- db-wg - mailman.ripe.net

2022-01 Review Phase (Personal Data in the RIPE Database)
by Angela Dall'Ara 20 Oct '22

20 Oct '22

Dear colleagues, Policy proposal 2022-01, "Personal Data in the RIPE Database", is now in the Review Phase. The goal of this proposal is to allow the publication of verified Personal Data in the RIPE Database only when they are justified by its purpose. The proposal has been updated to version 3.0 after the last round of discussion. This version differs from version 2.0 as follows: - it is not explicitly proscribed to enter the name of a person in role objects - the verification of fax numbers is not required The RIPE NCC has prepared an impact analysis on this latest proposal version to support the community’s discussion. You can find the proposal and impact analysis at: https://www.ripe.net/participate/policies/proposals/2022-01 https://www.ripe.net/participate/policies/proposals/2022-01#impact-analysis And the draft documents at: https://www.ripe.net/participate/policies/proposals/2022-01/draft As per the RIPE Policy Development Process (PDP), the purpose of this four-week Review Phase is to continue discussion of the proposal, taking the impact analysis into consideration, and to review the full draft RIPE Policy Document. At the end of the Review Phase, the Working Group (WG) Chairs will determine whether the WG has reached rough consensus. It is therefore important to provide your opinion, even if it is simply a restatement of your input from the previous phase. We encourage you to read the proposal, impact analysis and draft document and send any comments to <db-wg(a)ripe.net> before 4 November 2022. Kind regards, Angela Dall'Ara Policy Officer RIPE NCC

5 6

Agenda RIPE85 - Database Working Group
by William Sylvester 11 Oct '22

11 Oct '22

Below is the agenda for the Database Working Group for RIPE85. If you would like to present, have questions, comments, or requested changes please let the chairs know. Best regards, William & Denis DB-WG Chairs A. Introduction - 10 min * Welcome * Scribe * Jabber * Chairs & Succession Planning * Agenda B. NWI Update – 20 mins Denis Walker, Co-Chair DB-WG C. Operational Update– 20 mins Edward Shryane, RIPE NCC D. Geofeed Discussion – 10 mins Denis Walker, Co-Chair DB-WG E. Proposal 2022-01 – 10 mins Denis Walker, Co-Chair DB-WG Z. AOB (open discussion)

