[address-policy-wg] @EXT: RE: URGENT 2023-04 Review Phase (Add AGGREGATED-BY-LIR status for IPv4 PA assignments)

Dear partners and chairs of the Address policy working group of RIPE,

Please find more clarifications from EUROPOL and Law enforcement agencies, about how the 2023-04 measure would impact the capacity of investigators in identifying cybercriminals.

First, I would inform you that we had to open a large consultation with various European services and EU authorities, cybersecurity authorities, that indeed showed an interest on the measure. It has taken some time to collect inputs, …of course. 
While we worked on providing concrete inputs as much as possible, we coped with some limits, as we cannot share some information that are under the secrecy of law or judicial cases, we cannot share information in public/open access that could in the end, inform cybercriminals on how countering our activities,….
and as a last point, omniscient statistics do not exist anywhere… Thank you for considering it. 

Having said that , lets jump with the points...   

In our assessment, the 2023-04 measure would impact at 2 levels.

The first level of impact is that it would complicate the process to access the information. 

Some European services have confirmed they do use on daily basis, the RIPE data basis to get directly the end user information. It is an easy access for them. They also use support-tools whose results would be weakened through the new configuration. 

At national level, capacities would be preserved in some extend for some services, but would it would become heavier, as court order would become systematic. 

At International level, identification of IPs would become far more complicated on digital investigations (from some general assessment, about 80% of investigations have a digital dimension now !),…and especially  on cyber cases.... 
Most of investigations rely on a swift IP identification, that may involve external LIRs  and various ISPs that regularly give an IP to others.. An European service gave me the example of a Child sexual abuse material case : an investigator would have to send a mutual legal agreement request to a LIR, to receive as an answer, 4-6 months later, that the IP is handled by an ISP (sometimes in the same country as the investigator)..we will here lose time, with less capacity in the end to identify victims, accomplices, perpetrators, (because of some data retention limits in many countries)…  
on this situation, it would be for the best interest of all parties if for example, a measure would ensure that, "in any case, LIRs and ISPs that transfer/give any IP or IP block to another legal entity, must declare this information to the RIPE database".

It would  also become more time consuming in getting the identification, meaning less cases processed by investigators. Judicial proceeding has got more and more complex for many reasons, and the new measure would not help the daily job.
The capacity of investigation services is asymmetric with the large volumes of ransomwares attacks, online scams, child sexual abuses materials sharing,…

In the end, the new measure could foster by design, a “bullet proof hosting” like-situation. Here is a point to be also considered.
RIPE covers not only the European Union, but also other countries outside the EU. The cooperation level with these countries may vary in a large extend and across time. With some of them, getting a swift answer on the sole court order is not an option, and it may be the most uncertain/long with a mutual legal agreement request. 
Here again, it would loudly impact us,...as the location of some of these countries are regularly used in a consequent number cyberattacks.
Some will say that criminals have not waited for anybody to use bullet proof hosting capacities,…yes,….but we consider that a measure that may hide their mistakes, clearly does not help us, ....but them…. 

International cooperation relies on processes, that are still largely humanly tailored by legal authorities (not automatized), linked with sovereignty, respect of fundamental laws and rights, safeguards. …I believe we all respect that,…
but it means consequences on the way the global flow of judicial cooperation may work and some balance is needed in maintaining some efficiency in the processes.  

The second level of impact would be linked with the quality of the data hosted in an aggregated environment.  

“Aggregating multiple IPv4 End User assignments that have consistent contact information and purpose into a single database object” : which impact on cross-matching the information of IPV4…???

IPV4 identification is far more challenging than IPV6 one....the matter has become well identified... 

