This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/db-wg@ripe.net/
[db-wg] geolocation and current purposes
- Next message (by thread): [db-wg] geolocation and current purposes
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
denis walker
ripedenis at gmail.com
Thu Aug 4 14:25:16 CEST 2022
Colleagues I have spent some time thinking about the wording of the current purpose of the RIPE Database in relation to geolocation services. In some ways the purposes are very loosely written. That means they are open to interpretation. I think they can be interpreted to cover the "geofeed:" attribute. Some people have expressed this view but it is not sufficient to just say it, you need to justify the viewpoint. I will attempt to do that. "Facilitating coordination between network operators (network problem resolution, outage notification etc.)" The first point is the 'etc'. That means the example list is not exclusive. It doesn't even define the types or categories of coordination. So basically any coordination between network operators is included. 'Facilitating' means 'to make things easy'. So the database exists to make any coordination activity between network operators easy. So in what ways is "geofeed:" going to make it easy for network operators to coordinate some activity? One of the ways network operators have talked about how they want/need to use "geofeed:" data is to provide content based on location of an IP address. If a content providing network operator wishes to offer this content to anyone in a specific location, that can be seen as a coordination activity. The content provider can coordinate with other network operators to establish that their customers are within this location so they can access this content. If this interpretation is accepted by the community then the context has changed. The legal team can now reassess their advice in the context that the use of the "geofeed:" data is now covered by the existing database purposes. But there are other questions that the legal team also needs to consider. The "geofeed:" attribute references data external to the RIPE Database that neither the RIPE NCC nor the RIPE community has any control, management or perhaps even influence over. This data may contain PII. Although the maintainer of that external data is responsible for its content, does the RIPE NCC have any (joint) accountability or liability as the data controller and facilitator of the RIPE Database? Nic Handles are considered to be PII as they reference objects that contain PII. But these objects are also contained within the RIPE Database. The geofeed csv files are external to the RIPE Database. Do the references to them still constitute PII? Given that we are currently discussing a policy proposal governing the use of personal data in the RIPE Database, here we have a mechanism where resource holders can publish full postal address details of end users who are natural persons and link that published data to the resources in the RIPE Database. Given that these files are published by holders of RIPE resources and referenced by the RIPE Database, should the content of these files follow RIPE policies? (I'm not suggesting any validation of the contents, but perhaps resource holders should be responsible for applying policies to this content.) The T&C is a legal document. In the event of any dispute, lawyers make a lot of money by analysing and interpreting documents like this. Although the loosely written purposes may now be interpreted to cover geolocation data, there are still significant problems with the way the purposes are written. A review would still be beneficial. The T&C are mostly in the background during day to day operations. Just as the terms of an insurance policy can be irrelevant for years. The one time it matters is when you want to make a claim, or in the case of the database if someone ever makes a legal challenge over any aspect of its use or content. At that point, if the purposes can be widely interpreted, then the outcome is uncertain. It would be advantageous to all parties if the purposes were clear and precise with little room for interpretation. Whenever this issue is raised some people make the cynical comments that there has never been any legal challenge and there is no queue of people waiting to do so and common sense has always prevailed (in the past). It only needs one. Other RIRs have been involved in legal actions. Don't wait until your house is flooded before checking your insurance policy to see if you are covered. Another clear issue with this purpose's wording is that use of contact details in the database is only allowed by network operators to contact other network operators ("between network operators"). In this sense the purpose is very precise. Use of contact details by the public, non member organisations, investigators, CSIRT teams (unless they are also operators) and LEAs is not allowed under these T&C. Something to think about... cheers denis co-chair DB-WG
- Next message (by thread): [db-wg] geolocation and current purposes
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
[ db-wg Archives ]