2 1

RIPE Database Service Criticality Questionnaire
by denis walker 10 Oct '22

10 Oct '22

Colleagues [Apologies to Job for copying your email from the Routing WG but you explained it well :) ] The RIPE NCC has asked the Database WG Chairs to facilitate a working group conversation on framing the RIPE Database service subcomponents in terms of criticality. At the bottom of this email is a form that focuses on three components: confidentiality, integrity and availability. Each component is split into three questions (a, b, and c), a total of 9 questions are being put forward to the working group. We envisage this process to be a public consultation: WG participants can submit (free-form) responses, and also chime in by replying to each other's responses; hopefully bringing us to a degree of consensus in the coming weeks. We believe this is a unique opportunity to help the RIPE NCC! The goal is to help the RIPE NCC develop a deeper understanding of how the moving parts fit together, which in turn helps decide where and how to invest resources. >>> Your feedback is much appreciated! <<< cheers, denis, William DB WG co-chairs ----------------------- FORM STARTS HERE ----------------------- Service Criticality Form - RIPE Database Introduction ------------ This form is used to gather input from the community on the service criticality of the RIPE database. The framework is detailed in https://labs.ripe.net/author/razvano/service-criticality-framework/ The service criticality has three components: * Confidentiality What is the highest possible impact of a data confidentiality -related incident (data leak)? * Integrity What is the highest possible impact of a data integrity -related incident (hacking)? * Availability What is the highest possible impact of a service availability -related incident (outage)? All our services are designed with at least 99% availability, so please consider outages of up to 22 hours. Service Purpose --------------- The RIPE Database is the public internet registry for the RIPE NCC region, comprised of: * Internet Number Registry * Internet Routing Registry * Reverse Delegations The critical parts of the service are: * Query (Port 43, REST API, NRTM, Web Application) * FTP dumps (whole database and split files) The non-critical part of the service is: * Update (REST API, Mailupdates, Syncupdates) Service Criticality ------------------- Please review the following three areas. (1) Global Routing Incident Severity * Low (No / negligible impact) * Medium (One or a few ASes are unavailable) * High (Many ASes in a region are unavailable) * Very High (Global Internet routing disruptions) Please rate the incident severity (Low to Very High) in the following three areas. Please explain why. (a) Confidentiality (Impact level of incidents such as data leaks) (b) Integrity (Impact level of incidents such as hack attempts) (c) Availability (Impact level of service outage incidents, up to 22 hours per quarter) (2) IP addresses and AS Numbers Incident Severity * Low (No / negligible impact) * Medium (Local disruptions (registration information not being available for some entities)) * High (Regional disruptions (registration information not being available for the RIPE NCC region)) * Very High (Global disruptions (lack of registration information for all AS Numbers and IP addresses)) Please rate the incident severity (Low to Very High) in the following three areas. Please explain why. (a) Confidentiality (Impact level of incidents such as data leaks) (b) Integrity (Impact level of incidents such as hack attempts) (c) Availability (Impact level of service outage incidents, up to 22 hours per quarter) (3) Global DNS Incident Severity * Low (No / negligible impact) * Medium (Local disruptions) * High (Regional disruptions) * Very High (Global disruptions) Please rate the incident severity (Low to Very High) in the following three areas. Please explain why. (a) Confidentiality (Impact level of incidents such as data leaks) (b) Integrity (Impact level of incidents such as hack attempts) (c) Availability (Impact level of service outage incidents, up to 22 hours per quarter)

2 2

Whois Release 1.104
by Edward Shryane 10 Oct '22

10 Oct '22

Dear Colleagues, RIPE Database release 1.104 has been deployed to the Release Candidate environment. We plan to deploy to production on Monday 10th October. This release includes the following main changes: * Allow Grouping (-G) flag in Whois Search API (#1077) * cidr0 notation for rdap response (#1068) * Remove whois tags (#1059) * Added text/plain to Search and REST APIs (#1054) * Add comment not NOOP (#1052) * Do not allow comments in managed attributes (#1045) * Use documentation prefix 192.0.2.0/24 (#1044) * Organisation country: is modifiable for end-user orgs without RIPE NCC resources (#1041) * Do not return deleted versions (#1015) * Redirect empty requests to syncupdates help (#1011) The release notes are on the website: https://www.ripe.net/manage-ips-and-asns/db/release-notes/ripe-database-rel… More information on the Release Candidate environment can be found on our website: https://www.ripe.net/manage-ips-and-asns/db/release-notes/rc-release-candid… Please let us know if you find any issues with this release in the RC environment. Regards Ed Shryane RIPE NCC

1 1

RIPE Database Quarterly Planning Q4 2022
by Edward Shryane 26 Sep '22

26 Sep '22

Dear colleagues, We have published our quarterly plans for Q4 2022 for the RIPE Database: https://www.ripe.net/manage-ips-and-asns/db/quarterly-planning In this quarter, we will start implementing the RDAP cidr0 and NRO profiles. We are also continuing work on the Service Criticality framework and on the RIPE database documentation. We hope that by providing these plans, we can better inform the community of the ongoing developments on the RIPE Database and get feedback on our work. If you have comments or questions around this, we hope you'll let us know on the list or you can always contact the DB team directly at ripe-dbm(a)ripe.net . Regards Ed Shryane RIPE NCC

