[anti-abuse-wg] 2017-02 Review Phase Reminder

On Tue, Feb 20, 2018 at 12:12:41PM +0000, Malcolm Hutty wrote:

your points have incited me to apply the proportionality test
https://en.wikipedia.org/wiki/Proportionality_(law)#European_Union_law
to this proposal. It is nowadays held that policy must pass this
test.

So, let's see:

1) there must be a legitimate aim for a measure

IMO the proposal passes this test, the aim, as stated in the
proposal, is legit.

2) the measure must be suitable to achieve the aim (potentially
with a requirement of evidence to show it will have that effect)

I think the proposal fails that test. It has not been
demonstrated that having an abuse-c, let alone running an annual
verification on it, has any actual effect ("security theatre")

3) the measure must be necessary to achieve the aim, that there
cannot be any less onerous way of doing it

IMO, it fails this test too, it is both unneccessary and
needlessly onerous. A LIR is already obliged to have a number of
contacts who must be reachable and which are audited regularly.
Also, in an age of increasing automation, having a requirement
for a *human* to read and *respond to* an abuse email address is
nothing short of anachronistic, if not reactionary[1].

4) the measure must be reasonable, considering the competing
interests of different groups at hand

The competing interests here are for the LIR to be able to go
about its business for which RIR-managed resources are an
absolute requirement. The competing interest is that of the
proposers and supporters to have someone respond to their abuse
reports with an expectation that those who do not comply are put
out of business[1].
This is wildly non-proportional, it creates a "death penalty" for
a tickbox offence. An equivalent in criminal law would be that
someone who is repeatedly found not to be in possession of an ID
paper is ultimately executed. No polity with even a pretension to
democracy can have such a law, and none does, ttbomk.[1]

In light of these points, I cannot but view this proposal and the
resulting policy -should it pass- as unneccessary, dangerous, and
disproportionally draconian, and therefore strenuously oppose it.

rgds,
Sascha Luck

[1] Since the de-registration of resources and termination of
membership are expressly mentioned in the proposal (albeit as a
an argument against it) and the community here has immediately
latched onto it as the desired outcome, I presume this outcome to
be the "legislative intent" of this proposal.
Ditto, the tenor of the discussion has been that any contact with
this abuce-c email address must result in a response from a human
operator. Thus I presume this to be part of the legislative
intent also.
>> Making sure admins have a functioning abuse email address has nothing to
>> do with security theater.
>
>My understanding of the term "security theater" is
>
> "Unnecessary and sometimes expensive inconveniences introduced to
>demonstrate that 'something is being done' to address (usually
>legitimate) security threats, when the measures introduced have no
>material effect in mitigate the threat in question".
>
>It has been asserted that making sure admins have a functioning abuse
>e-mail address will help combat abuse, but nobody has managed to explain
>how in a way that I can understand. As far as I can see, this will
>achieve nothing useful.
>
>I have developed three possible conclusions:
>
>1. This is just security theatre, according to the above definition.
>
>2. There is an important reason for doing this, but the proponents are
>unwilling to discuss it openly and clearly. Perhaps some might hope that
>abusive users will initially fall foul of this rule, and arbitrarily
>selective and aggressive enforcement would provide a quick and easy
>route to de-allocate IP address allocations to those users.
>
>3. I am simply too stupid to understand this simple issue.
>
>If there is a fourth, or if someone can explain how making people set up
>an autoresponder that nobody reads is useful, then I would like to hear it.
>
>Malcolm.
>
>-- 
>            Malcolm Hutty | tel: +44 20 7645 3523
>   Head of Public Affairs | Read the LINX Public Affairs blog
> London Internet Exchange | http://publicaffairs.linx.net/
>
>                 London Internet Exchange Ltd
>           Monument Place, 24 Monument Street London EC3R 8AJ
>
>         Company Registered in England No. 3137929
>       Trinity Court, Trinity Street, Peterborough PE1 1DA
>