Hi Sara, Assuming that law enforcement indeed has insurmountable problems obtaining the address of a resource holder during an investigation, and given all the international mechanisms and legislation currently in place, I think this is a big assumption, is there really no better idea you can come up with besides just publishing a bunch of personal information in a public database? Regards, Alex Le Heux
On Oct 10, 2018, at 07:21 , Marcolla, Sara Veronica <Sara.Marcolla@europol.europa.eu> wrote:
Hi Mark,
You are indeed right. Very often self-employed people and really tiny undertakings with specific activities operate from the private address of the owner which then doubles as the address of the undertaking. However, for what I can understand this Regulation does not cover the processing of personal data which concerns legal persons and in particular undertakings established as legal persons, including the name and the form of the legal person and the contact details of the legal person. But even those have to be somewhat recorded as businesses in their country, right?
I would like to clarify that the aim of the proposal was never aimed to publish information for which a warrant is needed. Only data that is publicly available in national company registries.
This is why I am actually liking a lot your idea of publishing the number provided by a chamber of commerce or similar in the specific country. This wouldhelp to unambiguously identify the resource holder, without prejudice to the privacy of the individuals. The NCC has the registration number from the registration papers that resource holders must sent them. Many countries allow now to verify company details online, and for the others, it will be a small step of additional due diligence (like thoroughly checking the registration paper or asking for additional documentation). Implementing it could imply slightly more manual work as we only started recently to save the registration numbers of new members. Still, that would be something RIPE NCC would need to sort out if such proposal would reach consensus.
@ All
What would you think if the proposal would be adjusted in that way (to publish the registration number and the country of registration for resource holder)?
If there is a CSIRT rep on the list I’d as well like to hear their opinion on this.
Kind regards, Sara
From: Mark Scholten [mailto:mark@mscholten.eu] Sent: 10 October 2018 12:32 To: Marcolla, Sara Veronica; ncc-services-wg@ripe.net Subject: RE: @EXT: RE: [ncc-services-wg] 2018-05 New Policy Proposal (Publication of Legal Address of Internet Number Resource Holder)
Hello Sara,
If no address is used that is used as a home by someone and it is verified by RIPE NCC it can work. However a business address can be a home address at the same time. When that happens I'm strongly against publishing it.
A better option is to mention the country off the resource holder and a number provided by a chamber of commerce or similar in the specific country. And if they don't have that some other number that can be used to identify the organization. That way the legal system can work as normal (you can find someone based on this number) and no new publication of an address is required.
At this moment I'm against this proposal and as long as at least this isn't resolved I will be against.
Kind regards, Mark
From: Marcolla, Sara Veronica [mailto:Sara.Marcolla@europol.europa.eu] Sent: Thursday, September 27, 2018 23:58 To: Mark Scholten; ncc-services-wg@ripe.net Subject: @EXT: RE: [ncc-services-wg] 2018-05 New Policy Proposal (Publication of Legal Address of Internet Number Resource Holder)
Hi Mark,
I read your concern about individual privacy and I am sure that in the implementation of the policy, the safeguards and guarantees that are aimed at protecting personal privacy and individual rights, especially following the provisions of the GDPR, will be guaranteed. On this point, I believe that even in this strong disagreement, we do agree.
The aim of the policy, as you indeed understand, is to publish the location of where to address non-technical concerns. That we like it or not, there are other reasons that call for the need of quickly contacting a resource holder other than a merely technical issue. And as Internet is global but chamber of commerce databases are local, it is to be welcome an addition to a database that can serve this purpose. Do you agree?
In this sense, it is indeed helping to speed up legal processes - and it speeds up the most basic first hurdle, that is “to whom can I address my concerns that are not of (purely) technical nature”? I am not only speaking here of Law Enforcers - but I am also speaking here of all those entities that have to put into practice provisions coming from the NIS Directive for example, or perhaps even the GDPR. All these require to immediately contact for legal reason an entity, and this policy proposal would be a step into this direction. All what can be done on the technical level (and you rightfully mention RPKI and other measures surely effective technically) needs to be complemented by what can be done to facilitate certain processes in place that require actions other than technical. There are as well as you say other actions to speed up other parts of the legal process and they are being explored, but this proposal complements them, does not substitute them. I know. It might sound a little philosophical but is in the end reflecting the reality of what internet is now: not only a community of technicians and enthusiasts, but a wider one.