1 0

NWI-13 Geofeed Legal Analysis
by Maria Stafyla 26 Sep '22

26 Sep '22

Dear colleagues, Following the legal update we provided on NWI-13: Geofeed at the DB WG session at RIPE 84, here is our analysis in case further discussion on this topic is needed. Executive Summary: -The RIPE Database is meant to contain specific information for its documented purposes. -Information inserted in the geofeed attribute could in some cases qualify as personal data. -The current purposes could explain geolocation information to be inserted only for ‘scientific research into network operations and topology’. -This purpose does not justify the processing of personal data; therefore restrictions had to be put in place to avoid the processing of unnecessary personal data. -The restrictions are now implemented based on the status of the registration. -If the purposes of the RIPE Database have changed in the meantime, this should be established via the community processes and documented. In that case we will re-evaluate the situation and the need for restrictions. Until then, the restrictions remain necessary. Legal Analysis: The RIPE Database is meant to contain specific information for the purposes that are defined in the RIPE Database Terms and Conditions. In terms of the _personal data_ inserted in there, the purpose that justifies its publication is to facilitate the coordination of network operations for the smooth and uninterrupted operation of Internet; this purpose explains why contact details of resource holders or their appointed contact persons are required. Before any new type of personal data is permitted to be inserted in the RIPE Database, we must evaluate if their processing is required for the purposes already defined and their processing can be considered in line with the basic personal data processing principles. Although it is the responsibility of the party inserting personal data to ensure that they have the appropriate legal grounds before doing so, the RIPE NCC has also shared responsibilities with regards to the personal data in the RIPE Database. This is because the RIPE NCC is the party that is making the RIPE Database available and implements the instructions given by the RIPE community. As mentioned in the Legal Review Impact Analysis, if the geofeed attribute is inserted for registrations of assignments that are reasonably assumed to be related to one individual user, then the attribute will be considered as containing personal data and GDPR will apply. This is why we have proposed to implement restrictions. These restrictions are essential to avoid any processing of personal data that is not required or necessary for the *currently defined* purposes of the RIPE Database and to limit the RIPE NCC's liability as a party with shared responsibilities in relation to the personal data inserted in the RIPE Database. Regarding the _(non-personal) data _inserted in the RIPE Database, it is also paramount that only data that is needed for the defined purposes of the RIPE Database is inserted. According to the RIPE Database Terms and Conditions, introducing the geofeed attribute (with restrictions) would be considered in line and acceptable to be used only for scientific research into network operations and topology (see Art. 3). We also understand that the purposes the RIPE Database must fulfil are not static but evolve over time. The RIPE Database Requirements Task Force has recently concluded its work and, with regard to geolocation, it has established that, although there is an active user group for geolocation data, geolocation itself is not an objective that the RIPE Database should fulfil. If the community's interests have changed since then and it is now agreed that geolocation is one of the purposes the RIPE Database must fulfil, this should be decided via the community's processes and reflected in the RIPE Database Terms and Conditions. In line with the data management principles proposed by the RIPE Database Requirements Task Force, it would be prudent to approach this issue holistically, taking into account that other geolocation information is already provided in the RIPE Database (i.e. geoloc, country code attributes in ORG and resource objects). On the basis of a new purpose for the geolocation information, we could then reassess the situation to understand whether the restrictions on the geofeed attribute are still necessary or whether it is justified to process personal data for this purpose. Kind regards, Maria Stafyla Senior Legal Counsel RIPE NCC

