In some countries, like the UK, postal codes identify anywhere from one house to a street and are thus way too specific for that purpose, hence my suggestion to use city names instead. I don't think it's unreasonable to have a private whois database for law enforcement and similar agencies where they can access non-public information. Some domain registries and registrars do this as well (sometimes with varying types of data access depending on the agency) and it seems to be working out with relatively small problems relating to abuse of power. For this to make sense however, at least a country and state would need to be public so jurisdiction can be determined in case a member of the public needs to make a report to law enforcement about a resource holder. Get Outlook for Android<https://aka.ms/AAb9ysg> ________________________________ From: Carlos Friaças <cfriacas@fccn.pt> Sent: Sunday, June 5, 2022 11:53:01 AM To: denis walker <ripedenis@gmail.com> Cc: Hans-Martin Mosner <hmm@heeg.de>; Matthias Merkel <matthias.merkel@staclar.com>; anti-abuse-wg <anti-abuse-wg@ripe.net> Subject: Re: [anti-abuse-wg] personal data in the RIPE Database Hi Denis, All, (Please see inline, CSIRT hat=ON) On Sun, 5 Jun 2022, denis walker wrote: (...)
However, besides wanting to contact someone, there is a legitimate need to identify bad actors and shun them with whatever means at your disposal (SpamAssassin rules, IP blocks, nullroutes, whatever). I do not want to communicate with them, just as I don't want to discuss with burglars about their actions!
This is starting to explain reasons why we need to identify resource holders, even natural persons.
Exactly! When we are talking about companies, GDPR doesn't even apply. When we are talking about natural persons GDPR applies, but there is **purpose** and a minimal set of information **needs** to be available.
So, a mere contact database (which could contain fully anonymized forwarding addresses through a "privacy provider", like it's nowadays common for whois entries) would work for the purpose of contacting someone, but it does not work for identifying who can be held accountable for abuse emitted from a network range.
I think there is general agreement that as long as a contact is contactable there is no need to identify the natural persons operating in that role.
No. No. No. That is the general agreement for those who prefer to ignore network abuse, or for those who have business models based in abusing other people's networks.
Accountability, and any subsequent enforcement action, needs an identity. This is the key element of why resource holders, even natural persons, need to be identifiable. Further questions still need to be answered like to what degree should they be identifiable, by what means and to who?
Authorities, at least.
For resources allocated to legal entities (companies, organizations, etc.) an identification of the organization should be mandatory. This does not need to include personal data on employees that happen to be responsible for network or abuse issues, I'm fine with role accounts here. So in this case, no objection to eliminate personal data (which often becomes stale anyway after some years).
Again I think there is general agreement that for resource holders that are NOT natural persons the name, address and legal country must be included in the public data.
Yes. But... Please explain how the legal country of a natural person may help anyone determine accurately how to identify a single natural person. Because i don't see how. Even for micro-countries/economies. Simply by having the accurate (and verified by the RIPE NCC) legal country would be a big help in determining **which** is the legal jurisdiction the offender is on.
However, resources allocated to private persons are a bit different. I suppose very few private persons hold a /24 network range, and if they do, they probably fall squarely in the area of operating a business or other publicly visible enterprise under their personal name, and in many jurisdictions they are required to do so with identifying information. For example, in Germany you can't even have a web page without an imprint containing the names of people responsible for the content if you address the general public, and if you do business of any kind and you're not a corporation, you must do so under your name.
There are far more natural persons holding resources than you think.
Yes, i know.
Looking at the membership list on the RIPE NCC's website, all the members are listed and you can see the natural persons. It has been argued that even if a natural person's details are listed on some other public business register, that alone is not a reason to publish those details in the RIPE Database.
Again, there is **purpose**.
So what personally identifiable info should we publish about a natural person holding resources and what should we do with the rest of the currently available public info? Would it be reasonable to publish the name but not publish the (full) address publicly?
The full (verified by the RIPE NCC) address -- at least for LIRs -- would probably be more useful while determining legal jurisdiction, which is imho, the number 1 issue.
Now I looked back at a presentation made by EUROPOL at RIPE 73 https://ripe73.ripe.net/archives/video/1501/
They were very clear that the address of resource holders is also very important to LEAs in their investigations. So I am going to make a controversial suggestion here. Currently we have two categories of registry data, Private and Public. The Public data is available to LEAs and their use of it is covered by agreed purposes of the RIPE Database defined in the Terms & Conditions. For Private data they need to get a court order, which is an expensive and time consuming process. Suppose we add a middle category Restricted data. This could be data like the address of natural persons who hold resources. Data that is now public but we are proposing to take out of the public domain. We could allow LEAs (and maybe other recognised public safety agencies) to continue to have access to this Restricted data without a court order. (There are technical ways of doing this which are out of scope for this discussion.)
