Hi Maria On Thu, 16 May 2024 at 10:04, Maria Stafyla <mstafyla@ripe.net> wrote:
Hi Denis,
I would like to acknowledge that all our legal framework documents, including the RIPE Database Terms and Conditions, are written by legal professionals.
I really don't know why everyone thinks I am some nasty person who argues for fun. All I have ever done is try to make things right. I am flattered that you think I am a legal professional, but I am an engineer and IANAL. Here you will find the text of the original draft of the RIPE Database Terms & Conditions that "I" wrote in 2008: https://www.ripe.net/ripe/mail/archives/dp-tf/2008-July/000096.html They are linked in the attachments to the email, along with the Acceptable Use Policy and Removal of Personal Data Procedure, which I also wrote the original drafts of. Here you will find the current RIPE Database Terms & Conditions: https://www.ripe.net/manage-ips-and-asns/db/support/documentation/terms/ If you compare them you will see they are 99% identical. The only differences are the addition of the geolocation purpose and some gender neutral fixes. At the time the RIPE NCC did not have a legal team. All this was done by myself and Jochem on behalf of, and under the oversight of, the Data Protection Task Force. The RIPE NCC engaged with external lawyers. They gave some advice on general legal points. But they did not really understand the industry and definitely not the RIPE Database. For that we were on our own. I don't understand why you are being so defensive. I am not accusing the current legal team of anything. You did not exist in 2008. I wrote this legal document. I did my best. I got it wrong. I have no problem admitting that I made mistakes. Almost everything it says about maintainers is wrong. The definition, description, responsibilities. I don't think you understand what a Maintainer is. We have a MNTNER object in the database. It holds tokens that allow itself and other objects to be updated. It references 'contacts' in the form of admin-c and tech-c. These contacts can be ROLE objects that make no reference to any PERSON objects. There does not need to be any reference to any ORGANISATION object. It can be an anonymous box that holds authorisation tokens. This box does not need to have any obvious relationship with any resource holder. It can represent a completely anonymised outsourcing of the ability to update objects in the database. Yet you insist that this anonymous box has legal responsibilities. If you ever get into any legal action over these T&C, good luck, you will lose. Now on a general note, not specific to legal issues, I am so happy now to be retiring and walking away from all this. There are so many things wrong with both RIPE and the RIPE NCC. I have tried to highlight and offer ways to fix so many of these issues, technical, procedural, legal, visionary. But I have failed in almost every case. Everyone has buried their heads so deep in the sand so they don't have to think about problems. I know, have uncovered and investigated so much more than I have ever said. But there is so much money, so many power games, so much dominance and control by so few people that it is not worth the risk to myself to say more than I have done. Even if you knew some of these problems you would all just look the other way. One more week and I am out of here...good luck...at least you won't have any more long, detailed emails to ignore (well at least not after I have wrapped up some last, outstanding issues)... cheers denis co-chair DB-WG
As to your other points, if a person object gets referenced in a resource object, it will be the Maintainer of the resource object who is responsible for ensuring the contact details are correct and accurate. This is because it is the Maintainer of the resource object that can make updates in that object.
Similarly in your second example, it is the responsibility of the Maintainer who enters the data in the RIPE Database to ensure they have informed the relevant individual and keep their data correct and up-to-date. Having parts of this process delegated to different people does not change the fact that the relevant individual was informed about the processing of their personal data for the purposes of the RIPE Database and agreed to it.
Kind regards, Maria Stafyla Senior Legal Counsel RIPE NCC
On Sun, 12 May 2024 at 02:25, denis walker <ripedenis@gmail.com> wrote:
Hi Maria
Oh dear!!! I wasn't going to respond to this. No one is interested in getting things right, so why should I bother? But I read it again and it is sooooo wrong, I couldn't just walk away. Let's go back to 2010. The RIPE Database Terms and Conditions is one of the most important corporate documents of the RIPE NCC concerning it's activity as an Internet registry. But this document was not written by legal experts. It was mostly written by me. I am an engineer, not a lawyer. What I wrote was approved by the Data Protection Task Force, not overflowing with legal experts. Then it was rubber stamped by the community, also not well known for expert legal opinion. As an engineer, I should never have been tasked with writing an important legal document. But the RIPE NCC was only just starting to bring in a legal expert. There was no one else so I volunteered to write it. I did my best, but I got it wrong. A lot of what I wrote about responsibility and liability, especially related to maintainers, is wrong. Responsibility and liability are key legal issues. An engineer's view is not the same as a lawyers. If you ever tried to enforce what the T&C says on these issues relating to maintainers, you would lose the argument. It is seriously flawed. The RIPE NCC now has a whole team of legal experts. But you have never reviewed the T&C document. All my mistakes are still there.