16 44

geolocation and current purposes
by denis walker 22 Aug '22

22 Aug '22

Colleagues I have spent some time thinking about the wording of the current purpose of the RIPE Database in relation to geolocation services. In some ways the purposes are very loosely written. That means they are open to interpretation. I think they can be interpreted to cover the "geofeed:" attribute. Some people have expressed this view but it is not sufficient to just say it, you need to justify the viewpoint. I will attempt to do that. "Facilitating coordination between network operators (network problem resolution, outage notification etc.)" The first point is the 'etc'. That means the example list is not exclusive. It doesn't even define the types or categories of coordination. So basically any coordination between network operators is included. 'Facilitating' means 'to make things easy'. So the database exists to make any coordination activity between network operators easy. So in what ways is "geofeed:" going to make it easy for network operators to coordinate some activity? One of the ways network operators have talked about how they want/need to use "geofeed:" data is to provide content based on location of an IP address. If a content providing network operator wishes to offer this content to anyone in a specific location, that can be seen as a coordination activity. The content provider can coordinate with other network operators to establish that their customers are within this location so they can access this content. If this interpretation is accepted by the community then the context has changed. The legal team can now reassess their advice in the context that the use of the "geofeed:" data is now covered by the existing database purposes. But there are other questions that the legal team also needs to consider. The "geofeed:" attribute references data external to the RIPE Database that neither the RIPE NCC nor the RIPE community has any control, management or perhaps even influence over. This data may contain PII. Although the maintainer of that external data is responsible for its content, does the RIPE NCC have any (joint) accountability or liability as the data controller and facilitator of the RIPE Database? Nic Handles are considered to be PII as they reference objects that contain PII. But these objects are also contained within the RIPE Database. The geofeed csv files are external to the RIPE Database. Do the references to them still constitute PII? Given that we are currently discussing a policy proposal governing the use of personal data in the RIPE Database, here we have a mechanism where resource holders can publish full postal address details of end users who are natural persons and link that published data to the resources in the RIPE Database. Given that these files are published by holders of RIPE resources and referenced by the RIPE Database, should the content of these files follow RIPE policies? (I'm not suggesting any validation of the contents, but perhaps resource holders should be responsible for applying policies to this content.) The T&C is a legal document. In the event of any dispute, lawyers make a lot of money by analysing and interpreting documents like this. Although the loosely written purposes may now be interpreted to cover geolocation data, there are still significant problems with the way the purposes are written. A review would still be beneficial. The T&C are mostly in the background during day to day operations. Just as the terms of an insurance policy can be irrelevant for years. The one time it matters is when you want to make a claim, or in the case of the database if someone ever makes a legal challenge over any aspect of its use or content. At that point, if the purposes can be widely interpreted, then the outcome is uncertain. It would be advantageous to all parties if the purposes were clear and precise with little room for interpretation. Whenever this issue is raised some people make the cynical comments that there has never been any legal challenge and there is no queue of people waiting to do so and common sense has always prevailed (in the past). It only needs one. Other RIRs have been involved in legal actions. Don't wait until your house is flooded before checking your insurance policy to see if you are covered. Another clear issue with this purpose's wording is that use of contact details in the database is only allowed by network operators to contact other network operators ("between network operators"). In this sense the purpose is very precise. Use of contact details by the public, non member organisations, investigators, CSIRT teams (unless they are also operators) and LEAs is not allowed under these T&C. Something to think about... cheers denis co-chair DB-WG

5 6

Apologies for spam
by Alun Davies 22 Aug '22

22 Aug '22

Hello all, My apologies to everyone who received my out of office response this morning. Just wanted to note that the relevant messages have now been removed from the archives. Again, sorry for the spam! Best regards, Alun Davies RIPE NCC

