This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/anti-abuse-wg@ripe.net/
[anti-abuse-wg] personal data in the RIPE Database
- Previous message (by thread): [anti-abuse-wg] personal data in the RIPE Database
- Next message (by thread): [anti-abuse-wg] personal data in the RIPE Database
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Ronald F. Guilmette
rfg at tristatelogic.com
Tue Jun 7 00:36:32 CEST 2022
In message <CAKvLzuG7PPTtQDwx2GoDgULdmLZdz5FzWTwa2pUVQWRqGHfQig at mail.gmail.com> denis walker <ripedenis at gmail.com> wrote: >We are talking about restricting access to one piece of data, the >address of natural persons. I accept that a lot of abuse may come from >address space held by natural people. I understand that a lot of >investigation work is done by companies and individuals. How much of >an impact would it be on your activities to not know the private >address of these natural people? Just a second. Let's pause here for a moment and look at this question of the "physical address" information as it relates to WHOIS records. One of the many things that have, over the past several years, rendered almost all of the information that is now available in *domain name* WHOIS records virtually entirely worthless was the decision, some considerable time ago, by ICANN, to permit the use of essentially anonymous P.O. box addresses in the WHOIS records for domains registered within the gTLDs. Additional commonly used methods of obfsucation in these domain name WHOIS records include but are not limited to (a) the use of "proxy" registrants and (b) the use of addresses of incorporation agents and (c) use of the addresses of attorneys. (I have not surveyed the policies of the various ccTLDs with regards to their level of acceptance of such shenanigans but I have no reason to doubt that even the .US TLD allows for all of these clever methods of "hiding the ball" with respect to the actual physical location of the domain name registrant. Hell! The policies governing the .US domain are crystal clear in prohibiting non-US legal entities from registering .US domains, but the operators of the .US registry demonstratably make no attempt whatsoever to check for conformance with even this minimal requirement.) So, as I have listed above, there are many different frequently-used ways that any natural person may use to obfsucate their actual physical location when registering a domain name. This prompts a rather obvious question: Do there exist any policies, rules, or regulations which would prevent a natural person from using any one of the several techniques I have listed above to obfsucate their actual physical location when they generate their RIPE organization WHOIS record? And more to the point, is it true or false that, as I have previously asserted, any member can put literally any inaccurate garbage they want into their public-facing RIPE WHOIS records with no consequence whatsoever? If the answer to *either* question is "yes", then it seems to me that enlisting RIPE NCC to embark upon a deliberate program to hide personal information in public-facing WHOIS records EVEN WHEN THE CORRESPONDING REGISTRANTS HAVE NOT THEMSELVES REQUESTED THAT is not only clearly unnecessary, but actually and demonstratably counterproductive. Should a natural-person who actually WANTS to be directly contacted for any and all issues relating to their RIPE number resources have that opportunity closed out, perhaps without even their knowledge or consent, by some small over-agressive cabal of GDPR fanatics acting unilaterally? I think not. As noted above, if any RIPE registrant wants to have their physical address info obfsucated then there appears to be any number of simple alternatives available to the registrant themself to achieve exactly that. Thus, this new push to get RIPE NCC to hide information in public-facing WHOIS records seems to be a solution in search of a problem, and just another misguided top-down enforcement of an extremist view of "privacy", pushed onto the community whether the people actually affected, i.e. the registrants themselves, like it or not. (Note: I am not intending to pick specifically on RIPE here. To the best of my current knowledge there are -no- policies or rules in -any- RIR globally that explicitly prohibit the use of P.O. boxes, proxy registrants, or the addrsses of associated corporate registration agents or lawyers within public-facing number resource WHOISÂ records. Nor do any RIRs have any clear policies which would have the effect of requiring there to be -any- clear correlation between what appears in a registrant's public-facing WHOIS records and anything corresponding to objective reality.) >I can only think of three reasons why >you would need the full address. You intend to visit them (unlikely), >you want to serve legal papers on them or you attempt some kind of >heuristics with the free text search in the database to match up >resources with the same address. I agree with this list of possibilities, 1, 2, 3. So which of these three are you attempting to hobble? Are you in favor of making it harder to serve people with legal papers? If so, why would you do that and who would be the beneficiaries of that? Are you in favor of making it harder for open-source researchers to search the data base for textual correlations that might provide clues to untoward activities? If so, why would you do that and who would be the beneficiaries of that? Regards, rfg
- Previous message (by thread): [anti-abuse-wg] personal data in the RIPE Database
- Next message (by thread): [anti-abuse-wg] personal data in the RIPE Database
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]