@EXT: RE: 2023-04 Review Phase (Add AGGREGATED-BY-LIR status for IPv4 PA assignments)
Dear all, we keep analysing the possible consequences of the measure on our LEA capacity to identify IPV4 It takes time as it interests various EU official partners and Law enforcement services, ...thanks for your understanding. We still identify two issues in the measure - about the process to access to data : as ending the direct access at RIPE level, it will not ease the work for some investigators who uses it as a convenient tool, although accessing the data at LIR level still remains partly an option. - about the granularity of the data as aggregated, and we think there is here a very strong question, with a large potential impact. As you know, EUROPOL has worked for years on the CGN-NAT challenge on IPV4, advocating for limiting this mutualisation of IPV4 addresses that regularly hampers investigation capacities. we observe the aggregation measure as having a real negative impact on the granularity of the answers that will be collected. it is also linked with internal practices in the companies that remain various...we know that. Situation with IPV4 is different than the one with IPV6. Consequently, we keep all our reserve about the proposal that raises concerns amongst many colleagues. We fully understand the code of conduct in RIPE debate, and still appreciate good discussion with constructive and realistic people... However, getting all the truth of the situation requires contradictory debate that can progress through the exchange of still more detailed explanations,.... As the matter is of real importance, we hope that the measure would not be adopted without this clarification with all opinions/arguments around the table,... We would be also in favour of postponing the deadline of the debate, to take time to exchange and check all the explanations as necessary. Thank you for your exchange and cooperation Regards Emmanuel Kessler European Cybercrime centre EUROPOL -----Original Message----- From: denis walker <ripedenis@gmail.com> Sent: 11 January 2024 03:21 To: Tore Anderson <tore@fud.no>; Maria Stafyla <mstafyla@ripe.net> Cc: Jan Ingvoldstad <frettled@gmail.com>; address-policy-wg@ripe.net; Frank Breedijk <f.breedijk@divd.nl>; Kessler, Emmanuel <Emmanuel.Kessler@europol.europa.eu> Subject: Re: [address-policy-wg] 2023-04 Review Phase (Add AGGREGATED-BY-LIR status for IPv4 PA assignments) This email originated from outside Europol. Do not click links or open attachments unless you recognize the sender and know the content is safe. The external address that sent the message is: denis1@gmail.com Hi Tore and others On Wed, 10 Jan 2024 at 13:02, Tore Anderson <tore@fud.no> wrote:
Hello again Jan,
On 10/01/24 11:25, Jan Ingvoldstad wrote:
Basically, any public company register would be illegal according to the interpretation you lean on here.
Public company registries also need a lawful basis for processing. The Norwegian public company registry, for example, uses the lawful basis «exercise of official authority» – Article 6(1)(e) GDPR – as its lawful basis, see https://www.brreg.no/en/privacy-statement/. I would assume that to be the case in most other countries as well.
(Most) LIRs are not official authorities, so unlike public company registries LIRs cannot use this lawful basis for publishing PII in the RIPE Database.
As I explained in the previous email, you only quoted half the GDPR condition here. It actually says, (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; As I also pointed out, during the discussion of 2022-01 (privacy) https://www.ripe.net/ripe/mail/archives/db-wg/2022-October/007630.html it was accepted that there is a 'public interest' basis here.
In any case, all of this is rather off-topic. 2023-04 does not change the legal obligations on the LIRs relating to the publication of End User contact information,
It does not matter how many times you repeat this, it is still NOT true. You remove the line When an End User has a network using public address space this must be registered separately with the contact details of the End User. Removing this line DOES change the LIR's obligations relating to the publication of End User contact information. No matter how many times you repeat this false information I will repeat the reply. nor does it change the RIPE Database Terms and
Conditions. If you want to publish PII in the RIPE Database, you need a lawful basis. That's true today, and that will continue to be true if 2023-04 passes.
Or you could take the other stance and stop publishing *any* contact details regarding an object, because you cannot know whether the information is personal data or not.
Exactly. LIRs may (but are not required to) chose this approach already *today*. This is a common and long-standing practice which the RIPE NCC has repeatedly clarified as compliant with today's policy.