1 0

Re: [db-wg] NWI-13 Geofeed Legal Analysis
by peering-ops＠telekom.de 22 Aug '22

22 Aug '22

Can someone at RIPE please stop this. This OOO message is spamming everything. ------ Best regards, Daniel Straßner Deutsche Telekom Technik GmbH Core Networks & First-Line Maintenance (T-CNF) IP Core (IPC) Daniel Straßner Squad Changemanagement Carrier und GK-Connectivity (CMC) Squad Lifecycle Produktionsmodelle Public & Wholesale (PWS) Olgastr. 67, 89073 Ulm +49 731 1003-4775 (Tel.) +49 731 1003-4770 (Hotline) E-Mail: d.strassner(a)telekom.de<mailto:d.strassner@telekom.de> www.telekom.de<http://www.telekom.de/> Life IS FOR SHARING. You can find the obligatory information on www.telekom.de/compulsory-statement-dttechnik BIG CHANGES START SMALL - SAVE RESOURCES BY NOT PRINTING EVERY E-MAIL. Von: db-wg <db-wg-bounces(a)ripe.net> Im Auftrag von Alun Davies via db-wg Gesendet: Montag, 22. August 2022 07:55 An: Alun Davies via db-wg <db-wg(a)ripe.net> Betreff: Re: [db-wg] NWI-13 Geofeed Legal Analysis Hi, I’m out of office till 22 August. Any RIPE Labs related queries can be sent to labs(a)ripe.net and one of my colleagues will get back to you. Cheers, Alun On 22 Aug 2022, at 07:52, Alun Davies via db-wg <db-wg(a)ripe.net> wrote: Hi, I’m out of office till 22 August. Any RIPE Labs related queries can be sent to labs(a)ripe.net and one of my colleagues will get back to you. Cheers, Alun On 22 Aug 2022, at 07:51, Alun Davies via db-wg <db-wg(a)ripe.net> wrote: Hi, I’m out of office till 22 August. Any RIPE Labs related queries can be sent to labs(a)ripe.net and one of my colleagues will get back to you. Cheers, Alun On 22 Aug 2022, at 07:42, Alun Davies via db-wg <db-wg(a)ripe.net> wrote: Hi, I’m out of office till 22 August. Any RIPE Labs related queries can be sent to labs(a)ripe.net and one of my colleagues will get back to you. Cheers, Alun On 29 Jul 2022, at 14:24, Warren Kumari via db-wg <db-wg(a)ripe.net> wrote: On Thu, Jul 28, 2022 at 9:50 PM, Cynthia Revström <db-wg(a)ripe.net> wrote: I am not sure how you came to that conclusion, the way I read Maria's email didn't make me come to a conclusion anything like that. Maria said: The RIPE Database is meant to contain specific information for the purposes that are defined in the RIPE Database Terms and Conditions. The RIPE DB T&C and the DBTF report are not the same and the RIPE DB T&C could be amended. Maria also says: If the community's interests have changed since then and it is now agreed that geolocation is one of the purposes the RIPE Database must fulfil, this should be decided via the community's processes and reflected in the RIPE Database Terms and Conditions. I feel like this directly goes against what you are saying, it seems very clear to me that it is possible to change the purposes. I'll also note that Maria's initial email said: "personal data that is not required or necessary for the currently defined purposes of the RIPE Database" with "currently defined" written in big, bold, flashy letters. It then continues with the paragraph you have quoted above: "If the community's interests have changed since then and it is now agreed that geolocation is one of the purposes the RIPE Database must fulfil, this should be decided via the community's processes…" I happen to think that Geofeed could easily fall into: "Publishing routing policies by network operators (IRR)" — part of my "routing policy" is that 192.0.2.0/24 is in Cologne, and that seems useful for you to know to build your policy as well and / or "Facilitating coordination between network operators (network problem resolution, outage notification etc.)" — you are seeing long latency to 192.0.2.0/24? Geofeeds tells you that that is in Warsaw, so when you contact me you can say something like "200ms seems like a long time to get from Berlin to Warsaw… perhaps we can not route this through Singapore??"" and / or "Scientific research into network operations and topology" — you are doing Internet measurements on latency. Why does traceroute to 192.0.2.0/24 take 3ms and 203.0.113.0/24 take 89ms? Well, Geofeeds tells you that one is in Akureyri and the other is in Lisbon. Seems like worth knowing… But, the bolding of "currently defined" and the "If the community's interests have changed since then…" seems to imply that it is at least worth discussing if we can add Denis suggestion of ""The RIPE Database may contain data that an agreed set of external services may use, require or rely on." and if it does actually need "a resolution by the GM to change the T&C", etc. Even if we successfully argue that Geofeeds fits into one of the above examples, it does seem like having the T&C reflect what people want to be able to use the DB for… W -Cynthia On Fri, Jul 29, 2022 at 3:29 AM Ronald F. Guilmette via db-wg <db-wg(a)ripe.net> wrote: In message <CAKw1M3PZPzwJHoNyGrSAY_2azHeZpTw4aVw7GwCLhmT_qt2CiA(a)mail.gmail.com> =?UTF-8?Q?Cynthia_Revstr=C3=B6m?= <me(a)cynthia.re> wrote: The purposes could change... No, they couldn't. It appears that the RIPE Database Requirements Task Force issued its "final report" sometime late last year, and now the wheels have ground on further to bring us to the point where RIPE legal has issued an official proclamation to the effect that everything that does not comport with the Task Force's final list of defined purposes _must_ be jetisoned and thrown overboard. That would appear to be the short version of where things stand now. Based upon the principal of stare decisis, it would seem to be a bit late in the game to try to roll back any of what has already been adjudicated. Regards, rfg -- To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: https://lists.ripe.net/mailman/listinfo/db-wg -- To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: https://lists.ripe.net/mailman/listinfo/db-wg -- To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: https://lists.ripe.net/mailman/listinfo/db-wg -- To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: https://lists.ripe.net/mailman/listinfo/db-wg -- To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: https://lists.ripe.net/mailman/listinfo/db-wg -- To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: https://lists.ripe.net/mailman/listinfo/db-wg

