[anti-abuse-wg] 2019-03 and over-reach

In message <b178ce96-b36f-b04f-ad9f-666fad9e8acb at foobar.org>, 
Nick Hilliard <nick at foobar.org> wrote:

>1. it's not the job of the RIPE NCC to make up for a short-fall of civil 
>legislation in this area, no matter how distasteful we might find the 
>consequences of this;

OK.  I'll bite!  Whose job is it then?

It would appear, based on your statement, that EVEN IF everyone on planet
earth... or at least everyone in the european part of it... were to agree
tomorrow that BGP hijacks are a massively serious problem requiring a
speedy and stern response in all cases, your "solution" would be to have
each and every legislative body in each and every country in europe set
aside any and all of the other important work that they are doing so that
each and every one of them can debate and pass legislation which would
impose penalties for BGP hijacking.  Is that really your proposed "solution"?

To say that this "solution" is no solution at all would be a gigantic
understatement.  Are you, Nick, going to be the one who goes around to all
of the legislatures of each and every one of the countries of europe and
in each case demands that they immediately stop whatever elese they were
doing and instead immediately take up legislation to make BGP hijacking
an offense under law?

I would like it noted for the record, that regardless of who among us would or
could do this job... trying to convince all european national legislatures
that they should each make BGP hijacking illegal... the actual likelihood
of that actually happening, in practice, *even if* BGP hijacking were resulting
in *deaths* every day, is virtually nill.  Hell!  There is a proven and
well-known connection between money laundering and terrorist financing, and
there are EU regulations already on the books that positively REQUIRE national
legislatures to adopt anti-money-laundering legislation, AND YET THAT STILL
HASN'T HAPPENED IN SEVERAL OF EU THE COUNTRIES THAT ARE COVERED BY THE
DIRECTIVE!

Reference:
   http://europa.eu/rapid/press-release_IP-18-4491_en.htm

So, have I understood you correctly?  Is it really your contention that even
though european legislatures... or even just EU legislatures... still can't
even get their acts together to outlaw money laundering and terrorist
financing, nontheless, it is your position that we should leave it to them
to outlaw BGP hijacking?  Really??

Even if we set aside the total and self-evident absurdity of waiting
around and hoping that all european national legislatures will step in
and fix the problems that we, the technologists, have created for ourselves,
I would still come back to the point I made earlier about self-reliance.
Why should we be going, cap in hand, to national legislatures, begging
them to fix a problem that *we* have created?  Why shouldn't *we* take
some responsibility for cleaning up our own dogpiles?

I would argue that we have not only the moral, ethical, and legal right to
do so, but also that we have the moral, ethical, and legal *responsibility*
to so.  Render therefore unto Caesar the things which are Caesar's, and
unto God the things that are God's.  We made the mess, and we can unmake
it for ourselves.  And we should.  Trying to foist off the responsibility
for solving problems of our own making onto national legislatures, is
both improper and unseemly.  Not only will it simply not work, as explained
above, but worse, even the attempt will encourage various national
legislatures to become more active and agressive in attempting to pass
various bits of stupid "Internet" legislation, as they attempt to control
the very thing that they, the politicians, least understand.

>2. you can throw anything into a contract, but that doesn't mean it's 
>enforceable or even lawful.

That is quite so.   In my own country, any contractual provision which
makes reference to a person's race would likely to tossed out.  But if
it is your contention that RIPE cannot make contractual stipulations
about the use of IP addresses, then you are going to have to justify
that entirely surprising claim.

>In this particular case, the suggestion is for the RIPE NCC to start 
>making judgements about potentially legal actions between second or 
>third parties, potentially involving non-related resources and to deny 
>and/or withdraw number registration services on that basis.  This does 
>not sound legally enforceable.

I agree.  The party that should be held responsible for a hijack *must*
only be the party that engineered it.  Anything beyond that strays into
very dangerous waters indeed.

>What complicates things further is that the RIPE NCC has an effective 
>monopoly for internet number registration services in this part of the 
>world.  If withdrawal of these monopoly services were found to be 
>unlawful, this would be taken extremely seriously by any court or 
>regulatory authority.

The withdrawal of resources granted under the terms of a contract BY
DEFINITION cannot be unlawful if such withdrawal is done in accordance
with, and under the explicit terms of the contract.  If I rent you a
car and there is a "no smoking" clause in the contract that allows
for termination of the contract if you smoke in the car, and if I catch
you smoking in the car, then I have the right to terminate the contract
FOR CAUSE and in accordance with the contract.

None of this is either new or unique or novel.  In fact, exactly such
contractual provisions are enforced every day, all around the world.


Regards,
rfg