This is one of your biggest false statements. The ONLY person repeatedly saying this is YOU. Let's do a fact check here. You asked a question to the RIPE NCC about publishing End User contact details in an assignment object. The RIPE NCC PDO, policy officer Angela, consulted with registration services and made a reply. She confirmed, once, it is compliant with current policy to not publish the End User contact details. I have disputed that by quoting the famous line (which you want to remove): 'When an End User has a network using public address space this must be registered separately with the contact details of the End User.' I have provided a mountain of supporting evidence that the RIPE NCC's interpretation of this statement is incorrect. Angela's one time answer was incorrect. Since then the RIPE NCC has said exactly NOTHING. No one from registration services has come to this list and expanded, qualified or explained their one time response. But since then you have endlessly repeated that one time response from the RIPE NCC. You have claimed so many times that the RIPE NCC has repeated this many times. That is NOT true. Please STOP saying what is NOT TRUE. It was said once by the RIPE NCC and then disputed. You are still hiding behind this false premise.
It will continue to be compliant with the policy after 2023-04 passes, as well. Thus, 2023-04 effects no change on the LIRs' obligations in this regard.
It has a massive change on the LIR's obligations, by removing a line of text from the current policy, which you have admitted yourself does not need to be removed for your aggregation proposal. You keep repeating that this change has no real, practical impact, so don't remove it. Then we can all get on with our lives.
I think that because the WG discussion has almost exclusively revolved around this alleged changing of policy requirements to publish End User contact information (which may or may not be PII), it is easy to lose track of what this proposal is *actually* all about. We are talking about two different things:
1) The actual intention behind the proposal: Making it possible to aggregate multiple IPv4 End User assignments that have consistent contact information and purpose into a single database object. This is not possible today, and that is what we want to make that possible, in the same way it is already possible in IPv6.
Then limit the proposal to exactly this!!!
2) The *alleged* change to what kind of End User contact information is required to be published in the RIPE database. We have never had any intention of changing this in any way, and the Impact Analysis and other statements from the RIPE NCC confirm that the proposal does not change it either.
This is total madness. You keep saying you have no intention of changing anything else. You keep saying the wording change actually changes nothing in practice. Some other people don't agree with you. Just don't change wording that you claim changes NOTHING and has nothing to do with aggregation and everyone is happy. The fact that you are pushing so hard to make this wording change, you refuse to back down or compromise, you insist on changing wording that changes nothing and has nothing to do with aggregation...proves that you don't believe that yourself. The fact is, I suspect that this is the real change you want. You want to drop the current policy requirement to define assignments with End User contacts. It is the aggregation that is the side issue here. There is no other explanation for why you are insisting so strongly on changing wording that changes nothing.
In short: 1) is an intentional and desired change from today, while 2) is *not* a change from today – intentionally so.
This (regarding item 2) is simply not true. Any change in text *is a change*.
We are not making the claim that the policy text does not change. That it clearly does – in order to achieve the desired change described in item 1 above.
We are however claiming that the *meanings* of the old and the new policy texts are exactly the same, with regards to how they translate into operational procedures and requirements for the publication of End User contact information (item 2).
You must think that WE are the crazy people. You cannot remove the line 'When an End User has a network using public address space this must be registered separately with the contact details of the End User.' and then say the meaning is exactly the same. I know it is a common tactic now, especially in politics, to keep repeating mis-information that makes no sense over and over again, refusing to listen to objections, until a mass of people start to believe your mis-information. I am one of those free thinkers who doesn't go with the masses. I will keep pointing out the mis-information here.
As the RIPE NCC writes in the Impact Analysis (emphasis added):
«Acceptance of this proposal **will not change** the fact that the RIPE NCC cannot enforce which contact details members add to their IPv4 PA assignments in the RIPE Database; this **will remain** their decision.»
So, once again: which End User contact details LIRs publish (if any) is their decision today, and it will be continue to be their decision if 2023-04 passes. Hence, 2023-04 does not effect any change in this regard.
