In message <CAPfiqjaU+3g5X0beHNsWMxHD=tWJ7gWcL2o-fR8F4tPjSSpqgA@mail.gmail.com>, Leo Vegoda <leo@vegoda.org> wrote:
On Mon, Aug 23, 2021 at 6:38 PM Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
Some long time ago, somebody (I can't remember who anymore) told me that "business information" given by a member to any RIR... which presumably included RIPE... was considered to be "confidential" and would not thereafter be shared by the RIR staff with any other or outside party.
Are you referring to this?
Well, yes and no, by which I mean "I can't even tell."

Here is section 3.1 of the above document:

3.1 Confidentiality

Internet Registries (IRs) have a duty of confidentiality to their registrants. Information passed to an IR must be securely stored and must not be distributed wider than necessary within the IR. When necessary, the information may be passed to a higher-level IR under the same conditions of confidentiality.

There are multiple reasons why the text above fails to answer my question.

*) The first sentence makes a quite sweeping and a quite generalized assertion and yet provides exactly -zero- references to support the assertion. From whence does this alleged "duty of confidentiality" arise? From law? If so, which law and in which jurisdiction? Or did this purported "duty" spring, fully formed, like Athena from the brow of Zeus?

*) Isn't the publication of WHOIS information a quite apparent and obvious violation of this purported "duty of confidentiality"? Or would that be more accurately referred to as "the exception that proves the rule"? Could there be other and as-yet unenumerated exceptions to the general rule?

*) Given that the title of the containing document is "IPv4 Address Allocation and Assignment Policies for the RIPE NCC Service Region" may it be safely inferred that this purported "duty of confidentiality" applies only to "Information passed to an IR" at a point in time when some member actually requests one or more IP Address Allocations, and thereafter? More specifically, does it apply to "Information passed to an IR" at some point in time *before* a member requests IP or other number resource allocations, e.g. at a point in time when a *prospective* member is applying for membership in RIPE?

My points above are, of course, pertaining only to information relating to legal entities other than natural persons, for whom GDPR is controlling.
I should say also that although some may view me as nitpicking, these matters are of grave and serious concern, not just to me, but also to law enforcement and "open source" researchers everywhere.

Regards,
rfg