[anti-abuse-wg] personal data in the RIPE Database

In message <CAKw1M3NsS=hc17FTV-2BUuOLpT7YxCRsKcPhfukWPsC0MrJrtA at mail.gmail.com>
=?UTF-8?Q?Cynthia_Revstr=C3=B6m?= <me at cynthia.re> wrote:

>AFAIK the "org-name" attribute on the organisation object does get
>verified if the organisation is a LIR or an end user that has received
>resources directly from the RIPE NCC (through a sponsoring LIR). (and
>possibly a few other cases like legacy resource holders with service
>agreements)
>I believe there are also many policies that say that information
>should be accurate, and while this might not be actively verified for
>the most part, it is still policy in many cases.

Policy in the total absence of -any- validation or enforcement is vacuous.
It is a NO-OP.  It is a joke.

>Part of the issue is that the RIPE NCC has some responsibility for
>this under the GDPR...

Or to be more accurate, RIPE NCC is -alleged- to have some responsibility
for this, e.g. by yourself and by other privacy extremists.

In point of fact however this opinion, on your part, has never been adjudicated
in any court of law.  And more to the point, GDPR has explicit carve outs
for the sharing and/or publication of data as may be necessary for an entity
to carry out its mission.

Some of us, at least (who may, coincidently have been on the Internet since
well before you were born),  still maintain the "old school" view that it
was, is, and remains an integral part of the mission of both domain name
registrars and also Regional Internet Registries to promote, foster, and
enable the smooth functioning of the Internet.  We also believe that that
continued smooth functioning can be either (a) enabled by openess and
transparency or else (b) hobbled by pointlessly and unnecessarily fetishizing
secrecy, specifically within WHOIS records.

If our interpretation of GDPR is the correct one, i.e. that RIPE and other
such organizations have both a current and a longstanding/historical duty
to *not* "hide the ball", then your claim that the GDPR obliges RIPE NCC to
do anything in particular now which is different from what it has been doing
for the past 20+ years is both meaningless and not at all supported by
*any* legal findings.  In short, this contention that GDPR is (suddenly?)
forcing RIPE to do something today that it was not forced to do at any time
last week, or indeed, at any time over the past 20 years is simply fallacious -
an imaginary imperative that doesn't actually exist.

>and it can be really difficult to do this
>correctly, but I think the legal team could explain those details
>better.

And I think that the legal team has also been sucked into the vortex of
privacy paranoia and extremism, and that they will say whatever they want
to say, regardless of whether their position has been endorsed or verified
in a court of law or not.

In short, they are part of the problem.  As I have previously noted RIPE
is a *private* organization mostly composed of *private* member organizations,
virtually all of which are loath to disclose anything to anybody ever.
Thus, I would not be in the least surprised if you told me tomorrow that
the RIPE legal team had come out in favor of making the entire WHOIS data
base private and accessible to "law enforcement only, eyes only".  The
legal team doesn't have any incentive whatsoever pulling them in the
direction of transparency.  All of their incentives run in the opposite
direction...  i.e. *against* any and all openness & transparency, even
if that means degrading the ongoing smooth functioning of the Internet.

>I run a hobby network and have an ASN and a /48 of PI assigned to me
>from RIPE NCC (through a sponsoring LIR) and also know many other
>people who are in a similar situation.
>Many people who do this are uncomfortable with having to publish their
>home address in the RIPE database...

I have two responses:

1)  Why don't you get a P.O. box if you are really that worried about it?

2)  So if I understand why you're saying, you are saying that because there
exists some small, but finite and non-zero set of people who, like you,
are "uncomfortable", then everybody else in the universe should bend over
backwards, throw out 20+ years of precedent, and should hobble the public
WHOIS data base, all just so that -you- won't be made to feel "uncomfortable".
Is that what you are saying?

If so, then I'd like to suggest that you consider moving to sunny Florida.
I think that you might fit in nicely there.

Although you may not have heard about it, the Governor of that state recently
signed into law a new state statute which makes it now illegal for teachers
in that state to say the word "gay".

The justification for this new law was that that word makes some small
minority of the parents in the State of Florida "uncomfortable".

My point of course, is that this is how the dictatorship of the minority
begins.  You are "uncomfortable" so everyone else must change what they
are doing.

And how shall we resolve the matter if, hypothetically, the discomfort of
you and your friends someday makes me and my friends "uncomfortable"?

>Sure, I could go and get a PO box for ~650/year and just let the RIPE
>NCC have that address instead but that seems a bit silly to me when
>instead the address could just be hidden from the public.

So basically, your argument comes down to:  "I don't want to be mildy
inconvenienced, so instead I wish the rest of the planet to just
arrange things so as to suit my personal maximal convenience."  Is that
about the size of it?

Well, at least you're being open about your viewpoint on this.  I do
applaud you for that.

>I just want to say that assuming PO boxes are illegitimate is kinda
>odd and also varies by country I would think.

I never said P.O. boxes were "illegitimate".  Please don't put words in
my mouth.  In fact I said something that arguably is the exact opposite,
i.e. that all or nearly all domain name registrars allow the use of P.O.
boxes in domain name WHOIS records, AND that as far as I know, so do all
Regional Internet Registries.

On the other hand I do not know any natural person who either physically
lives in or who physically works in a P.O. box.  (In general, the boxes
are too small to fit a whole human.)

>My point here is mostly just that such a policy doesn't make a lot of
>sense to me, I am not sure if you are suggesting that such a policy
>should exist or not, but I think it would be a bad idea to implement
>such a policy.

I honestly can't even tell what you are arguing either for or against...
only that you are arguing.

>> Are you in favor of making it harder to serve people with legal papers?
>> If so, why would you do that and who would be the beneficiaries of that?
>
>It is not really about preventing it, it is more just if that
>potential benefit outweighs the privacy implications.

In your opinion.

And thus you bring the conversation back to a point I've already made,
i.e. that many of you Europeans have become privacy fanatics and extremists,
so much so, in fact, that, as I noted, you can't even know if the person
who just moved in next door to you is a serial sexual predator or not,
because you Europeans have elected to value privacy *above* freedom of
speech, freedom or the press, transparency in public affairs, and the
public's right to know.  And if, for example, the former finance minister
of Bulgaria who was fired & put in prison for embezzling public funds
is nowadays running an ISP in, say, Moldova, and if that is hosting
mostly crypto-currency scams, nobody will ever be the wiser or know that
the proprietor of th ISP in question himself has a checkered past.

In case I have been anything less than clear, please allow me to say this
very plainly -- I do not agree with the way you folks in Europe nowadays
value privacy -above- transparency.  It is causing obvious disasters and
I have every faith and confidence that in the fullness of time you'll
all come to your senses and realize that you've swung the pendulum too
far, and that your collective over-reaction to the scandals of Facebook
et al is causing you, and coincidentally, the rest of the planet, more
harm than good.  (This -always- happens when extremists are allowed to
dictate policy.  See also: Maximilien Robespierre -- "The Incorruptable".)


Regards,
rfg