[anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

In message <CAFV686cUaBmPiQ1e6oWD2oVwNA4X6otVbFxsHd0BjosMDLeT+Q at mail.gmail.com>, 
Jacob Slater <jacob at rezero.org> wrote:

>In the case of IP addresses and ASNs, the "convicted individual" has been,
>under the current policy draft, convicted in the mind of one - perhaps two
>upon appeal - experts (a term which has yet to be defined in policy). Such
>an opinion, no matter how professional, is a very low bar to be taking as
>objective.

I agree, but to avoid throwing the baby out with the bathwater, I would
suggest to you that it would be best if you could suggest to the proposal's
author and sponsor some different language with respect to the procedure
for judging such matters... some different process that would address
your reasonable concerns about process... rather than just saying that
the whole proposal is unacceptable.

In short, it appears that yur objection here is about implementation
details, and that you do not object to the over-arching concept, assuming
of course that the process of adjudicating such matters may be made
substantially more reliable and fool-proof.

>Should the NCC be allocating them more addresses?
>It is justified (morally, ethically, and perhaps even legally) to continue
>treating all entities as equals by allocating resources for their use
>unless they have been determined to be a distinct threat by a trustworthy
>system, such as a board of peers (as in the case of a criminal conviction).

So you do agree that there is a -possibility- that a threat exists and that
it might, in theory, and under some appropriate circumstances, be diminished
or eliminated by the termination of the RIPE contract with certain well
proven and accurately identified "rogue" members, yes?

>Keeping to my earlier discussion of the gun store analogy, I do not believe
>that the opinion of a single expert (with the possibility of appeal) is
>enough

I agree.

>> The proposal on the table doesn't deal with any matters which are in
>> any way even remotely tied to mere offenses against any local or
>> localize sensibilities.  It doesn't even remotely have anything at
>> all to do with either (a) any actions or offenses in "meatspace" nor
>> (b) any actions or offenses having anything at all to do with -content-
>> in any sense.  The present proposal only has to do with the outright
>> THEFT of IP addresses, i.e. the very commodity which RIPE is supposed to
>> the responsible shepard of.
>
>
>Within your jurisdiction, I can think of several cases which show this to
>not be the case (ALS Scan, Inc. v. Cloudflare, Inc., et al. being one of
>them).

That case has nothing at all to do with the theft OF IP ADDRESSES, and thus,
it is rather entirely irrelevant to this discussion.  But I am glad that you
brough it up anyway, because one one the points made by the *defendant* in
that case, Cloudflare, actually underscores a point that I have tried to
make here, i.e. that the act of disiplining any one RIPE member, or even
several of them, as is contemplated by 2019-03, is quite clearly *not*
equivalent to some kind of totalitarian banning, from the entire Internet,
of any particular piece of content.  But I will let Cloudflare's own legal
argument make the point for me:

    https://torrentfreak.com/cloudflares-cache-can-substantially-assist-copyright-infringers-court-rules-180314/

      "One of Cloudflare's arguments was that it did not substantially assist
      copyright infringements because the sites would remain online even if
      they were terminated from the service. It can't end the infringements
      entirely on its own, the company argued."

So, as you see, even Cloudflare itself made the point that simply eliminating
any one (bad) provider does virtually nothing at all to remove from the
entire Internet any given piece of -content-.  And this certainly matches
up with my own experience.

>Blocking content distribution methods is effectively blocking the content

I disagree, and apparently, so does Cloudflare.  And they should know.

>I've still yet to be convinced that this would substantially cut down on
>hijacking;

Maybe it wouldn't.  The question isn't whether it would or not.  The question
is whether or not this proposal is a demonstrably bad way to -try- to begin
to address the problem, at least in part.  I remind you that right now there
is essentially -zero- disincentive to the act of deliberate hijacking.

Maybe it is time to try something different and see if it will help.  If it
doesn't, then it can be discarded, and then some other approach can be
tried instead.

>additionally, I've yet to be convinced that such a policy would
>not sweep up innocents due to its allowance of reports by the general
>public and incredibly low bar for labeling someone a hijacker.

Again, I am in agreement with you, but I do believe that this is a matter
of fine-tuning the procedural aspects of the propsal, rather than simply
opposing or abandoning it wholesale.


Regards,
rfg