This really does make me cry. The wording in the IA is poor. You have applied an interpretation to this which I do not believe is what was meant. Then the RIPE NCC legal team has remained silent. So I am asking the RIPE NCC legal team to clearly explain what they meant by this wording. Is the legal team actually saying here that the RIPE NCC cannot enforce RIPE policy? The current policy is clear on the 'type' of contact details. That 'line' says an assignment MUST include an End User contact. It is true the policy does not say the LIR must add Person A as the contact rather than Person B. So in this context the RIPE NCC cannot enforce which (Person A or B) contact details members add to their IPv4 PA assignments. The choice of Person A or Person B will remain the LIR's decision. But when the policy says an assignment MUST include 'an' End User contact, the RIPE NCC can and should enforce that 'a' contact for the End User is added. So I ask the legal team, which interpretation did you mean?
So maybe we could discuss 1) instead of 2) going forward? :-)
I have no problem with 1), as already stated.
We're happy to hear that!
I do agree with you that this is distracting from the proper meat of your proposal. Which is why I suggest that you drop this part of it. Again, drop the part of the proposal that people have a beef with.
Don't make the change that you claim is not a change.
This «beef» is based on reading current policy to mean that which End User contact details LIRs publish in the database (if any) is *not* the LIRs' decision today.
It is based on reading the current policy and understanding what a very clear sentence written in plain English means.
But the RIPE NCC has repeatedly clarified that that is simply not the case: it *is* the LIRs' decision today, and it will continue to be LIRs' decision should 2023-04 pass.
You are doing it again. The RIPE NCC has said something ONCE and refused to clarify it ever since, despite it being contested. It is YOU who repeatedly claims something.
Given that, it is hard to see how we could possibly amend the proposal to change this particular point to an even lesser extent than what is already the case?
Let me help you. Do NOT remove a sentence that has nothing to do with the stated goal of the proposal to aggregate assignments and that you claim does not change anything. cheers denis
Tore & Jeroen
--
To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: https://lists.ripe.net/mailman/listinfo/address-policy-wg
Dear Emmanuel Kessler, It would help the co-chairs tremendously if your arguments gave some specific numbers or other details. We are aware of your concerns but phrases like "large potential impact" are vague. Kind regards, Leo Vegoda, for the Address Policy WG co-chairs On Mon, 15 Jan 2024 at 02:32, Kessler, Emmanuel <Emmanuel.Kessler@europol.europa.eu> wrote:
Dear all,
we keep analysing the possible consequences of the measure on our LEA capacity to identify IPV4 It takes time as it interests various EU official partners and Law enforcement services, ...thanks for your understanding.
We still identify two issues in the measure
- about the process to access to data : as ending the direct access at RIPE level, it will not ease the work for some investigators who uses it as a convenient tool, although accessing the data at LIR level still remains partly an option.
- about the granularity of the data as aggregated, and we think there is here a very strong question, with a large potential impact.
As you know, EUROPOL has worked for years on the CGN-NAT challenge on IPV4, advocating for limiting this mutualisation of IPV4 addresses that regularly hampers investigation capacities. we observe the aggregation measure as having a real negative impact on the granularity of the answers that will be collected. it is also linked with internal practices in the companies that remain various...we know that. Situation with IPV4 is different than the one with IPV6. Consequently, we keep all our reserve about the proposal that raises concerns amongst many colleagues.
We fully understand the code of conduct in RIPE debate, and still appreciate good discussion with constructive and realistic people... However, getting all the truth of the situation requires contradictory debate that can progress through the exchange of still more detailed explanations,.... As the matter is of real importance, we hope that the measure would not be adopted without this clarification with all opinions/arguments around the table,...
We would be also in favour of postponing the deadline of the debate, to take time to exchange and check all the explanations as necessary.
Thank you for your exchange and cooperation
Regards
Emmanuel Kessler European Cybercrime centre EUROPOL
-----Original Message----- From: denis walker <ripedenis@gmail.com> Sent: 11 January 2024 03:21 To: Tore Anderson <tore@fud.no>; Maria Stafyla <mstafyla@ripe.net> Cc: Jan Ingvoldstad <frettled@gmail.com>; address-policy-wg@ripe.net; Frank Breedijk <f.breedijk@divd.nl>; Kessler, Emmanuel <Emmanuel.Kessler@europol.europa.eu> Subject: Re: [address-policy-wg] 2023-04 Review Phase (Add AGGREGATED-BY-LIR status for IPv4 PA assignments)
This email originated from outside Europol. Do not click links or open attachments unless you recognize the sender and know the content is safe. The external address that sent the message is: denis1@gmail.com
Hi Tore and others
On Wed, 10 Jan 2024 at 13:02, Tore Anderson <tore@fud.no> wrote:
Hello again Jan,
On 10/01/24 11:25, Jan Ingvoldstad wrote:
Basically, any public company register would be illegal according to the interpretation you lean on here.
