[anti-abuse-wg] personal data in the RIPE Database

Hi Hans-Martin and Matthias

[I have merged both your emails into one to address all your points.]

Thanks guys for being the first people to start to address the
question I have been pushing, which is "Why" do we need to identify
resource holders? I had this in the back of my mind when I wrote the
policy proposal but I didn't want to be the one to say it. I was
hoping to hear it from other members of the community. Now we have it
on the table.

On Fri, 3 Jun 2022 at 10:29, Hans-Martin Mosner via anti-abuse-wg
<anti-abuse-wg at ripe.net> wrote:
>
> Am 31.05.22 um 15:12 schrieb denis walker:
> > Colleagues
> >
> > I have raised an issue on the DB WG mailing list about publishing in
> > the database the identity of natural persons holding resources.
>
> There are conflicting interests at work here. In your proposal, you mention the need to contact resource owners, which
> is probably accepted by most.
>
> However, besides wanting to contact someone, there is a legitimate need to identify bad actors and shun them with
> whatever means at your disposal (SpamAssassin rules, IP blocks, nullroutes, whatever). I do not want to communicate with
> them, just as I don't want to discuss with burglars about their actions!

This is starting to explain reasons why we need to identify resource
holders, even natural persons.

>
> So, a mere contact database (which could contain fully anonymized forwarding addresses through a "privacy provider",
> like it's nowadays common for whois entries) would work for the purpose of contacting someone, but it does not work for
> identifying who can be held accountable for abuse emitted from a network range.

I think there is general agreement that as long as a contact is
contactable there is no need to identify the natural persons operating
in that role.
Accountability, and any subsequent enforcement action, needs an
identity. This is the key element of why resource holders, even
natural persons, need to be identifiable. Further questions still need
to be answered like to what degree should they be identifiable, by
what means and to who?

>
> For resources allocated to legal entities (companies, organizations, etc.) an identification of the organization should
> be mandatory. This does not need to include personal data on employees that happen to be responsible for network or
> abuse issues, I'm fine with role accounts here. So in this case, no objection to eliminate personal data (which often
> becomes stale anyway after some years).

Again I think there is general agreement that for resource holders
that are NOT natural persons the name, address and legal country must
be included in the public data.

>
> However, resources allocated to private persons are a bit different. I suppose very few private persons hold a /24
> network range, and if they do, they probably fall squarely in the area of operating a business or other publicly visible
> enterprise under their personal name, and in many jurisdictions they are required to do so with identifying information.
> For example, in Germany you can't even have a web page without an imprint containing the names of people responsible for
> the content if you address the general public, and if you do business of any kind and you're not a corporation, you must
> do so under your name.

There are far more natural persons holding resources than you think.
Looking at the membership list on the RIPE NCC's website, all the
members are listed and you can see the natural persons. It has been
argued that even if a natural person's details are listed on some
other public business register, that alone is not a reason to publish
those details in the RIPE Database.

So what personally identifiable info should we publish about a natural
person holding resources and what should we do with the rest of the
currently available public info? Would it be reasonable to publish the
name but not publish the (full) address publicly?

Now I looked back at a presentation made by EUROPOL at RIPE 73
https://ripe73.ripe.net/archives/video/1501/

They were very clear that the address of resource holders is also very
important to LEAs in their investigations. So I am going to make a
controversial suggestion here. Currently we have two categories of
registry data, Private and Public. The Public data is available to
LEAs and their use of it is covered by agreed purposes of the RIPE
Database defined in the Terms & Conditions. For Private data they need
to get a court order, which is an expensive and time consuming
process. Suppose we add a middle category Restricted data. This could
be data like the address of natural persons who hold resources. Data
that is now public but we are proposing to take out of the public
domain. We could allow LEAs (and maybe other recognised public safety
agencies) to continue to have access to this Restricted data without a
court order. (There are technical ways of doing this which are out of
scope for this discussion.)

I know a lot of people have ideological phobias about allowing the
police access to non-public data. They will be screaming at me right
now for this suggestion...'it's giving the police a back door entry',
'it's the thin end of the wedge', 'where will it stop'... I understand
those concerns. But I see allowing LEAs continued access to what is
now public data as different from giving LEAs access to private data
that they have never had access to in the past. It is a different
direction. There is a lot of abuse and criminal activity on the
internet. LEAs have a job to do. They need this data and often need it
quickly. But we also have privacy concerns. So we are now considering
taking out of the public domain some of that data that LEAs need. I
see this as a compromise to allow LEAs continued access to what is now
public data so they can do their job effectively, but also increase
general privacy by taking this bit of data out of the public domain.

>
> I suppose that RIPE operates mostly on the level of legal entities that can be identified without naming individual
> persons. As such, it would be proper to clearly state that every database entry pertaining to a resource allocated
> through RIPE must contain truthful and usable identifying information of the resource holder. In German, that's
> "Ladungsfähige Anschrift" which was basically required to be an actual place of presence, but it appears that "virtual
> office" providers have succeeded in letting their addresses count as "Ladungsfähige Anschrift". I'm not a legal expert,
> I think this is wrong, but jurisprudence isn't always compatible with reason.
>
> Since RIPE isn't bound by German law, they may choose contractual wording that provides reasonable value for all parties
> involved. If all identifying information is lost, the abusers have won, as they have with domain whois already.

A situation we need to avoid.

>
>
On Fri, 3 Jun 2022 at 10:41, Matthias Merkel
<matthias.merkel at staclar.com> wrote:
>
> I agree that it must be possible to identify people who hold resources. Not just for other network operators but also so that organizations such as law enforcement are able to do so in emergency situations where contacting RIPE could be too slow.

I hope my controversial compromise above will do that.

>
> It is worth noting however that there now is a relatively large number of people operating networks as a hobby outside of any business activity.

Some people may consider spamming or hacking a hobby.

>
> At RIPE 84 I mentioned the possibility of publishing a name and city only and having RIPE hold the full address. This would likely be enough to unique identify a person (or at least a small number of potential people in a single city that would be few enough for law enforcement to all check out) while not publishing the full addresses of people who could be at risk for various reasons. It would also be enough information to identify multiple objects belonging to the same person, for example to block traffic from all of their networks. The full address could still be obtained from RIPE with a court order if required.

I think 'city' is too identifiable. If it is London, Paris, Berlin you
could get away with this. If it is a village or very small town you
will definitely identify people with that granularity. Perhaps a
county, region, province would work. But either way the database makes
no separation of address elements. All parts of an address are entered
into "address:" or "descr:" attributes. Separating them out would be
technically difficult.

cheers
denis
proposal author

>
> —
> Matthias Merkel
>
> --
>
> To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: https://mailman.ripe.net/