Let's now jump to 2018 when you wrote this labs article. It has built on what I wrote in the T&C. So the labs article is also fundamentally flawed. You also wrote that labs article 6 years ago. Your legal opinion for 2023-04 was written about 6 months ago. If they don't agree, my non legal thinking would be to go with the most recent legal opinion, not an old one. I should also point out that your labs article was written entirely about allocations. The legal opinion concerning 2023-04 was entirely about assignments. Very different situations.
more comments inline...
On Wed, 8 May 2024 at 09:30, Maria Stafyla <mstafyla@ripe.net> wrote:
Hi Denis,
Thank you for your comments.
Regarding the processing of the various personal data that might be inserted in the RIPE Database, please refer to this Labs article where we have outlined which legal ground applies when processing personal data of resource holders and of their contact persons: https://labs.ripe.net/author/athina/how-were-implementing-the-gdpr-legal-gro...
Irrelevant when it comes to End User assignments.
2023-04 policy proposal describes that ‘...It would be more efficient to remove the ‘solely for the connection’ limitation stated in the current policy, and to allow the creation of a single INETNUM object with status AGGREGATED-BY-LIR, then use this status for dynamic pools, grouping the IPv4 assignments used for the same purpose when they share the same contact information.’
Sorry but this paragraph shows that the legal team has completely misunderstood what 2023-04 was all about. This statement in the proposal was misleading. It suggested the new aggregated status was to handle these dynamic pools. They were already aggregated. The proposal was about aggregating, potentially, all assignments under any allocation.
In the Impact Analysis we are emphasising that, in the event this policy proposal were to be accepted, it would be up to the member to choose which contact details to insert in their aggregated assignments in the RIPE Database, and that before doing so, they would need to inform the contact persons and get their consent.
This was a confusing part of your analysis. I asked a few times during the discussion on 2023-04 for you to clarify this but you remained silent. The way I read the wording in your analysis was that it is up to the member if they add the details of contact person A or contact person B. This is very different to the policy stating the 'type' of contact whose details must be entered. Maybe the LIR's contact or the End User's contact.
But a clear point here is where you say "they would need to inform the contact persons and get their consent". That is a very clear assertion that personal details for ALL contacts MUST be on the basis of informed and explicit consent. That is not what the current T&C says.
In accordance with the RIPE Database Terms and Conditions, a ‘Maintainer’ is defined as ‘any Registrant or person to whom the authority to Update has been delegated by a Registrant either directly or indirectly, and who holds an identifier that allows updates to be authenticated and authorised.’
This was one of my mistakes. This definition is not correct. For example I am not a Registrant and no Registrant has delegated any authority to me. BUT I can create a PERSON object in the database right now. The database semantics and T&C permit that. Any Registrant can then reference that PERSON object that I created in their resource objects or End User assignments. Who is then responsible and liable for connecting this person with that resource, ensuring consent was given and not withdrawn, and that the personal details are accurate? The definition above does not cover this situation. Also within a large LIR organisation, the staff member who is in contact with the End User customer and who should obtain the consent of the customer to enter their correct personal data into the RIPE Database may not be the same staff member who creates and maintains the objects in the database. So again this definition does not cover this situation.
Article 6.3 describes that the one who holds an identifier and can therefore update (i.e. enter or remove) information from the RIPE Database ‘must ensure they have as a responsibility to inform the individual to whom the data pertains and to obtain their explicit consent for the entry in the public RIPE Database if required by law.’ Also, according to Article 6.2 they are responsible for ‘keeping all data maintained by them accurate and up-to-date, including correct Contact Details.’
It is more complex than this.