Public company registries also need a lawful basis for processing. The Norwegian public company registry, for example, uses the lawful basis «exercise of official authority» – Article 6(1)(e) GDPR – as its lawful basis, see https://www.brreg.no/en/privacy-statement/. I would assume that to be the case in most other countries as well.
(Most) LIRs are not official authorities, so unlike public company registries LIRs cannot use this lawful basis for publishing PII in the RIPE Database.
As I explained in the previous email, you only quoted half the GDPR condition here. It actually says, (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; As I also pointed out, during the discussion of 2022-01 (privacy) https://www.ripe.net/ripe/mail/archives/db-wg/2022-October/007630.html it was accepted that there is a 'public interest' basis here.
In any case, all of this is rather off-topic. 2023-04 does not change the legal obligations on the LIRs relating to the publication of End User contact information,
It does not matter how many times you repeat this, it is still NOT true. You remove the line When an End User has a network using public address space this must be registered separately with the contact details of the End User. Removing this line DOES change the LIR's obligations relating to the publication of End User contact information. No matter how many times you repeat this false information I will repeat the reply.
nor does it change the RIPE Database Terms and
Conditions. If you want to publish PII in the RIPE Database, you need a lawful basis. That's true today, and that will continue to be true if 2023-04 passes.
Or you could take the other stance and stop publishing *any* contact details regarding an object, because you cannot know whether the information is personal data or not.
Exactly. LIRs may (but are not required to) chose this approach already *today*. This is a common and long-standing practice which the RIPE NCC has repeatedly clarified as compliant with today's policy.
This is one of your biggest false statements. The ONLY person repeatedly saying this is YOU. Let's do a fact check here. You asked a question to the RIPE NCC about publishing End User contact details in an assignment object. The RIPE NCC PDO, policy officer Angela, consulted with registration services and made a reply. She confirmed, once, it is compliant with current policy to not publish the End User contact details. I have disputed that by quoting the famous line (which you want to remove): 'When an End User has a network using public address space this must be registered separately with the contact details of the End User.' I have provided a mountain of supporting evidence that the RIPE NCC's interpretation of this statement is incorrect. Angela's one time answer was incorrect. Since then the RIPE NCC has said exactly NOTHING. No one from registration services has come to this list and expanded, qualified or explained their one time response. But since then you have endlessly repeated that one time response from the RIPE NCC. You have claimed so many times that the RIPE NCC has repeated this many times. That is NOT true. Please STOP saying what is NOT TRUE. It was said once by the RIPE NCC and then disputed. You are still hiding behind this false premise.
It will continue to be compliant with the policy after 2023-04 passes, as well. Thus, 2023-04 effects no change on the LIRs' obligations in this regard.
It has a massive change on the LIR's obligations, by removing a line of text from the current policy, which you have admitted yourself does not need to be removed for your aggregation proposal. You keep repeating that this change has no real, practical impact, so don't remove it. Then we can all get on with our lives.
I think that because the WG discussion has almost exclusively revolved around this alleged changing of policy requirements to publish End User contact information (which may or may not be PII), it is easy to lose track of what this proposal is *actually* all about. We are talking about two different things:
1) The actual intention behind the proposal: Making it possible to aggregate multiple IPv4 End User assignments that have consistent contact information and purpose into a single database object. This is not possible today, and that is what we want to make that possible, in the same way it is already possible in IPv6.
Then limit the proposal to exactly this!!!
2) The *alleged* change to what kind of End User contact information is required to be published in the RIPE database. We have never had any intention of changing this in any way, and the Impact Analysis and other statements from the RIPE NCC confirm that the proposal does not change it either.
