[anti-abuse-wg] 2017-02 Review Phase Reminder
Sascha Luck [ml]
aawg at c4inet.net
Tue Feb 20 15:04:54 CET 2018
On Tue, Feb 20, 2018 at 12:12:41PM +0000, Malcolm Hutty wrote:

your points have incited me to apply the proportionality test
https://en.wikipedia.org/wiki/Proportionality_(law)#European_Union_law
to this proposal. It is nowadays held that policy must pass this test. So, let's see:

1) there must be a legitimate aim for a measure

IMO the proposal passes this test, the aim, as stated in the proposal, is legit.

2) the measure must be suitable to achieve the aim (potentially with a requirement of evidence to show it will have that effect)

I think the proposal fails that test. It has not been demonstrated that having an abuse-c, let alone running an annual verification on it, has any actual effect ("security theatre")

3) the measure must be necessary to achieve the aim, that there cannot be any less onerous way of doing it

IMO, it fails this test too, it is both unnecessary and needlessly onerous. A LIR is already obliged to have a number of contacts who must be reachable and which are audited regularly. Also, in an age of increasing automation, having a requirement for a *human* to read and *respond to* an abuse email address is nothing short of anachronistic, if not reactionary[1].

4) the measure must be reasonable, considering the competing interests of different groups at hand

The competing interests here are for the LIR to be able to go about its business for which RIR-managed resources are an absolute requirement. The competing interest is that of the proposers and supporters to have someone respond to their abuse reports with an expectation that those who do not comply are put out of business[1]. This is wildly non-proportional, it creates a "death penalty" for a tickbox offence. An equivalent in criminal law would be that someone who is repeatedly found not to be in possession of an ID paper is ultimately executed. No polity with even a pretension to democracy can have such a law, and none does, ttbomk.[1]

In light of these points, I cannot but view this proposal and the resulting policy -should it pass- as unnecessary, dangerous, and disproportionally draconian, and therefore strenuously oppose it.

rgds,
Sascha Luck

[1] Since the de-registration of resources and termination of membership are expressly mentioned in the proposal (albeit as an argument against it) and the community here has immediately latched onto it as the desired outcome, I presume this outcome to be the "legislative intent" of this proposal. Ditto, the tenor of the discussion has been that any contact with this abuse-c email address must result in a response from a human operator. Thus I presume this to be part of the legislative intent also.

>> Making sure admins have a functioning abuse email address has nothing to
>> do with security theater.
>
>My understanding of the term "security theater" is
>
> "Unnecessary and sometimes expensive inconveniences introduced to
>demonstrate that 'something is being done' to address (usually
>legitimate) security threats, when the measures introduced have no
>material effect in mitigating the threat in question".
>
>It has been asserted that making sure admins have a functioning abuse
>e-mail address will help combat abuse, but nobody has managed to explain
>how in a way that I can understand. As far as I can see, this will
>achieve nothing useful.
>
>I have developed three possible conclusions:
>
>1. This is just security theatre, according to the above definition.
>
>2. There is an important reason for doing this, but the proponents are
>unwilling to discuss it openly and clearly. Perhaps some might hope that
>abusive users will initially fall foul of this rule, and arbitrarily
>selective and aggressive enforcement would provide a quick and easy
>route to de-allocate IP address allocations to those users.
>
>3. I am simply too stupid to understand this simple issue.
>
>If there is a fourth, or if someone can explain how making people set up
>an autoresponder that nobody reads is useful, then I would like to hear it.
>
>Malcolm.
>
>--
> Malcolm Hutty | tel: +44 20 7645 3523
> Head of Public Affairs | Read the LINX Public Affairs blog
> London Internet Exchange | http://publicaffairs.linx.net/
>
> London Internet Exchange Ltd
> Monument Place, 24 Monument Street London EC3R 8AJ
>
> Company Registered in England No. 3137929
> Trinity Court, Trinity Street, Peterborough PE1 1DA
>