This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/anti-abuse-wg@ripe.net/
[anti-abuse-wg] Definition of Abuse
Erik Bais
erik at bais.name
Mon Aug 15 11:54:17 CEST 2016
Hi Andre,

> Definition of Abuse as it should be defined by RIPE
> ---------------------------------------------------------------------
> The use of a resource to infringe upon the usage rights of another resource

The core of the problem of a good definition of abuse, is the intent of the action ... And intent is in the eye of the beholder ...

I'll give an example : BGP Hijacking ... BGP Leaks ...

If someone is doing a BGP Hijack in order to knowingly divert traffic to harm others, while either the AS or the prefix is not rightfully under their control, it could be considered a Hijack. ( similar to carjacking. )

If those prefixes are used in order to : deny service to the original legitimate owner of the prefix, or an un-used prefix is abused for spewing out spam .. or to regain control of a Command and Control server/infrastructure ( Hacking Team action after Santrex was closing and they stopped announcing their prefixes ... ) there is clear intent to take something that wasn't yours in order to benefit from the outcome.

However .. when some Bulgarian dude hijacked a prefix from the Ministry of Foreign Affairs 1.5 years ago, with the intent to spam on it ( Domains were pointed to it and other space they hijacked was also quickly spammed on and abused before released..) it was interesting to learn that hijacking as an Act, isn't a crime .. (the law doesn't mention it.. it isn't illegal.. hence .. it is legal..)

There could be made a case that the wrongful intent is and if they would have actually spammed on the space, it is directly a crime.. But they didn't (yet) and they stopped the hijack before spamming on it.. So nothing happened, as if your neighbor borrowed your bike and returned it to your doorstep before you knew it was missing. In the same pristine condition ..

It could have been said, this is a denial of service, but as the particular ministry wasn't using the space, nothing was denied ... they didn't even notice it for a complete week. ((!!) But that is another topic..)

Now let's do a similar thing .. but with Cyber Crime fighting or Anti-Abuse in mind .. here comes the DMCA lobby or TRA (Telecom Regulator Agency in some Middle East country..) or some similar organization that is fond of protecting digital content rights.. And they are going to inject routes in a network, fiddle with BGP routing, in order to take down : Dreambox Key Servers on the internet (useful for free satellite decoding without subscriptions.. ) or phishing sites or command and control servers in $country .. or hell, why not take down the complete /21 of North Korea in the process while we talk about it ... Just because we can..

Who defines the greater good ... who is defining the wrongful intent of party X or party Y. Is the DMCA lobby correct if they want to shut down some hoster's torrent site customer.. or is the hoster correct that they don't take action on it and are not disclosing any information unless they are forced by a court order.

There have been BGP injections in the past, to see if that could help in TRA compliance .. just in a subset of AS's. If those actions would have had a larger effect ... ( so large that it would have been noticed outside the region and into (this?) community perhaps.. or in the media.. ) ... who are we going to investigate .. The TRA that would like to enforce their local / regional laws and compliance .. or the violators that are facilitating the dreambox key servers that are sharing satellite subscriptions cards over the internet ... or the actual users of the dreambox in various countries ...

In either of these scenarios .. the actual hoster or ISP that is hosting the 'service' on their IP space, is most likely outside the local jurisdiction and might not even be aware ... ( they are naughty/ignorant, that is different from being bad. )

In the near future, we will see a lot of grey actions, done by people that in their own mind and under their local laws, stand in their right to fiddle with your routing, if that means they can enforce local censorship or re-gain access to certain infrastructure or deny $party to their infrastructure when they will have a tactical benefit in this.. ( think Turkey during a coup.. or Syria being completely removed from the internet during attacks in Aleppo.. )

Our community covers a huge set of countries and there are quite a lot of political issues ( there are several countries that are real warzones today in our region.) .. and some of those political issues are corruption ( people getting paid to look the other way .. ) and some are just not dealing with the Spam Source because $investigator is blown out of his mind in the US or France Riviera ...

RIPE isn't the internet police and this working group isn't either .. I think we should educate each other on what is going on, keep reporting on the issues we see, specifically around certain rotten areas ..

We should refrain from forcing the RIPE NCC into becoming an internet police .. as they are an impartial party (like the Red Cross). They provide resources to those that need/request it.. and register who are using it. The same as the Red Cross, they hand out food to all people. Some of them might pick up a rifle 15 minutes later and shoot someone or sell that food .. but you can't blame the Red Cross for handing out food in certain areas or tell them to change their mission.

Disciplinary actions (like de-registration due to abuse for instance) should not be up to the NCC, unless the information provided for registration isn't correct. Everything else is not within the scope of the NCC imho. It should be taken up to the local law enforcement if things are not in compliance with the law ... And that could be different in each country of this huge service region...

Moving into any other direction might be a very slippery slope we are getting ourselves into ... Ambition is good, but we shouldn't outreach our place in this delicate environment ...

Regards,
Erik Bais