[anti-abuse-wg] personal data in the RIPE Database

Hi Richard

On Mon, 6 Jun 2022 at 16:15, Richard Clayton <richard at highwayman.com> wrote:
>
> In message <CAKvLzuG47-bY0vN59+kkcgJ0p4332J7r-Q0wRFnoMhhTaVRgqA at mail.gma
> il.com>, denis walker <ripedenis at gmail.com> writes
>
> >They were very clear that the address of resource holders is also very
> >important to LEAs in their investigations. So I am going to make a
> >controversial suggestion here. Currently we have two categories of
> >registry data, Private and Public. The Public data is available to
> >LEAs and their use of it is covered by agreed purposes of the RIPE
> >Database defined in the Terms & Conditions. For Private data they need
> >to get a court order, which is an expensive and time consuming
> >process. Suppose we add a middle category Restricted data. This could
> >be data like the address of natural persons who hold resources. Data
> >that is now public but we are proposing to take out of the public
> >domain. We could allow LEAs (and maybe other recognised public safety
> >agencies) to continue to have access to this Restricted data without a
> >court order. (There are technical ways of doing this which are out of
> >scope for this discussion.)
>
> You appear to be under the impression that Internet security and safety
> arises out of the activities of Law Enforcement Agencies whereas in
> practice private individuals and companies do the vast majority of this
> work -- generating referrals to LEAs when it is appropriate for action
> to be taken that only they can perform
>
> Moving to a situation where only LEAs can see what is currently
> available in RIPE whois data would be a very retrograde step and would
> seriously impact the security and stability of the Internet.

We are talking about restricting access to one piece of data, the
address of natural persons. I accept that a lot of abuse may come from
address space held by natural people. I understand that a lot of
investigation work is done by companies and individuals. How much of
an impact would it be on your activities to not know the private
address of these natural people? From the country attribute in their
ORGANISATION object (accurately maintained by the RIPE NCC) you know
the country that they are legally operating from. You don't know the
street or city they work out of. I can only think of three reasons why
you would need the full address. You intend to visit them (unlikely),
you want to serve legal papers on them or you attempt some kind of
heuristics with the free text search in the database to match up
resources with the same address.

cheers
denis
proposal author

>
> --
> richard                                                   Richard Clayton
>
> Those who would give up essential Liberty, to purchase a little temporary
> Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755
> --
>
> To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: https://mailman.ripe.net/