1 0

2022-01 Personal data in the RIPE Database Next Steps
by William Sylvester 04 Aug '22

04 Aug '22

Dear Database Working Group Members, The four-week discussion phase for the policy proposal "2022-01 Personal data in the RIPE Database" ended on 15 July. In agreement with the proposer, we have decided tomove the proposal into the Review Phase but postponed its start to the end of August. This was done keeping in mind that the upcoming vacation period might prevent participation in the discussion and the timely publication of the RIPE NCC Impact Analysis. Please note that the RIPE Database WG Co-Chair Denis Walker is the author of this policy proposal, hence he is not taking part in the decisions regarding consensus. The RIPE NCC Policy Officer will announce the start of the Review phase together with the publication of the policy draft and impact analysis. For reference, here’s a short summary of the discussion so far: Ronald Guilmette posted many messages strongly opposing the proposal, advocating instead for the accurate verification of WHOIS data and for not publishing personal data for privacy reasons only in special legitimate cases. His main points of disagreement were: a) The transparency of the database would suffer, affecting LEAs’ and researchers’ work. b) The postal address is managed solely by the resource holder and not by the RIPE NCC. c) The postal address can already be concealed using, e.g., a PO box. d) Only a minority in the community is asking for the postal address not to be published, which doesn’t justify the effort and cost of implementation. e) More contact details might fall under the same new proposed rule in the future. f) Accepting the proposal would change the historical practice of the RIPE Database. g) There is no legal basis for the proposed changes. The proposer addressed the concerns above as follows: a) The transparency achieved is questionable if it's based on unverified data. b) End Users are not always aware that their address has been entered in the RIPE Database by the LIR. c) Addresses like those of PO boxes do not help LEAs orresearchers. d) Implementation could be supported using the existing ARCs. e) There is no mention of further changes in the proposal. f) Historical practice should not be treated as a requirement. g) Legal aspects should be further clarified by the RIPE NCC legal team. Niels Bakker supported the proposal as it would allow the RIPE NCC to offer a way to prevent LIRs from entering End Users’ personal data in the RIPE Database. Some ideas for modifying the proposal were posted: - Ronald Guilmette suggested to address the verification of contact details entered in the RIPE Database with a separate proposal that he would support, provided that the implementation challenges, costs, and consequences for non-compliance would be clarified. This would split the existing proposal in two: VERIFICATION and REDACTION. - Sylvain Baya, contributed to the discussion and also postedlinks to RIPE Labs articles published in the past about the proposal’s topics. He supported Ronald’s suggestion of allowing the RIPE NCC to accept the requests of exemption from publication of the Personally Identifiable Information (PII) made by natural persons who need Internet resources and can legally demonstrate their privacy requirement. Sylvain also suggested splitting the subject into a set of proposals: one about the general principles for processing data within the RIPE Database, one about *insertion* of PII within the RIPE Database, one about the *query* of the RIPE Database and one for handling the current PII present into the RIPE Database. - Leo Vegoda suggested clearly separating the sections defining a principle from those defining its implementation. - Cynthia Revström supported the proposal and suggested rewording the proposal clarifying that entering the full home address is never justified and that the default should be no address at all for individuals. The assumption should be that any address an individual is operating from is a home address unless the individual themselves clearly say that it is not. Please let me know if you have any questions. Kind regards, William db-wg Co-Chair

1 0