This is total madness. You keep saying you have no intention of changing anything else. You keep saying the wording change actually changes nothing in practice. Some other people don't agree with you. Just don't change wording that you claim changes NOTHING and has nothing to do with aggregation and everyone is happy. The fact that you are pushing so hard to make this wording change, you refuse to back down or compromise, you insist on changing wording that changes nothing and has nothing to do with aggregation...proves that you don't believe that yourself. The fact is, I suspect that this is the real change you want. You want to drop the current policy requirement to define assignments with End User contacts. It is the aggregation that is the side issue here. There is no other explanation for why you are insisting so strongly on changing wording that changes nothing.
In short: 1) is an intentional and desired change from today, while 2) is *not* a change from today – intentionally so.
This (regarding item 2) is simply not true. Any change in text *is a change*.
We are not making the claim that the policy text does not change. That it clearly does – in order to achieve the desired change described in item 1 above.
We are however claiming that the *meanings* of the old and the new policy texts are exactly the same, with regards to how they translate into operational procedures and requirements for the publication of End User contact information (item 2).
You must think that WE are the crazy people. You cannot remove the line 'When an End User has a network using public address space this must be registered separately with the contact details of the End User.' and then say the meaning is exactly the same. I know it is a common tactic now, especially in politics, to keep repeating mis-information that makes no sense over and over again, refusing to listen to objections, until a mass of people start to believe your mis-information. I am one of those free thinkers who doesn't go with the masses. I will keep pointing out the mis-information here.
As the RIPE NCC writes in the Impact Analysis (emphasis added):
«Acceptance of this proposal **will not change** the fact that the RIPE NCC cannot enforce which contact details members add to their IPv4 PA assignments in the RIPE Database; this **will remain** their decision.»
So, once again: which End User contact details LIRs publish (if any) is their decision today, and it will be continue to be their decision if 2023-04 passes. Hence, 2023-04 does not effect any change in this regard.
This really does make me cry. The wording in the IA is poor. You have applied an interpretation to this which I do not believe is what was meant. Then the RIPE NCC legal team has remained silent. So I am asking the RIPE NCC legal team to clearly explain what they meant by this wording. Is the legal team actually saying here that the RIPE NCC cannot enforce RIPE policy? The current policy is clear on the 'type' of contact details. That 'line' says an assignment MUST include an End User contact. It is true the policy does not say the LIR must add Person A as the contact rather than Person B. So in this context the RIPE NCC cannot enforce which (Person A or B) contact details members add to their IPv4 PA assignments. The choice of Person A or Person B will remain the LIR's decision. But when the policy says an assignment MUST include 'an' End User contact, the RIPE NCC can and should enforce that 'a' contact for the End User is added. So I ask the legal team, which interpretation did you mean?
So maybe we could discuss 1) instead of 2) going forward? :-)
I have no problem with 1), as already stated.
We're happy to hear that!
I do agree with you that this is distracting from the proper meat of your proposal. Which is why I suggest that you drop this part of it. Again, drop the part of the proposal that people have a beef with.
Don't make the change that you claim is not a change.
This «beef» is based on reading current policy to mean that which End User contact details LIRs publish in the database (if any) is *not* the LIRs' decision today.
It is based on reading the current policy and understanding what a very clear sentence written in plain English means.
But the RIPE NCC has repeatedly clarified that that is simply not the case: it *is* the LIRs' decision today, and it will continue to be LIRs' decision should 2023-04 pass.
You are doing it again. The RIPE NCC has said something ONCE and refused to clarify it ever since, despite it being contested. It is YOU who repeatedly claims something.
Given that, it is hard to see how we could possibly amend the proposal to change this particular point to an even lesser extent than what is already the case?
Let me help you. Do NOT remove a sentence that has nothing to do with the stated goal of the proposal to aggregate assignments and that you claim does not change anything.
cheers denis
Tore & Jeroen
--
To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: https://lists.ripe.net/mailman/listinfo/address-policy-wg
--
To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: https://lists.ripe.net/mailman/listinfo/address-policy-wg
participants (2)
-
Kessler, Emmanuel -
Leo Vegoda