Hi Alex,

 

Undersood, and thanks a lot; it is very helpful to know that the ecommerce directive has a problem.

 

As said, I’m not advocating for RIPE to take actions if the operator doesn’t react on an abuse case.

 

What I’m trying to make sure, mainly, is that the abuse contact is a *real one*. The actual validation doesn’t ensure this. So the current situation (using your words) is not correct. I think this is the main problem. I believe most of the LIRs/end-users, don’t understand that there is a “small” problem here.

 

So a direct question. Do you think it is acceptable that RIPE NCC does a good validation (as done by ARIN, APNIC and soon LACNIC), or it is acceptable that any operator can use a fake email?

 

Regards,

Jordi

@jordipalet

 

 

 

El 16/1/20 18:04, "Alex de Joode" <adejoode@idgara.nl> escribió:

 

​Hi Jordi,

 

The inability based on the current ecommerce directive to adequately hold providers responsible when they ignore notices is the reason the Dutch government came up with some 'suggestions' on how to fix these. I'm involved in mitigating the adverse effects of these proposals. (I'm a lawyer and a lobbyist, so a double bad ;))

 

In my opinion RIPE should ensure those willing have an easy means of knowing who to contact. (that is the current situation) 

 

Full mailboxes/bounces etc is something the resource holder should take care of himself. Resource holders who are not interested in properly handling notices, and are striving for a 'McColo status' should be dealt with. However that should not be a role nor a responsibility of RIPE. Europol' EC3, JIT's, local police etc should primarily deal with this (yes takes time and effeort).  Advocating for a role for RIPE basically is outsourcing policing (based on Term of Service, something advocated by "your local police" as this looks like a "quick fix" however expect them to insist your ToS needs to have an article "x" and "y" soon.), and removes a lot of due process safeguards you have under the criminal system. If the internet is a "wretched hive of scum and villainy" the powers that be should allocate enough resources to deal with the problem.

 

​-- 

IDGARA | Alex de Joode | alex@idgara.nl | +31651108221 | Skype:adejoode


On Thu, 16-01-2020 17h 17min, JORDI PALET MARTINEZ via anti-abuse-wg <anti-abuse-wg@ripe.net> wrote:

Hi Alex,

My reading of the eCommerce Directive (https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX:32000L0031) is different. Some points (most relevant text only):

(40) …  the provisions of this Directive relating to liability should not preclude the development and effective operation, by the different interested parties, of technical systems of protection and identification and of technical surveillance instruments …

(44) A service provider who deliberately collaborates with one of the recipients of his service in order to undertake illegal acts goes beyond the activities of "mere conduit" or "caching" and as a result cannot benefit from the liability exemptions established for these activities.

(46) In order to benefit from a limitation of liability, the provider of an information society service, consisting of the storage of information, upon obtaining actual knowledge or awareness of illegal activities has to act expeditiously to remove or to disable access to the information concerned ...

So, if I'm reading it correctly (not being a lawyer), a service provider not acting against abuse when it has been informed of so, is liable. I'm sure if the service provider tries to avoid being "informed" by not looking at notifications (email, postal, fax, etc.), they will also be liable in front of courts.

Regards,
Jordi
@jordipalet



El 16/1/20 16:40, "Alex de Joode" <alex@idgara.nl> escribió:

​Jordi,

Nice analogy, but when you add the eCommerce Directive into the mix, where a network provider (or hosting provider) is not liable for what their users do, the outcome changes. Only if you have knowledge there might be a possibility for liability, but if you do not accept abuse notices, and therefore do not have knowledge you are not liable. Also note there is no monitoring obligation, but if you do monitor you can gain knowledge and become liable for -everything-. So the current legal environment (in the EU) isn't very 'pro' abuse handling.
​-- 
IDGARA | Alex de Joode | alex@idgara.nl | +31651108221 | Skype:adejoode

On Thu, 16-01-2020 15h 18min, JORDI PALET MARTINEZ via anti-abuse-wg <anti-abuse-wg@ripe.net> wrote:
Let’s try to see it from another perspective.
 
