This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/
[anti-abuse-wg] personal data in the RIPE Database
- Previous message (by thread): [anti-abuse-wg] personal data in the RIPE Database
- Next message (by thread): [anti-abuse-wg] personal data in the RIPE Database
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Hans-Martin Mosner
hmm at heeg.de
Fri Jun 3 10:29:17 CEST 2022
Am 31.05.22 um 15:12 schrieb denis walker: > Colleagues > > I have raised an issue on the DB WG mailing list about publishing in > the database the identity of natural persons holding resources. Hi, this mail triggered the expected avalanche of controversial responses, which quickly devolved into name-calling, so I prefer to respond to the original instead of any of the later responses. There are conflicting interests at work here. In your proposal, you mention the need to contact resource owners, which is probably accepted by most. However, besides wanting to contact someone, there is a legitimate need to identify bad actors and shun them with whatever means at your disposal (SpamAssassin rules, IP blocks, nullroutes, whatever). I do not want to communicate with them, just as I don't want to discuss with burglars about their actions! So, a mere contact database (which could contain fully anonymized forwarding addresses through a "privacy provider", like it's nowadays common for whois entries) would work for the purpose of contacting someone, but it does not work for identifying who can be held accountable for abuse emitted from a network range. For resources allocated to legal entities (companies, organizations, etc.) an identification of the organization should be mandatory. This does not need to include personal data on employees that happen to be responsible for network or abuse issues, I'm fine with role accounts here. So in this case, no objection to eliminate personal data (which often becomes stale anyway after some years). However, resources allocated to private persons are a bit different. I suppose very few private persons hold a /24 network range, and if they do, they probably fall squarely in the area of operating a business or other publicly visible enterprise under their personal name, and in many jurisdictions they are required to do so with identifying information. For example, in Germany you can't even have a web page without an imprint containing the names of people responsible for the content if you address the general public, and if you do business of any kind and you're not a corporation, you must do so under your name. I suppose that RIPE operates mostly on the level of legal entities that can be identified without naming individual persons. As such, it would be proper to clearly state that every database entry pertaining to a resource allocated through RIPE must contain truthful and usable identifying information of the resource holder. In German, that's "Ladungsfähige Anschrift" which was basically required to be an actual place of presence, but it appears that "virtual office" providers have succeeded in letting their addresses count as "Ladungsfähige Anschrift". I'm not a legal expert, I think this is wrong, but jurisprudence isn't always compatible with reason. Since RIPE isn't bound by German law, they may choose contractual wording that provides reasonable value for all parties involved. If all identifying information is lost, the abusers have won, as they have with domain whois already. Cheers, Hans-Martin
- Previous message (by thread): [anti-abuse-wg] personal data in the RIPE Database
- Next message (by thread): [anti-abuse-wg] personal data in the RIPE Database
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]