From our assessment, the measure would impact the granularity of the data, as already said. Through aggregating assignments, it will have as a consequence, the loss of various end users details, preventing cross-matching efforts by investigators, that are essential. 
While individual assignments offer specific and detailed information about each IP address's usage, aggregated data may obscure such details, potentially complicating investigations that rely on precise IP address information. 
In the end, the less detailed information will, either require additional steps or inquiries to ascertain the specifics of an IP address's usage, potentially delaying investigative processes….either identification may not be possible as it was previously…

To give you an idea of the extend of impact, Lets’ take the example of the CGN-NAT matter. The mutualisation of IPV4 addresses, is here fully considered as a big challenge for investigation. 
EUROPOL has worked for long on that, especially on this CGN-NAT matter that raises a similar question as the 2023-4 proposal. various reports are publicly available online (IOCTA, or other publications)
CGN-NAT configuration greatly helps criminals to get anonymous as the ISP cannot locate the subscriber. Numerous cases have been reported by investigators. 
Europol met this challenge in important operations, covering for example cases of traffic of arms, or child sexual exploitation (CSAM sharing forum with 62000 members, 10 children victims)

in big cases, we may have to process hundreds of IPV4, sometimes thousands in the biggest ones : because of aggregation, we may lose some cross matching/identification opportunities that are essential to solve a case.

As an example, on some big cases, the CGN use impacted up to 70% of identifications of perpetrators or accomplices. we observe that the 2023-4 proposal could generate a similar “fog” with the same extend of impact.  

The CGN-NAT is so hampering that in answer, some EU countries had to limit the number of subscribers per IP.

As another point, the measure observe some inconsistencies in Registration Practices: it acknowledges that some LIRs already apply exceptions to the current policy, leading to inconsistencies in how IPv4 addresses are registered.
This inconsistency can pose challenges for law enforcement in tracking and mapping IP addresses to specific users or activities, as the registration practices may not be uniform across different LIRs. However, standardisation should not mean further weaken the quality of data.

The expected decreased granularity of the data would raise a question in the context of the EU NIS2 DIRECTIVE, that aims to provide an improved quality of the data available for cybersecurity/legal needs. 
NIS2 covers identification of DNS, but it would be paradox that while we are progressing on the identification of DNS, we may decrease on identification of IPs,… 
It is right that so far, EU regulatory efforts have focused on the DNS identification need rather than the IP one, as DNS matter was clearly identified as a urgent need, after the evolution linked with GDPR.
the 2023-4 proposal would raise indeed a new concern...

To our assessment, ensuring reliable registration requirements for end user contact information (providing the necessary information, without any drafting interpretation) remains here essential to prevent progressive anonymization/losses of data. 
The way, each ISP will aggregate its data, is a real and complex question, with huge potential impact on investigations. In deep analysis, we still consider that there is a risk of progressive anonymization of data of end users information, with the 2023-4 proposal...

For these reasons, the 2023-4 proposal remains at EU level, a matter of concerns and question.
As such, it could practically result in being a technical evolution hampering in practice the legal obligation (in many countries) for ISPs to identify end user subscriber information, ....as long as it cannot be proved that the previous identification granularity is maintained. 

I hope that these information will help you on better understanding our concern. 
we do understand the business need, however the support of private partners is essential for us on protecting people. 

Thanks for your cooperation

Regards
Emmanuel Kessler



-----Original Message-----
From: Leo Vegoda <leo at vegoda.org>
Sent: 17 January 2024 18:01
To: Kessler, Emmanuel <Emmanuel.Kessler at europol.europa.eu>
Cc: address-policy-wg at ripe.net; Šileris, Edvardas <Edvardas.Sileris at europol.europa.eu>; BAUER-BULST Cathrin <Cathrin.BAUER-BULST at ec.europa.eu>; Tore Anderson <tore at fud.no>; Azofra Martínez, Álvaro <Alvaro.Azofra-Martinez at europol.europa.eu>; Frank Breedijk <f.breedijk at divd.nl>; Maria Stafyla <mstafyla at ripe.net>
Subject: Re: [address-policy-wg] @EXT: RE: 2023-04 Review Phase (Add AGGREGATED-BY-LIR status for IPv4 PA assignments)



This email originated from outside Europol. Do not click links or open attachments unless you recognize the sender and know the content is safe.
The external address that sent the message is: leo at vegoda.org


Dear Emmanuel Kessler,

It would help the co-chairs tremendously if your arguments gave some specific numbers or other details. We are aware of your concerns but phrases like "large potential impact" are vague.