If you’re an electricity provider, and one of your customers injects 1.000 v into the network and thus create damages to other customers (even from other electricity providers), the electricity provider must have the means to resolve the problem, disconnect that customer if needed, and pay the damages if the customer creating them don’t do that.
 
When this happens, most of the time, the customer insurance will cover it, initially, and then claim to the electricity provider insurance, which in turn, can claim to the customer creating the trouble.
 
If insurance doesn’t work, most of the time, law will make the electricity provider responsible at the same level of the defaulting customer (especially if this one doesn’t pay the damages).
 
I’m sure that this is the same in every EU country. Can we agree on that?
 
This is totally symmetric to the Internet. An operator provides a service. If a customer is creating damages, even to customers of other operators, the minimum that the provider of the defaulting customer should be able to do is:
1) Receive the abuse report (it can be automated)
2) Investigate the abuse (it can be automated in many cases, especially if we mandate a format for the reporting, and there are open source tools that do that for most of the cases)
3) If it is against the AUP which its customers, take actions, warnings to the customer the first time, etc., even disconnecting the customer (of course, this means losing customers such as spammers that pay a lot …)
 
I don’t expect to respond to the abuse, but it’s nice to do. There are many open source ticket systems that do most of this.
 
I don’t expect to compensate the victims, but I’m sure it can be done if the victims go to the courts. No difference with the electricity example, just we don’t have (as I know) this kind of insurance for Internet abuses.
 
Actually, it will be very nice to have those insurances, because insurance companies have the power to put together many claims in the courts, so operators that don’t care about abuse pay for it.
 
Saludos,
Jordi
@jordipalet
 
 
 
El 16/1/20 15:03, "anti-abuse-wg en nombre de Volker Greimann" <anti-abuse-wg-bounces@ripe.net en nombre de vgreimann@key-systems.net> escribió:
 
Hi Sara,
isn't making the world (and the internet) first and foremost a job of law enforcement agencies like the police and Europol? While I agree that everyone has a role to play, crime prevention and protection of the public is part of the LEA job description, right? Civil society entities certainly have a role to play, but it does not help trying to deputize them into a role they do not carry.
I disagree that the contract language you quote puts any duty of care regarding the abuse of any networks by third parties on the parties to the agreement. That duty may arise from other sources, but this language is directed at its own information the party provides to RIPE NCC and the cooperation with any audits. Just because it includes the word security does not mean it refers to all thinkable security issues.
The ability of any part of the internet infrastructure to curtail abuse that somehow touches services it providers is usually severely curtailed and its ability to review abuse complaints is usually limited to the resources it provides. In many cases, that is simply not enough information to go on when dealing with many common forms of abuse.
Best,
Volker
Am 16.01.2020 um 14:23 schrieb Marcolla, Sara Veronica:
Very well put, Sérgio. Thank you for voicing clearly the concern of (at least a part of) the community.
 
We should not forget that, according to the provisions of RIPE NCC audits, “every party that has entered into an agreement with the RIPE NCC is contractually obliged to provide the RIPE NCC with complete, updated and accurate information necessary for the provision of the RIPE NCC services and to assist the RIPE NCC with audits and security checks”.  Complete, accurate information goes hand in hand with a duty of care, of promptly taking actions against abuse, and should be accompanied by a social responsibility of trying to make the Internet a safe and secure place for everyone, thus not enabling actively DDoS, spammers, and criminals in general.  
 
If the community does not agree that everyone has the right to a safe, spam free, crime free Internet, maybe we have some issue to solve here first.
 