Kind regards, Sara Marcolla
Typed with a very tiny keyboard this mistakes can occur
From: Mark Scholten <mark@mscholten.eu> Date: Thursday, 27 Sep 2018, 10:12 PM To: ncc-services-wg@ripe.net <ncc-services-wg@ripe.net> Subject: Re: [ncc-services-wg] 2018-05 New Policy Proposal (Publication of Legal Address of Internet Number Resource Holder)
Hello,
This should have come from my personal account.
This are my personal opinions.
Regards, Mark
-----Original Message----- From: ncc-services-wg [mailto:ncc-services-wg-bounces@ripe.net] On Behalf Of Stream Service Sent: Thursday, September 27, 2018 23:08 To: ncc-services-wg@ripe.net Subject: Re: [ncc-services-wg] 2018-05 New Policy Proposal (Publication of Legal Address of Internet Number Resource Holder)
Hello,
I'm against this policy. Publishing the a number that refers to some local chamber of commerce registration is not a problem for me (if the resource holder is a company). However having an extra location to publish the address is something I'm against. Especially when the address/building is also the home of someone. If someone has a genuine right to obtain the address they will likely be able to get it anyway.
Also in some cases the resource holder is a natural person. Please keep this in mind with any policy that is created.
This policy greatly violates any privacy law that might apply. At least when the home address of someone is published. If it is a private person that is the resource holder publishing the address is also a privacy violation I believe.
Now about the rationale:
To make it more difficult for malicious actors to hijack block of IP addresses and therefore play a preventive role in protecting the community against malicious actors
I don't believe this to be true. The only thing that really helps against malicious actors are technical actions that can be taken by networks to prevent accepting any routes that are not good. RPKI might help and other options might exist or can be created in the future when there is a problem. A non-technical solution will not help in this situation.
Competent authorities to serve legal process to the party responsible for the resources
There are already legal options to get the relevant information and to contact the resource holder. No change for this is required to make it possible.
To reduce delays in serving legal process, avoid lost leads and evidence
A better option for this is to look into the legal process and try to speed that up in general. This doesn't help for it.
In short: I'm strongly against the policy.
Regards, Mark
-----Original Message----- From: ncc-services-wg [mailto:ncc-services-wg-bounces@ripe.net] On Behalf Of Marco Schmidt Sent: Thursday, September 27, 2018 15:11 To: ncc-services-wg@ripe.net Subject: [ncc-services-wg] 2018-05 New Policy Proposal (Publication of Legal Address of Internet Number Resource Holder)
Dear colleagues,
A new RIPE Policy proposal, 2018-05, "Publication of Legal Address of Internet Number Resource Holder", is now available for discussion.
The goal of the proposal is for the RIPE NCC to publish the validated legal address information of holders of Internet number resources.
You can find the full proposal at: https://www.ripe.net/participate/policies/proposals/2018-05
As per the RIPE Policy Development Process (PDP), the purpose of this four-week Discussion Phase is to discuss the proposal and provide feedback to the proposer.
At the end of the Discussion Phase, the proposer, with the agreement of the RIPE Working Group Chairs, decides how to proceed with the proposal.
We encourage you to review this proposal and send your comments to <ncc-services-wg@ripe.net> before 26 October 2018.
Kind regards,
Marco Schmidt Policy Officer RIPE NCC
Sent via RIPE Forum -- https://www.ripe.net/participate/mail/forum
*******************
DISCLAIMER : This message is sent in confidence and is only intended for the named recipient. If you receive this message by mistake, you may not use, copy, distribute or forward this message, or any part of its contents or rely upon the information contained in it. Please notify the sender immediately by e-mail and delete the relevant e-mails from any computer. This message does not constitute a commitment by Europol unless otherwise indicated.
******************* *******************
DISCLAIMER : This message is sent in confidence and is only intended for the named recipient. If you receive this message by mistake, you may not use, copy, distribute or forward this message, or any part of its contents or rely upon the information contained in it. Please notify the sender immediately by e-mail and delete the relevant e-mails from any computer. This message does not constitute a commitment by Europol unless otherwise indicated.
*******************