That sounds a step in the right direction. Court orders usually have one problem, you'll need to be sure about the legal jurisdiction. It's completely a waste of time to ask for a court order in jurisdiction X when the offender is sitting in jurisdiction Y.
I know a lot of people have ideological phobias about allowing the police access to non-public data. They will be screaming at me right now for this suggestion...'it's giving the police a back door entry', 'it's the thin end of the wedge', 'where will it stop'... I understand those concerns.
I manage a LIR for ~20 years. Hell, if someone is misusing our infrastructure/numbers, having LEA asking us questions so the abuse (and abusers) can be identified and stopped is a good thing, because our reputation is also at stake (as a service provider).
But I see allowing LEAs continued access to what is now public data as different from giving LEAs access to private data that they have never had access to in the past. It is a different direction.
There is a lot of abuse and criminal activity on the internet.
Yes there is. Glad we agree on that :-)))
LEAs have a job to do. They need this data and often need it quickly. But we also have privacy concerns. So we are now considering taking out of the public domain some of that data that LEAs need.
And that's wrong. And data quality is also an issue -- that should be tackled! When we see (in an object) an address from country X, phone from country Y, the country field with country Z, and a clearly bogus postal code, there is a long road to go in terms of data quality...
I see this as a compromise to allow LEAs continued access to what is now public data so they can do their job effectively, but also increase general privacy by taking this bit of data out of the public domain.
Yes. And i can support that compromise, but i suspect the only viable option for some business models is to block that compromise solution.
I suppose that RIPE operates mostly on the level of legal entities that can be identified without naming individual persons. As such, it would be proper to clearly state that every database entry pertaining to a resource allocated through RIPE must contain truthful and usable identifying information of the resource holder. In German, that's "Ladungsfähige Anschrift" which was basically required to be an actual place of presence, but it appears that "virtual office" providers have succeeded in letting their addresses count as "Ladungsfähige Anschrift". I'm not a legal expert, I think this is wrong, but jurisprudence isn't always compatible with reason.
Since RIPE isn't bound by German law, they may choose contractual wording that provides reasonable value for all parties involved. If all identifying information is lost, the abusers have won, as they have with domain whois already.
Domain whois is a real mess, and yes abusers have won on that front, as they are also winning on this :/ But you also raise an important issue. It's already very complex to manage the 27 EU national laws, but the RIPE NCC has not only to live with a 70++ service region, and beyond that also with LIRs that are based outside the service region -- which are also "allowed". And as we know, a part of those are really just the result of some "opacity engineering".
A situation we need to avoid.
I entirely agree, Denis.
On Fri, 3 Jun 2022 at 10:41, Matthias Merkel <matthias.merkel@staclar.com> wrote:
I agree that it must be possible to identify people who hold resources. Not just for other network operators but also so that organizations such as law enforcement are able to do so in emergency situations where contacting RIPE could be too slow.
I hope my controversial compromise above will do that.
It is worth noting however that there now is a relatively large number of people operating networks as a hobby outside of any business activity.
Some people may consider spamming or hacking a hobby.
And on some legal jurisdiction it might be a hobby, in others it might be against the law. Hence accurately determining which legal jurisdiction is key.
At RIPE 84 I mentioned the possibility of publishing a name and city only and having RIPE hold the full address. This would likely be enough to unique identify a person (or at least a small number of potential people in a single city that would be few enough for law enforcement to all check out) while not publishing the full addresses of people who could be at risk for various reasons. It would also be enough information to identify multiple objects belonging to the same person, for example to block traffic from all of their networks. The full address could still be obtained from RIPE with a court order if required.
I think 'city' is too identifiable. If it is London, Paris, Berlin you could get away with this. If it is a village or very small town you will definitely identify people with that granularity. Perhaps a county, region, province would work. But either way the database makes no separation of address elements. All parts of an address are entered into "address:" or "descr:" attributes. Separating them out would be technically difficult.
What about the postal code? In which situations can a postal code identify *one* person? It sounds unfeasible to split "address:" into "street/door:" and "region/province:" ? Regards, Carlos
cheers denis proposal author
? Matthias Merkel