personal data in the RIPE Database
Colleagues

I have raised an issue on the DB WG mailing list about publishing in the database the identity of natural persons holding resources. So far no one has been willing or able to support any public interest value in doing so. As things stand all personal data in the RIPE Database will have to be removed, or hidden from public view. If you have an opinion about this the conversation is here
https://www.ripe.net/ripe/mail/archives/db-wg/2022-May/007432.html

cheers
denis
2022-01 proposal author
Denis

Where’s the actual proposal?

I’d love to get my personal details removed – especially as they’re for an address I no longer occupy!

Regards

Michele

--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
https://blacknight.blog/
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845

From: anti-abuse-wg <anti-abuse-wg-bounces@ripe.net> on behalf of denis walker <ripedenis@gmail.com>
Date: Tuesday, 31 May 2022 at 14:12
To: anti-abuse-wg <anti-abuse-wg@ripe.net>
Subject: [anti-abuse-wg] personal data in the RIPE Database

[EXTERNAL EMAIL] Please use caution when opening attachments from unrecognised sources.

Colleagues

I have raised an issue on the DB WG mailing list about publishing in the database the identity of natural persons holding resources. So far no one has been willing or able to support any public interest value in doing so. As things stand all personal data in the RIPE Database will have to be removed, or hidden from public view. If you have an opinion about this the conversation is here
https://www.ripe.net/ripe/mail/archives/db-wg/2022-May/007432.html

cheers
denis
2022-01 proposal author

--
To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: https://lists.ripe.net/mailman/listinfo/anti-abuse-wg
Hi Michele

The proposal is here
https://www.ripe.net/participate/policies/proposals/2022-01

cheers
denis
proposal author

On Tue, 31 May 2022 at 18:07, Michele Neylon - Blacknight <michele@blacknight.com> wrote:
Denis
Where’s the actual proposal?
I’d love to get my personal details removed – especially as they’re for an address I no longer occupy!
Regards
Michele
Good morning Denis/everyone,

I believe that personal data in the RIPE public database is unwanted and adds no value at all to the public interest. Removing personal data instead of replacing it with actual "responsible organisation" data is unwanted also.

To me as a public interest user, personal data like assignments of IP addresses is the same as no data at all and should be avoided at all costs. The fact that a real person can be responsible for an IP address shows how immature the solution actually is.

When I look at the abuse that online services receive, my guess is that ~50% of online traffic is unwanted! I'm currently crunching the numbers so I can back my statements, but this is what I got so far.

Access log for one online service
Total different IPs: little over 11K
High risk IPs: 276 (combined hosting/rdp/etc)
Abusers: 21 (blocked in next update)

In the same period I blocked 173K requests (not IP, still need to process this part).

This would mean in terms of abuse I would have to send thousands of abuse emails for this single service only (this would be just stupid). How effective will that be if you send them to a "responsible person"?

When I go to a grocery and steal or wreck something on purpose and get caught, the police will come and I will get a big fine..... or even jail time. When I catch an abuser in the Wild Wild West, the internet makes it cost me even more money! (Shouldn't I be paid for catching them?)

Clearly the whole abuse part of RIPE isn't working and will never go to work as long as nobody can be held responsible for the actual damage that has been done.

I would like to suggest the following:
- Remove all personal data and replace with actual data from responsible companies
- Change the current contracts with all responsible companies where they will have to pay a fine if any of their IPs has been detected and confirmed to produce abusive traffic.
- Part of the fine will be paid to the company that caught the abuser and the other part goes to RIPE for administrative costs.

With the above we move the problem away from the victims to the causers, as it should have been from the beginning! And yes, the hosting companies will start crying about this since they never really had to take responsibility for their end-users and probably only see a small portion of the actual abuse since most abuse never gets reported since it costs the victims extra money....

If for some reason there is no company behind any personal registration, I believe the resources should be removed from that member unless there is a very good reason to keep a person responsible (I can't think of any).

I'm not good at putting documents or presentations together (RIPE 84), so my excuse for that, but I do have the data to back up all of the above!

Kind regards,
Jeroen

-----Original message-----
From: anti-abuse-wg <anti-abuse-wg-bounces@ripe.net> On behalf of denis walker
Sent: Tuesday 31 May 2022 19:27
To: Michele Neylon - Blacknight <michele@blacknight.com>
CC: anti-abuse-wg <anti-abuse-wg@ripe.net>
Subject: Re: [anti-abuse-wg] personal data in the RIPE Database

Hi Michele

The proposal is here
https://www.ripe.net/participate/policies/proposals/2022-01

cheers
denis
proposal author
Jeroen

“- Change the current contracts with all responsible companies where they will have to pay a fine if any of their IPs has been detected and confirmed to produce abusive traffic.”

That will never happen and suggesting it is not helpful.

Nobody is ever going to agree to it and it’s completely unworkable.

Regards

Michele

From: anti-abuse-wg <anti-abuse-wg-bounces@ripe.net> on behalf of jeroen@hackersbescherming.nl <jeroen@hackersbescherming.nl>
Date: Wednesday, 1 June 2022 at 11:01
To: 'denis walker' <ripedenis@gmail.com>
Cc: 'anti-abuse-wg' <anti-abuse-wg@ripe.net>
Subject: Re: [anti-abuse-wg] personal data in the RIPE Database

Good morning Denis/everyone,

I believe that personal data in the RIPE public database is unwanted and adds no value at all to the public interest. Removing personal data instead of replacing it with actual "responsible organisation" data is unwanted also.

To me as a public interest user, personal data like assignments of IP addresses is the same as no data at all and should be avoided at all costs. The fact that a real person can be responsible for an IP address shows how immature the solution actually is.

When I look at the abuse that online services receive, my guess is that ~50% of online traffic is unwanted! I'm currently crunching the numbers so I can back my statements, but this is what I got so far.

Access log for one online service
Total different IPs: little over 11K
High risk IPs: 276 (combined hosting/rdp/etc)
Abusers: 21 (blocked in next update)

In the same period I blocked 173K requests (not IP, still need to process this part).

This would mean in terms of abuse I would have to send thousands of abuse emails for this single service only (this would be just stupid). How effective will that be if you send them to a "responsible person"?

When I go to a grocery and steal or wreck something on purpose and get caught, the police will come and I will get a big fine..... or even jail time. When I catch an abuser in the Wild Wild West, the internet makes it cost me even more money! (Shouldn't I be paid for catching them?)

Clearly the whole abuse part of RIPE isn't working and will never go to work as long as nobody can be held responsible for the actual damage that has been done.

I would like to suggest the following:
- Remove all personal data and replace with actual data from responsible companies
- Change the current contracts with all responsible companies where they will have to pay a fine if any of their IPs has been detected and confirmed to produce abusive traffic.
- Part of the fine will be paid to the company that caught the abuser and the other part goes to RIPE for administrative costs.

With the above we move the problem away from the victims to the causers, as it should have been from the beginning! And yes, the hosting companies will start crying about this since they never really had to take responsibility for their end-users and probably only see a small portion of the actual abuse since most abuse never gets reported since it costs the victims extra money....

If for some reason there is no company behind any personal registration, I believe the resources should be removed from that member unless there is a very good reason to keep a person responsible (I can't think of any).

I'm not good at putting documents or presentations together (RIPE 84), so my excuse for that, but I do have the data to back up all of the above!

Kind regards,
Jeroen
Michele,

I have a question for you then.

What would happen if I can find more people that actually would want this than you can find people that don't want this. Would that make a difference?

I'm very curious about your answer.

Kind regards

From: Michele Neylon - Blacknight <michele@blacknight.com>
Sent: Wednesday 1 June 2022 13:05
To: jeroen@hackersbescherming.nl; 'denis walker' <ripedenis@gmail.com>
CC: 'anti-abuse-wg' <anti-abuse-wg@ripe.net>
Subject: Re: [anti-abuse-wg] personal data in the RIPE Database

Jeroen

"- Change the current contracts with all responsible companies where they will have to pay a fine if any of their IPs has been detected and confirmed to produce abusive traffic."

That will never happen and suggesting it is not helpful.

Nobody is ever going to agree to it and it's completely unworkable.

Regards

Michele
No, because RIPE has no authority to fine anyone. If you think someone is intentionally sending you malicious traffic, the police is the point of contact for you.

— Matthias Merkel

On June 2, 2022, 3:27 PM GMT+2 jeroen@hackersbescherming.nl wrote:

Michele,

I have a question for you then.

What would happen if I can find more people that actually would want this than you can find people that don’t want this. Would that make a difference?

I’m very curious about your answer.

Kind regards
That could be changed, if you ask me, by contractual changes RIPE has with its members.

But I kinda get the feeling people in this group don't want to make the internet a better place!

Kind regards

From: Matthias Merkel <matthias.merkel@staclar.com>
Sent: Thursday 2 June 2022 15:31
To: jeroen@hackersbescherming.nl; 'Michele Neylon - Blacknight' <michele@blacknight.com>; 'denis walker' <ripedenis@gmail.com>
CC: 'anti-abuse-wg' <anti-abuse-wg@ripe.net>
Subject: Re: [anti-abuse-wg] personal data in the RIPE Database

No, because RIPE has no authority to fine anyone. If you think someone is intentionally sending you malicious traffic, the police is the point of contact for you.

- Matthias Merkel
Denis
Where's the actual proposal?
I'd love to get my personal details removed - especially as they're for an
address I no longer occupy!
Regards
Michele
--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845
From: anti-abuse-wg <anti-abuse-wg-bounces@ripe.net> on behalf of denis walker <ripedenis@gmail.com>
Date: Tuesday, 31 May 2022 at 14:12
To: anti-abuse-wg <anti-abuse-wg@ripe.net>
Subject: [anti-abuse-wg] personal data in the RIPE Database
Colleagues
I have raised an issue on the DB WG mailing list about publishing in the database the identity of natural persons holding resources. So far no one has been willing or able to support any public interest value in doing so. As things stand all personal data in the RIPE Database will have to be removed, or hidden from public view. If you have an opinion about this the conversation is here https://www.ripe.net/ripe/mail/archives/db-wg/2022-May/007432.html
cheers denis 2022-01 proposal author
In message <MR1P264MB36029BFE56CD4C0FF6061831E6DE9@MR1P264MB3602.FRAP264.PROD.OUTLOOK.COM>, Matthias Merkel <matthias.merkel@staclar.com> wrote:
... If you think someone is intentionally sending you malicious traffic, the police is the point of contact for you.
Yes, because in practice THAT works oh so well! Worldwide, and even in Russia, the police just LOVE cleaning up the messes that we in the networking community have managed to manufacture for ourselves. Sigh. If only we didn't first have to educate them all on the meaning of the word "packet". Regards, rfg
Jeroen
RIPE policy is not decided by a vote or astro-turfing.
Also what you are proposing is over simplistic and would be impossible to operationalise without bankrupting the NCC.
What is "abusive traffic"? Who decides what is or is not "abusive"? Who is going to enforce this? How?
Bear in mind that RIPE does not have the power to fine a member, so that would have to change. And I can't imagine RIPE's Board or management would want to be put in that position. I know that most of the members wouldn't want RIPE to have that kind of power.
Now if you want to run your own network and impose those kind of sanctions on your own users you are free to do so.
Also if you want to effect change then you should do research into why things are the way they are now and who you are dealing with and where they are coming from.
Regards
Michele
--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
https://blacknight.blog/
http://ceo.hosting/
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265, Ireland Company No.: 370845
________________________________________
From: jeroen@hackersbescherming.nl <jeroen@hackersbescherming.nl>
Sent: Thursday 2 June 2022 14:27
To: Michele Neylon - Blacknight; 'denis walker'
Cc: 'anti-abuse-wg'
Subject: RE: [anti-abuse-wg] personal data in the RIPE Database
Michele,
I have a question for u then. What would happen if i can find more people that actually would want this than u can find people that don’t want this. Would that make a difference? I’m very curious on your answer.
Kind regards
Ok, in a period of 6-7 weeks i gathered 6425 unique IP addresses that were used in an abusive way on a single online service, excluding the 21 that were found in the access log. So i blocked 99,66% of the unwanted traffic for this particular service
Think about;
- scanning for vulnerabilities
- overloading resources
- unwanted search engines
- data mining
What gives them the right to use the end customer's resources without the end customer's permission (that is abuse)
Since nobody will go to the police with this since they only have national authorities, what u people are suggesting is just crazy and shows me that u people never looked at log files in a way to determine what quality traffic is and everything else is unwanted "abusive" traffic. When i show this data to the end customers they first of all never knew this was happening and they think this is disgusting.
The owner of the service should always be the one who decides what is abusive!!!
The fact that u don't know who is going to enforce something like this and send people to the police who are incapable to do anything with this kind of data only shows how bad the current (stone age) solution is. When i then come with a possible solution that would actually solve the problem (it is not helping at all to say a solution is not helping when u don't have an alternative). And yes there would still be a lot of variables that need to be looked at as described below, but when done the right way it would solve the problem and evolve the internet to a better place.
But again, i get the feeling this group hardly has any people in it from the public interest and is basically filled with internet cowboys who don't care about all the crap that is being pushed over the internet. I have gotten the feeling that Ripe is just a waste of my time when u give answers like u have done so far!
And with that being said, this will be my last reply in Ripe mailing lists since i get the feeling that the whole Ripe organisation is just looking the other way when something obviously wrong is going on....
Kind regards,
Jeroen
-----Original Message-----
From: Michele Neylon - Blacknight <michele@blacknight.com>
Sent: Thursday 2 June 2022 15:36
To: jeroen@hackersbescherming.nl; 'denis walker' <ripedenis@gmail.com>
CC: 'anti-abuse-wg' <anti-abuse-wg@ripe.net>
Subject: Re: [anti-abuse-wg] personal data in the RIPE Database
Jeroen
RIPE policy is not decided by a vote or astro-turfing.
Also what you are proposing is over simplistic and would be impossible to operationalise without bankrupting the NCC.
What is "abusive traffic"? Who decides what is or is not "abusive"? Who is going to enforce this? How?
Bear in mind that RIPE does not have the power to fine a member, so that would have to change. And I can't imagine RIPE's Board or management would want to be put in that position. I know that most of the members wouldn't want RIPE to have that kind of power.
Now if you want to run your own network and impose those kind of sanctions on your own users you are free to do so.
Also if you want to effect change then you should do research into why things are the way they are now and who you are dealing with and where they are coming from.
Regards
Michele
6,000 abusive IPs is quite few. I think most people on this list are aware about abuse on the internet (this is what the group is about after all). The question is not whether this usage is wrong, it's whether RIPE is the right venue to enforce it. RIPE is only one of several RIRs, so this would hardly be a worldwide solution. Police also cooperate internationally (especially within certain regions such as the EU), so I'm not sure how RIPE would be better there. Some countries, such as the UK and US, have websites where you can report internet-based crime originating from their jurisdictions. If RIPE were to enforce anti-abuse rules, we would need an objective definition of abuse. We can't have the service operator define it for every case because then people would just say anything except paying customers is abuse as they have a financial incentive to do so. Also, what happens if abusive traffic is generated due to hacked devices for example? — Matthias Merkel [https://cdn.staclar.com/logos/novecore/newlogo.png] [Sent from Front] On June 2, 2022, 4:16 PM GMT+2 jeroen@hackersbescherming.nl<mailto:jeroen@hackersbescherming.nl> wrote: Ok, in a period of 6-7 weeks i gathered 6425 unique IP addresses that where used in an abusive way on a single online service, excluding the 21 that where found in the access log. So i blocked 99,66% of the unwanted traffic fort his particular service Think about; - scanning for vulnarabilities - overloading resources - unwanted search engines - data mining What gives them the right to use the end customers resources without the end customers permission (that is abuse) Since nobody will goto the police with this since they only have national authorities, what u people are suggesting is just crazy and shows me that u people never looked at log files in a way to determine what quality traffic is and everything else is unwanted "abusive" traffic. 
When i show this data to the end customers they first of all never knew this was happening and they think this is discusting. The owner of the service should always be the one who decides what is abusive!!! The fact that u don't know who is going to enforce something like this and send people to the police who are uncapable todo anything with this kind of data only shows how bad the current (stoneage) solution is. When i then come with a possible solution that would actually solve the problem (it is not helping at all to say a solution is not helping when u don't have an alternative). And yes there would still be a lot of variables that need tobe looked at as desribed below, but when done the right way it would solve the problem and evolve the internet to a better place. But again, i get the feeling this group hardly has any people in it from the public interest and is bassicly filled with internet cowboys who don't care about all the crap that is being pushed over the internet. I have gotten the feeling that Ripe is just a waste of my time when u give answers like u have done so far! And with that being said, this will be my last reply in Ripe mailing lists since i get the feeling that the whole Ripe organisation is just looking the other way when something obviously wrong is going on.... Kind regards, Jeroen -----Oorspronkelijk bericht----- Van: Michele Neylon - Blacknight <michele@blacknight.com<mailto:michele@blacknight.com>> Verzonden: donderdag 2 juni 2022 15:36 Aan: jeroen@hackersbescherming.nl<mailto:jeroen@hackersbescherming.nl>; 'denis walker' <ripedenis@gmail.com<mailto:ripedenis@gmail.com>> CC: 'anti-abuse-wg' <anti-abuse-wg@ripe.net<mailto:anti-abuse-wg@ripe.net>> Onderwerp: Re: [anti-abuse-wg] personal data in the RIPE Database Jeroen RIPE policy is not decided by a vote or astro-turfing. Also what you are proposing is over simplistic and would be impossible to operationalise without bankrupting the NCC. What is "abusive traffic"? 
Who decides what is or is not "abusive"? Who is going to enforce this? How? Bear in mind that RIPE does not have the power to fine a member, so that would have to change. And I can't imagine RIPE's Board or management would want to be put in that position. I know that most of the members wouldn't want RIPE to have that kind of power. Now if you want to run your own network and impose those kind of sanctions on your own users you are free to do so. Also if you want to effect change then you should do research into why things are the way they are now and who you are dealing with and where they are coming from. Regards Michele -- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com/ https://blacknight.blog/ http://ceo.hosting/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265, Ireland Company No.: 370845 ________________________________________ From: jeroen@hackersbescherming.nl<mailto:jeroen@hackersbescherming.nl> <jeroen@hackersbescherming.nl<mailto:jeroen@hackersbescherming.nl>> Sent: Thursday 2 June 2022 14:27 To: Michele Neylon - Blacknight; 'denis walker' Cc: 'anti-abuse-wg' Subject: RE: [anti-abuse-wg] personal data in the RIPE Database [EXTERNAL EMAIL] Please use caution when opening attachments from unrecognised sources. Michele, I have a question for u then. What would happen if i can find more people that actually would want this then u can find people that don't want this. Would that make a difference? I'm very curious on your answer. 
Kind regards Van: Michele Neylon - Blacknight <michele@blacknight.com<mailto:michele@blacknight.com>> Verzonden: woensdag 1 juni 2022 13:05 Aan: jeroen@hackersbescherming.nl<mailto:jeroen@hackersbescherming.nl>; 'denis walker' <ripedenis@gmail.com<mailto:ripedenis@gmail.com>> CC: 'anti-abuse-wg' <anti-abuse-wg@ripe.net<mailto:anti-abuse-wg@ripe.net>> Onderwerp: Re: [anti-abuse-wg] personal data in the RIPE Database Jeroen "- Change the current contracts with all responsible companies where they will have to pay a fine if any of their ip's has been detected and confirmed to produce abusive traffic. " That will never happen and suggesting it is not helpful. Nobody is ever going to agree to it and it's completely unworkable. Regards Michele -- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com/ https://blacknight.blog/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Personal blog: https://michele.blog/ Some thoughts: https://ceo.hosting/ ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845 From: anti-abuse-wg <anti-abuse-wg-bounces@ripe.net<mailto:anti-abuse-wg-bounces@ripe.net><mailto:anti-abuse-wg-bounces@ripe.net>> on behalf of jeroen@hackersbescherming.nl<mailto:jeroen@hackersbescherming.nl><mailto:jeroen@hackersbescherming.nl> <jeroen@hackersbescherming.nl<mailto:jeroen@hackersbescherming.nl><mailto:jeroen@hackersbescherming.nl>> Date: Wednesday, 1 June 2022 at 11:01 To: 'denis walker' <ripedenis@gmail.com<mailto:ripedenis@gmail.com><mailto:ripedenis@gmail.com>> Cc: 'anti-abuse-wg' <anti-abuse-wg@ripe.net<mailto:anti-abuse-wg@ripe.net><mailto:anti-abuse-wg@ripe.net>> Subject: Re: [anti-abuse-wg] personal data in the RIPE Database [EXTERNAL EMAIL] Please use caution when opening attachments from unrecognised sources. 
Good morning Denis/everyone,
I believe that personal data in the RIPE public database is unwanted and adds no value at all to the public interest. Removing personal data instead of replacing it with actual "responsible organisation" data is unwanted also. To me as a public interest user personal data like assignments of ip addresses is the same as no data at all and should be avoided at all costs. The fact that a real person can be responsible for an ip address shows how immature the solution actually is.
When i look at the abuse that online services receive my guess is that ~50% of online traffic is unwanted! I'm currently crunching the numbers so i can back my statements but this is what i got so far.
Access log for one online service
Total different ip's : little over 11K
High risk ip's: 276 (combined hosting/rdp/etc)
Abusers: 21 (blocked in next update)
In the same period i blocked 173K requests (not IP still need to process this part)
This would mean in terms of abuse i would have to send thousands of abuse emails for this single service only (this would be just stupid) how effective will that be if u send them to a "responsible person"?
When i go to a grocery and steal or wreck something on purpose and get caught the police will come and i will get a big fine..... or even jail time. When i catch an abuser in the Wild Wild West, the internet makes it cost me even more money! (shouldn't i be paid for catching them?)
Clearly the whole abuse part of Ripe isn't working and will never go to work as long as nobody can be held responsible for the actual damage that has been done.
I would like to suggest the following:
- Remove all personal data and replace with actual data from responsible companies
- Change the current contracts with all responsible companies where they will have to pay a fine if any of their ip's has been detected and confirmed to produce abusive traffic.
- Part of the fine will be paid to the company that caught the abuser and other part goes to Ripe for administrative costs.
With the above we move the problem away from the victims to the causers as it should have been from the beginning!
And yes the hosting companies will start crying about this since they never really had to take responsibility for their end-users and probably only see a small portion of the actual abuse since most abuse never gets reported since it costs the victims extra money....
If for some reason there is no company behind any personal registration i believe the resources should be removed from that member unless there is a very good reason to keep a person responsible (i can't think of any)
I'm not good at putting documents or presentations together (Ripe 84), so my excuse for that but i do have the data to backup all of the above!
Kind regards,
Jeroen
-----Original message-----
From: anti-abuse-wg <anti-abuse-wg-bounces@ripe.net> On behalf of denis walker
Sent: Tuesday 31 May 2022 19:27
To: Michele Neylon - Blacknight <michele@blacknight.com>
CC: anti-abuse-wg <anti-abuse-wg@ripe.net>
Subject: Re: [anti-abuse-wg] personal data in the RIPE Database
Hi Michele
The proposal is here https://www.ripe.net/participate/policies/proposals/2022-01
cheers denis
proposal author
On Tue, 31 May 2022 at 18:07, Michele Neylon - Blacknight <michele@blacknight.com> wrote:
Denis
Where's the actual proposal?
I'd love to get my personal details removed - especially as they're for an
address I no longer occupy!
Regards
Michele
--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845
From: anti-abuse-wg <anti-abuse-wg-bounces@ripe.net> on behalf of denis walker <ripedenis@gmail.com>
Date: Tuesday, 31 May 2022 at 14:12
To: anti-abuse-wg <anti-abuse-wg@ripe.net>
Subject: [anti-abuse-wg] personal data in the RIPE Database
[EXTERNAL EMAIL] Please use caution when opening attachments from
unrecognised sources.
Colleagues
I have raised an issue on the DB WG mailing list about publishing in the database the identity of natural persons holding resources. So far no one has been willing or able to support any public interest value in doing so. As things stand all personal data in the RIPE Database will have to be removed, or hidden from public view. If you have an opinion about this the conversation is here https://www.ripe.net/ripe/mail/archives/db-wg/2022-May/007432.html
cheers denis 2022-01 proposal author
In message <009401d8768b$4286eca0$c794c5e0$@hackersbescherming.nl>, jeroen@hackersbescherming.nl wrote:
But again, i get the feeling this group hardly has any people in it from the public interest and is basically filled with internet cowboys who don't care about all the crap that is being pushed over the internet.
I have gotten the feeling that Ripe is just a waste of my time when u give answers like u have done so far!
And with that being said, this will be my last reply in Ripe mailing lists since i get the feeling that the whole Ripe organisation is just looking the other way when something obviously wrong is going on....
For whatever little it's worth, everything you just said is 100% accurate, and it explains why I myself have largely stopped wasting any more of my time trying to create change within the RIPE structures of power. They don't care, and they are not obliged to care, under law. So they can do whatever they want, and do. They hide information that should be public, using GDPR as a pretense, and allow members to put any gibberish they want into WHOIS records. If you ever have the audacity to ask anybody connected with RIPE for the REAL identification of the REAL owners of any given IP block, RIPE's corporate legal counsel will tell you to come back with a warrant or else go pound sand, because no law obliges them to give this to you, and neither ethical considerations nor public policy considerations carry any weight with RIPE whatsoever. It's all just about preserving the status quo and protecting the guilty. (As regards to the former, all you have to do is to just look at the remarkable absence of ANY progress or notable achievement whatsoever by this, the so-called Anti-Abuse Working Group, over the past 10+ years. The group managers, together with a small group of reliable naysayers, have been rather spectacularly successful at suppressing any meaningful action or decisions whatsoever for at least that long and, i believe, longer.) And it's even getting worse, day by day. Now they are considering hiding EVEN MORE of the WHOIS data. The excuse, once again, is GDPR. They don't really care to get any input from either law enforcement or legitimate security researchers. God NO! That might force them to at least have to acknowledge the existence of some other point of view that doesn't conform to their already planned agenda of recalcitrance, obstructionism, consistent inaction, and protecting the guilty.
And yes, over the years this do-nothing agenda has been quite successful in driving out of these groups and these mailing lists anybody and everybody who had ever hoped for some positive change but who valued their time and came to realize that they were just pounding their head against an impenetrable wall... a wall created deliberately, and in no small measure by the "consensus" rule that requires EVERYONE to agree before anything at all can happen... a moronic rule that applies also in the structures of the European Union (EU) and that at least some of the elected members of that body have now gone on television to say is (now) glaringly and rather obviously unworkable, in practice. Welcome to the institutionalized dysfunction that is Europe and RIPE -- the only place on earth where you may be assured of perfect, continued, and uninterrupted Internet connectivity for your country's hacking and crypto-scam communities, even as you threaten to touch off World War III.
Regards,
rfg
Hi, (please see inline) On Thu, 2 Jun 2022, Michele Neylon - Blacknight via anti-abuse-wg wrote:
Jeroen
RIPE policy is not decided by a vote or astro-turfing.
Exactly, new policies can in fact be blocked by 2 or 3 individuals. Even with bogus arguments. And there is a certain group of people that always ensures that, if the status quo is somehow at stake. The astro-turfing argument is the most bogus argument i've seen over the years in these lists. The policy process is expected/defined to be inclusive, but when someone talks about some possible changes in other communities, and new people do really come to this community to voice their opinion, then those newcomers that support policy changes are labelled as "astro-turfers", just because they don't share the views of the dominant "policy-making" group.
Also what you are proposing is over simplistic and would be impossible to operationalise without bankrupting the NCC.
That script is getting older and older. After the astro-turfing bit, then it comes the NCC's "armageddon" argument....... Boring. Cheers, Carlos
What is "abusive traffic"?
Who decides what is or is not "abusive"?
Who is going to enforce this?
How?
Bear in mind that RIPE does not have the power to fine a member, so that would have to change. And I can't imagine RIPE's Board or management would want to be put in that position. I know that most of the members wouldn't want RIPE to have that kind of power.
Now if you want to run your own network and impose those kind of sanctions on your own users you are free to do so.
Also if you want to effect change then you should do research into why things are the way they are now and who you are dealing with and where they are coming from.
Regards
Michele
On 31.05.22 at 15:12, denis walker wrote:
Colleagues
I have raised an issue on the DB WG mailing list about publishing in the database the identity of natural persons holding resources.
Hi, this mail triggered the expected avalanche of controversial responses, which quickly devolved into name-calling, so I prefer to respond to the original instead of any of the later responses. There are conflicting interests at work here. In your proposal, you mention the need to contact resource owners, which is probably accepted by most. However, besides wanting to contact someone, there is a legitimate need to identify bad actors and shun them with whatever means at your disposal (SpamAssassin rules, IP blocks, nullroutes, whatever). I do not want to communicate with them, just as I don't want to discuss with burglars about their actions! So, a mere contact database (which could contain fully anonymized forwarding addresses through a "privacy provider", like it's nowadays common for whois entries) would work for the purpose of contacting someone, but it does not work for identifying who can be held accountable for abuse emitted from a network range. For resources allocated to legal entities (companies, organizations, etc.) an identification of the organization should be mandatory. This does not need to include personal data on employees that happen to be responsible for network or abuse issues, I'm fine with role accounts here. So in this case, no objection to eliminate personal data (which often becomes stale anyway after some years). However, resources allocated to private persons are a bit different. I suppose very few private persons hold a /24 network range, and if they do, they probably fall squarely in the area of operating a business or other publicly visible enterprise under their personal name, and in many jurisdictions they are required to do so with identifying information. For example, in Germany you can't even have a web page without an imprint containing the names of people responsible for the content if you address the general public, and if you do business of any kind and you're not a corporation, you must do so under your name. 
I suppose that RIPE operates mostly on the level of legal entities that can be identified without naming individual persons. As such, it would be proper to clearly state that every database entry pertaining to a resource allocated through RIPE must contain truthful and usable identifying information of the resource holder. In German, that's "Ladungsfähige Anschrift" which was basically required to be an actual place of presence, but it appears that "virtual office" providers have succeeded in letting their addresses count as "Ladungsfähige Anschrift". I'm not a legal expert, I think this is wrong, but jurisprudence isn't always compatible with reason. Since RIPE isn't bound by German law, they may choose contractual wording that provides reasonable value for all parties involved. If all identifying information is lost, the abusers have won, as they have with domain whois already. Cheers, Hans-Martin
I agree that it must be possible to identify people who hold resources. Not just for other network operators but also so that organizations such as law enforcement are able to do so in emergency situations where contacting RIPE could be too slow. It is worth noting however that there now is a relatively large number of people operating networks as a hobby outside of any business activity. At RIPE 84 I mentioned the possibility of publishing a name and city only and having RIPE hold the full address. This would likely be enough to uniquely identify a person (or at least a small number of potential people in a single city that would be few enough for law enforcement to all check out) while not publishing the full addresses of people who could be at risk for various reasons. It would also be enough information to identify multiple objects belonging to the same person, for example to block traffic from all of their networks. The full address could still be obtained from RIPE with a court order if required.
— Matthias Merkel
On June 3, 2022, 10:29 AM GMT+2 anti-abuse-wg@ripe.net wrote:
On 31.05.22 at 15:12, denis walker wrote:
Colleagues
I have raised an issue on the DB WG mailing list about publishing in the database the identity of natural persons holding resources.
Hi, this mail triggered the expected avalanche of controversial responses, which quickly devolved into name-calling, so I prefer to respond to the original instead of any of the later responses. There are conflicting interests at work here. In your proposal, you mention the need to contact resource owners, which is probably accepted by most. However, besides wanting to contact someone, there is a legitimate need to identify bad actors and shun them with whatever means at your disposal (SpamAssassin rules, IP blocks, nullroutes, whatever). I do not want to communicate with them, just as I don't want to discuss with burglars about their actions! So, a mere contact database (which could contain fully anonymized forwarding addresses through a "privacy provider", like it's nowadays common for whois entries) would work for the purpose of contacting someone, but it does not work for identifying who can be held accountable for abuse emitted from a network range. For resources allocated to legal entities (companies, organizations, etc.) an identification of the organization should be mandatory. This does not need to include personal data on employees that happen to be responsible for network or abuse issues, I'm fine with role accounts here. So in this case, no objection to eliminate personal data (which often becomes stale anyway after some years). However, resources allocated to private persons are a bit different. I suppose very few private persons hold a /24 network range, and if they do, they probably fall squarely in the area of operating a business or other publicly visible enterprise under their personal name, and in many jurisdictions they are required to do so with identifying information. For example, in Germany you can't even have a web page without an imprint containing the names of people responsible for the content if you address the general public, and if you do business of any kind and you're not a corporation, you must do so under your name. 
I suppose that RIPE operates mostly on the level of legal entities that can be identified without naming individual persons. As such, it would be proper to clearly state that every database entry pertaining to a resource allocated through RIPE must contain truthful and usable identifying information of the resource holder. In German, that's "Ladungsfähige Anschrift" which was basically required to be an actual place of presence, but it appears that "virtual office" providers have succeeded in letting their addresses count as "Ladungsfähige Anschrift". I'm not a legal expert, I think this is wrong, but jurisprudence isn't always compatible with reason. Since RIPE isn't bound by German law, they may choose contractual wording that provides reasonable value for all parties involved. If all identifying information is lost, the abusers have won, as they have with domain whois already. Cheers, Hans-Martin
In message <c7b0643d-54db-6a97-999a-fbb9ce0980b7@heeg.de>, Hans-Martin Mosner <hmm@heeg.de> wrote:
For resources allocated to legal entities (companies, organizations, etc.) an identification of the organization should be mandatory.
Would you agree also that such identification of non-person legal entities that are the registrants of number resources should be: a) public, and b) accurate and consistent with the bona fides that were submitted to RIPE NCC at the time the member was made a member, and at any & all times thereafter when the non-person member requested or was granted number resources? If you say yes to both, then I am compelled to point out that there is, as far as I understand it, *no* requirement, within the RIPE region, at present for there to be *any* correlation between what appears in any public RIPE WHOIS record and the actual bona fides of the corresponding member, the -actual- identity of which remain secret & hidden behind an opaque wall of stony silence, backed up by RIPE's legal counsel. In short, everything you see in any and all public RIPE WHOIS records is subject to the whims of the corresponding member, whose true identity may be well and truly hidden, and thus, the WHOIS data often is nothing more than totally made-up bovine excrement. I hasten to add that this is due not to any single mistake or specific deliberate policy choice on the part of RIPE or its members or its legal counsel. Rather it is due entirely to the fundamental nature of RIPE which is a -private- member-based corporation, the membership of which is composed almost entirely of -private- corporate entities whose most sincere and fervent wish is to be accountable to, answerable to, and transparent to absolutely no one, and often times not even to their own shareholders[1] and/or Boards of Directors[2]. In short, I have some time ago given up entirely in the idea that RIPE could be gradually "reformed" to be more accountable, e.g. to the billion+ ordinary people who now rely on the number resources that it distributes. Reform isn't possible for an organization that has stealthy secrecy and deliberate opacity baked in, as a guiding principle, from its very inception.
Regards,
rfg
[1] The mere existence of "activist" investors like Carl Icahn illustrates the point that corporate entities many times do not even feel any special obligations to be honest, open, and transparent with their own shareholders, let alone the "unwashed masses" of the public at large.
[2] The now well-known story of the rise and fall of the U.S. corporation known as "Theranos" and its all-too-clever former CEO, Elizabeth Holmes, vividly demonstrates that management sometimes (often?) has incentives to keep even a company's own Board of Directors in the dark. And if management isn't telling the truth to its own Board, then they quite certainly are not likely to be truthful, open, honest or transparent with the public at large.
On 04.06.22 at 02:05, Ronald F. Guilmette wrote:
In message <c7b0643d-54db-6a97-999a-fbb9ce0980b7@heeg.de>, Hans-Martin Mosner <hmm@heeg.de> wrote:
For resources allocated to legal entities (companies, organizations, etc.) an identification of the organization should be mandatory. Would you agree also that such identification of non-person legal entities that are the registrants of number resources should be:
a) public, and
b) accurate and consistent with the bona fides that were submitted to RIPE NCC at the time the member was made a member, and at any & all times thereafter when the non-person member requested or was granted number resources?
Yes, with the addition that whenever the identification of a legal entity changes, it needs to be updated. "Accurate" and "consistent" may be at conflict when initial information was inaccurate, I'd prefer accurate over consistent.
If you say yes to both, then I am compelled to point out that there is, as far as I understand it, *no* requirement, within the RIPE region, at present for there to be *any* correlation between what appears in any public RIPE WHOIS record and the actual bona fides of the corresponding member, the -actual- identity of which remain secret & hidden behind an opaque wall of stony silence, backed up by RIPE's legal counsel.
I can't really judge this, but I see why that is your point of view. To be clear, I am just a participant in this mailing list, have never taken part in WG meetings, don't have the slightest insight into why certain information is withheld from public view, and as such I can only guess. Organizations with numerous stakeholders having different interests tend to be blocked by unanimous consensus and veto rules, so it's no surprise that RIPE seems to be afflicted by this, too. What such organizations need to come up with is a mechanism that allows them to deal with problem members without being blocked by them and their allies, while not succumbing to a dictatorship of the majority (majority decisions aren't always the best) or some central authority. As you point out, this is an issue with other organizations, too, but it's by far not limited to the ones you listed. I still believe in reason to a certain extent, although it takes a big leap of faith in light of reality. Cheers, Hans-Martin
In message <5f2f5fec-15cd-a307-dac4-366dd76b672d@heeg.de>, Hans-Martin Mosner <hmm@heeg.de> wrote:
If you say yes to both, then I am compelled to point out that there is, as far as I understand it, *no* requirement, within the RIPE region, at present for there to be *any* correlation between what appears in any public RIPE WHOIS record and the actual bona fides of the corresponding member, the -actual- identity of which remain secret & hidden behind an opaque wall of stony silence, backed up by RIPE's legal counsel.
I can't really judge this, but I see why that is your point of view.
It isn't a point of view. It's a simple fact and easy enough to verify. Members are allowed to put any garbage they like into their WHOIS records. Nobody will stop them, nobody will police them if they do this, and there exists no policy, rule, procedure, or mechanism to correct the WHOIS records if they contain absolute horse manure. And if you or I suspect that someone has in fact put inaccurate garbage into their WHOIS records, you can ask the ever helpful folks at RIPE NCC to let you see the actual bona fides documents that the corporate entity in question gave to RIPE NCC when it first became a RIPE member. You can ask, and you will be told to get lost, because that is considered to be "secret" and "confidential" info. Again, I'm talking about non-person CORPORATE entities here. And again, I'm talking about corporate legal registration documents... documents which SHOULD BE PUBLIC anyway due to EU Anti-Money Laundering rules. Yes, even the EU got tired of its own opacity when it came to shell companies and other corporate entities years ago, and they developed sets of "Anti Money Laundering Directives" that all of the EU member states were *supposed* to enact as local national laws years ago, starting, I guess, with 1AMLD, then 2AMLD, then 3AMLD, 4AMLD, and finally, in 2018, 5AMLD. But just like with RIPE, the EU member states, having approved these new transparency measures at the EU level were apparently loath to actually implement them, as required, as national laws in a majority of the EU countries. The result was that as of the year 2020, 22 out of 27 EU member states were still playing "hide the ball" with corporate registration and ownership information. This should be a scandalous embarrassment, but both the lethargic EU member countries and also RIPE have never been accused of having anything approximating shame. You can read the whole shameful story here: https://www.globalwitness.org/en/campaigns/corruption-and-money-laundering/a...
Of course this is just the EU/AML part. For now I won't even go into the story of the time law enforcement officers showed up at RIPE headquarters in 2009 and started asking questions in connection with a money laundering investigation they were working on... which apparently involved RIPE itself. Regards, rfg
Hi Ronald, All, On Sat, 4 Jun 2022, Ronald F. Guilmette wrote: (...)
Of course this is just the EU/AML part. For now I won't even go into the story of the time law enforcement officers showed up at RIPE headquarters in 2009 and started asking questions in connection with a money laundering investigation they were working on... which apparently involved RIPE itself.
Never heard anything about it. Any online references? Regards, Carlos
Hi Hans-Martin and Matthias [I have merged both your emails into one to address all your points.] Thanks guys for being the first people to start to address the question I have been pushing, which is "Why" do we need to identify resource holders? I had this in the back of my mind when I wrote the policy proposal but I didn't want to be the one to say it. I was hoping to hear it from other members of the community. Now we have it on the table. On Fri, 3 Jun 2022 at 10:29, Hans-Martin Mosner via anti-abuse-wg <anti-abuse-wg@ripe.net> wrote:
On 31.05.22 at 15:12, denis walker wrote:
Colleagues
I have raised an issue on the DB WG mailing list about publishing in the database the identity of natural persons holding resources.
There are conflicting interests at work here. In your proposal, you mention the need to contact resource owners, which is probably accepted by most.
However, besides wanting to contact someone, there is a legitimate need to identify bad actors and shun them with whatever means at your disposal (SpamAssassin rules, IP blocks, nullroutes, whatever). I do not want to communicate with them, just as I don't want to discuss with burglars about their actions!
This is starting to explain reasons why we need to identify resource holders, even natural persons.
So, a mere contact database (which could contain fully anonymized forwarding addresses through a "privacy provider", like it's nowadays common for whois entries) would work for the purpose of contacting someone, but it does not work for identifying who can be held accountable for abuse emitted from a network range.
I think there is general agreement that as long as a contact is contactable there is no need to identify the natural persons operating in that role. Accountability, and any subsequent enforcement action, needs an identity. This is the key element of why resource holders, even natural persons, need to be identifiable. Further questions still need to be answered like to what degree should they be identifiable, by what means and to who?
For resources allocated to legal entities (companies, organizations, etc.) an identification of the organization should be mandatory. This does not need to include personal data on employees that happen to be responsible for network or abuse issues, I'm fine with role accounts here. So in this case, no objection to eliminate personal data (which often becomes stale anyway after some years).
Again I think there is general agreement that for resource holders that are NOT natural persons the name, address and legal country must be included in the public data.
However, resources allocated to private persons are a bit different. I suppose very few private persons hold a /24 network range, and if they do, they probably fall squarely in the area of operating a business or other publicly visible enterprise under their personal name, and in many jurisdictions they are required to do so with identifying information. For example, in Germany you can't even have a web page without an imprint containing the names of people responsible for the content if you address the general public, and if you do business of any kind and you're not a corporation, you must do so under your name.
There are far more natural persons holding resources than you think. Looking at the membership list on the RIPE NCC's website, all the members are listed and you can see the natural persons. It has been argued that even if a natural person's details are listed on some other public business register, that alone is not a reason to publish those details in the RIPE Database. So what personally identifiable info should we publish about a natural person holding resources and what should we do with the rest of the currently available public info? Would it be reasonable to publish the name but not publish the (full) address publicly? Now I looked back at a presentation made by EUROPOL at RIPE 73 https://ripe73.ripe.net/archives/video/1501/ They were very clear that the address of resource holders is also very important to LEAs in their investigations. So I am going to make a controversial suggestion here. Currently we have two categories of registry data, Private and Public. The Public data is available to LEAs and their use of it is covered by agreed purposes of the RIPE Database defined in the Terms & Conditions. For Private data they need to get a court order, which is an expensive and time consuming process. Suppose we add a middle category Restricted data. This could be data like the address of natural persons who hold resources. Data that is now public but we are proposing to take out of the public domain. We could allow LEAs (and maybe other recognised public safety agencies) to continue to have access to this Restricted data without a court order. (There are technical ways of doing this which are out of scope for this discussion.) I know a lot of people have ideological phobias about allowing the police access to non-public data. They will be screaming at me right now for this suggestion...'it's giving the police a back door entry', 'it's the thin end of the wedge', 'where will it stop'... I understand those concerns. 
But I see allowing LEAs continued access to what is now public data as different from giving LEAs access to private data that they have never had access to in the past. It is a different direction. There is a lot of abuse and criminal activity on the internet. LEAs have a job to do. They need this data and often need it quickly. But we also have privacy concerns. So we are now considering taking out of the public domain some of that data that LEAs need. I see this as a compromise to allow LEAs continued access to what is now public data so they can do their job effectively, but also increase general privacy by taking this bit of data out of the public domain.
I suppose that RIPE operates mostly on the level of legal entities that can be identified without naming individual persons. As such, it would be proper to clearly state that every database entry pertaining to a resource allocated through RIPE must contain truthful and usable identifying information of the resource holder. In German, that's "Ladungsfähige Anschrift" which was basically required to be an actual place of presence, but it appears that "virtual office" providers have succeeded in letting their addresses count as "Ladungsfähige Anschrift". I'm not a legal expert, I think this is wrong, but jurisprudence isn't always compatible with reason.
Since RIPE isn't bound by German law, they may choose contractual wording that provides reasonable value for all parties involved. If all identifying information is lost, the abusers have won, as they have with domain whois already.
A situation we need to avoid.
On Fri, 3 Jun 2022 at 10:41, Matthias Merkel <matthias.merkel@staclar.com> wrote:
I agree that it must be possible to identify people who hold resources. Not just for other network operators but also so that organizations such as law enforcement are able to do so in emergency situations where contacting RIPE could be too slow.
I hope my controversial compromise above will do that.
It is worth noting however that there now is a relatively large number of people operating networks as a hobby outside of any business activity.
Some people may consider spamming or hacking a hobby.
At RIPE 84 I mentioned the possibility of publishing a name and city only and having RIPE hold the full address. This would likely be enough to uniquely identify a person (or at least a small number of potential people in a single city that would be few enough for law enforcement to all check out) while not publishing the full addresses of people who could be at risk for various reasons. It would also be enough information to identify multiple objects belonging to the same person, for example to block traffic from all of their networks. The full address could still be obtained from RIPE with a court order if required.
I think 'city' is too identifiable. If it is London, Paris, Berlin you could get away with this. If it is a village or very small town you will definitely identify people with that granularity. Perhaps a county, region, province would work. But either way the database makes no separation of address elements. All parts of an address are entered into "address:" or "descr:" attributes. Separating them out would be technically difficult.
cheers denis proposal author
— Matthias Merkel
Hi Denis, All,
(Please see inline, CSIRT hat=ON)
On Sun, 5 Jun 2022, denis walker wrote:
(...)
However, besides wanting to contact someone, there is a legitimate need to identify bad actors and shun them with whatever means at your disposal (SpamAssassin rules, IP blocks, nullroutes, whatever). I do not want to communicate with them, just as I don't want to discuss with burglars about their actions!
This is starting to explain reasons why we need to identify resource holders, even natural persons.
Exactly! When we are talking about companies, GDPR doesn't even apply. When we are talking about natural persons GDPR applies, but there is **purpose** and a minimal set of information **needs** to be available.
So, a mere contact database (which could contain fully anonymized forwarding addresses through a "privacy provider", like it's nowadays common for whois entries) would work for the purpose of contacting someone, but it does not work for identifying who can be held accountable for abuse emitted from a network range.
I think there is general agreement that as long as a contact is contactable there is no need to identify the natural persons operating in that role.
No. No. No. That is the general agreement for those who prefer to ignore network abuse, or for those who have business models based in abusing other people's networks.
Accountability, and any subsequent enforcement action, needs an identity. This is the key element of why resource holders, even natural persons, need to be identifiable. Further questions still need to be answered like to what degree should they be identifiable, by what means and to who?
Authorities, at least.
For resources allocated to legal entities (companies, organizations, etc.) an identification of the organization should be mandatory. This does not need to include personal data on employees that happen to be responsible for network or abuse issues, I'm fine with role accounts here. So in this case, no objection to eliminate personal data (which often becomes stale anyway after some years).
Again I think there is general agreement that for resource holders that are NOT natural persons the name, address and legal country must be included in the public data.
Yes. But... Please explain how the legal country of a natural person may help anyone determine accurately how to identify a single natural person. Because i don't see how. Even for micro-countries/economies. Simply by having the accurate (and verified by the RIPE NCC) legal country would be a big help in determining **which** is the legal jurisdiction the offender is on.
However, resources allocated to private persons are a bit different. I suppose very few private persons hold a /24 network range, and if they do, they probably fall squarely in the area of operating a business or other publicly visible enterprise under their personal name, and in many jurisdictions they are required to do so with identifying information. For example, in Germany you can't even have a web page without an imprint containing the names of people responsible for the content if you address the general public, and if you do business of any kind and you're not a corporation, you must do so under your name.
There are far more natural persons holding resources than you think.
Yes, i know.
Looking at the membership list on the RIPE NCC's website, all the members are listed and you can see the natural persons. It has been argued that even if a natural person's details are listed on some other public business register, that alone is not a reason to publish those details in the RIPE Database.
Again, there is **purpose**.
So what personally identifiable info should we publish about a natural person holding resources and what should we do with the rest of the currently available public info? Would it be reasonable to publish the name but not publish the (full) address publicly?
The full (verified by the RIPE NCC) address -- at least for LIRs -- would probably be more useful while determining legal jurisdiction, which is imho, the number 1 issue.
Now I looked back at a presentation made by EUROPOL at RIPE 73 https://ripe73.ripe.net/archives/video/1501/
They were very clear that the address of resource holders is also very important to LEAs in their investigations. So I am going to make a controversial suggestion here. Currently we have two categories of registry data, Private and Public. The Public data is available to LEAs and their use of it is covered by agreed purposes of the RIPE Database defined in the Terms & Conditions. For Private data they need to get a court order, which is an expensive and time consuming process. Suppose we add a middle category Restricted data. This could be data like the address of natural persons who hold resources. Data that is now public but we are proposing to take out of the public domain. We could allow LEAs (and maybe other recognised public safety agencies) to continue to have access to this Restricted data without a court order. (There are technical ways of doing this which are out of scope for this discussion.)
That sounds a step in the right direction. Court orders usually have one problem, you'll need to be sure about the legal jurisdiction. It's completely a waste of time to ask for a court order in jurisdiction X when the offender is sitting in jurisdiction Y.
I know a lot of people have ideological phobias about allowing the police access to non-public data. They will be screaming at me right now for this suggestion...'it's giving the police a back door entry', 'it's the thin end of the wedge', 'where will it stop'... I understand those concerns.
I manage a LIR for ~20 years. Hell, if someone is misusing our infrastructure/numbers, having LEA asking us questions so the abuse (and abusers) can be identified and stopped is a good thing, because our reputation is also at stake (as a service provider).
But I see allowing LEAs continued access to what is now public data as different from giving LEAs access to private data that they have never had access to in the past. It is a different direction.
There is a lot of abuse and criminal activity on the internet.
Yes there is. Glad we agree on that :-)))
LEAs have a job to do. They need this data and often need it quickly. But we also have privacy concerns. So we are now considering taking out of the public domain some of that data that LEAs need.
And that's wrong. And data quality is also an issue -- that should be tackled! When we see (in an object) an address from country X, phone from country Y, the country field with country Z, and a clearly bogus postal code, there is a long road to go in terms of data quality...
I see this as a compromise to allow LEAs continued access to what is now public data so they can do their job effectively, but also increase general privacy by taking this bit of data out of the public domain.
Yes. And i can support that compromise, but i suspect the only viable option for some business models is to block that compromise solution.
I suppose that RIPE operates mostly on the level of legal entities that can be identified without naming individual persons. As such, it would be proper to clearly state that every database entry pertaining to a resource allocated through RIPE must contain truthful and usable identifying information of the resource holder. In German, that's "Ladungsfähige Anschrift" which was basically required to be an actual place of presence, but it appears that "virtual office" providers have succeeded in letting their addresses count as "Ladungsfähige Anschrift". I'm not a legal expert, I think this is wrong, but jurisprudence isn't always compatible with reason.
Since RIPE isn't bound by German law, they may choose contractual wording that provides reasonable value for all parties involved. If all identifying information is lost, the abusers have won, as they have with domain whois already.
Domain whois is a real mess, and yes abusers have won on that front, as they are also winning on this :/ But you also raise an important issue. It's already very complex to manage the 27 EU national laws, but the RIPE NCC has not only to live with a 70++ service region, and beyond that also with LIRs that are based outside the service region -- which are also "allowed". And as we know, a part of those are really just the result of some "opacity engineering".
A situation we need to avoid.
I entirely agree, Denis.
On Fri, 3 Jun 2022 at 10:41, Matthias Merkel <matthias.merkel@staclar.com> wrote:
I agree that it must be possible to identify people who hold resources. Not just for other network operators but also so that organizations such as law enforcement are able to do so in emergency situations where contacting RIPE could be too slow.
I hope my controversial compromise above will do that.
It is worth noting however that there now is a relatively large number of people operating networks as a hobby outside of any business activity.
Some people may consider spamming or hacking a hobby.
And on some legal jurisdiction it might be a hobby, in others it might be against the law. Hence accurately determining which legal jurisdiction is key.
At RIPE 84 I mentioned the possibility of publishing a name and city only and having RIPE hold the full address. This would likely be enough to uniquely identify a person (or at least a small number of potential people in a single city that would be few enough for law enforcement to all check out) while not publishing the full addresses of people who could be at risk for various reasons. It would also be enough information to identify multiple objects belonging to the same person, for example to block traffic from all of their networks. The full address could still be obtained from RIPE with a court order if required.
I think 'city' is too identifiable. If it is London, Paris, Berlin you could get away with this. If it is a village or very small town you will definitely identify people with that granularity. Perhaps a county, region, province would work. But either way the database makes no separation of address elements. All parts of an address are entered into "address:" or "descr:" attributes. Separating them out would be technically difficult.
What about the postal code? In which situations can a postal code identify *one* person? It sounds unfeasible to split "address:" into "street/door:" and "region/province:" ? Regards, Carlos
cheers denis proposal author
— Matthias Merkel
Good points here. There is no shortage of bad actors who will be happy to register a netblock as a private individual if this means their data is obfuscated (and in whois, even forged / fake data is quite useful as part of a consistent pattern).
There have even been bogus LIRs - it used to be quite easy to set up an LLC and get a couple of /14s with an exclusive clientele of snowshoe operators, for example. --srs
From: anti-abuse-wg <anti-abuse-wg-bounces@ripe.net> on behalf of Carlos Friaças via anti-abuse-wg <anti-abuse-wg@ripe.net> Sent: Sunday, June 5, 2022 3:23:01 PM To: denis walker <ripedenis@gmail.com> Cc: anti-abuse-wg <anti-abuse-wg@ripe.net> Subject: Re: [anti-abuse-wg] personal data in the RIPE Database
Hi Denis, All,
(Please see inline, CSIRT hat=ON)
On Sun, 5 Jun 2022, denis walker wrote:
(...)
However, besides wanting to contact someone, there is a legitimate need to identify bad actors and shun them with whatever means at your disposal (SpamAssassin rules, IP blocks, nullroutes, whatever). I do not want to communicate with them, just as I don't want to discuss with burglars about their actions!
This is starting to explain reasons why we need to identify resource holders, even natural persons.
Exactly! When we are talking about companies, GDPR doesn't even apply. When we are talking about natural persons GDPR applies, but there is **purpose** and a minimal set of information **needs** to be available.
So, a mere contact database (which could contain fully anonymized forwarding addresses through a "privacy provider", like it's nowadays common for whois entries) would work for the purpose of contacting someone, but it does not work for identifying who can be held accountable for abuse emitted from a network range.
I think there is general agreement that as long as a contact is contactable there is no need to identify the natural persons operating in that role.
No. No. No. That is the general agreement for those who prefer to ignore network abuse, or for those who have business models based in abusing other people's networks.
Accountability, and any subsequent enforcement action, needs an identity. This is the key element of why resource holders, even natural persons, need to be identifiable. Further questions still need to be answered like to what degree should they be identifiable, by what means and to who?
Authorities, at least.
For resources allocated to legal entities (companies, organizations, etc.) an identification of the organization should be mandatory. This does not need to include personal data on employees that happen to be responsible for network or abuse issues, I'm fine with role accounts here. So in this case, no objection to eliminate personal data (which often becomes stale anyway after some years).
Again I think there is general agreement that for resource holders that are NOT natural persons the name, address and legal country must be included in the public data.
Yes. But... Please explain how the legal country of a natural person may help anyone determine accurately how to identify a single natural person. Because i don't see how. Even for micro-countries/economies. Simply by having the accurate (and verified by the RIPE NCC) legal country would be a big help in determining **which** is the legal jurisdiction the offender is on.
However, resources allocated to private persons are a bit different. I suppose very few private persons hold a /24 network range, and if they do, they probably fall squarely in the area of operating a business or other publicly visible enterprise under their personal name, and in many jurisdictions they are required to do so with identifying information. For example, in Germany you can't even have a web page without an imprint containing the names of people responsible for the content if you address the general public, and if you do business of any kind and you're not a corporation, you must do so under your name.
There are far more natural persons holding resources than you think.
Yes, i know.
Looking at the membership list on the RIPE NCC's website, all the members are listed and you can see the natural persons. It has been argued that even if a natural person's details are listed on some other public business register, that alone is not a reason to publish those details in the RIPE Database.
Again, there is **purpose**.
So what personally identifiable info should we publish about a natural person holding resources and what should we do with the rest of the currently available public info? Would it be reasonable to publish the name but not publish the (full) address publicly?
The full (verified by the RIPE NCC) address -- at least for LIRs -- would probably be more useful while determining legal jurisdiction, which is imho, the number 1 issue.
Now I looked back at a presentation made by EUROPOL at RIPE 73 https://ripe73.ripe.net/archives/video/1501/
They were very clear that the address of resource holders is also very important to LEAs in their investigations. So I am going to make a controversial suggestion here. Currently we have two categories of registry data, Private and Public. The Public data is available to LEAs and their use of it is covered by agreed purposes of the RIPE Database defined in the Terms & Conditions. For Private data they need to get a court order, which is an expensive and time consuming process. Suppose we add a middle category Restricted data. This could be data like the address of natural persons who hold resources. Data that is now public but we are proposing to take out of the public domain. We could allow LEAs (and maybe other recognised public safety agencies) to continue to have access to this Restricted data without a court order. (There are technical ways of doing this which are out of scope for this discussion.)
That sounds a step in the right direction. Court orders usually have one problem, you'll need to be sure about the legal jurisdiction. It's completely a waste of time to ask for a court order in jurisdiction X when the offender is sitting in jurisdiction Y.
I know a lot of people have ideological phobias about allowing the police access to non-public data. They will be screaming at me right now for this suggestion...'it's giving the police a back door entry', 'it's the thin end of the wedge', 'where will it stop'... I understand those concerns.
I manage a LIR for ~20 years. Hell, if someone is misusing our infrastructure/numbers, having LEA asking us questions so the abuse (and abusers) can be identified and stopped is a good thing, because our reputation is also at stake (as a service provider).
But I see allowing LEAs continued access to what is now public data as different from giving LEAs access to private data that they have never had access to in the past. It is a different direction.
There is a lot of abuse and criminal activity on the internet.
Yes there is. Glad we agree on that :-)))
LEAs have a job to do. They need this data and often need it quickly. But we also have privacy concerns. So we are now considering taking out of the public domain some of that data that LEAs need.
And that's wrong. And data quality is also an issue -- that should be tackled! When we see (in an object) an address from country X, phone from country Y, the country field with country Z, and a clearly bogus postal code, there is a long road to go in terms of data quality...
I see this as a compromise to allow LEAs continued access to what is now public data so they can do their job effectively, but also increase general privacy by taking this bit of data out of the public domain.
Yes. And i can support that compromise, but i suspect the only viable option for some business models is to block that compromise solution.
I suppose that RIPE operates mostly on the level of legal entities that can be identified without naming individual persons. As such, it would be proper to clearly state that every database entry pertaining to a resource allocated through RIPE must contain truthful and usable identifying information of the resource holder. In German, that's "Ladungsfähige Anschrift" which was basically required to be an actual place of presence, but it appears that "virtual office" providers have succeeded in letting their addresses count as "Ladungsfähige Anschrift". I'm not a legal expert, I think this is wrong, but jurisprudence isn't always compatible with reason.
Since RIPE isn't bound by German law, they may choose contractual wording that provides reasonable value for all parties involved. If all identifying information is lost, the abusers have won, as they have with domain whois already.
Domain whois is a real mess, and yes abusers have won on that front, as they are also winning on this :/ But you also raise an important issue. It's already very complex to manage the 27 EU national laws, but the RIPE NCC has not only to live with a 70++ service region, and beyond that also with LIRs that are based outside the service region -- which are also "allowed". And as we know, a part of those are really just the result of some "opacity engineering".
A situation we need to avoid.
I entirely agree, Denis.
On Fri, 3 Jun 2022 at 10:41, Matthias Merkel <matthias.merkel@staclar.com> wrote:
I agree that it must be possible to identify people who hold resources. Not just for other network operators but also so that organizations such as law enforcement are able to do so in emergency situations where contacting RIPE could be too slow.
I hope my controversial compromise above will do that.
It is worth noting however that there now is a relatively large number of people operating networks as a hobby outside of any business activity.
Some people may consider spamming or hacking a hobby.
And on some legal jurisdiction it might be a hobby, in others it might be against the law. Hence accurately determining which legal jurisdiction is key.
At RIPE 84 I mentioned the possibility of publishing a name and city only and having RIPE hold the full address. This would likely be enough to uniquely identify a person (or at least a small number of potential people in a single city that would be few enough for law enforcement to all check out) while not publishing the full addresses of people who could be at risk for various reasons. It would also be enough information to identify multiple objects belonging to the same person, for example to block traffic from all of their networks. The full address could still be obtained from RIPE with a court order if required.
I think 'city' is too identifiable. If it is London, Paris, Berlin you could get away with this. If it is a village or very small town you will definitely identify people with that granularity. Perhaps a county, region, province would work. But either way the database makes no separation of address elements. All parts of an address are entered into "address:" or "descr:" attributes. Separating them out would be technically difficult.
What about the postal code? In which situations can a postal code identify *one* person? It sounds unfeasible to split "address:" into "street/door:" and "region/province:" ? Regards, Carlos
cheers denis proposal author
— Matthias Merkel
On Sun, 5 Jun 2022, Suresh Ramasubramanian wrote:
Good points here. There is no shortage of bad actors who will be happy to register a netblock as a private individual if this means their data is obfuscated (and in whois, even forged / fake data is quite useful as part of a consistent pattern).
There have even been bogus LIRs - it used to be quite easy to set up an LLC and get a couple of /14s with an exclusive clientele of snowshoe operators, for example. --srs
Brian, Markus, Tobias, Why not invite Suresh to do a presentation about this last sentence at some RIPE meeting in the near future? I would be very curious about this :-) Regards, Carlos
From: anti-abuse-wg <anti-abuse-wg-bounces@ripe.net> on behalf of Carlos Friaças via anti-abuse-wg <anti-abuse-wg@ripe.net> Sent: Sunday, June 5, 2022 3:23:01 PM To: denis walker <ripedenis@gmail.com> Cc: anti-abuse-wg <anti-abuse-wg@ripe.net> Subject: Re: [anti-abuse-wg] personal data in the RIPE Database
Hi Denis, All,
(Please see inline, CSIRT hat=ON)
On Sun, 5 Jun 2022, denis walker wrote:
(...)
However, besides wanting to contact someone, there is a legitimate need to identify bad actors and shun them with whatever means at your disposal (SpamAssassin rules, IP blocks, nullroutes, whatever). I do not want to communicate with them, just as I don't want to discuss with burglars about their actions!
This is starting to explain reasons why we need to identify resource holders, even natural persons.
Exactly!
When we are talking about companies, GDPR doesn't even apply.
When we are talking about natural persons GDPR applies, but there is **purpose** and a minimal set of information **needs** to be available.
So, a mere contact database (which could contain fully anonymized forwarding addresses through a "privacy provider", like it's nowadays common for whois entries) would work for the purpose of contacting someone, but it does not work for identifying who can be held accountable for abuse emitted from a network range.
I think there is general agreement that as long as a contact is contactable there is no need to identify the natural persons operating in that role.
No. No. No. That is the general agreement for those who prefer to ignore network abuse, or for those who have business models based in abusing other people's networks.
Accountability, and any subsequent enforcement action, needs an identity. This is the key element of why resource holders, even natural persons, need to be identifiable. Further questions still need to be answered like to what degree should they be identifiable, by what means and to who?
Authorities, at least.
For resources allocated to legal entities (companies, organizations, etc.) an identification of the organization should be mandatory. This does not need to include personal data on employees that happen to be responsible for network or abuse issues, I'm fine with role accounts here. So in this case, no objection to eliminate personal data (which often becomes stale anyway after some years).
Again I think there is general agreement that for resource holders that are NOT natural persons the name, address and legal country must be included in the public data.
Yes. But...
Please explain how the legal country of a natural person may help anyone determine accurately how to identify a single natural person. Because i don't see how. Even for micro-countries/economies.
Simply by having the accurate (and verified by the RIPE NCC) legal country would be a big help in determining **which** is the legal jurisdiction the offender is on.
However, resources allocated to private persons are a bit different. I suppose very few private persons hold a /24 network range, and if they do, they probably fall squarely in the area of operating a business or other publicly visible enterprise under their personal name, and in many jurisdictions they are required to do so with identifying information. For example, in Germany you can't even have a web page without an imprint containing the names of people responsible for the content if you address the general public, and if you do business of any kind and you're not a corporation, you must do so under your name.
There are far more natural persons holding resources than you think.
Yes, i know.
Looking at the membership list on the RIPE NCC's website, all the members are listed and you can see the natural persons. It has been argued that even if a natural person's details are listed on some other public business register, that alone is not a reason to publish those details in the RIPE Database.
Again, there is **purpose**.
So what personally identifiable info should we publish about a natural person holding resources and what should we do with the rest of the currently available public info? Would it be reasonable to publish the name but not publish the (full) address publicly?
The full (verified by the RIPE NCC) address -- at least for LIRs -- would probably be more useful while determining legal jurisdiction, which is imho, the number 1 issue.
Now I looked back at a presentation made by EUROPOL at RIPE 73 https://ripe73.ripe.net/archives/video/1501/
They were very clear that the address of resource holders is also very important to LEAs in their investigations. So I am going to make a controversial suggestion here. Currently we have two categories of registry data, Private and Public. The Public data is available to LEAs and their use of it is covered by agreed purposes of the RIPE Database defined in the Terms & Conditions. For Private data they need to get a court order, which is an expensive and time consuming process. Suppose we add a middle category Restricted data. This could be data like the address of natural persons who hold resources. Data that is now public but we are proposing to take out of the public domain. We could allow LEAs (and maybe other recognised public safety agencies) to continue to have access to this Restricted data without a court order. (There are technical ways of doing this which are out of scope for this discussion.)
That sounds a step in the right direction.
Court orders usually have one problem, you'll need to be sure about the legal jurisdiction. It's completely a waste of time to ask for a court order in jurisdiction X when the offender is sitting in jurisdiction Y.
I know a lot of people have ideological phobias about allowing the police access to non-public data. They will be screaming at me right now for this suggestion...'it's giving the police a back door entry', 'it's the thin end of the wedge', 'where will it stop'... I understand those concerns.
I manage a LIR for ~20 years. Hell, if someone is misusing our infrastructure/numbers, having LEA asking us questions so the abuse (and abusers) can be identified and stopped is a good thing, because our reputation is also at stake (as a service provider).
But I see allowing LEAs continued access to what is now public data as different from giving LEAs access to private data that they have never had access to in the past. It is a different direction.
There is a lot of abuse and criminal activity on the internet.
Yes there is. Glad we agree on that :-)))
LEAs have a job to do. They need this data and often need it quickly. But we also have privacy concerns. So we are now considering taking out of the public domain some of that data that LEAs need.
And that's wrong. And data quality is also an issue -- that should be tackled!
When we see (in an object) an address from country X, phone from country Y, the country field with country Z, and a clearly bogus postal code, there is a long road to go in terms of data quality...
I see this as a compromise to allow LEAs continued access to what is now public data so they can do their job effectively, but also increase general privacy by taking this bit of data out of the public domain.
Yes. And i can support that compromise, but i suspect the only viable option for some business models is to block that compromise solution.
I suppose that RIPE operates mostly on the level of legal entities that can be identified without naming individual persons. As such, it would be proper to clearly state that every database entry pertaining to a resource allocated through RIPE must contain truthful and usable identifying information of the resource holder. In German, that's "Ladungsfähige Anschrift" which was basically required to be an actual place of presence, but it appears that "virtual office" providers have succeeded in letting their addresses count as "Ladungsfähige Anschrift". I'm not a legal expert, I think this is wrong, but jurisprudence isn't always compatible with reason.
Since RIPE isn't bound by German law, they may choose contractual wording that provides reasonable value for all parties involved. If all identifying information is lost, the abusers have won, as they have with domain whois already.
Domain whois is a real mess, and yes abusers have won on that front, as they are also winning on this :/
But you also raise an important issue. It's already very complex to manage the 27 EU national laws, but the RIPE NCC has not only to live with a 70++ service region, and beyond that also with LIRs that are based outside the service region -- which are also "allowed".
And as we know, a part of those are really just the result of some "opacity engineering".
A situation we need to avoid.
I entirely agree, Denis.
On Fri, 3 Jun 2022 at 10:41, Matthias Merkel <matthias.merkel@staclar.com> wrote:
I agree that it must be possible to identify people who hold resources. Not just for other network operators but also so that organizations such as law enforcement are able to do so in emergency situations where contacting RIPE could be too slow.
I hope my controversial compromise above will do that.
It is worth noting however that there now is a relatively large number of people operating networks as a hobby outside of any business activity.
Some people may consider spamming or hacking a hobby.
And on some legal jurisdiction it might be a hobby, in others it might be against the law. Hence accurately determining which legal jurisdiction is key.
At RIPE 84 I mentioned the possibility of publishing a name and city only and having RIPE hold the full address. This would likely be enough to uniquely identify a person (or at least a small number of potential people in a single city that would be few enough for law enforcement to all check out) while not publishing the full addresses of people who could be at risk for various reasons. It would also be enough information to identify multiple objects belonging to the same person, for example to block traffic from all of their networks. The full address could still be obtained from RIPE with a court order if required.
I think 'city' is too identifiable. If it is London, Paris, Berlin you could get away with this. If it is a village or very small town you will definitely identify people with that granularity. Perhaps a county, region, province would work. But either way the database makes no separation of address elements. All parts of an address are entered into "address:" or "descr:" attributes. Separating them out would be technically difficult.
What about the postal code? In which situations can a postal code identify *one* person?
It sounds unfeasible to split "address:" into "street/door:" and "region/province:" ?
Regards, Carlos
cheers denis proposal author
-- Matthias Merkel
The person you should invite for this is Ron Guilmette
Ask him about Romanian LIRs from eight or nine years back and you will probably get chapter and verse.
For example https://seclists.org/nanog/2013/Jan/328
--srs
________________________________
From: Carlos Friaças <cfriacas@fccn.pt>
Sent: Sunday, June 5, 2022 3:43:13 PM
To: Suresh Ramasubramanian <ops.lists@gmail.com>
Cc: denis walker <ripedenis@gmail.com>; anti-abuse-wg <anti-abuse-wg@ripe.net>
Subject: Re: [anti-abuse-wg] personal data in the RIPE Database
On Sun, 5 Jun 2022, Suresh Ramasubramanian wrote:
Good points here. There are no shortage of bad actors who will be happy to register a netblock as a private individual if this means their data is obfuscated (and in whois, even forged / fake data is quite useful as part of a consistent pattern).
There have even been bogus LIRs - it used to be quite easy to set up an LLC and get a couple of /14s with an exclusive clientele of snowshoe operators, for example. --srs
Brian, Markus, Tobias,
Why not invite Suresh to do a presentation about this last sentence at some RIPE meeting in the near future? I would be very curious about this :-)
Regards, Carlos
________________________________
From: anti-abuse-wg <anti-abuse-wg-bounces@ripe.net> on behalf of Carlos Friaças via anti-abuse-wg <anti-abuse-wg@ripe.net>
Sent: Sunday, June 5, 2022 3:23:01 PM
To: denis walker <ripedenis@gmail.com>
Cc: anti-abuse-wg <anti-abuse-wg@ripe.net>
Subject: Re: [anti-abuse-wg] personal data in the RIPE Database
Hi Denis, All,
(Please see inline, CSIRT hat=ON)
On Sun, 5 Jun 2022, denis walker wrote:
(...)
However, besides wanting to contact someone, there is a legitimate need to identify bad actors and shun them with whatever means at your disposal (SpamAssassin rules, IP blocks, nullroutes, whatever). I do not want to communicate with them, just as I don't want to discuss with burglars about their actions!
This is starting to explain reasons why we need to identify resource holders, even natural persons.
Exactly!
When we are talking about companies, GDPR doesn't even apply.
When we are talking about natural persons GDPR applies, but there is **purpose** and a minimal set of information **needs** to be available.
So, a mere contact database (which could contain fully anonymized forwarding addresses through a "privacy provider", like it's nowadays common for whois entries) would work for the purpose of contacting someone, but it does not work for identifying who can be held accountable for abuse emitted from a network range.
I think there is general agreement that as long as a contact is contactable there is no need to identify the natural persons operating in that role.
No. No. No. That is the general agreement for those who prefer to ignore network abuse, or for those who have business models based in abusing other people's networks.
Accountability, and any subsequent enforcement action, needs an identity. This is the key element of why resource holders, even natural persons, need to be identifiable. Further questions still need to be answered like to what degree should they be identifiable, by what means and to who?
Authorities, at least.
For resources allocated to legal entities (companies, organizations, etc.) an identification of the organization should be mandatory. This does not need to include personal data on employees that happen to be responsible for network or abuse issues, I'm fine with role accounts here. So in this case, no objection to eliminate personal data (which often becomes stale anyway after some years).
Again I think there is general agreement that for resource holders that are NOT natural persons the name, address and legal country must be included in the public data.
Yes. But...
Please explain how the legal country of a natural person may help anyone determine accurately how to identify a single natural person. Because i don't see how. Even for micro-countries/economies.
Simply by having the accurate (and verified by the RIPE NCC) legal country would be a big help in determining **which** is the legal jurisdiction the offender is on.
However, resources allocated to private persons are a bit different. I suppose very few private persons hold a /24 network range, and if they do, they probably fall squarely in the area of operating a business or other publicly visible enterprise under their personal name, and in many jurisdictions they are required to do so with identifying information. For example, in Germany you can't even have a web page without an imprint containing the names of people responsible for the content if you address the general public, and if you do business of any kind and you're not a corporation, you must do so under your name.
There are far more natural persons holding resources than you think.
Yes, i know.
Looking at the membership list on the RIPE NCC's website, all the members are listed and you can see the natural persons. It has been argued that even if a natural person's details are listed on some other public business register, that alone is not a reason to publish those details in the RIPE Database.
Again, there is **purpose**.
So what personally identifiable info should we publish about a natural person holding resources and what should we do with the rest of the currently available public info? Would it be reasonable to publish the name but not publish the (full) address publicly?
The full (verified by the RIPE NCC) address -- at least for LIRs -- would probably be more useful while determining legal jurisdiction, which is imho, the number 1 issue.
Now I looked back at a presentation made by EUROPOL at RIPE 73 https://ripe73.ripe.net/archives/video/1501/
They were very clear that the address of resource holders is also very important to LEAs in their investigations. So I am going to make a controversial suggestion here. Currently we have two categories of registry data, Private and Public. The Public data is available to LEAs and their use of it is covered by agreed purposes of the RIPE Database defined in the Terms & Conditions. For Private data they need to get a court order, which is an expensive and time consuming process. Suppose we add a middle category Restricted data. This could be data like the address of natural persons who hold resources. Data that is now public but we are proposing to take out of the public domain. We could allow LEAs (and maybe other recognised public safety agencies) to continue to have access to this Restricted data without a court order. (There are technical ways of doing this which are out of scope for this discussion.)
That sounds a step in the right direction.
Court orders usually have one problem, you'll need to be sure about the legal jurisdiction. It's completely a waste of time to ask for a court order in jurisdiction X when the offender is sitting in jurisdiction Y.
I know a lot of people have ideological phobias about allowing the police access to non-public data. They will be screaming at me right now for this suggestion...'it's giving the police a back door entry', 'it's the thin end of the wedge', 'where will it stop'... I understand those concerns.
I manage a LIR for ~20 years. Hell, if someone is misusing our infrastructure/numbers, having LEA asking us questions so the abuse (and abusers) can be identified and stopped is a good thing, because our reputation is also at stake (as a service provider).
But I see allowing LEAs continued access to what is now public data as different from giving LEAs access to private data that they have never had access to in the past. It is a different direction.
There is a lot of abuse and criminal activity on the internet.
Yes there is. Glad we agree on that :-)))
LEAs have a job to do. They need this data and often need it quickly. But we also have privacy concerns. So we are now considering taking out of the public domain some of that data that LEAs need.
And that's wrong. And data quality is also an issue -- that should be tackled!
When we see (in an object) an address from country X, phone from country Y, the country field with country Z, and a clearly bogus postal code, there is a long road to go in terms of data quality...
I see this as a compromise to allow LEAs continued access to what is now public data so they can do their job effectively, but also increase general privacy by taking this bit of data out of the public domain.
Yes. And i can support that compromise, but i suspect the only viable option for some business models is to block that compromise solution.
I suppose that RIPE operates mostly on the level of legal entities that can be identified without naming individual persons. As such, it would be proper to clearly state that every database entry pertaining to a resource allocated through RIPE must contain truthful and usable identifying information of the resource holder. In German, that's "Ladungsfähige Anschrift" which was basically required to be an actual place of presence, but it appears that "virtual office" providers have succeeded in letting their addresses count as "Ladungsfähige Anschrift". I'm not a legal expert, I think this is wrong, but jurisprudence isn't always compatible with reason.
Since RIPE isn't bound by German law, they may choose contractual wording that provides reasonable value for all parties involved. If all identifying information is lost, the abusers have won, as they have with domain whois already.
Domain whois is a real mess, and yes abusers have won on that front, as they are also winning on this :/
But you also raise an important issue. It's already very complex to manage the 27 EU national laws, but the RIPE NCC has not only to live with a 70++ service region, and beyond that also with LIRs that are based outside the service region -- which are also "allowed".
And as we know, a part of those are really just the result of some "opacity engineering".
A situation we need to avoid.
I entirely agree, Denis.
On Fri, 3 Jun 2022 at 10:41, Matthias Merkel <matthias.merkel@staclar.com> wrote:
I agree that it must be possible to identify people who hold resources. Not just for other network operators but also so that organizations such as law enforcement are able to do so in emergency situations where contacting RIPE could be too slow.
I hope my controversial compromise above will do that.
It is worth noting however that there now is a relatively large number of people operating networks as a hobby outside of any business activity.
Some people may consider spamming or hacking a hobby.
And on some legal jurisdiction it might be a hobby, in others it might be against the law. Hence accurately determining which legal jurisdiction is key.
At RIPE 84 I mentioned the possibility of publishing a name and city only and having RIPE hold the full address. This would likely be enough to uniquely identify a person (or at least a small number of potential people in a single city that would be few enough for law enforcement to all check out) while not publishing the full addresses of people who could be at risk for various reasons. It would also be enough information to identify multiple objects belonging to the same person, for example to block traffic from all of their networks. The full address could still be obtained from RIPE with a court order if required.
I think 'city' is too identifiable. If it is London, Paris, Berlin you could get away with this. If it is a village or very small town you will definitely identify people with that granularity. Perhaps a county, region, province would work. But either way the database makes no separation of address elements. All parts of an address are entered into "address:" or "descr:" attributes. Separating them out would be technically difficult.
What about the postal code? In which situations can a postal code identify *one* person?
It sounds unfeasible to split "address:" into "street/door:" and "region/province:" ?
Regards, Carlos
cheers denis proposal author
-- Matthias Merkel
In message <ME4P282MB090206083BC2157DA62ED1DDF5A39@ME4P282MB0902.AUSP282.PROD.OUTLOOK.COM>, Suresh Ramasubramanian <ops.lists@gmail.com> wrote:
The person you should invite for this is Ron Guilmette
Ask him about Romanian LIRs from eight or nine years back and you will probably get chapter and verse.
For example https://seclists.org/nanog/2013/Jan/328
Indeed. I could write a book about the voracious Romanian gang. And a whole additional one about some similarly voracious folks in Moldova.
The only question is: Who would read them? Nobody seems to care.
Regards, rfg
In some countries, like the UK, postal codes identify anywhere from one house to a street and are thus way too specific for that purpose, hence my suggestion to use city names instead. I don't think it's unreasonable to have a private whois database for law enforcement and similar agencies where they can access non-public information. Some domain registries and registrars do this as well (sometimes with varying types of data access depending on the agency) and it seems to be working out with relatively small problems relating to abuse of power. For this to make sense however, at least a country and state would need to be public so jurisdiction can be determined in case a member of the public needs to make a report to law enforcement about a resource holder.
In message <CAKvLzuG47-bY0vN59+kkcgJ0p4332J7r-Q0wRFnoMhhTaVRgqA@mail.gmail.com>, denis walker <ripedenis@gmail.com> writes
They were very clear that the address of resource holders is also very important to LEAs in their investigations. So I am going to make a controversial suggestion here. Currently we have two categories of registry data, Private and Public. The Public data is available to LEAs and their use of it is covered by agreed purposes of the RIPE Database defined in the Terms & Conditions. For Private data they need to get a court order, which is an expensive and time consuming process. Suppose we add a middle category Restricted data. This could be data like the address of natural persons who hold resources. Data that is now public but we are proposing to take out of the public domain. We could allow LEAs (and maybe other recognised public safety agencies) to continue to have access to this Restricted data without a court order. (There are technical ways of doing this which are out of scope for this discussion.)
You appear to be under the impression that Internet security and safety arises out of the activities of Law Enforcement Agencies whereas in practice private individuals and companies do the vast majority of this work -- generating referrals to LEAs when it is appropriate for action to be taken that only they can perform

Moving to a situation where only LEAs can see what is currently available in RIPE whois data would be a very retrograde step and would seriously impact the security and stability of the Internet.

--
richard Richard Clayton
Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755
Yes and when private parties asking about whois get told “we are not the internet police”, that is the ripe community’s very own “not in my backyard”
--srs
Hi Richard On Mon, 6 Jun 2022 at 16:15, Richard Clayton <richard@highwayman.com> wrote:
In message <CAKvLzuG47-bY0vN59+kkcgJ0p4332J7r-Q0wRFnoMhhTaVRgqA@mail.gma il.com>, denis walker <ripedenis@gmail.com> writes
They were very clear that the address of resource holders is also very important to LEAs in their investigations. So I am going to make a controversial suggestion here. Currently we have two categories of registry data, Private and Public. The Public data is available to LEAs and their use of it is covered by agreed purposes of the RIPE Database defined in the Terms & Conditions. For Private data they need to get a court order, which is an expensive and time consuming process. Suppose we add a middle category Restricted data. This could be data like the address of natural persons who hold resources. Data that is now public but we are proposing to take out of the public domain. We could allow LEAs (and maybe other recognised public safety agencies) to continue to have access to this Restricted data without a court order. (There are technical ways of doing this which are out of scope for this discussion.)
You appear to be under the impression that Internet security and safety arises out of the activities of Law Enforcement Agencies whereas in practice private individuals and companies do the vast majority of this work -- generating referrals to LEAs when it is appropriate for action to be taken that only they can perform
Moving to a situation where only LEAs can see what is currently available in RIPE whois data would be a very retrograde step and would seriously impact the security and stability of the Internet.
We are talking about restricting access to one piece of data, the address of natural persons. I accept that a lot of abuse may come from address space held by natural people. I understand that a lot of investigation work is done by companies and individuals. How much of an impact would it be on your activities to not know the private address of these natural people? From the country attribute in their ORGANISATION object (accurately maintained by the RIPE NCC) you know the country that they are legally operating from. You don't know the street or city they work out of. I can only think of three reasons why you would need the full address. You intend to visit them (unlikely), you want to serve legal papers on them or you attempt some kind of heuristics with the free text search in the database to match up resources with the same address. cheers denis proposal author
-- richard Richard Clayton
Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755 --
Always a useful thing to do if you want to block all resources held by a single actor or set of actors. --srs ________________________________ Denis walker <ripedenis@gmail.com> you attempt some kind of heuristics with the free text search in the database to match up resources with the same address.
On Mon, 6 Jun 2022 at 17:57, Suresh Ramasubramanian <ops.lists@gmail.com> wrote:
Always a useful thing to do if you want to block all resources held by a single actor or set of actors.
So are you saying that you DO use the ORGANISATION object address to match resources held by different members at the same location? If so there are technical ways to offer that functionality within the database without exposing the full address of natural person members. cheers denis proposal author
--srs ________________________________ Denis walker <ripedenis@gmail.com>
you attempt some kind of heuristics with the free text search in the database to match up resources with the same address.
In message <CAKvLzuGDaye7RTgCbS=Y29aDpNViTaZs+9Xpe72yo- jGZDA5xw@mail.gmail.com>, denis walker <ripedenis@gmail.com> writes
On Mon, 6 Jun 2022 at 17:57, Suresh Ramasubramanian <ops.lists@gmail.com> wrote:
Always a useful thing to do if you want to block all resources held by a
single actor or set of actors.
So are you saying that you DO use the ORGANISATION object address to match resources held by different members at the same location? If so there are technical ways to offer that functionality within the database without exposing the full address of natural person members.
you're about to suggest hashing ... that doesn't provide what is needed because it is far too fragile to be useful given that WHOIS entries are not canonicalised and also contain minor errors you can find countless examples of typos, old addresses etc within the RIPE data. For a contemporary example check for inconsistent use of Kiev/Kyiv for resources held by exactly the same person/organisation. -- richard Richard Clayton Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755
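The fragility argument in the message above, worked through as an added example that is not part of the original thread or of any RIPE NCC code: grouping organisations by a hash of the address field, with and without canonicalisation, compared with fuzzy matching on the plaintext. The organisation names, addresses, alias table and 0.9 threshold are all constructed assumptions; only the Kiev/Kyiv variation comes from the message.

```python
import hashlib
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed sample records (not real registry data): three spellings of one
# address, including a Kiev/Kyiv variant and a one-letter typo, plus an
# unrelated address.
RECORDS = [
    ("ORG-A", "12 Khreshchatyk St., Kiev, 01001, Ukraine"),
    ("ORG-B", "12 Khreshchatyk street, Kyiv 01001 Ukraine"),
    ("ORG-C", "12, Kreshchatyk Str, KYIV, 01001, UKRAINE"),  # typo: missing 'h'
    ("ORG-D", "7 Harbour Road, Galway, Ireland"),
]

# Hypothetical alias table; a real one would need continual maintenance.
ALIASES = {"st": "street", "str": "street", "kiev": "kyiv"}


def sha256_hex(text):
    """Hex SHA-256 of the UTF-8 encoding of text."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def canonicalise(addr):
    """Lowercase, drop punctuation, map known aliases, sort the tokens."""
    text = unicodedata.normalize("NFKD", addr).lower()
    tokens = re.findall(r"[a-z0-9]+", text)
    return " ".join(sorted(ALIASES.get(t, t) for t in tokens))


def groups_by(records, keyfunc):
    """Group organisation names by keyfunc(address); exact key match only."""
    buckets = {}
    for org, addr in records:
        buckets.setdefault(keyfunc(addr), []).append(org)
    return sorted(sorted(orgs) for orgs in buckets.values())


def raw_hash_groups(records):
    """What an investigator sees if only a hash of the raw field is published."""
    return groups_by(records, sha256_hex)


def canonical_hash_groups(records):
    """Hash published after canonicalisation: survives formatting and known
    aliases, but any unanticipated typo still yields an unrelated digest."""
    return groups_by(records, lambda addr: sha256_hex(canonicalise(addr)))


def fuzzy_groups(records, threshold=0.9):
    """Greedy grouping on plaintext: a record joins the first group that has a
    member whose canonical form is at least `threshold` similar."""
    groups = []
    for org, addr in records:
        canon = canonicalise(addr)
        for group in groups:
            if any(SequenceMatcher(None, canon, other).ratio() >= threshold
                   for _, other in group):
                group.append((org, canon))
                break
        else:
            groups.append([(org, canon)])
    return [sorted(org for org, _ in group) for group in groups]


if __name__ == "__main__":
    print("raw hash:      ", raw_hash_groups(RECORDS))
    print("canonical hash:", canonical_hash_groups(RECORDS))
    print("fuzzy on text: ", fuzzy_groups(RECORDS))
```

The fuzzy step works on the address text itself, so it cannot be run by someone who holds only the published digests.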
On Mon, 6 Jun 2022 at 19:27, Richard Clayton <richard@highwayman.com> wrote:
In message <CAKvLzuGDaye7RTgCbS=Y29aDpNViTaZs+9Xpe72yo- jGZDA5xw@mail.gmail.com>, denis walker <ripedenis@gmail.com> writes
On Mon, 6 Jun 2022 at 17:57, Suresh Ramasubramanian <ops.lists@gmail.com> wrote:
Always a useful thing to do if you want to block all resources held by a
single actor or set of actors.
So are you saying that you DO use the ORGANISATION object address to match resources held by different members at the same location? If so there are technical ways to offer that functionality within the database without exposing the full address of natural person members.
you're about to suggest hashing ... that doesn't provide what is needed because it is far too fragile to be useful given that WHOIS entries are not canonicalised and also contain minor errors
I had something similar in mind.
you can find countless examples of typos, old addresses etc within the RIPE data. For a contemporary example check for inconsistent use of Kiev/Kyiv for resources held by exactly the same person/organisation.
OK let's narrow it down a bit. The address of a registered business will still be publicly available in the database. So if someone has registered multiple businesses at the same address this data will still be available, even with any spelling mistakes. What we are talking about are the resource holders who are natural persons. When these people apply to be a member I am sure the RIPE NCC requires proof of identity and proof of address. (They will correct me if I am wrong.) So unless a group of natural persons are all living at the same address and all provide proof of that, then you are not going to get this address correlation anyway. If a group of natural persons are all operating from a common commercial address, not a personal address, then the address will still be publicly available in the database. The only resource holder's addresses that will be restricted are for natural persons who are operating from their home address. Those addresses are likely to be unique in the database. I will give a balanced argument and point out that there is a downside. RIPE policy allows multiple LIRs. So a natural person operating from their home address can become a Member and then set up multiple LIR accounts. Each of these accounts will be linked to separate ORGANISATION objects with the same address. Because it is a natural person and their home address, that address will have restricted access. Each of these LIRs can get separate, distinct allocations and the address link between these allocations is lost publicly. This can be fixed if we modify address policy, requiring the RIPE NCC to publicly identify the link between multiple LIRs with the same owner. Relying on the address as the main link between multiple LIRs is not perfect anyway. A Member may be able to set up multiple LIR accounts with different addresses. Having an official link would be far more reliable.
The bottom line is that there are honest, law abiding people who are, or would like to be, resource holders but are exposed to considerable personal danger by making their name and address public. We must take the personal privacy issue seriously. If this creates problems in other areas we need to find solutions to those problems. cheers denis proposal author
-- richard Richard Clayton
Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755 --
Registered companies have in the past been LLCs or the local country equivalent and in some cases, using the id of random people paid a few euro to allow their name to appear in LLC paperwork, if I remember right. The same thing is quite likely for “natural person” to be “some old drunk I met in a bar who handed over his ID to be used for registering ripe resources” --srs ________________________________ From: anti-abuse-wg <anti-abuse-wg-bounces@ripe.net> on behalf of denis walker <ripedenis@gmail.com> Sent: Tuesday, June 7, 2022 12:19:43 AM To: Richard Clayton <richard@highwayman.com> Cc: anti-abuse-wg <anti-abuse-wg@ripe.net> Subject: Re: [anti-abuse-wg] personal data in the RIPE Database On Mon, 6 Jun 2022 at 19:27, Richard Clayton <richard@highwayman.com> wrote:
In message <CAKvLzuGDaye7RTgCbS=Y29aDpNViTaZs+9Xpe72yo- jGZDA5xw@mail.gmail.com>, denis walker <ripedenis@gmail.com> writes
On Mon, 6 Jun 2022 at 17:57, Suresh Ramasubramanian <ops.lists@gmail.com> wrote:
Always a useful thing to do if you want to block all resources held by a
single actor or set of actors.
So are you saying that you DO use the ORGANISATION object address to match resources held by different members at the same location? If so there are technical ways to offer that functionality within the database without exposing the full address of natural person members.
you're about to suggest hashing ... that doesn't provide what is needed because it is far too fragile to be useful given that WHOIS entries are not canonicalised and also contain minor errors
I had something similar in mind.
you can find countless examples of typos, old addresses etc within the RIPE data. For a contemporary example check for inconsistent use of Kiev/Kyiv for resources held by exactly the same person/organisation.
OK let's narrow it down a bit. The address of a registered business will still be publicly available in the database. So if someone has registered multiple businesses at the same address this data will still be available, even with any spelling mistakes. What we are talking about are the resource holders who are natural persons. When these people apply to be a member I am sure the RIPE NCC requires proof of identity and proof of address. (They will correct me if I am wrong.) So unless a group of natural persons are all living at the same address and all provide proof of that, then you are not going to get this address correlation anyway. If a group of natural persons are all operating from a common commercial address, not a personal address, then the address will still be publicly available in the database. The only resource holder's addresses that will be restricted are for natural persons who are operating from their home address. Those addresses are likely to be unique in the database. I will give a balanced argument and point out that there is a downside. RIPE policy allows multiple LIRs. So a natural person operating from their home address can become a Member and then set up multiple LIR accounts. Each of these accounts will be linked to separate ORGANISATION objects with the same address. Because it is a natural person and their home address, that address will have restricted access. Each of these LIRs can get separate, distinct allocations and the address link between these allocations is lost publicly. This can be fixed if we modify address policy, requiring the RIPE NCC to publicly identify the link between multiple LIRs with the same owner. Relying on the address as the main link between multiple LIRs is not perfect anyway. A Member may be able to set up multiple LIR accounts with different addresses. Having an official link would be far more reliable.
The bottom line is that there are honest, law abiding people who are, or would like to be, resource holders but are exposed to considerable personal danger by making their name and address public. We must take the personal privacy issue seriously. If this creates problems in other areas we need to find solutions to those problems. cheers denis proposal author
-- richard Richard Clayton
Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755 --
On Mon, 6 Jun 2022 at 22:30, Suresh Ramasubramanian <ops.lists@gmail.com> wrote:
Registered companies have in the past been LLCs or the local country equivalent and in some cases, using the id of random people paid a few euro to allow their name to appear in LLC paperwork, if I remember right.
The same thing is quite likely for “natural person” to be “some old drunk I met in a bar who handed over his ID to be used for registering ripe resources”
This defeats your own argument. You were arguing you need to know the addresses of these natural persons so you can link separate resources having the same address. Using the IDs of random people and drunks from a bar will give them all different addresses. Knowing these addresses doesn't help you in any way. Also an LLC is a registered business. Their addresses will remain public in the database. cheers denis proposal author
--srs ________________________________ From: anti-abuse-wg <anti-abuse-wg-bounces@ripe.net> on behalf of denis walker <ripedenis@gmail.com> Sent: Tuesday, June 7, 2022 12:19:43 AM To: Richard Clayton <richard@highwayman.com> Cc: anti-abuse-wg <anti-abuse-wg@ripe.net> Subject: Re: [anti-abuse-wg] personal data in the RIPE Database
On Mon, 6 Jun 2022 at 19:27, Richard Clayton <richard@highwayman.com> wrote:
In message <CAKvLzuGDaye7RTgCbS=Y29aDpNViTaZs+9Xpe72yo- jGZDA5xw@mail.gmail.com>, denis walker <ripedenis@gmail.com> writes
On Mon, 6 Jun 2022 at 17:57, Suresh Ramasubramanian <ops.lists@gmail.com> wrote:
Always a useful thing to do if you want to block all resources held by a
single actor or set of actors.
So are you saying that you DO use the ORGANISATION object address to match resources held by different members at the same location? If so there are technical ways to offer that functionality within the database without exposing the full address of natural person members.
you're about to suggest hashing ... that doesn't provide what is needed because it is far too fragile to be useful given that WHOIS entries are not canonicalised and also contain minor errors
I had something similar in mind.
you can find countless examples of typos, old addresses etc within the RIPE data. For a contemporary example check for inconsistent use of Kiev/Kyiv for resources held by exactly the same person/organisation.
OK let's narrow it down a bit. The address of a registered business will still be publicly available in the database. So if someone has registered multiple businesses at the same address this data will still be available, even with any spelling mistakes.
What we are talking about are the resource holders who are natural persons. When these people apply to be a member I am sure the RIPE NCC requires proof of identity and proof of address. (They will correct me if I am wrong.) So unless a group of natural persons are all living at the same address and all provide proof of that, then you are not going to get this address correlation anyway. If a group of natural persons are all operating from a common commercial address, not a personal address, then the address will still be publicly available in the database.
The only resource holder's addresses that will be restricted are for natural persons who are operating from their home address. Those addresses are likely to be unique in the database.
I will give a balanced argument and point out that there is a downside. RIPE policy allows multiple LIRs. So a natural person operating from their home address can become a Member and then set up multiple LIR accounts. Each of these accounts will be linked to separate ORGANISATION objects with the same address. Because it is a natural person and their home address, that address will have restricted access. Each of these LIRs can get separate, distinct allocations and the address link between these allocations is lost publicly. This can be fixed if we modify address policy, requiring the RIPE NCC to publicly identify the link between multiple LIRs with the same owner. Relying on the address as the main link between multiple LIRs is not perfect anyway. A Member may be able to set up multiple LIR accounts with different addresses. Having an official link would be far more reliable.
The bottom line is that there are honest, law abiding people who are, or would like to be, resource holders but are exposed to considerable personal danger by making their name and address public. We must take the personal privacy issue seriously. If this creates problems in other areas we need to find solutions to those problems.
cheers denis proposal author
-- richard Richard Clayton
Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755 --
In message <CAKvLzuFUgogEdxKa00eyC0WpW9Q1YOo+bijSvZvh6PEyPp6U5w@mail.gmail.com> denis walker <ripedenis@gmail.com> wrote:
The bottom line is that there are honest, law abiding people who are, or would like to be, resource holders but are exposed to considerable personal danger by making their name and address public. We must take the personal privacy issue seriously...
These are exactly the central fallacies that have driven and that are driving so much of the GDPR-inspired "privacy" fanaticism that's coming out of Europe these days. Who exactly are these unspecified "law abiding people" and what is it, exactly, that is preventing them from taking measures on their own (such as renting a P.O. box) to protect themselves and their privacy? I do not dispute for a moment that there are many people, most notably journalists, many of whom I have had the pleasure to work with (and even some inside of Russia) whose freedom & lives could be endangered by publication of their exact whereabouts. And yet this current proposal was not, as far as I know, generated by any of *them*. *They* already know all about the many readily available ways at their disposal to avoid having their exact whereabouts published. (And God help us all if they ever have to rely on the good graces of RIPE to protect their locations!) Perhaps even more to the point, I'd like to see any actual Venn Diagram which would show us the -actual- (as opposed to postulated, by the privacy fear-mongers) overlap between the set of people who need any kind of anonymity and/or protection of their location info and the set of people who ALSO provably *need* to have RIPE number resources. Oh! Nevermind! Conveniently, some kind soul on the Internet has already generated & published this exact Venn Diagram: https://www.amcharts.com/docs/v4/wp-content/uploads/sites/2/2020/02/image-76... So this is really the first-order fallacy: The assertion, without a single shred of supporting proof offered, that there exists some tiny minority of people who both (a) need either anonymity or else secrecy as regards to their actual physical address, and who also (b) need to have RIR number resources. 
If we are to believe this alarmist point of view, even, as it is, backed up by zero actual evidence, then we must accept on blind faith that there are some journalists or other "activists" who need to get their stories out to the public but who cannot use *any* form of existing social media to do that, and who cannot even do it via some shared or dedicated web hosting arrangement. No no! We must believe that there are, somewhere out there, activists and/or journalists who both (a) have reason to fear for their physical safety and who also (b) really need at least an ASN or a /24 or else they will be as good as gagged, for all practical purposes. This is clearly nonsense on the face of it. We are blessed to live in an era where communication... even mass communication... has never been easier OR more widely available. And yet the contention is that edgy activism and/or journalism will be entirely wiped from the map if the person who wants to distribute a controversial newsletter cannot get hold of an entire /24. Rubbish. It is this exact sort of illogical thinking that has led to a situation, in Europe, where you now can't even know if the new neighbor who just moved in next door to you is a previously convicted serial pedophile. You aren't allowed to know because your newspapers are no longer allowed to print even just the names of convicted serial sexual predators, much less their photographs. Why any of you folks in Europe ever thought that this would be a good idea is, I confess, beyond me. You have placed this newfound fetish for "privacy" above the competing societal values of free speech, freedom of the press, transparency in public affairs, and the individual citizen's right to know. So now you have to live with the downsides of those value choices. But those obviously dubious value choices DO NOT have to spill over into the public RIPE WHOIS data base.
And they will only do so if the same inability to judge fairly the cost/benefit ratio is sold to the membership at large by the privacy extremists. And now, at last, we come to the second absurd fallacy driving this debate. I quote: "We must take the personal privacy issue seriously..." Simple question: Why? Who says we do? Did the EU Council pass a resolution while I was sleeping which has rendered RIPE legally responsible for the privacy of its members or their physical addresses? If so, I didn't get the memo. Seriously, who exactly is "we" and when did "we" become legally, ethically, or morally responsible for hiding the physical addresses of members who could, as I have noted above, quite easily take care of this on their own? Was RIPE actually responsible for hiding physical addresses for all of the past 20 odd years of its existence, but for some strange reason we are only finding out about it now? Again, I think not. Nothing has changed, morally, ethically, or legally, about RIPE's responsibilities to its members since last week. Any suggestion to the contrary is just an expression of a political viewpoint, not a statement of any actual fact. Also, and more importantly, the old saying is "God helps those who help themselves." Members, if there even are any, who fall into the unique overlapping categories of those who are (a) concerned for their physical safety and also (b) unable to communicate AT ALL without their own private /24, can today, and could, at any time over the past 20 years, rent a P.O. Box and use that as their "physical address". If anyone can disprove that statement, I'm all ears. If, on the other hand, I am right about that, then I will simply reiterate again that the proposal to redact addresses from the RIPE data base is a solution in search of a problem. Regards, rfg
On Tue, 7 Jun 2022 at 01:45, Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
In message <CAKvLzuFUgogEdxKa00eyC0WpW9Q1YOo+bijSvZvh6PEyPp6U5w@mail.gmail.com> denis walker <ripedenis@gmail.com> wrote:
The bottom line is that there are honest, law abiding people who are, or would like to be, resource holders but are exposed to considerable personal danger by making their name and address public. We must take the personal privacy issue seriously...
These are exactly the central fallacies that have driven and that are driving so much of the GDPR-inspired "privacy" fanaticism that's coming out of Europe these days.
Who exactly are these unspecified "law abiding people" and what is it, exactly, that is preventing them from taking measures on their own (such as renting a P.O. box) to protect themselves and their privacy?
Go for it Ronald, keep plugging those PO Boxes, like the ones that "rendered almost all of the information that is now available in *domain name* WHOIS records virtually entirely worthless".
I do not dispute for a moment that there are many people, most notably journalists, many of whom I have had the pleasure to work with (and even some inside of Russia) whose freedom & lives could be endangered by publication of their exact whereabouts. And yet this current proposal was not, as far as I know, generated by any of *them*. *They* already know all about the many readily available ways at their disposal to avoid having their exact whereabouts published. (And God help us all if they ever have to rely on the good graces of RIPE to protect their locations!)
No idea what you are talking about...
Perhaps even more to the point, I'd like to see any actual Venn Diagram which would show us the -actual- (as opposed to postulated, by the privacy fear-mongers) overlap between the set of people who need any kind of anonymity and/or protection of their location info and the set of people who ALSO provably *need* to have RIPE number resources.
Oh! Nevermind! Conveniently, some kind soul on the Internet has already generated & published this exact Venn Diagram:
https://www.amcharts.com/docs/v4/wp-content/uploads/sites/2/2020/02/image-76...
Trivialising serious issues doesn't help anyone
So this is really the first-order fallacy: The assertion, without a single shred of supporting proof offered, that there exists some tiny minority of people who both (a) need either anonymity or else secrecy as regards to their actual physical address, and who also (b) need to have RIR number resources.
I spoke to two at the recent RIPE Meeting
If we are to believe this alarmist point of view, even, as it is, backed up by zero actual evidence, then we must accept on blind faith that there are some journalists or other "activists" who need to get their stories out to the public but who cannot use *any* form of existing social media to do that, and who cannot even do it via some shared or dedicated web hosting arrangement. No no! We must believe that there are, somewhere out there, activists and/or journalists who both (a) have reason to fear for their physical safety and who also (b) really need at least an ASN or a /24 or else they will be as good as gagged, for all practical purposes.
This is clearly nonsense on the face of it. We are blessed to live in an era where communication... even mass communication... has never been easier OR more widely available. And yet the contention is that edgy activism and/or journalism will be entirely wiped from the map if the person who wants to distribute a controversial newsletter cannot get hold of an entire /24. Rubbish.
Again, no idea what you are talking about...
It is this exact sort of illogical thinking that has led to a situation, in Europe, where you now can't even know if the new neighbor who just moved in next door to you is a previously convicted serial pedophile. You aren't allowed to know because your newspapers are no longer allowed to print even just the names of convicted serial sexual predators, much less their photographs.
Why any of you folks in Europe ever thought that this would be a good idea is, I confess, beyond me. You have placed this newfound fetish for "privacy" above the competing societal values of free speech, freedom of the press, transparency in public affairs, and the individual citizen's right to know. So now you have to live with the downsides of those value choices. But those obviously dubious value choices DO NOT have to spill over into the public RIPE WHOIS data base. And they will only do so if the same inability to judge fairly the cost/benefit ratio is sold to the membership at large by the privacy extremists.
More irrelevances...
And now, at last, we come to the second absurd fallacy driving this debate. I quote: "We must take the personal privacy issue seriously..."
Simple question: Why? Who says we do?
The society WE live and operate in!!
Did the EU Council pass a resolution while I was sleeping which has rendered RIPE legally responsible for the privacy of its members or their physical addresses? If so, I didn't get the memo.
You must have been sleeping for a long while, the GDPR was introduced in May 2018. This regulation requires that publishing the personal address of natural persons in a public database must be supported by one of the purposes of this database. None of the defined purposes covers publishing this personal data to the general public. Sorry you didn't get the memo.
Seriously, who exactly is "we" and when did "we" become legally, ethically, or morally responsible for hiding the physical addresses of members who could, as I have noted above, quite easily take care of this on their own?
Keep plugging away and you'll soon have the database full of PO Box addresses...
Was RIPE actually responsible for hiding physical addresses for all of the past 20 odd years of its existence, but for some strange reason we are only finding out about it now?
Basically yes. There was data protection legislation before the GDPR that applied to the RIPE Database. We had a Data Protection Task Force looking into this around 2010. At that time the RIPE NCC was only just establishing an in-house legal counsel. So much of the ground work was done by engineers without any legal training and external lawyers without much knowledge of the RIPE Database. We laid the foundations but many aspects were overlooked. The introduction of the GDPR in 2018 was a trigger point to revisit this issue. There have been many presentations and discussions over recent years culminating in this policy proposal. Do try and keep up Ronald.
Again, I think not. Nothing has changed, morally, ethically, or legally, about RIPE's responsibilities to its members since last week. Any suggestion to the contrary is just an expression of a political viewpoint, not a statement of any actual fact.
You are clearly not keeping up...
Also, and more importantly, the old saying is "God helps those who help themselves."
That may be important to you, it is completely irrelevant to me and this discussion.
Members, if there even are any, who fall into the unique overlapping categories of those who are (a) concerned for their physical safety and also (b) unable to communicate AT ALL without their own private /24, can today, and could, at any time over the past 20 years, rent a P.O. Box and use that as their "physical address". If anyone can disprove that statement, I'm all ears. If, on the other hand, I am right about that, then I will simply reiterate again that the proposal to redact addresses from the RIPE data base is a solution in search of a problem.
Keep going...the PO Box count is rising...
cheers denis proposal author
Regards, rfg
This tirade about Ronald is, if anything, quite overblown.
Various csirt reps for example, and Richard Clayton, have raised valid concerns with your proposal. It is still quite likely to pass, like many such proposals in the past, because of the old boy network that passes for rough consensus in the ripe community - the same sort of rough consensus that led several wg chairs and other ripe “names” to just happen to be in the room in time for a “any other business” session whose agenda was to drop Richard Cox from his co chair role.
--srs
________________________________
From: anti-abuse-wg <anti-abuse-wg-bounces@ripe.net> on behalf of denis walker <ripedenis@gmail.com>
Sent: Tuesday, June 7, 2022 12:59:10 PM
To: Ronald F. Guilmette <rfg@tristatelogic.com>
Cc: anti-abuse-wg <anti-abuse-wg@ripe.net>
Subject: Re: [anti-abuse-wg] personal data in the RIPE Database
On Tue, 7 Jun 2022 at 01:45, Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
In message <CAKvLzuFUgogEdxKa00eyC0WpW9Q1YOo+bijSvZvh6PEyPp6U5w@mail.gmail.com> denis walker <ripedenis@gmail.com> wrote:
The bottom line is that there are honest, law abiding people who are, or would like to be, resource holders but are exposed to considerable personal danger by making their name and address public. We must take the personal privacy issue seriously...
These are exactly the central fallacies that have driven and that are driving so much of the GDPR-inspired "privacy" fanaticism that's coming out of Europe these days.
Who exactly are these unspecified "law abiding people" and what is it, exactly, that is preventing them from taking measures on their own (such as renting a P.O. box) to protect themselves and their privacy?
Go for it Ronald, keep plugging those PO Boxes, like the ones that "rendered almost all of the information that is now available in *domain name* WHOIS records virtually entirely worthless".
I do not dispute for a moment that there are many people, most notably journalists, many of whom I have had the pleasure to work with (and even some inside of Russia) whose freedom & lives could be endangered by publication of their exact whereabouts. And yet this current proposal was not, as far as I know, generated by any of *them*. *They* already know all about the many readily available ways at their disposal to avoid having their exact whereabouts published. (And God help us all if they ever have to rely on the good graces of RIPE to protect their locations!)
No idea what you are talking about...
Perhaps even more to the point, I'd like to see any actual Venn Diagram which would show us the -actual- (as opposed to postulated, by the privacy fear-mongers) overlap between the set of people who need any kind of anonymity and/or protection of their location info and the set of people who ALSO provably *need* to have RIPE number resources.
Oh! Nevermind! Conveniently, some kind soul on the Internet has already generated & published this exact Venn Diagram:
https://www.amcharts.com/docs/v4/wp-content/uploads/sites/2/2020/02/image-76...
Trivialising serious issues doesn't help anyone
So this is really the first-order fallacy: The assertion, without a single shred of supporting proof offered, that there exists some tiny minority of people who both (a) need either anonymity or else secrecy as regards to their actual physical address, and who also (b) need to have RIR number resources.
I spoke to two at the recent RIPE Meeting
If we are to believe this alarmist point of view, even, as it is, backed up by zero actual evidence, then we must accept on blind faith that there are some journalists or other "activists" who need to get their stories out to the public but who cannot use *any* form of existing social media to do that, and who cannot even do it via some shared or dedicated web hosting arrangement. No no! We must believe that there are, somewhere out there, activists and/or journalists who both (a) have reason to fear for their physical safety and who also (b) really need at least an ASN or a /24 or else they will be as good as gagged, for all practical purposes.
This is clearly nonsense on the face of it. We are blessed to live in an era where communication... even mass communication... has never been easier OR more widely available. And yet the contention is that edgy activism and/or journalism will be entirely wiped from the map if the person who wants to distribute a controversial newsletter cannot get hold of an entire /24. Rubbish.
Again, no idea what you are talking about...
It is this exact sort of illogical thinking that has led to a situation, in Europe, where you now can't even know if the new neighbor who just moved in next door to you is a previously convicted serial pedophile. You aren't allowed to know because your newspapers are no longer allowed to print even just the names of convicted serial sexual predators, much less their photographs.
Why any of you folks in Europe ever thought that this would be a good idea is, I confess, beyond me. You have placed this newfound fetish for "privacy" above the competing societal values of free speech, freedom of the press, transparency in public affairs, and the individual citizen's right to know. So now you have to live with the downsides of those value choices. But those obviously dubious value choices DO NOT have to spill over into the public RIPE WHOIS data base. And they will only do so if the same inability to judge fairly the cost/benefit ratio is sold to the membership at large by the privacy extremists.
More irrelevances...
And now, at last, we come to the second absurd fallacy driving this debate. I quote: "We must take the personal privacy issue seriously..."
Simple question: Why? Who says we do?
The society WE live and operate in!!
Did the EU Council pass a resolution while I was sleeping which has rendered RIPE legally responsible for the privacy of its members or their physical addresses? If so, I didn't get the memo.
You must have been sleeping for a long while, the GDPR was introduced in May 2018. This regulation requires that publishing the personal address of natural persons in a public database must be supported by one of the purposes of this database. None of the defined purposes covers publishing this personal data to the general public. Sorry you didn't get the memo.
Seriously, who exactly is "we" and when did "we" become legally, ethically, or morally responsible for hiding the physical addresses of members who could, as I have noted above, quite easily take care of this on their own?
Keep plugging away and you'll soon have the database full of PO Box addresses...
Was RIPE actually responsible for hiding physical addresses for all of the past 20 odd years of its existence, but for some strange reason we are only finding out about it now?
Basically yes. There was data protection legislation before the GDPR that applied to the RIPE Database. We had a Data Protection Task Force looking into this around 2010. At that time the RIPE NCC was only just establishing an in-house legal counsel. So much of the ground work was done by engineers without any legal training and external lawyers without much knowledge of the RIPE Database. We laid the foundations but many aspects were overlooked. The introduction of the GDPR in 2018 was a trigger point to revisit this issue. There have been many presentations and discussions over recent years culminating in this policy proposal. Do try and keep up Ronald.
Again, I think not. Nothing has changed, morally, ethically, or legally, about RIPE's responsibilities to its members since last week. Any suggestion to the contrary is just an expression of a political viewpoint, not a statement of any actual fact.
You are clearly not keeping up...
Also, and more importantly, the old saying is "God helps those who help themselves."
That may be important to you, it is completely irrelevant to me and this discussion.
Members, if there even are any, who fall into the unique overlapping categories of those who are (a) concerned for their physical safety and also (b) unable to communicate AT ALL without their own private /24, can today, and could, at any time over the past 20 years, rent a P.O. Box and use that as their "physical address". If anyone can disprove that statement, I'm all ears. If, on the other hand, I am right about that, then I will simply reiterate again that the proposal to redact addresses from the RIPE data base is a solution in search of a problem.
Keep going...the PO Box count is rising...
cheers denis proposal author
Regards, rfg
Hi Suresh
On Tue, 7 Jun 2022 at 10:06, Suresh Ramasubramanian <ops.lists@gmail.com> wrote:
This tirade about Ronald is if anything, quite overblown
The only thing that is overblown is his attitude. If he cut out all the personal insults and attempts to bully people to agree with him we might have a better discussion. Considering his attitude I will respond accordingly.
Various csirt reps for example, and Richard Clayton, have raised valid concerns with your proposal.
Yes they have and I think that was a more useful discussion.
It is still quite likely to pass, like many such proposals in the past,
I am trying to remember when was the last proposal passed on Anti Abuse matters? I seem to remember a core group of people who shoot down almost every proposal.
because of the old boy network that passes for rough consensus in the ripe community - the same sort of rough consensus that led several wg chairs and other ripe “names” to just happen to be in the room in time for a “any other business” session whose agenda was to drop Richard Cox from his co chair role.
I wasn't there and it has nothing to do with this proposal.
cheers denis proposal author
In message <CAKvLzuG7PPTtQDwx2GoDgULdmLZdz5FzWTwa2pUVQWRqGHfQig@mail.gmail.com>, denis walker <ripedenis@gmail.com> writes
On Mon, 6 Jun 2022 at 16:15, Richard Clayton <richard@highwayman.com> wrote:
You appear to be under the impression that Internet security and safety arises out of the activities of Law Enforcement Agencies whereas in practice private individuals and companies do the vast majority of this work -- generating referrals to LEAs when it is appropriate for action to be taken that only they can perform
We are talking about restricting access to one piece of data, the address of natural persons.
it's several lines of data ...
I accept that a lot of abuse may come from address space held by natural people. I understand that a lot of investigation work is done by companies and individuals. How much of an impact would it be on your activities to not know the private address of these natural people?
what matters is the matching of data, so that it becomes possible to link otherwise disparate activity together -- and also to proactively deal with the risk of further abuse
From the country attribute in their ORGANISATION object (accurately maintained by the RIPE NCC) you know the country that they are legally operating from. You don't know the street or city they work out of.
exactly -- now for bad people, this data is often inaccurate and incomplete, but nevertheless patterns (and consistent inconsistencies!) are often apparent
I can only think of three reasons why you would need the full address. You intend to visit them (unlikely), you want to serve legal papers on them or you attempt some kind of heuristics with the free text search in the database to match up resources with the same address.
the last of these three is what matters -- the other two activities are generally the purview of Law Enforcement and they will be working off rather more information than WHOIS (correspondence with RIPE, payment information etc).
--
richard Richard Clayton
Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755
In message <CAKvLzuG7PPTtQDwx2GoDgULdmLZdz5FzWTwa2pUVQWRqGHfQig@mail.gmail.com> denis walker <ripedenis@gmail.com> wrote:
We are talking about restricting access to one piece of data, the address of natural persons. I accept that a lot of abuse may come from address space held by natural people. I understand that a lot of investigation work is done by companies and individuals. How much of an impact would it be on your activities to not know the private address of these natural people?
Just a second. Let's pause here for a moment and look at this question of the "physical address" information as it relates to WHOIS records.
One of the many things that have, over the past several years, rendered almost all of the information that is now available in *domain name* WHOIS records virtually entirely worthless was the decision, some considerable time ago, by ICANN, to permit the use of essentially anonymous P.O. box addresses in the WHOIS records for domains registered within the gTLDs. Additional commonly used methods of obfuscation in these domain name WHOIS records include but are not limited to (a) the use of "proxy" registrants and (b) the use of addresses of incorporation agents and (c) use of the addresses of attorneys. (I have not surveyed the policies of the various ccTLDs with regards to their level of acceptance of such shenanigans but I have no reason to doubt that even the .US TLD allows for all of these clever methods of "hiding the ball" with respect to the actual physical location of the domain name registrant. Hell! The policies governing the .US domain are crystal clear in prohibiting non-US legal entities from registering .US domains, but the operators of the .US registry demonstrably make no attempt whatsoever to check for conformance with even this minimal requirement.)
So, as I have listed above, there are many different frequently-used ways that any natural person may use to obfuscate their actual physical location when registering a domain name.
This prompts a rather obvious question: Do there exist any policies, rules, or regulations which would prevent a natural person from using any one of the several techniques I have listed above to obfuscate their actual physical location when they generate their RIPE organization WHOIS record? And more to the point, is it true or false that, as I have previously asserted, any member can put literally any inaccurate garbage they want into their public-facing RIPE WHOIS records with no consequence whatsoever?
If the answer to *either* question is "yes", then it seems to me that enlisting RIPE NCC to embark upon a deliberate program to hide personal information in public-facing WHOIS records EVEN WHEN THE CORRESPONDING REGISTRANTS HAVE NOT THEMSELVES REQUESTED THAT is not only clearly unnecessary, but actually and demonstrably counterproductive. Should a natural-person who actually WANTS to be directly contacted for any and all issues relating to their RIPE number resources have that opportunity closed out, perhaps without even their knowledge or consent, by some small over-aggressive cabal of GDPR fanatics acting unilaterally? I think not.
As noted above, if any RIPE registrant wants to have their physical address info obfuscated then there appears to be any number of simple alternatives available to the registrant themself to achieve exactly that. Thus, this new push to get RIPE NCC to hide information in public-facing WHOIS records seems to be a solution in search of a problem, and just another misguided top-down enforcement of an extremist view of "privacy", pushed onto the community whether the people actually affected, i.e. the registrants themselves, like it or not.
(Note: I am not intending to pick specifically on RIPE here. To the best of my current knowledge there are -no- policies or rules in -any- RIR globally that explicitly prohibit the use of P.O. boxes, proxy registrants, or the addresses of associated corporate registration agents or lawyers within public-facing number resource WHOIS records. Nor do any RIRs have any clear policies which would have the effect of requiring there to be -any- clear correlation between what appears in a registrant's public-facing WHOIS records and anything corresponding to objective reality.)
I can only think of three reasons why you would need the full address. You intend to visit them (unlikely), you want to serve legal papers on them or you attempt some kind of heuristics with the free text search in the database to match up resources with the same address.
I agree with this list of possibilities, 1, 2, 3.
So which of these three are you attempting to hobble?
Are you in favor of making it harder to serve people with legal papers? If so, why would you do that and who would be the beneficiaries of that?
Are you in favor of making it harder for open-source researchers to search the data base for textual correlations that might provide clues to untoward activities? If so, why would you do that and who would be the beneficiaries of that?
Regards, rfg
Hi,
I just want to start out by saying that I have been quite busy lately so I can't reply to all points in this thread but I mostly agree with denis and what I have previously said in the db-wg. I have replied to rfg below.
On Tue, Jun 7, 2022 at 12:36 AM Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
In message <CAKvLzuG7PPTtQDwx2GoDgULdmLZdz5FzWTwa2pUVQWRqGHfQig@mail.gmail.com> denis walker <ripedenis@gmail.com> wrote:
We are talking about restricting access to one piece of data, the address of natural persons. I accept that a lot of abuse may come from address space held by natural people. I understand that a lot of investigation work is done by companies and individuals. How much of an impact would it be on your activities to not know the private address of these natural people?
Just a second. Let's pause here for a moment and look at this question of the "physical address" information as it relates to WHOIS records.
One of the many things that have, over the past several years, rendered almost all of the information that is now available in *domain name* WHOIS records virtually entirely worthless was the decision, some considerable time ago, by ICANN, to permit the use of essentially anonymous P.O. box addresses in the WHOIS records for domains registered within the gTLDs. Additional commonly used methods of obfuscation in these domain name WHOIS records include but are not limited to (a) the use of "proxy" registrants and (b) the use of addresses of incorporation agents and (c) use of the addresses of attorneys. (I have not surveyed the policies of the various ccTLDs with regards to their level of acceptance of such shenanigans but I have no reason to doubt that even the .US TLD allows for all of these clever methods of "hiding the ball" with respect to the actual physical location of the domain name registrant. Hell! The policies governing the .US domain are crystal clear in prohibiting non-US legal entities from registering .US domains, but the operators of the .US registry demonstrably make no attempt whatsoever to check for conformance with even this minimal requirement.)
While not that important for this point, I would argue that the policy is in no way "crystal clear" in prohibiting non-US legal entities from registering .US domains as the following category exists in the policy:
A foreign entity or organization that has a bona fide presence in the United States of America or any of its possessions or territories [Nexus Category 3]. https://www.about.us/cdn/resources/ebooks/policies/usTLD_Nexus_Requirements_...
So, as I have listed above, there are many different frequently-used ways that any natural person may use to obfuscate their actual physical location when registering a domain name.
This prompts a rather obvious question: Do there exist any policies, rules, or regulations which would prevent a natural person from using any one of the several techniques I have listed above to obfuscate their actual physical location when they generate their RIPE organization WHOIS record? And more to the point, is it true or false that, as I have previously asserted, any member can put literally any inaccurate garbage they want into their public-facing RIPE WHOIS records with no consequence whatsoever?
AFAIK the "org-name" attribute on the organisation object does get verified if the organisation is a LIR or an end user that has received resources directly from the RIPE NCC (through a sponsoring LIR). (and possibly a few other cases like legacy resource holders with service agreements) I believe there are also many policies that say that information should be accurate, and while this might not be actively verified for the most part, it is still policy in many cases.
If the answer to *either* question is "yes", then it seems to me that enlisting RIPE NCC to embark upon a deliberate program to hide personal information in public-facing WHOIS records EVEN WHEN THE CORRESPONDING REGISTRANTS HAVE NOT THEMSELVES REQUESTED THAT is not only clearly unnecessary, but actually and demonstrably counterproductive. Should a natural-person who actually WANTS to be directly contacted for any and all issues relating to their RIPE number resources have that opportunity closed out, perhaps without even their knowledge or consent, by some small over-aggressive cabal of GDPR fanatics acting unilaterally? I think not.
Part of the issue is that the RIPE NCC has some responsibility for this under the GDPR and it can be really difficult to do this correctly, but I think the legal team could explain those details better.
As noted above, if any RIPE registrant wants to have their physical address info obfuscated then there appears to be any number of simple alternatives available to the registrant themself to achieve exactly that. Thus, this new push to get RIPE NCC to hide information in public-facing WHOIS records seems to be a solution in search of a problem, and just another misguided top-down enforcement of an extremist view of "privacy", pushed onto the community whether the people actually affected, i.e. the registrants themselves, like it or not.
I run a hobby network and have an ASN and a /48 of PI assigned to me from RIPE NCC (through a sponsoring LIR) and also know many other people who are in a similar situation. Many people who do this are uncomfortable with having to publish their home address in the RIPE database, but are probably totally fine with the RIPE NCC having it in the private part of the registry. Sure, I could go and get a PO box for ~€650/year and just let the RIPE NCC have that address instead but that seems a bit silly to me when instead the address could just be hidden from the public.
(Note: I am not intending to pick specifically on RIPE here. To the best of my current knowledge there are -no- policies or rules in -any- RIR globally that explicitly prohibit the use of P.O. boxes, proxy registrants, or the addresses of associated corporate registration agents or lawyers within public-facing number resource WHOIS records. Nor do any RIRs have any clear policies which would have the effect of requiring there to be -any- clear correlation between what appears in a registrant's public-facing WHOIS records and anything corresponding to objective reality.)
I just want to say that assuming PO boxes are illegitimate is kinda odd and also varies by country I would think. As an example, in Sweden your company's registered address can be a PO box, which is quite common for many legitimate organisations. I also believe that having registered agents for companies is a very common practice for legitimate businesses in places like the US. (though correct me if I am wrong as I am not an American) My point here is mostly just that such a policy doesn't make a lot of sense to me, I am not sure if you are suggesting that such a policy should exist or not, but I think it would be a bad idea to implement such a policy.
I can only think of three reasons why you would need the full address. You intend to visit them (unlikely), you want to serve legal papers on them or you attempt some kind of heuristics with the free text search in the database to match up resources with the same address.
I agree with this list of possibilities, 1, 2, 3.
So which of these three are you attempting to hobble?
I would say that reason 1 is a terrible reason to require an address to be published. There is no good reason for some random person to be knocking on my door about my AS or IP space. I would argue that this is more of a reason to not publish the address than to publish it.
Are you in favor of making it harder to serve people with legal papers? If so, why would you do that and who would be the beneficiaries of that?
It is not really about preventing it, it is more just if that potential benefit outweighs the privacy implications.
Are you in favor of making it harder for open-source researchers to search the data base for textual correlations that might provide clues to untoward activities? If so, why would you do that and who would be the beneficiaries of that?
Pretty much the same as for the legal papers one, I don't want to prevent that, but I very much don't think it outweighs the negatives of publishing the addresses. I can think two things are good but if they are in direct conflict with one another, then I have to decide which one I think weighs more heavily, and I think privacy weighs more heavily here than making it easier for people to do this kind of research. I am someone who has done similar kinds of research* (although I don't think it was ever with natural persons) but I still think that it is far from important enough to override the privacy issues. * = not any published research, more just me looking into something I was curious about -Cynthia
In message <CAKw1M3NsS=hc17FTV-2BUuOLpT7YxCRsKcPhfukWPsC0MrJrtA@mail.gmail.com> Cynthia Revström <me@cynthia.re> wrote:
AFAIK the "org-name" attribute on the organisation object does get verified if the organisation is a LIR or an end user that has received resources directly from the RIPE NCC (through a sponsoring LIR). (and possibly a few other cases like legacy resource holders with service agreements) I believe there are also many policies that say that information should be accurate, and while this might not be actively verified for the most part, it is still policy in many cases.
Policy in the total absence of -any- validation or enforcement is vacuous. It is a NO-OP. It is a joke.
Part of the issue is that the RIPE NCC has some responsibility for this under the GDPR...
Or to be more accurate, RIPE NCC is -alleged- to have some responsibility for this, e.g. by yourself and by other privacy extremists. In point of fact however this opinion, on your part, has never been adjudicated in any court of law. And more to the point, GDPR has explicit carve outs for the sharing and/or publication of data as may be necessary for an entity to carry out its mission. Some of us, at least (who may, coincidently have been on the Internet since well before you were born), still maintain the "old school" view that it was, is, and remains an integral part of the mission of both domain name registrars and also Regional Internet Registries to promote, foster, and enable the smooth functioning of the Internet. We also believe that that continued smooth functioning can be either (a) enabled by openness and transparency or else (b) hobbled by pointlessly and unnecessarily fetishizing secrecy, specifically within WHOIS records. If our interpretation of GDPR is the correct one, i.e. that RIPE and other such organizations have both a current and a longstanding/historical duty to *not* "hide the ball", then your claim that the GDPR obliges RIPE NCC to do anything in particular now which is different from what it has been doing for the past 20+ years is both meaningless and not at all supported by *any* legal findings. In short, this contention that GDPR is (suddenly?) forcing RIPE to do something today that it was not forced to do at any time last week, or indeed, at any time over the past 20 years is simply fallacious - an imaginary imperative that doesn't actually exist.
and it can be really difficult to do this correctly, but I think the legal team could explain those details better.
And I think that the legal team has also been sucked into the vortex of privacy paranoia and extremism, and that they will say whatever they want to say, regardless of whether their position has been endorsed or verified in a court of law or not. In short, they are part of the problem. As I have previously noted RIPE is a *private* organization mostly composed of *private* member organizations, virtually all of which are loath to disclose anything to anybody ever. Thus, I would not be in the least surprised if you told me tomorrow that the RIPE legal team had come out in favor of making the entire WHOIS data base private and accessible to "law enforcement only, eyes only". The legal team doesn't have any incentive whatsoever pulling them in the direction of transparency. All of their incentives run in the opposite direction... i.e. *against* any and all openness & transparency, even if that means degrading the ongoing smooth functioning of the Internet.
I run a hobby network and have an ASN and a /48 of PI assigned to me from RIPE NCC (through a sponsoring LIR) and also know many other people who are in a similar situation. Many people who do this are uncomfortable with having to publish their home address in the RIPE database...
I have two responses: 1) Why don't you get a P.O. box if you are really that worried about it? 2) So if I understand what you're saying, you are saying that because there exists some small, but finite and non-zero set of people who, like you, are "uncomfortable", then everybody else in the universe should bend over backwards, throw out 20+ years of precedent, and should hobble the public WHOIS data base, all just so that -you- won't be made to feel "uncomfortable". Is that what you are saying? If so, then I'd like to suggest that you consider moving to sunny Florida. I think that you might fit in nicely there. Although you may not have heard about it, the Governor of that state recently signed into law a new state statute which makes it now illegal for teachers in that state to say the word "gay". The justification for this new law was that that word makes some small minority of the parents in the State of Florida "uncomfortable". My point of course, is that this is how the dictatorship of the minority begins. You are "uncomfortable" so everyone else must change what they are doing. And how shall we resolve the matter if, hypothetically, the discomfort of you and your friends someday makes me and my friends "uncomfortable"?
Sure, I could go and get a PO box for ~€650/year and just let the RIPE NCC have that address instead but that seems a bit silly to me when instead the address could just be hidden from the public.
So basically, your argument comes down to: "I don't want to be mildly inconvenienced, so instead I wish the rest of the planet to just arrange things so as to suit my personal maximal convenience." Is that about the size of it? Well, at least you're being open about your viewpoint on this. I do applaud you for that.
I just want to say that assuming PO boxes are illegitimate is kinda odd and also varies by country I would think.
I never said P.O. boxes were "illegitimate". Please don't put words in my mouth. In fact I said something that arguably is the exact opposite, i.e. that all or nearly all domain name registrars allow the use of P.O. boxes in domain name WHOIS records, AND that as far as I know, so do all Regional Internet Registries. On the other hand I do not know any natural person who either physically lives in or who physically works in a P.O. box. (In general, the boxes are too small to fit a whole human.)
My point here is mostly just that such a policy doesn't make a lot of sense to me, I am not sure if you are suggesting that such a policy should exist or not, but I think it would be a bad idea to implement such a policy.
I honestly can't even tell what you are arguing either for or against... only that you are arguing.
Are you in favor of making it harder to serve people with legal papers? If so, why would you do that and who would be the beneficiaries of that?
It is not really about preventing it, it is more just if that potential benefit outweighs the privacy implications.
In your opinion. And thus you bring the conversation back to a point I've already made, i.e. that many of you Europeans have become privacy fanatics and extremists, so much so, in fact, that, as I noted, you can't even know if the person who just moved in next door to you is a serial sexual predator or not, because you Europeans have elected to value privacy *above* freedom of speech, freedom of the press, transparency in public affairs, and the public's right to know. And if, for example, the former finance minister of Bulgaria who was fired & put in prison for embezzling public funds is nowadays running an ISP in, say, Moldova, and if that is hosting mostly crypto-currency scams, nobody will ever be the wiser or know that the proprietor of the ISP in question himself has a checkered past. In case I have been anything less than clear, please allow me to say this very plainly -- I do not agree with the way you folks in Europe nowadays value privacy -above- transparency. It is causing obvious disasters and I have every faith and confidence that in the fullness of time you'll all come to your senses and realize that you've swung the pendulum too far, and that your collective over-reaction to the scandals of Facebook et al is causing you, and coincidentally, the rest of the planet, more harm than good. (This -always- happens when extremists are allowed to dictate policy. See also: Maximilien Robespierre -- "The Incorruptible".)
Regards, rfg
On Tue, 7 Jun 2022 at 03:32, Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
In message <CAKw1M3NsS=hc17FTV-2BUuOLpT7YxCRsKcPhfukWPsC0MrJrtA@mail.gmail.com> Cynthia Revström <me@cynthia.re> wrote:
AFAIK the "org-name" attribute on the organisation object does get verified if the organisation is a LIR or an end user that has received resources directly from the RIPE NCC (through a sponsoring LIR). (and possibly a few other cases like legacy resource holders with service agreements) I believe there are also many policies that say that information should be accurate, and while this might not be actively verified for the most part, it is still policy in many cases.
Policy in the total absence of -any- validation or enforcement is vacuous. It is a NO-OP. It is a joke.
First of all some of the information in the ORGANISATION objects related to resources directly allocated or assigned by the RIPE NCC is maintained by the RIPE NCC. This data is accurately aligned with the internal registry data. As for the rest of the data in the ORGANISATION object and elsewhere in resource objects it is subject to ARCs, Assisted Registry Checks, performed by the RIPE NCC with the cooperation of the resource holder.
Part of the issue is that the RIPE NCC has some responsibility for this under the GDPR...
Or to be more accurate, RIPE NCC is -alleged- to have some responsibility for this, e.g. by yourself and by other privacy extremists.
This is really insulting language and bordering on a bullying attitude. This has to stop. It doesn't reflect the professional manner in which these matters need to be dealt with.
In point of fact however this opinion, on your part, has never been adjudicated in any court of law. And more to the point, GDPR has explicit carve outs for the sharing and/or publication of data as may be necessary for an entity to carry out its mission.
And as I said in the previous reply, the defined purposes of the RIPE Database do not cover publishing to the general public the bits of information the proposal is recommending to have restricted access.
Some of us, at least (who may, coincidently have been on the Internet since well before you were born), still maintain the "old school" view that it was, is, and remains an integral part of the mission of both domain name registrars and also Regional Internet Registries to promote, foster, and enable the smooth functioning of the Internet. We also believe that that continued smooth functioning can be either (a) enabled by openness and transparency or else (b) hobbled by pointlessly and unnecessarily fetishizing secrecy, specifically within WHOIS records.
Putting people's lives in danger by publishing their home address contrary to the defined purposes of the database is an issue that is neither unnecessary nor pointless.
If our interpretation of GDPR is the correct one, i.e. that RIPE and other such organizations have both a current and a longstanding/historical duty to *not* "hide the ball", then your claim that the GDPR obliges RIPE NCC to do anything in particular now which is different from what it has been doing for the past 20+ years is both meaningless and not at all supported by *any* legal findings. In short, this contention that GDPR is (suddenly?) forcing RIPE to do something today that it was not forced to do at any time last week, or indeed, at any time over the past 20 years is simply fallacious - an imaginary imperative that doesn't actually exist.
You are just repeating yourself from the last email...I answered this point already.
and it can be really difficult to do this correctly, but I think the legal team could explain those details better.
And I think that the legal team has also been sucked into the vortex of privacy paranoia and extremism, and that they will say whatever they want to say, regardless of whether their position has been endorsed or verified in a court of law or not.
In short, they are part of the problem. As I have previously noted RIPE is a *private* organization mostly composed of *private* member organizations, virtually all of which are loath to disclose anything to anybody ever. Thus, I would not be in the least surprised if you told me tomorrow that the RIPE legal team had come out in favor of making the entire WHOIS data base private and accessible to "law enforcement only, eyes only". The legal team doesn't have any incentive whatsoever pulling them in the direction of transparency. All of their incentives run in the opposite direction... i.e. *against* any and all openness & transparency, even if that means degrading the ongoing smooth functioning of the Internet.
More unprofessional comments...which actually says nothing
I run a hobby network and have an ASN and a /48 of PI assigned to me from RIPE NCC (through a sponsoring LIR) and also know many other people who are in a similar situation. Many people who do this are uncomfortable with having to publish their home address in the RIPE database...
I have two responses:
1) Why don't you get a P.O. box if you are really that worried about it?
The more PO Boxes the better...
2) So if I understand what you're saying, you are saying that because there exists some small, but finite and non-zero set of people who, like you, are "uncomfortable", then everybody else in the universe should bend over backwards, throw out 20+ years of precedent, and should hobble the public WHOIS data base, all just so that -you- won't be made to feel "uncomfortable". Is that what you are saying?
A 20+ year precedent that didn't fully comply with the data protection laws of the day. What we are proposing now is to bring the database into line with current laws. When Cynthia said 'uncomfortable' I think she was being polite. Some are seriously concerned. And yes Ronald, some do make other arrangements. But those arrangements involve cost in terms of money and inconvenience. It also means the police end up chasing people at the wrong location because they have used the address of another LIR's office. You go on and on about the inconvenience to researchers and investigators like yourself, but you ignore the other side of the coin. After all the investigations the police need to take action. For that they need an actual, real, correct address. So in the end, your constant theme of promoting the use of PO Boxes delays the police action.
If so, then I'd like to suggest that you consider moving to sunny Florida. I think that you might fit in nicely there.
Although you may not have heard about it, the Governor of that state recently signed into law a new state statute which makes it now illegal for teachers in that state to say the word "gay".
The justification for this new law was that that word makes some small minority of the parents in the State of Florida "uncomfortable".
My point of course, is that this is how the dictatorship of the minority begins. You are "uncomfortable" so everyone else must change what they are doing.
And how shall we resolve the matter if, hypothetically, the discomfort of you and your friends someday makes me and my friends "uncomfortable"?
Let me say it again. Publishing the home address of a natural person holding resources to the general public is not covered by the defined purposes of the RIPE Database. Therefore the GDPR does not permit such action. So either we change the way we publish this piece of data or we change the purposes. Either can be done, but the latter would need justification. Why do we need to publish it now when we didn't need to publish it for the last 20+ years, to use one of your arguments.
Sure, I could go and get a PO box for ~€650/year and just let the RIPE NCC have that address instead but that seems a bit silly to me when instead the address could just be hidden from the public.
So basically, your argument comes down to: "I don't want to be mildly inconvenienced, so instead I wish the rest of the planet to just arrange things so as to suit my personal maximal convenience." Is that about the size of it?
No it comes down to it is unlawful unless we change the purposes.
Well, at least you're being open about your viewpoint on this. I do applaud you for that.
I just want to say that assuming PO boxes are illegitimate is kinda odd and also varies by country I would think.
I never said P.O. boxes were "illegitimate". Please don't put words in my mouth. In fact I said something that arguably is the exact opposite, i.e. that all or nearly all domain name registrars allow the use of P.O. boxes in domain name WHOIS records, AND that as far as I know, so do all Regional Internet Registries.
Yes, let's have more PO Boxes.
On the other hand I do not know any natural person who either physically lives in or who physically works in a P.O. box. (In general, the boxes are too small to fit a whole human.)
My point here is mostly just that such a policy doesn't make a lot of sense to me, I am not sure if you are suggesting that such a policy should exist or not, but I think it would be a bad idea to implement such a policy.
I honestly can't even tell what you are arguing either for or against... only that you are arguing.
That's how I feel reading much of your emails
Are you in favor of making it harder to serve people with legal papers? If so, why would you do that and who would be the beneficiaries of that?
It is not really about preventing it, it is more just if that potential benefit outweighs the privacy implications.
In your opinion.
and your reverse argument is your opinion
And thus you bring the conversation back to a point I've already made, i.e. that many of you Europeans have become privacy fanatics and extremists, so much so, in fact, that, as I noted, you can't even know if the person who just moved in next door to you is a serial sexual predator or not, because you Europeans have elected to value privacy *above* freedom of speech, freedom of the press, transparency in public affairs, and the public's right to know. And if, for example, the former finance minister of Bulgaria who was fired & put in prison for embezzling public funds is nowadays running an ISP in, say, Moldova, and if that is hosting mostly crypto-currency scams, nobody will ever be the wiser or know that the proprietor of the ISP in question himself has a checkered past.
In case I have been anything less than clear, please allow me to say this very plainly
Devil forbid that you have been anything less than clear.
-- I do not agree with the way you folks in Europe nowadays value privacy -above- transparency. It is causing obvious disasters and I have every faith and confidence that in the fullness of time you'll all come to your senses and realize that you've swung the pendulum too far, and that your collective over-reaction to the scandals of Facebook et al is causing you, and coincidentally, the rest of the planet, more
So Ronald is on one side and the rest of the planet is on the other side...
harm than good. (This -always- happens when extremists are allowed to dictate policy. See also: Maximilien Robespierre -- "The Incorruptible".)
cheers denis proposal author
Regards, rfg
Ronald the reason I haven't responded to your previous emails is that you are talking utter nonsense. And as usual the two relevant sentences in your huge, long rants are lost in all the offensive and pointless references. You talk of fanatics, extremists, dictators, alarmists, privacy paranoia, perverts, fetish, fetishizing secrecy, journalists, activists, teachers, ethics, morality, political viewpoint, "old school" view, imaginary imperative, obvious disasters, over-reaction, opinions, pretense, RIPE structures of power, planned agenda of recalcitrance, obstructionism, consistent inaction, institutionalized dysfunction, lethargic EU member countries, opaque wall of stony silence, totally made-up bovine excrement, garbage, absolute horse manure, stealthy secrecy and deliberate opacity baked in, gay rights in Florida, God, Hell, .US registries, UBOs, etc. How on earth do you expect anyone to follow what little arguments you have when wrapped in all this crap.
You have managed, in a few long emails, to insult or offend me, other contributors, the RIPE NCC, their legal counsel, the RIPE community, 20k+ member organisations and the EU with your arrogant, bullying attitude...Ronald is of course right, anyone who doesn't see the world as you do is an extremist, fanatical dictator.
Why should anyone fear having their address in this open, public database? If you suffer from it, it's not the database's fault, it's your fault for giving your real address when asked for it. Clearly there are so many options available for you to confuse everyone. As in that video presentation I referenced from Europol when they explained how their investigation came to a dead end at a drop box. So yes great idea Ronald. Let's encourage everyone to get PO (Drop) boxes instead of using real addresses. Guess who is going to be queuing up at the post office tomorrow to register for these boxes using those 'borrowed' IDs from the pub? Probably every abuser across the region, given the way you have so heavily promoted this option across your recent set of rants.
You have confused the issues so much that now I will have to answer your circular, repetitive arguments.
On Tue, 7 Jun 2022 at 00:36, Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
In message <CAKvLzuG7PPTtQDwx2GoDgULdmLZdz5FzWTwa2pUVQWRqGHfQig@mail.gmail.com> denis walker <ripedenis@gmail.com> wrote:
We are talking about restricting access to one piece of data, the address of natural persons. I accept that a lot of abuse may come from address space held by natural people. I understand that a lot of investigation work is done by companies and individuals. How much of an impact would it be on your activities to not know the private address of these natural people?
Just a second. Let's pause here for a moment and look at this question of the "physical address" information as it relates to WHOIS records.
One of the many things that have, over the past several years, rendered almost all of the information that is now available in *domain name* WHOIS records virtually entirely worthless was the decision, some considerable time ago, by ICANN, to permit the use of essentially anonymous P.O. box addresses in the WHOIS records for domains registered within the gTLDs. Additional commonly used methods of obfuscation in these domain name WHOIS records include but are not limited to (a) the use of "proxy" registrants and (b) the use of addresses of incorporation agents and (c) use of the addresses of attorneys. (I have not surveyed the policies of the various ccTLDs with regards to their level of acceptance of such shenanigans but I have no reason to doubt that even the .US TLD allows for all of these clever methods of "hiding the ball" with respect to the actual physical location of the domain name registrant. Hell! The policies governing the .US domain are crystal clear in prohibiting non-US legal entities from registering .US domains, but the operators of the .US registry demonstrably make no attempt whatsoever to check for conformance with even this minimal requirement.)
So, as I have listed above, there are many different frequently-used ways that any natural person may use to obfuscate their actual physical location when registering a domain name.
This prompts a rather obvious question: Do there exist any policies, rules, or regulations which would prevent a natural person from using any one of the several techniques I have listed above to obfuscate their actual physical location when they generate their RIPE organization WHOIS record?
You just explained how these techniques have "rendered almost all of the information that is now available in *domain name* WHOIS records virtually entirely worthless". Now you are suggesting to use these techniques on the number registry to obfuscate addresses.
And more to the point, is it true or false that, as I have previously asserted, any member can put literally any inaccurate garbage they want into their public-facing RIPE WHOIS records with no consequence whatsoever?
False
If the answer to *either* question is "yes", then it seems to me that enlisting RIPE NCC to embark upon a deliberate program to hide personal information in public-facing WHOIS records EVEN WHEN THE CORRESPONDING REGISTRANTS HAVE NOT THEMSELVES REQUESTED THAT is not only clearly unnecessary, but actually and demonstrably counterproductive.
So it is more productive to encourage people to use a range of techniques to obfuscate their addresses so even the LEAs can't easily find them.
Should a natural-person who actually WANTS to be directly contacted for any and all issues relating to their RIPE number resources have that opportunity closed out, perhaps without even their knowledge or consent, by some small over-aggressive cabal of GDPR fanatics acting unilaterally? I think not.
You have, conveniently, ignored contacts. Those wonderful attributes that allow resource holders to be "directly contacted for any and all issues relating to their RIPE number resources". Surprisingly, when there is a network issue it is so much faster to use the phone than posting a letter to their address, especially that PO Box.
As noted above, if any RIPE registrant wants to have their physical address info obfuscated then there appears to be any number of simple alternatives available to the registrant themself to achieve exactly that. Thus, this new push to get RIPE NCC to hide information in public-facing WHOIS records seems to be a solution in search of a problem, and just another misguided top-down enforcement of an extremist view of "privacy", pushed onto the community whether the people actually affected, i.e. the registrants themselves, like it or not.
Yes Ronald, let's really push those ideas that "rendered almost all of the information that is now available in *domain name* WHOIS records virtually entirely worthless".
(Note: I am not intending to pick specifically on RIPE here. To the best of my current knowledge there are -no- policies or rules in -any- RIR globally that explicitly prohibit the use of P.O. boxes, proxy registrants, or the addresses of associated corporate registration agents or lawyers within public-facing number resource WHOIS records.
Yeah, keep plugging that idea Ronald!!
Nor do any RIRs have any clear policies which would have the effect of requiring there to be -any- clear correlation between what appears in a registrant's public-facing WHOIS records and anything corresponding to objective reality.)
So what harm does it do to restrict access to data that doesn't reflect reality anyway? Thanks Ronald...no problem.
I can only think of three reasons why you would need the full address. You intend to visit them (unlikely), you want to serve legal papers on them or you attempt some kind of heuristics with the free text search in the database to match up resources with the same address.
I agree with this list of possibilities, 1, 2, 3.
Wow you actually agree with me :)
So which of these three are you attempting to hobble?
Never been into hobbling. Not my scene.
Are you in favor of making it harder to serve people with legal papers? If so, why would you do that and who would be the beneficiaries of that?
Are you in favor of making it harder for open-source researchers to search the data base for textual correlations that might provide clues to untoward activities? If so, why would you do that and who would be the beneficiaries of that?
There are other ways to achieve this goal if you have an open mind, but just for the record this type of research is not covered by the purposes of the RIPE Database as defined in the Terms & Conditions. cheers denis proposal author
Regards, rfg
participants (10)
- Carlos Friaças
- Cynthia Revström
- denis walker
- Hans-Martin Mosner
- jeroen@hackersbescherming.nl
- Matthias Merkel
- Michele Neylon - Blacknight
- Richard Clayton
- Ronald F. Guilmette
- Suresh Ramasubramanian