Re: [ripe-list] [ncc-announce] [news] New RIPE NCC Ticketing System and Contact Form
Dear Matt,
I have a question regarding the new ticketing system.
Some days ago I sent an email and attached a file to my message. I received a receipt of ticket, then the NCC staff member replied to my question and I received a mail that contained the previous email content and a weblink to the file I attached before. The link was active and I was able to download the file. The link points to https://ripencc.zendesk.com/attachments/token/blablabla/?name=filename.
The problem I see is that ripencc.zendesk.com is a hostname on the server in a cloud, the network is assigned to an Irish company and it seems that the file storage is not under RIPE NCC's control. This hostname is not reachable over IPv6, but this is not the issue I wish to discuss now.
Can you clarify whether e-mail attachments/archives at RIPE NCC are stored at the third party servers? Do you think it is acceptable?
Thank you.
-- Kind regards, Sergey Myasoedov
On 1 Nov 2017, at 14:12, Matt Parker <mparker@ripe.net> wrote:
Dear Colleagues,
Today, the RIPE NCC launches its new ticketing system. There is a RIPE Labs article that explains the background behind this change at: https://labs.ripe.net/Members/AlexBand/ticketing-and-document-management-at-...
This change will mostly impact RIPE NCC staff and will not change how you deal with the RIPE NCC. You should still make requests for resources, transfers, company name changes, etc. through your LIR account via my.ripe.net.
All your questions and reports can be channeled through our new contact form, which combines the old contact and report form functionality. The new form also presents suggested content to users that can help to provide them with useful information. The form is available at: https://www.ripe.net/contact-form
Submissions made through the form will be ticketised and all documentation will be stored separately and securely in the RIPE NCC's Document Management System.
Please reply to the emails you receive to ensure your ticket is updated. You should add your replies to tickets at the top of your email and not reply "in line". Additional documentation can be submitted via the My Tickets functionality available to LIR account holders at: https://my.ripe.net/#/tickets
We have planned the migration to have as little impact as possible. If you do experience any delays in response during this period, please bear with us. And if you have any questions, please let me know.
Best regards,
Matt Parker
Business Analyst - Product Management
RIPE NCC
Dear Sergey,
Thank you for your message.
Yes, email attachments sent to RIPE NCC support addresses are stored on third-party servers provided by Zendesk. This was considered very carefully by the RIPE NCC before moving to a cloud-based ticketing system. Specific software and procedures have been put in place to ensure that sensitive/confidential documentation is handled appropriately.
All support requests (membership applications, resource requests, mergers, transfers, name changes, etc.) are submitted to the RIPE NCC via 'request forms' in the LIR Portal. Any supporting documentation submitted as part of these requests is immediately offloaded to a local document management system. None of this documentation is stored on third-party servers.
If the RIPE NCC needs any additional supporting documentation they will encourage the user to submit this via the 'My Tickets' functionality in the LIR Portal or via a unique generated link. Both methods ensure that the documentation is immediately offloaded to a local document management system.
You can read more about this in the following RIPE Labs article: https://labs.ripe.net/Members/AlexBand/ticketing-and-document-management-at-...
Finally, if a user submits unsolicited email attachments that are deemed to be sensitive/confidential in nature, the RIPE NCC is able to redact these documents, removing them completely from any third-party servers.
Kind regards,
Matt
-----
Matt Parker
Business Analyst - Product Management
RIPE Network Coordination Center
On 26/02/2018 18:32, sergey@devnull.ru wrote:
Dear Matt,
I have a question regarding the new ticketing system.
Some days ago I sent an email and attached a file to my message. I received a receipt of ticket, then the NCC staff member replied to my question and I received a mail that contained the previous email content and a weblink to the file I attached before. The link was active and I was able to download the file. The link points to https://ripencc.zendesk.com/attachments/token/blablabla/?name=filename.
The problem I see is that ripencc.zendesk.com is a hostname on the server in a cloud, the network is assigned to an Irish company and it seems that the file storage is not under RIPE NCC's control. This hostname is not reachable over IPv6, but this is not the issue I wish to discuss now.
Can you clarify whether e-mail attachments/archives at RIPE NCC are stored at the third party servers? Do you think it is acceptable?
Thank you.
-- Kind regards, Sergey Myasoedov
On 27 Feb 2018, at 15:47, Matt Parker <mparker@ripe.net> wrote:
if a user submits unsolicited email attachments that are deemed to be sensitive/confidential in nature, the RIPE NCC is able to redact these documents, removing them completely from any third-party servers.
Matt, this misses the point completely. IMO, nothing member-related should be getting stored or processed on third-party services. Ever. [Well, OK encrypted backups can be held off-site by a reputable provider.]