The text in the Impact Analysis is an explanation of how the above rules are meant to be interpreted. This text does not supersede the RIPE Database Terms and Conditions.
I totally disagree with this suggestion. The IA has to relate to the policy proposal and what will change if that proposal is accepted. In ripe-781 (PDP) it says "The goal of this analysis is to provide relevant supporting information to facilitate discussions on the proposal and provide some projections about the possible impact if it were to be accepted." The IA has nothing to do with how the T&C are interpreted. It should be focused purely on the impact of approving the policy proposal. In your IA statement you made a clear comment about personal data in the RIPE Database that conflicts with the T&C. In this situation I believe that the legal opinion you gave in the IA DOES supersede the T&C.
cheers denis co-chair DB-WG
In our view an update to the RIPE Database Terms and Conditions in this regard is not needed.
Kind regards, Maria Stafyla Senior Legal Counsel RIPE NCC
On Mon, 6 May 2024 at 22:48, denis walker <ripedenis@gmail.com> wrote:
Hi Athina, Maria
It would be nice if one of you can give an update to the community on this issue of the Terms & Conditions being out of step your with current legal opinion.
cheers denis co-chair DB-WG
On Wed, 17 Apr 2024 at 07:36, denis walker <ripedenis@gmail.com> wrote:
Colleagues
In the Impact Analysis (IA) for 2023-04, the RIPE NCC legal team expressed rules for entering personal data into the RIPE Database that are quite different to our previous understanding. This legal IA was relied on heavily by the proposers of 2023-04 and constantly referred to by them during the policy discussions. Based on the discussions and the IA, the chairs of the AP-WG have now approved the proposal 2023-04. We MUST now update the RIPE Database Terms and Conditions to reflect this new understanding on personal data.
In the IA the legal team said this: "Inserting any personal data in the RIPE Database must be in compliance with the RIPE Database Terms and Conditions, even when it relates to the contact details of the member’s own contact person(s). In particular, before anyone updates the RIPE Database with personal data, they must obtain the contact person’s informed and expressed consent and ensure this data is kept accurate and up-to-date."
Article 6.3 of the RIPE Database Terms and Conditions currently says: "The Maintainer who enters personal data into the RIPE Database has a responsibility to inform the individual to whom the data pertains and to obtain their explicit consent for the entry in the public RIPE Database if required by law."
This article does not accurately reflect the statement in the IA by the legal team. The text "if required by law." must be removed. This suggests that some personal data may not need the 'contact person’s informed and expressed consent'. The IA makes it clear that all personal data entered into the RIPE Database must have the 'contact person’s informed and expressed consent'. There are no exceptions or caveats to this consent. Also the responsibility must not be restricted to the 'Maintainer'. ANYONE has the capability to enter personal data into the RIPE Database. This personal data can then be referenced by a Maintainer of resource data.
I would suggest Article 6.3 says something like this:
"Anyone who updates the RIPE Database with personal data must obtain the contact person’s informed and expressed consent to enter their personal details into a global, freely accessible, public database. This consent cannot be subject to any conditions. If the consent is withdrawn, the personal data must be removed from the RIPE Database in a reasonable time frame. The personal data must be kept accurate and up-to-date. The right to use some Internet resources requires a consenting contact. If no such contact person is available, the right to use some Internet resources may be revoked."
This is a clear and honest statement that fully reflects the IA understanding of the use of personal data in the RIPE Database. I would like to ask the RIPE NCC legal team to make arrangements for this update to the Terms and Conditions.
cheers denis co-chair DB-WG
======================================================== DISCLAIMER Everything I said above is my personal, professional opinion. It is what I believe to be honest and true to the best of my knowledge. No one in this industry pays me anything. I have nothing to gain or lose by any decision. I push for what I believe is for the good of the Internet, in some small way. Nothing I say is ever intended to be offensive or a personal attack. Even if I strongly disagree with you or question your motives. Politicians question each other's motives all the time. RIPE discussion is often as much about politics and self interest as it is technical. I have a style of writing that some may not be familiar with, others sometimes use it against me. I also have OCD. It makes me see the world slightly differently to others. It drives my mind's obsessive need for detail. I can not change the way I express my detailed opinions. People may choose how to interpret them. ========================================================