Hi Hans-Martin and Matthias

[I have merged both your emails into one to address all your points.]

Thanks guys for being the first people to start to address the
question I have been pushing, which is "Why" do we need to identify
resource holders? I had this in the back of my mind when I wrote the
policy proposal but I didn't want to be the one to say it. I was
hoping to hear it from other members of the community. Now we have it
on the table.

On Fri, 3 Jun 2022 at 10:29, Hans-Martin Mosner via anti-abuse-wg
<anti-abuse-wg@ripe.net> wrote:
>
> On 31.05.22 at 15:12, denis walker wrote:
> > Colleagues
> >
> > I have raised an issue on the DB WG mailing list about publishing in
> > the database the identity of natural persons holding resources.
>
> There are conflicting interests at work here. In your proposal, you mention 
> the need to contact resource owners, which
> is probably accepted by most.
>
> However, besides wanting to contact someone, there is a legitimate need to 
> identify bad actors and shun them with
> whatever means at your disposal (SpamAssassin rules, IP blocks, nullroutes, 
> whatever). I do not want to communicate with
> them, just as I don't want to discuss with burglars about their actions!

This is starting to explain reasons why we need to identify resource
holders, even natural persons.

>
> So, a mere contact database (which could contain fully anonymized forwarding 
> addresses through a "privacy provider",
> like it's nowadays common for whois entries) would work for the purpose of 
> contacting someone, but it does not work for
> identifying who can be held accountable for abuse emitted from a network 
> range.

I think there is general agreement that as long as a contact is
contactable there is no need to identify the natural persons operating
in that role.
Accountability, and any subsequent enforcement action, needs an
identity. This is the key element of why resource holders, even
natural persons, need to be identifiable. Further questions still need
to be answered like to what degree should they be identifiable, by
what means and to whom?

>
> For resources allocated to legal entities (companies, organizations, etc.) an 
> identification of the organization should
> be mandatory. This does not need to include personal data on employees that 
> happen to be responsible for network or
> abuse issues, I'm fine with role accounts here. So in this case, no objection 
> to eliminate personal data (which often
> becomes stale anyway after some years).

Again I think there is general agreement that for resource holders
that are NOT natural persons the name, address and legal country must
be included in the public data.

>
> However, resources allocated to private persons are a bit different. I 
> suppose very few private persons hold a /24
> network range, and if they do, they probably fall squarely in the area of 
> operating a business or other publicly visible
> enterprise under their personal name, and in many jurisdictions they are 
> required to do so with identifying information.
> For example, in Germany you can't even have a web page without an imprint 
> containing the names of people responsible for
> the content if you address the general public, and if you do business of any 
> kind and you're not a corporation, you must
> do so under your name.

There are far more natural persons holding resources than you think.
Looking at the membership list on the RIPE NCC's website, all the
members are listed and you can see the natural persons. It has been
argued that even if a natural person's details are listed on some
other public business register, that alone is not a reason to publish
those details in the RIPE Database.

So what personally identifiable info should we publish about a natural
person holding resources and what should we do with the rest of the
currently available public info? Would it be reasonable to publish the
name but not publish the (full) address publicly?

Now I looked back at a presentation made by EUROPOL at RIPE 73
https://ripe73.ripe.net/archives/video/1501/

They were very clear that the address of resource holders is also very
important to LEAs in their investigations. So I am going to make a
controversial suggestion here. Currently we have two categories of
registry data, Private and Public. The Public data is available to
LEAs and their use of it is covered by agreed purposes of the RIPE
Database defined in the Terms & Conditions. For Private data they need
to get a court order, which is an expensive and time consuming
process. Suppose we add a middle category Restricted data. This could
be data like the address of natural persons who hold resources. Data
that is now public but we are proposing to take out of the public
domain. We could allow LEAs (and maybe other recognised public safety
agencies) to continue to have access to this Restricted data without a
court order. (There are technical ways of doing this which are out of
scope for this discussion.)

I know a lot of people have ideological phobias about allowing the
police access to non-public data. They will be screaming at me right
now for this suggestion...'it's giving the police a back door entry',
'it's the thin end of the wedge', 'where will it stop'... I understand
those concerns. But I see allowing LEAs continued access to what is
now public data as different from giving LEAs access to private data
that they have never had access to in the past. It is a different
direction. There is a lot of abuse and criminal activity on the
internet. LEAs have a job to do. They need this data and often need it
quickly. But we also have privacy concerns. So we are now considering
taking out of the public domain some of that data that LEAs need. I
see this as a compromise to allow LEAs continued access to what is now
public data so they can do their job effectively, but also increase
general privacy by taking this bit of data out of the public domain.

>
> I suppose that RIPE operates mostly on the level of legal entities that can 
> be identified without naming individual
> persons. As such, it would be proper to clearly state that every database 
> entry pertaining to a resource allocated
> through RIPE must contain truthful and usable identifying information of the 
> resource holder. In German, that's
> "Ladungsfähige Anschrift" which was basically required to be an actual place 
> of presence, but it appears that "virtual
> office" providers have succeeded in letting their addresses count as 
> "Ladungsfähige Anschrift". I'm not a legal expert,
> I think this is wrong, but jurisprudence isn't always compatible with reason.
>
> Since RIPE isn't bound by German law, they may choose contractual wording 
> that provides reasonable value for all parties
> involved. If all identifying information is lost, the abusers have won, as 
> they have with domain whois already.

A situation we need to avoid.

>
>
On Fri, 3 Jun 2022 at 10:41, Matthias Merkel
<matthias.mer...@staclar.com> wrote:
>
> I agree that it must be possible to identify people who hold resources. Not 
> just for other network operators but also so that organizations such as law 
> enforcement are able to do so in emergency situations where contacting RIPE 
> could be too slow.

I hope my controversial compromise above will do that.

>
> It is worth noting however that there now is a relatively large number of 
> people operating networks as a hobby outside of any business activity.

Some people may consider spamming or hacking a hobby.

>
> At RIPE 84 I mentioned the possibility of publishing a name and city only and 
> having RIPE hold the full address. This would likely be enough to uniquely 
> identify a person (or at least a small number of potential people in a single 
> city that would be few enough for law enforcement to all check out) while not 
> publishing the full addresses of people who could be at risk for various 
> reasons. It would also be enough information to identify multiple objects 
> belonging to the same person, for example to block traffic from all of their 
> networks. The full address could still be obtained from RIPE with a court 
> order if required.

I think 'city' is too identifiable. If it is London, Paris, Berlin you
could get away with this. If it is a village or very small town you
will definitely identify people with that granularity. Perhaps a
county, region, province would work. But either way the database makes
no separation of address elements. All parts of an address are entered
into "address:" or "descr:" attributes. Separating them out would be
technically difficult.

cheers
denis
proposal author

>
> —
> Matthias Merkel
>
> --
>
> To unsubscribe from this mailing list, get a password reminder, or change 
> your subscription options, please visit: 
> https://lists.ripe.net/mailman/listinfo/anti-abuse-wg
