Team - Prevention/Outreach
Europol - O3 European Cyber Crime Centre (EC3)
Eisenhowerlaan 73, 2517 KK
The Hague, The Netherlands
Phone: +31(0)70 353 1163 / mobile +31(0)61 503 1274