 
Kind regards,
 
Sara
 
Europol - O3 European Cyber Crime Centre (EC3)
 
Eisenhowerlaan 73, 2517 KK
The Hague, The Netherlands
http://www.europol.europa.eu
 
 
From: anti-abuse-wg anti-abuse-wg-bounces@ripe.net On Behalf Of Sérgio Rocha
Sent: 16 January 2020 13:38
To: anti-abuse-wg@ripe.net
Subject: Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")
 
Hi,
 
Agree, This anti-abuse list seems the blocking group to any anit-abuse response measure.
It's amazing that nobody cant propose anything without receiving a shower of all sorts of arguments against
 
There is an idea that everyone has to hold, if as a community we cannot organize a policy, one of these days there will be a problem that will make governments take the opportunity to legislate and we will no longer have the free and open internet.
 
There are a feew ideas that is simple to understand:
 
1 - If you have been assigned a network you have responsibilities, paying should not be the only one.
2 - There is no problem with email, since ever are made solutions to integrate with emails. There is no need to invent a new protocol. Who has a lot of abuse, invests in integrating these emails.
3 - If you have no ability to manage abuse should not have addressing, leave it to professionals.
 
The internet is critical for everyone, the ability for actors to communicate with each other to respond to abuse must exist and RIPE must ensure that it exists.
It’s like the relation with local governments, there is a set of information that has to be kept up to date to avoid problems, in RIPE it must be the same.
 
Sergio
 
 
 
From: anti-abuse-wg [anti-abuse-wg-bounces@ripe.net] On Behalf Of Fi Shing
Sent: 16 de janeiro de 2020 04:55
To: anti-abuse-wg@ripe.net
Subject: Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")
 
 
>> Best not to judge the race until it has been fully run.
 
I just do not understand how anyone on this list (other than a criminal or a business owner that wants to reduce over heads by abolishing an employee who has to sit and monitor an abuse desk) could be talking about making it easier for abuse to flourish.
 
It is idiotic and is not ad hominem.
 
This list is filled with people who argue for weeks, perhaps months, about the catastrophic world ending dangers of making an admin verify an abuse address ONCE a year .... and then someone says "let's abolish abuse desk all together" and these idiots emerge from the wood work like the termites that they are and there's no resistance?
 
The good news is that nothing talked about on this list is ever implemented, so .. talk away you criminals.
 
 
 
 
 
--------- Original Message ---------
Subject: Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")
From: "Ronald F. Guilmette" <rfg@tristatelogic.com>
Date: 1/16/20 11:47 am
To: "anti-abuse-wg@ripe.net" <anti-abuse-wg@ripe.net>

In message <mailto:20200115155949.af7f9f79718891d8e76b551cf73e1563.e548b98006.mailapi@
email19.asia.godaddy.com>, "Fi Shing" <phishing@storey.xxx> wrote:

>That is the most stupid thing i've read on this list.

Well, I think you shouldn't be quite so harsh in your judgement. It is
not immediately apparent that you have been on the list for all that long.
So perhaps you should stick around for awhile longer before making such
comments. If you do, I feel sure that there will be any number of
stupider things that may come to your attention, including even a few
from your's truly.

Best not to judge the race until it has been fully run.

>Which criminal is paying you to say this nonsense, because no ordinary person
>that has ever received a spam email would ever say such crap.

I would also offer the suggestion that such inartful commentary, being as
it is, ad hominem, is not at all likely to advance your agenda. It may
have felt good, but I doubt that you have changed a single mind, other
than perhaps one or two who will now be persuaded to take the opposing
position, relative to whatever it was that you had hoped to achieve.


Regards,
rfg
*******************

DISCLAIMER : This message is sent in confidence and is only intended for the named recipient. If you receive this message by mistake, you may not use, copy, distribute or forward this message, or any part of its contents or rely upon the information contained in it.
Please notify the sender immediately by e-mail and delete the relevant e-mails from any computer. This message does not constitute a commitment by Europol unless otherwise indicated.

*******************
--
Volker A. Greimann

**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.



**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.





**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.