Kind regards,

Leo Vegoda, for the Address Policy WG co-chairs

On Mon, 15 Jan 2024 at 02:32, Kessler, Emmanuel <Emmanuel.Kessler at europol.europa.eu> wrote:
>
> Dear all,
>
> we keep analysing the possible consequences of the measure on our LEA 
> capacity to identify IPV4 It takes time as it interests various EU official partners and Law enforcement services, ...thanks for your understanding.
>
> We still identify two issues in the measure
>
> - about the process to access to data : as ending the direct access at RIPE level, it will not ease the work for some investigators who uses it as a convenient tool, although accessing the data at LIR level still remains partly an option.
>
> - about the granularity of the data as aggregated, and we think there is here a very strong question, with a large potential impact.
>
> As you know, EUROPOL has worked for years on the CGN-NAT challenge on IPV4, advocating for limiting this mutualisation of IPV4 addresses that regularly hampers investigation capacities.
> we observe the aggregation measure as having a real negative impact on the granularity of the answers that will be collected.
> it is also linked with internal practices in the companies that remain various...we know that.
> Situation with IPV4 is different than the one with IPV6.
> Consequently, we keep all our reserve about the proposal that raises concerns amongst many colleagues.
>
> We fully understand the code of conduct in RIPE debate, and still appreciate good discussion with constructive and realistic people...
> However, getting all the truth of the situation requires contradictory debate that can progress through the exchange of still more detailed explanations,....
> As the matter is of real importance, we hope that the measure would not be adopted without this clarification with all opinions/arguments around the table,...
>
> We would be also in favour of postponing the deadline of the debate, to take time to exchange and check all the explanations as necessary.
>
> Thank you for your exchange and cooperation
>
> Regards
>
> Emmanuel Kessler
> European Cybercrime centre
> EUROPOL
>
> -----Original Message-----
> From: denis walker <ripedenis at gmail.com>
> Sent: 11 January 2024 03:21
> To: Tore Anderson <tore at fud.no>; Maria Stafyla <mstafyla at ripe.net>
> Cc: Jan Ingvoldstad <frettled at gmail.com>; address-policy-wg at ripe.net; 
> Frank Breedijk <f.breedijk at divd.nl>; Kessler, Emmanuel 
> <Emmanuel.Kessler at europol.europa.eu>
> Subject: Re: [address-policy-wg] 2023-04 Review Phase (Add 
> AGGREGATED-BY-LIR status for IPv4 PA assignments)
>
>
>
> This email originated from outside Europol. Do not click links or open attachments unless you recognize the sender and know the content is safe.
> The external address that sent the message is: denis1 at gmail.com
>
>
> Hi Tore and others
>
> On Wed, 10 Jan 2024 at 13:02, Tore Anderson <tore at fud.no> wrote:
> >
> > Hello again Jan,
> >
> > On 10/01/24 11:25, Jan Ingvoldstad wrote:
> > > Basically, any public company register would be illegal according 
> > > to the interpretation you lean on here.
> >
> > Public company registries also need a lawful basis for processing. 
> > The Norwegian public company registry, for example, uses the lawful 
> > basis «exercise of official authority» – Article 6(1)(e) GDPR – as 
> > its lawful basis, see https://www.brreg.no/en/privacy-statement/. I 
> > would assume that to be the case in most other countries as well.
> >
> > (Most) LIRs are not official authorities, so unlike public company 
> > registries LIRs cannot use this lawful basis for publishing PII in 
> > the RIPE Database.
>
> As I explained in the previous email, you only quoted half the GDPR 
> condition here. It actually says,
> (e) processing is necessary for the performance of a task carried out 
> in the public interest or in the exercise of official authority vested 
> in the controller; As I also pointed out, during the discussion of 
> 2022-01 (privacy) 
> https://www.ripe.net/ripe/mail/archives/db-wg/2022-October/007630.html
> it was accepted that there is a 'public interest' basis here.
>
> >
> > In any case, all of this is rather off-topic. 2023-04 does not 
> > change the legal obligations on the LIRs relating to the publication 
> > of End User contact information,
>
> It does not matter how many times you repeat this, it is still NOT true. You remove the line When an End User has a network using public address space this must be registered separately with the contact details of the End User.