What happens when $cloud-provider-du-jour goes bust or changes its T&Cs (all your data are belong to us) or does stuff to that data unknown to either the NCC or the member? Will it be possible to switch providers or bring it back in-house once the NCC finds out it’s been locked in?
At the very least, there should have been a considered discussion about this in the NCC services WG (and the GM) before a decision was taken.
Some stuff in Zendesk’s privacy policy is downright alarming:
"Our Websites may contain links to other websites and the information practices and the content of such other websites are governed by the privacy statements of such other websites. We encourage you to review the privacy statements of any such other websites to understand their information practices."
"We and our authorized partners may use cookies and other information gathering technologies for a variety of purposes."
"Third parties with whom we partner to provide certain features on our Websites or to display advertising based upon your Web browsing activity."
"We collect analytics information..... We may also share anonymous data about your actions on our Websites with third-party service providers of analytics services."
"We may use the information we collect about you (including personal information, to the extent applicable) for a variety of purposes, including to ... (e) send promotional communications, such as providing you with information about products and services, features, surveys, newsletters, offers, promotions, contests, and events; and provide other news or information about us and our partners. ... (f) process and deliver contest or sweepstakes entries and rewards; (g) monitor and analyze trends, usage, and activities in connection with the Websites and Services and for marketing or advertising purposes; ... (i) personalize the Websites and Services, including by providing features or advertisements that match your interests and preferences"
"We may also obtain other information, including personal information, from third parties and combine that with information we collect through our Websites. For example, we may have access to certain information from a third party social media or authentication service if you log into our Services through such a service or otherwise provide us with access to information from the service."
"We share information, including personal information, with our third-party service providers"
I can’t imagine why anyone would sign up to this or think it was culturally compatible with the membership and RIPE community. I wonder too how this US company intends to comply with GDPR.
I am saddened that the NCC does not appear to have learned from past mistakes. Some years ago, the NCC tried to use some (here today gone tomorrow?) third-party Web2.0 cloud thing or other for storing and presenting RIPE meeting materials. There was no prior consultation. IIRC it turned out the provider asserted copyright/IPR over anything that was uploaded to their systems. They also imposed other conditions which would have made it impossible for some speakers to provide content.
A quick search would show zendesk is GDPR compliant
https://www.zendesk.com/company/customers-partners/eu-data-protection/#gdpr-...
Sent from the road while on tour
On Feb 27, 2018 12:57, "Jim Reid" <jim@rfc1035.com> wrote:
On 27 Feb 2018, at 15:47, Matt Parker <mparker@ripe.net> wrote:
if a user submits unsolicited email attachments that are deemed to be sensitive/confidential in nature, the RIPE NCC is able to redact these documents, removing them completely from any third-party servers.
Matt, this misses the point completely. IMO, nothing member-related should be getting stored or processed on third-party services. Ever. [Well, OK encrypted backups can be held off-site by a reputable provider.]
What happens when $cloud-provider-du-jour goes bust or changes its T&Cs (all your data are belong to us) or does stuff to that data unknown to either the NCC or the member? Will it be possible to switch providers or bring it back in-house once the NCC finds out it’s been locked in?
At the very least, there should have been a considered discussion about this in the NCC services WG (and the GM) before a decision was taken.
Some stuff in Zendesk’s privacy policy is downright alarming:
"Our Websites may contain links to other websites and the information practices and the content of such other websites are governed by the privacy statements of such other websites. We encourage you to review the privacy statements of any such other websites to understand their information practices."
"We and our authorized partners may use cookies and other information gathering technologies for a variety of purposes."
"Third parties with whom we partner to provide certain features on our Websites or to display advertising based upon your Web browsing activity."
"We collect analytics information..... We may also share anonymous data about your actions on our Websites with third-party service providers of analytics services."
"We may use the information we collect about you (including personal information, to the extent applicable) for a variety of purposes, including to ... (e) send promotional communications, such as providing you with information about products and services, features, surveys, newsletters, offers, promotions, contests, and events; and provide other news or information about us and our partners. ... (f) process and deliver contest or sweepstakes entries and rewards; (g) monitor and analyze trends, usage, and activities in connection with the Websites and Services and for marketing or advertising purposes; ... (i) personalize the Websites and Services, including by providing features or advertisements that match your interests and preferences"
"We may also obtain other information, including personal information, from third parties and combine that with information we collect through our Websites. For example, we may have access to certain information from a third party social media or authentication service if you log into our Services through such a service or otherwise provide us with access to information from the service."
"We share information, including personal information, with our third-party service providers"
I can’t imagine why anyone would sign up to this or think it was culturally compatible with the membership and RIPE community. I wonder too how this US company intends to comply with GDPR.
