[anti-abuse-wg] personal data in the RIPE Database

On Tue, 7 Jun 2022 at 03:32, Ronald F. Guilmette <rfg at tristatelogic.com> wrote:
>
> In message <CAKw1M3NsS=hc17FTV-2BUuOLpT7YxCRsKcPhfukWPsC0MrJrtA at mail.gmail.com>
> =?UTF-8?Q?Cynthia_Revstr=C3=B6m?= <me at cynthia.re> wrote:
>
> >AFAIK the "org-name" attribute on the organisation object does get
> >verified if the organisation is a LIR or an end user that has received
> >resources directly from the RIPE NCC (through a sponsoring LIR). (and
> >possibly a few other cases like legacy resource holders with service
> >agreements)
> >I believe there are also many policies that say that information
> >should be accurate, and while this might not be actively verified for
> >the most part, it is still policy in many cases.
>
> Policy in the total absence of -any- validation or enforcement is vacuous.
> It is a NO-OP.  It is a joke.

First of all some of the information in the ORGANISATION objects
related to resources directly allocated or assigned by the RIPE NCC is
maintained by the RIPE NCC. This data is accurately aligned with the
internal registry data. As for the rest of the data in the
ORGANISATION object and elsewhere in resource objects it is subject to
ARCs, Assisted Registry Checks, performed by the RIPE NCC with the
cooperation of the resource holder.

>
> >Part of the issue is that the RIPE NCC has some responsibility for
> >this under the GDPR...
>
> Or to be more accurate, RIPE NCC is -alleged- to have some responsibility
> for this, e.g. by yourself and by other privacy extremists.

This is really insulting language and bordering on a bullying
attitude. This has to stop. It doesn't reflect the professional manner
in which these matters need to be dealt with.

>
> In point of fact however this opinion, on your part, has never been adjudicated
> in any court of law.  And more to the point, GDPR has explicit carve outs
> for the sharing and/or publication of data as may be necessary for an entity
> to carry out its mission.

And as I said in the previous reply, the defined purposes of the RIPE
Database do not cover publishing to the general public the bits of
information the proposal is recommending to have restricted access.

>
> Some of us, at least (who may, coincidently have been on the Internet since
> well before you were born),  still maintain the "old school" view that it
> was, is, and remains an integral part of the mission of both domain name
> registrars and also Regional Internet Registries to promote, foster, and
> enable the smooth functioning of the Internet.  We also believe that that
> continued smooth functioning can be either (a) enabled by openess and
> transparency or else (b) hobbled by pointlessly and unnecessarily fetishizing
> secrecy, specifically within WHOIS records.

Putting people's lives in danger by publishing their home address
contrary to the defined purposes of the database is an issue that is
neither unnecessary nor pointless.

>
> If our interpretation of GDPR is the correct one, i.e. that RIPE and other
> such organizations have both a current and a longstanding/historical duty
> to *not* "hide the ball", then your claim that the GDPR obliges RIPE NCC to
> do anything in particular now which is different from what it has been doing
> for the past 20+ years is both meaningless and not at all supported by
> *any* legal findings.  In short, this contention that GDPR is (suddenly?)
> forcing RIPE to do something today that it was not forced to do at any time
> last week, or indeed, at any time over the past 20 years is simply fallacious -
> an imaginary imperative that doesn't actually exist.

You are just repeating yourself from the last email...I answered this
point already.

>
> >and it can be really difficult to do this
> >correctly, but I think the legal team could explain those details
> >better.
>
> And I think that the legal team has also been sucked into the vortex of
> privacy paranoia and extremism, and that they will say whatever they want
> to say, regardless of whether their position has been endorsed or verified
> in a court of law or not.
>
> In short, they are part of the problem.  As I have previously noted RIPE
> is a *private* organization mostly composed of *private* member organizations,
> virtually all of which are loath to disclose anything to anybody ever.
> Thus, I would not be in the least surprised if you told me tomorrow that
> the RIPE legal team had come out in favor of making the entire WHOIS data
> base private and accessible to "law enforcement only, eyes only".  The
> legal team doesn't have any incentive whatsoever pulling them in the
> direction of transparency.  All of their incentives run in the opposite
> direction...  i.e. *against* any and all openness & transparency, even
> if that means degrading the ongoing smooth functioning of the Internet.

More unprofessional comments...which actually says nothing

>
> >I run a hobby network and have an ASN and a /48 of PI assigned to me
> >from RIPE NCC (through a sponsoring LIR) and also know many other
> >people who are in a similar situation.
> >Many people who do this are uncomfortable with having to publish their
> >home address in the RIPE database...
>
> I have two responses:
>
> 1)  Why don't you get a P.O. box if you are really that worried about it?

The more PO Boxes the better...

>
> 2)  So if I understand why you're saying, you are saying that because there
> exists some small, but finite and non-zero set of people who, like you,
> are "uncomfortable", then everybody else in the universe should bend over
> backwards, throw out 20+ years of precedent, and should hobble the public
> WHOIS data base, all just so that -you- won't be made to feel "uncomfortable".
> Is that what you are saying?

