[anti-abuse-wg] personal data in the RIPE Database

In message <CAKvLzuG7PPTtQDwx2GoDgULdmLZdz5FzWTwa2pUVQWRqGHfQig at mail.gmail.com>
denis walker <ripedenis at gmail.com> wrote:

>We are talking about restricting access to one piece of data, the
>address of natural persons. I accept that a lot of abuse may come from
>address space held by natural people. I understand that a lot of
>investigation work is done by companies and individuals. How much of
>an impact would it be on your activities to not know the private
>address of these natural people?

Just a second.  Let's pause here for a moment and look at this question
of the "physical address" information as it relates to WHOIS records.

One of the many things that have, over the past several years, rendered
almost all of the information that is now available in *domain name*
WHOIS records virtually entirely worthless was the decision, some
considerable time ago, by ICANN, to permit the use of essentially
anonymous P.O. box addresses in the WHOIS records for domains registered
within the gTLDs.  Additional commonly used methods of obfsucation in
these domain name WHOIS records include but are not limited to (a) the
use of "proxy" registrants and (b) the use of addresses of incorporation
agents and (c) use of the addresses of attorneys.  (I have not surveyed the
policies of the various ccTLDs with regards to their level of acceptance
of such shenanigans but I have no reason to doubt that even the .US TLD
allows for all of these clever methods of "hiding the ball" with respect
to the actual physical location of the domain name registrant.  Hell!
The policies governing the .US domain are crystal clear in prohibiting
non-US legal entities from registering .US domains, but the operators of
the .US registry demonstratably make no attempt whatsoever to check for
conformance with even this minimal requirement.)

So, as I have listed above, there are many different frequently-used ways
that any natural person may use to obfsucate their actual physical location
when registering a domain name.

This prompts a rather obvious question:  Do there exist any policies,
rules, or regulations which would prevent a natural person from using any
one of the several techniques I have listed above to obfsucate their
actual physical location when they generate their RIPE organization
WHOIS record?  And more to the point, is it true or false that, as I have
previously asserted, any member can put literally any inaccurate garbage
they want into their public-facing RIPE WHOIS records with no consequence
whatsoever?

If the answer to *either* question is "yes", then it seems to me that
enlisting RIPE NCC to embark upon a deliberate program to hide personal
information in public-facing WHOIS records EVEN WHEN THE CORRESPONDING
REGISTRANTS HAVE NOT THEMSELVES REQUESTED THAT is not only clearly
unnecessary, but actually and demonstratably counterproductive.  Should
a natural-person who actually WANTS to be directly contacted for any and
all issues relating to their RIPE number resources have that opportunity
closed out, perhaps without even their knowledge or consent, by some
small over-agressive cabal of GDPR fanatics acting unilaterally?  I think
not.

As noted above, if any RIPE registrant wants to have their physical address
info obfsucated then there appears to be any number of simple alternatives
available to the registrant themself to achieve exactly that.  Thus, this
new push to get RIPE NCC to hide information in public-facing WHOIS records
seems to be a solution in search of a problem, and just another misguided
top-down enforcement of an extremist view of "privacy", pushed onto the
community whether the people actually affected, i.e. the registrants
themselves, like it or not.

(Note: I am not intending to pick specifically on RIPE here.  To the best
of my current knowledge there are -no- policies or rules in -any- RIR
globally that explicitly prohibit the use of P.O. boxes, proxy registrants,
or the addrsses of associated corporate registration agents or lawyers
within public-facing number resource WHOIS records.  Nor do any RIRs
have any clear policies which would have the effect of requiring there
to be -any- clear correlation between what appears in a registrant's
public-facing WHOIS records and anything corresponding to objective
reality.)

>I can only think of three reasons why
>you would need the full address. You intend to visit them (unlikely),
>you want to serve legal papers on them or you attempt some kind of
>heuristics with the free text search in the database to match up
>resources with the same address.

I agree with this list of possibilities, 1, 2, 3.

So which of these three are you attempting to hobble?

Are you in favor of making it harder to serve people with legal papers?
If so, why would you do that and who would be the beneficiaries of that?

Are you in favor of making it harder for open-source researchers to search
the data base for textual correlations that might provide clues to untoward
activities?  If so, why would you do that and who would be the beneficiaries
of that?


Regards,
rfg