I am saddened that the NCC does not appear to have learned from past mistakes. Some years ago, the NCC tried to use some (here today gone tomorrow?) third-party Web2.0 cloud thing or other for storing and presenting RIPE meeting materials. There was no prior consultation. IIRC it turned out the provider asserted copyright/IPR over anything that was uploaded to their systems. They also imposed other conditions which would have made it impossible for some speakers to provide content.
On 27 Feb 2018, at 22:29, Leslie <geekgirl@gmail.com> wrote:
A quick search would show zendesk is GDPR compliant
Thanks Leslie. FWIW I ran away in disgust after reading the so-called privacy policy.
On 28 February 2018 at 00:25, Jim Reid <jim@rfc1035.com> wrote:
On 27 Feb 2018, at 22:29, Leslie <geekgirl@gmail.com> wrote:
A quick search would show zendesk is GDPR compliant
Thanks Leslie. FWIW I ran away in disgust after reading the so-called privacy policy.
It would be far more constructive if you could share what is not appropriate in the privacy policy and why.
--
Sincerely,
Hans Petter Holen - hph@oslo.net - +47 45066054
On 28 Feb 2018, at 08:57, Hans Petter Holen <hph@oslo.net> wrote:
It would be far more constructive if you could share what is not appropriate in the privacy policy and why.
Hans Petter, I thought I’d already done that by quoting extracts from that policy.
In short, you are fodder for our marketroids (and those of our unnamed partners). We’ll use tracking cookies so advertisers can monitor you. We will spam you too. Oh and you agree your personal data will be thrown over the wall to unknown third parties. Have a nice day. [I lied about the last bit. :-)]
NCC services and the NCC should not be party to any of that. I’m surprised this needs to be explained.
Aside from that, I made a much more important point about outsourcing important functions to the cloud: what happens when the provider goes bust or changes their T&Cs or achieves lock-in?
Dear Jim and all,
We took the decision to move to a third party specialising in ticketing systems rather than continue to update our in-house system. This was to accommodate growing needs for efficiency and functionality. We needed a more resilient system that would meet the needs of our 18,000-strong membership.
We ask members not to attach privacy-related documentation and instead to submit it via secure RIPE NCC processes, i.e. the request forms available through their LIR account or via the contact form on the RIPE NCC website. By following these procedures, all documentation is stored securely on RIPE NCC servers. If sensitive personal information is attached to an email, we delete that information from Zendesk once the information is moved to RIPE NCC servers.
We also made members aware of these changes well in advance of starting to use Zendesk: https://www.ripe.net/ripe/mail/archives/ncc-announce/2017-August/001189.html
As was noted, Zendesk guarantees that it is GDPR-compliant and the services we use are located by contract on servers in the EU. This in itself mitigates some of the concerns that have been raised.
Zendesk is a well-established provider of these services, and we believe that their solution is likely to be maintained. And although we believe the likelihood of this company failing to meet our needs in future is very small, we have considered the risk and believe we can make any changes to our processes that scenario would require.
We'd like to note that the quoted sections of Zendesk's privacy policy refer to activities that take place on their website. The RIPE NCC mitigated these concerns by choosing not to use these elements of the Zendesk solution.
We can continue the discussion at the RIPE NCC Services WG in Marseilles in May and we are happy to take feedback on our approach.
Best regards,
Andrew de la Haye
Chief Operations Officer
RIPE NCC
On 28/02/2018 10:40, Jim Reid wrote:
On 28 Feb 2018, at 08:57, Hans Petter Holen <hph@oslo.net> wrote:
It would be far more constructive if you could share what is not appropriate in the privacy policy and why.
Hans Petter, I thought I’d already done that by quoting extracts from that policy.
In short, you are fodder for our marketroids (and those of our unnamed partners). We’ll use tracking cookies so advertisers can monitor you. We will spam you too. Oh and you agree your personal data will be thrown over the wall to unknown third parties. Have a nice day. [I lied about the last bit. :-)]
NCC services and the NCC should not be party to any of that. I’m surprised this needs to be explained.
Aside from that, I made a much more important point about outsourcing important functions to the cloud: what happens when the provider goes bust or changes their T&Cs or achieves lock-in?
Speaking about privacy, the progress nowadays has made some step forward; https://figleafapp.com/blog/perspectives/when-privacy-is-a-choice-humanity-i... article makes some statements about possible steps towards privacy in the internet when working with personal data processing. Some startups are doing great in this field.
Sent via RIPE Forum -- https://www.ripe.net/participate/mail/forum
participants (7)
- Andrew de la Haye
- Hans Petter Holen
- Jim Reid
- Leslie
- Lyle Simmons
- Matt Parker
- sergey@devnull.ru