A 20+ year precedent that didn't fully comply with the data protection
laws of the day. What we are proposing now is to bring the database
into line with current laws. When Cynthia said 'uncomfortable' I think
she was being polite. Some are seriously concerned. And yes Ronald,
some do make other arrangements. But those arrangements involve cost
in terms of money and inconvenience. It also means the police end up
chasing people at the wrong location because they have used the
address of another LIRs office. You go on and on about the
inconvenience to researchers and investigators like yourself, but you
ignore the other side of the coin. After all the investigations the
police need to take action. For that they need an actual, real,
correct address. So in the end, your constant theme of promoting the
use of PO Boxes delays the police action.

>
> If so, then I'd like to suggest that you consider moving to sunny Florida.
> I think that you might fit in nicely there.
>
> Although you may not have heard about it, the Governor of that state recently
> signed into law a new state statute which makes it now illegal for teachers
> in that state to say the word "gay".
>
> The justification for this new law was that that word makes some small
> minority of the parents in the State of Florida "uncomfortable".
>
> My point of course, is that this is how the dictatorship of the minority
> begins.  You are "uncomfortable" so everyone else must change what they
> are doing.
>
> And how shall we resolve the matter if, hypothetically, the discomfort of
> you and your friends someday makes me and my friends "uncomfortable"?

Let me say it again. Publishing the home address of a natural person
holding resources to the general public is not covered by the defined
purposes of the RIPE Database. Therefore the GDPR does not permit such
action. So either we change the way we publish this piece of data or
we change the purposes. Either can be done, but the latter would need
justification. Why do we need to publish it now when we didn't need to
publish it for the last 20+ years, to use one of your arguments.

>
> >Sure, I could go and get a PO box for ~650/year and just let the RIPE
> >NCC have that address instead but that seems a bit silly to me when
> >instead the address could just be hidden from the public.
>
> So basically, your argument comes down to:  "I don't want to be mildy
> inconvenienced, so instead I wish the rest of the planet to just
> arrange things so as to suit my personal maximal convenience."  Is that
> about the size of it?

No it comes down to it is unlawful unless we change the purposes.

>
> Well, at least you're being open about your viewpoint on this.  I do
> applaud you for that.
>
> >I just want to say that assuming PO boxes are illegitimate is kinda
> >odd and also varies by country I would think.
>
> I never said P.O. boxes were "illegitimate".  Please don't put words in
> my mouth.  In fact I said something that arguably is the exact opposite,
> i.e. that all or nearly all domain name registrars allow the use of P.O.
> boxes in domain name WHOIS records, AND that as far as I know, so do all
> Regional Internet Registries.

yes lets have more PO Boxes.

>
> On the other hand I do not know any natural person who either physically
> lives in or who physically works in a P.O. box.  (In general, the boxes
> are too small to fit a whole human.)
>
> >My point here is mostly just that such a policy doesn't make a lot of
> >sense to me, I am not sure if you are suggesting that such a policy
> >should exist or not, but I think it would be a bad idea to implement
> >such a policy.
>
> I honestly can't even tell what you are arguing either for or against...
> only that you are arguing.

That's how I feel reading much of your emails

>
> >> Are you in favor of making it harder to serve people with legal papers?
> >> If so, why would you do that and who would be the beneficiaries of that?
> >
> >It is not really about preventing it, it is more just if that
> >potential benefit outweighs the privacy implications.
>
> In your opinion.

and your reverse argument is your opinion

>
> And thus you bring the conversation back to a point I've already made,
> i.e. that many of you Europeans have become privacy fanatics and extremists,
> so much so, in fact, that, as I noted, you can't even know if the person
> who just moved in next door to you is a serial sexual predator or not,
> because you Europeans have elected to value privacy *above* freedom of
> speech, freedom or the press, transparency in public affairs, and the
> public's right to know.  And if, for example, the former finance minister
> of Bulgaria who was fired & put in prison for embezzling public funds
> is nowadays running an ISP in, say, Moldova, and if that is hosting
> mostly crypto-currency scams, nobody will ever be the wiser or know that
> the proprietor of th ISP in question himself has a checkered past.
>
> In case I have been anything less than clear, please allow me to say this
> very plainly

Devil forbid that you have been anything less than clear.

-- I do not agree with the way you folks in Europe nowadays
> value privacy -above- transparency.  It is causing obvious disasters and
> I have every faith and confidence that in the fullness of time you'll
> all come to your senses and realize that you've swung the pendulum too
> far, and that your collective over-reaction to the scandals of Facebook
> et al is causing you, and coincidentally, the rest of the planet, more

So Ronald is on one side and the rest of the planet is on the other side...

> harm than good.  (This -always- happens when extremists are allowed to
> dictate policy.  See also: Maximilien Robespierre -- "The Incorruptable".)
>

cheers
denis
proposal author

>
> Regards,
> rfg
>
> --
>
> To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: https://mailman.ripe.net/