Subject: [ncc-services-wg] @EXT: RE: 2018-05 New Policy Proposal (Publication of Legal Address of Internet Number Resource Holder) Date: Wed, Oct 10, 2018 at 03:23:06PM +0000 Quoting Marcolla, Sara Veronica (Sara.Marcolla@europol.europa.eu):
Hi Erik,
I must disagree. Information about the location of legal incorporation of a company has nothing to do with the privacy of an individual as a natural person. I think we should be very clear on this. We have repeated across this mailing list several times now, this is why the amendment to the proposal was put up for discussion in the first place. I (personally) believe it is a very slippery slope to consider legal persons having the same rights as natural persons - but this is not the place to discuss this.
1. When the legal entity is a one-person or very small conpany, it under certain circumstances can be run as what is called "enskild firma" in Sweden. In effect, this is an individual, (that can have employees) taxed as a company, and as a person, where the VAT registration number is derived from the SSN. You can not separate the companmy from the person. If one goes bankrupt, so does the other. Et cetera. Putting this into the RIPEdb of all places is exposing the individual. Probably to a level that would make the NCC liable in any number of ways. Still, the data concerns a company. Of course, this can be dealt with by exceptions, but rules that need exceptions to even remotely work, are generally bad rules. 2. Today, the RIPEdb data needs independent verification. Anyway, because anyone can inject pretty much anything. And associate it to anything. (under their control) Since I control several objects in the RIPEdb, I can create a person entry for you, and associate you with my objects, making it look like you are responsible for my networks. At least at a level that would fool the casual onlooker. Trusting a directory that can not be trusted does not seem like a fantastic idea. 3. The only sensible path, as has been discussed, is to follow the money. You do not need every company in the RipeDB for that. Probably better to ask peeringdb where people make certain that their data is up to date so you can reach them with peering proposals. 4. Suggested route without useless data in RIPEdb: a. You have an IP adress. Look it up in BGP. b. Look up the AS you get from BGP in peeringdb. c. Find website with contact details. d. If no data in peeringdb, look in RIPE RIS for upstreams, get a warrant or ask kindly which of their customers is using the IP address. To get more specific data, that warrant should help. This can be done _today_ without any policy work from RIPE. Without furthering the police state. Without any privacy risks. But it does require competence and curiousness from the investigator. I hope this is not lacking, for then we're truly lost. -- Måns Nilsson primary/secondary/besserwisser/machina MN-1334-RIPE SA0XLR +46 705 989668 Are you selling NYLON OIL WELLS?? If so, we can use TWO DOZEN!!