Hi Sascha, 

I believe there is a bit of confusion on the scope of the proposal in relation to individuals. It is my understanding (also based on the implementation of GDPR at RIPE) that the large majority of resources is composed by companies, which are not subject to the protection of their personal data because, of course, they are not people. It is absolutely true instead that the safeguards put in place by GDPR and other national regulations will be protecting the fundamental rights of those individuals who are in the scope of this policy. I hope to have clarified this!

Indeed, the policy is not interested in pointing to a location the network management or any technical team of any sort. The aim of this policy is to have an address where a company is registered legally, so to have a juridical location reference in all those cases where the necessity of serving a legal order or engaging in any kind of non purely technical interaction is needed. 

A legally registered company is less likely to be a fraud, or criminal. Most countries publish a record of legal entities and companies that anybody can consult, and it helps citizens not to fall victim to fraudsters.

Competent authorities will be facilitated by the existence of such record as if a competent authority has to serve a legal order, or send an official letter, with this DB entry it will be easier and faster to know to which country (and to which legal system). Sending official requests cross border is not as straightforward, and having one specific address to address instead of surfing through several possible addresses is indeed a better use of everyone’s resources. 

I hope to have addressed your main concerns, and that we can continue this fruitful discussion. For the political considerations you make, I believe this is not the correct forum - the mention here is to the life-saving dialysis process needed to clean up blood from toxins.

Kind regards,
Sara Marcolla

Typed with a very tiny keyboard, these mistakes can occur

From: Sascha Luck [ml] <lists-ripe@c4inet.net>
Date: Thursday, 27 Sep 2018, 4:29 PM
To: ncc-services-wg@ripe.net <ncc-services-wg@ripe.net>
Subject: Re: [ncc-services-wg] 2018-05 New Policy Proposal (Publication of Legal Address of Internet Number Resource Holder)


All,

On Thu, Sep 27, 2018 at 03:10:46PM +0200, Marco Schmidt wrote:
> Dear colleagues,
> A new RIPE Policy proposal, 2018-05, "Publication of Legal Address of
> Internet Number Resource Holder", is now available for discussion.

I really wish these announcements included the text of the
proposal to make it easier to address it without having to
copy&paste the meat of the proposal into the response.

as for the proposal:
       
- this proposal ignores completely the fact that not all
  resource holders are companies.

- publishing the "legal" address details of natural persons
  likely conflicts with the GDPR for the EU and quite possibly
  with national data protection regs in the non-EU service region.

- The "legal registered address" of a company will only rarely
  have anything to do with the location of their network
  management. In fact it often is no more than a lawyer's or
  accountant's office. This is even more true where a business has
  many locations for network administration.

I'll address arguments as they pertain to legal persons
exclusively below as I think the civil rights of *natural* persons
override any and all arguments you could make here.

specific arguments:

> To make it more difficult for malicious actors to hijack block of
> IP addresses and therefore play a preventive role in protecting
> the community against malicious actors;

Please provide reasoning how this would be achieved. I see no
logical route to this assertion.

> Assisting businesses, consumer groups, healthcare organizations
> and other organisations combating fraud (some of which have
> mandates to electronically save records) to comply with relevant
> legal and public safety safeguards;

Please provide exactly which legal requirements and public
safeguards require a central, PUBLIC, database of all resource
holder address details.

> Competent authorities to serve legal process to the party
> responsible for the resources;

Competent authorities already have a route to this information
via the RIPE NCC or via national companies' reg offices.

> To reduce delays in serving legal process, avoiding lost leads
> and evidence.

"Delays" such as having to procure a warrant for this data or
having to look a business up in the national companies' office
databases?

> The RIPE Database is made for technical troubleshooting and not
> for legal purposes.
> Counter-argument: In the wake of large-scale cyber incidents,
> there is a strong need to enhance cross-border cooperation
> related to preparedness. Responding to cybersecurity incidents
> may take many forms, ranging from identifying technical measures
> which may entail two or more entities jointly investigating the
> technical causes of the incident (e.g. malware analysis) or
> identifying ways through which organisations may assess whether
> they have been affected (e.g. indicators of compromise), to
> operational decisions on applying such measures and, ultimately,
> to be able to reach out across different jurisdictions in a fast
> fashion. Every national registry has different rules, languages
> and formats. The availability of the data clustered in one DB
> with one format will help for troubleshooting.

Again, I cannot see the logic behind the assertion that a PUBLIC
database of legal registered company addresses, insofar as it
doesn't already exist in most jurisdictions, solves any problem
related to technical troubleshooting. I'm sure in only the
tiniest minority of cases will the lawyer or company secretary
this address points to be able to, or even know whom to
ask for, help with technical troubleshooting.

> The information will become out of date if the RIPE NCC can't
> ensure current accuracy.
> Counter-argument: Information is the lifeblood of organisations
> such as the RIPE NCC. Impure data is like impure blood – not
> good for the system. The quality of data held in IT systems will
> deteriorate unless steps are taken to maintain its accuracy and
> consistency.

This is not an argument, it is merely a re-statement of the
position that data quality is important. Also, while everyone who
knows me will know that I am the last person to demand political
correctness in debate; I do question the need for the language
and rhetoric of "Mein Kampf" in a policy proposal.

> Therefore, it is of utmost importance to keep data qualitatively
> accurate.  Poor data quality can lead to organisations taking
> decisions based on inaccurate or out-of-date information,
> potentially with expensive consequences.

see above, not an argument, just restatement.

> The achievements don't justify the needed efforts/costs.
> Counter-argument: Network and information systems and services
> play a vital role in society. Their reliability and security are
> essential to economic and societal activities and in particular
> to the functioning of modern societies and economies. A culture
> of security is being shared across sectors which are vital for
> our economy and society and will have to comply with the security
> and notification requirements being discussed in the RIPE NCC
> service region.

Again, the "counter-argument" is a boiler-plate political statement
and does not address the effort/cost argument against.

For the avoidance of doubt, the above constitutes opposition to
this proposal.

Kind Regards,
Sascha Luck

> We encourage you to review this proposal and send your comments to
> <ncc-services-wg@ripe.net> before 26 October 2018.

Hereby done.