> Removing this line DOES change the LIR's obligations relating to the publication of End User contact information. No matter how many times you repeat this false information I will repeat the reply.
>
>
>  nor does it change the RIPE Database Terms and
> > Conditions. If you want to publish PII in the RIPE Database, you 
> > need a lawful basis. That's true today, and that will continue to be 
> > true if
> > 2023-04 passes.
> >
> >
> > > Or you could take the other stance and stop publishing *any* 
> > > contact details regarding an object, because you cannot know 
> > > whether the information is personal data or not.
> >
> > Exactly. LIRs may (but are not required to) chose this approach 
> > already *today*. This is a common and long-standing practice which 
> > the RIPE NCC has repeatedly clarified as compliant with today's policy.
>
> This is one of your biggest false statements. The ONLY person repeatedly saying this is YOU. Let's do a fact check here. You asked a question to the RIPE NCC about publishing End User contact details in an assignment object. The RIPE NCC PDO, policy officer Angela, consulted with registration services and made a reply. She confirmed, once, it is compliant with current policy to not publish the End User contact details. I have disputed that by quoting the famous line (which you want to remove):
> 'When an End User has a network using public address space this must be registered separately with the contact details of the End User.'
> I have provided a mountain of supporting evidence that the RIPE NCC's interpretation of this statement is incorrect. Angela's one time answer was incorrect. Since then the RIPE NCC has said exactly NOTHING. No one from registration services has come to this list and expanded, qualified or explained their one time response. But since then you have endlessly repeated that one time response from the RIPE NCC. You have claimed so many times that the RIPE NCC has repeated this many times. That is NOT true. Please STOP saying what is NOT TRUE. It was said once by the RIPE NCC and then disputed. You are still hiding behind this false premise.
>
> >
> > It will continue to be compliant with the policy after 2023-04 
> > passes, as well. Thus, 2023-04 effects no change on the LIRs' 
> > obligations in this regard.
>
> It has a massive change on the LIR's obligations, by removing a line of text from the current policy, which you have admitted yourself does not need to be removed for your aggregation proposal. You keep repeating that this change has no real, practical impact, so don't remove it. Then we can all get on with our lives.
>
> >
> >
> > > I think that because the WG discussion has almost exclusively 
> > > revolved around this alleged changing of policy requirements to 
> > > publish End User contact information (which may or may not be 
> > > PII), it is easy to lose track of what this proposal is *actually* 
> > > all about. We are talking about two different things:
> > >
> > >     1) The actual intention behind the proposal: Making it possible to
> > >     aggregate multiple IPv4 End User assignments that have consistent
> > >     contact information and purpose into a single database object.
> > >     This is not possible today, and that is what we want to make that
> > >     possible, in the same way it is already possible in IPv6.
>
> Then limit the proposal to exactly this!!!
>
> > >
> > >     2) The *alleged* change to what kind of End User contact
> > >     information is required to be published in the RIPE database. We
> > >     have never had any intention of changing this in any way, and the
> > >     Impact Analysis and other statements from the RIPE NCC confirm
> > >     that the proposal does not change it either.
>
> This is total madness. You keep saying you have no intention of changing anything else. You keep saying the wording change actually changes nothing in practice. Some other people don't agree with you.
> Just don't change wording that you claim changes NOTHING and has nothing to do with aggregation and everyone is happy. The fact that you are pushing so hard to make this wording change, you refuse to back down or compromise, you insist on changing wording that changes nothing and has nothing to do with aggregation...proves that you don't believe that yourself. The fact is, I suspect that this is the real change you want. You want to drop the current policy requirement to define assignments with End User contacts. It is the aggregation that is the side issue here. There is no other explanation for why you are insisting so strongly on changing wording that changes nothing.
>
> > >
> > >     In short: 1) is an intentional and desired change from today,
