On Tue, Aug 24, 2021 at 10:50 AM Ronald F. Guilmette <rfg@tristatelogic.com> wrote: [...]
3.1 Confidentiality
Internet Registries (IRs) have a duty of confidentiality to their registrants. Information passed to an IR must be securely stored and must not be distributed wider than necessary within the IR. When necessary, the information may be passed to a higher-level IR under the same conditions of confidentiality.
There are muliple reasons why the text above fails to answer my question.
*) The first sentence makes a quite sweeping and a quite generalized assertion and yet provides exactly -zero- references to support the assertion.
From whence does this alleged "duty of confidentiality" arise? From law? If so, which law and in which jurisdiction?
The earliest reference I have found is in ripe-104, from 1993. "IRs will keep records of correspondence and information exchanges in conjunction with the registry function for later review and the resolution of disputes. IRs will hold this information in strict confidence and use it only to review requests and in audit procedures or to resolve disputes." [...]
*) Isn't the publication of WHOIS information a quite apparent and obvious violation of this purported "duty of confidentiality"? Or whould that be more accurately referred to as "the exception that proves the rule"?
Could there be other and as-yet unenumerated exceptions to the general rule?
I have always understood that the confidentiality requirement was intended to apply to any business information supplied to justify an allocation of resources and not the outcome, which is published in the RIPE Database and elsewhere. I understood that the goal was to assure the businesses operating networks that chatty staff would not gossip about what those businesses planned but had not announced. If you believe there is a need to add clarity, you are welcome to start a discussion in the Address Policy WG. Kind regards, Leo Vegoda Address Policy WG co-chair