> > >     while 2) is *not* a change from today – intentionally so.
> > >
> > > This (regarding item 2) is simply not true. Any change in text *is 
> > > a change*.
> >
> > We are not making the claim that the policy text does not change. 
> > That it clearly does – in order to achieve the desired change 
> > described in item 1 above.
> >
> > We are however claiming that the *meanings* of the old and the new 
> > policy texts are exactly the same, with regards to how they 
> > translate into operational procedures and requirements for the 
> > publication of End User contact information (item 2).
>
> You must think that WE are the crazy people. You cannot remove the line 'When an End User has a network using public address space this must be registered separately with the contact details of the End User.'
> and then say the meaning is exactly the same. I know it is a common tactic now, especially in politics, to keep repeating mis-information that makes no sense over and over again, refusing to listen to objections, until a mass of people start to believe your mis-information. I am one of those free thinkers who doesn't go with the masses. I will keep pointing out the mis-information here.
>
> >
> > As the RIPE NCC writes in the Impact Analysis (emphasis added):
> >
> >      «Acceptance of this proposal **will not change** the fact that 
> > the RIPE NCC cannot enforce which contact details members add to 
> > their
> > IPv4 PA assignments in the RIPE Database; this **will remain** their 
> > decision.»
> >
> > So, once again: which End User contact details LIRs publish (if any) 
> > is their decision today, and it will be continue to be their 
> > decision if
> > 2023-04 passes. Hence, 2023-04 does not effect any change in this regard.
>
> This really does make me cry. The wording in the IA is poor. You have applied an interpretation to this which I do not believe is what was meant. Then the RIPE NCC legal team has remained silent. So I am asking the RIPE NCC legal team to clearly explain what they meant by this wording. Is the legal team actually saying here that the RIPE NCC cannot enforce RIPE policy? The current policy is clear on the 'type'
> of contact details. That 'line' says an assignment MUST include an End User contact. It is true the policy does not say the LIR must add Person A as the contact rather than Person B. So in this context the RIPE NCC cannot enforce which (Person A or B) contact details members add to their IPv4 PA assignments. The choice of Person A or Person B will remain the LIR's decision. But when the policy says an assignment MUST include 'an' End User contact, the RIPE NCC can and should enforce that 'a' contact for the End User is added. So I ask the legal team, which interpretation did you mean?
>
> >
> >
> > >     So maybe we could discuss 1) instead of 2) going forward? :-)
> > >
> > > I have no problem with 1), as already stated.
> >
> > We're happy to hear that!
> >
> >
> > > I do agree with you that this is distracting from the proper meat 
> > > of your proposal. Which is why I suggest that you drop this part of it.
> > > Again, drop the part of the proposal that people have a beef with.
> > >
> > > Don't make the change that you claim is not a change.
> >
> > This «beef» is based on reading current policy to mean that which 
> > End User contact details LIRs publish in the database (if any) is 
> > *not* the LIRs' decision today.
>
> It is based on reading the current policy and understanding what a very clear sentence written in plain English means.
>
> >
> > But the RIPE NCC has repeatedly clarified that that is simply not 
> > the
> > case: it *is* the LIRs' decision today, and it will continue to be LIRs'
> > decision should 2023-04 pass.
>
> You are doing it again. The RIPE NCC has said something ONCE and refused to clarify it ever since, despite it being contested. It is YOU who repeatedly claims something.
>
> >
> > Given that, it is hard to see how we could possibly amend the 
> > proposal to change this particular point to an even lesser extent 
> > than what is already the case?
>
> Let me help you. Do NOT remove a sentence that has nothing to do with the stated goal of the proposal to aggregate assignments and that you claim does not change anything.
>
> cheers
> denis
>
> >
> >
> > Tore & Jeroen
> >
> >
> > --
> >
> > To unsubscribe from this mailing list, get a password reminder, or 
> > change your subscription options, please visit:
> > https://mailman.ripe.net/
> --
>
> To unsubscribe from this mailing list, get a password reminder, or 
> change your subscription options, please visit: 
> https://mailman.ripe.net/