[db-wg] 2022-01 New Version Policy Proposal (Personal Data in the RIPE Database)

In message <CAKvLzuHZ_ncW4GS2ZNkv=1ico76KBM+URwQbG+r9AHnRy21qhw at mail.gmail.com>
denis walker <ripedenis at gmail.com> wrote:

>The RIPE NCC will not be redacting anything.  And let's be clear, we are
>talking here about 'postal' addresses.

Then I must have misunderstood.  Who exactly wil be redacting the mailing
addresses from the data base?  You?  Some committee?  The GDPR fairy?

>Many people do use a PO box or misleading addresses, as mentioned by
>Europol in their video.

Thank you for admitting that your proposal is both superfluous and unnecessary,
and for confirming that anyone who wishes to not have their physical address
published can already and easily arrange for that to be the case, even WITHOUT
any help from the community, from NCC, or from the GDPR fairy.

>>         but more importantly the price of a loss of transparency, and
>>         the short and long term implications of that.
>
>Loss of false and misleading data.

So you are proposing ONLY to redact "false and misleading" data?  Swell!
I am all for that!  But first maybe you ought to tell us who will make
the determination of what data is false and mislading, and on what basis
they will make that determination.  Will someone be permitted to compare
the public WHOIS data to the actual bona fides documents that NCC has on
file for each member?  And if so, who, exactly will be granted this kind
of privileged access to NCC's store of actual bona fides documents?  (I have
previously asked to see one -individual- set of such documents for -one-
lone and highly suspicious member, and I was shut down cold by RIPE legal.
But I guess you are in a more exhaulted and privileged postion than I am.)

Also, if your main idea is to eliminate false and misleading data from the
data base, then why stop at just the snail-mail addresses of only the
"natural person" members?  Isn't what's good for the goose good for the
gander also?  Assuming so, then why aren't you proposing to eliminate ALL
false and misleading data from the data base and for ALL categories of
members?  It would appear that your real goal is not to eliminate
"false and misleading" data at all, but just simply to eliminate some
small subset of data that is currently public and that you personally
find offensive for some reason.

Also, of course, as I have stated, I am very much in favor of eliminating
ALL false and misleading data from the public WHOIS data base, provided
that it is replaced with true and correct data.  If you are proposing to
do *that* for all WHOIS fields and for all members, then please propose
*that* and I will support it wholeheartedly.

>Please stop these emotive, utter nonsense, slippery slope, scare mongering
>arguments.

Please explain.  Are you offering the membership, the community, or the
Internet-using public as a whole your personal guarrantee that you won't
be back here in six months time arguing, based on the exact same "logic"
that you are using now, that phone numbers are private data and that they
also should be totally redacted from the data base?  And are you offering
a guarrantee that six months after that you won't be coming back yet again,
and demanding that all email addresses be redacted from the public WHOIS?
And if you *are* offering us all your personal guarrantee that this will
absolutely and positively be your "last territorial demand in Europe"
what are you willing to put up as collateral to back up this perssonal
guarrantee?

As I have already explained at length, the "logic" you are using today to
support this present proposal to redact out snail-mail addreses is quite
obviously applicable also to EVERY other data base field that contains
Personally Identifiable Information (PII).  You cannot either deny or
dismiss this as "scare mongering" because it is an obvious fact.  The
clear implication is that you WILL be back, next week, next, month, or
next year, arguing that phone numbers and email addresses are "PII" and
that thus, those things also "must" all be redacted.  This isn't wild-eyed
speculation.  It is the obvious and unavoidable implication of your present
position.  PII is PII.  If publishing some of it is "bad", then publishing
ANY of it is "bad".

>
>>     *)  Contrary to the ill-informed and fuzzy legal musings of the lone> two
>>         proponents of this proposal, there exists no legal basis for such
>>         a change to the public facing data base.  The postulated legal mandate
>>         regarding the content of the data base (or, more accurately, on
>>         the absence of content) simply does not exist, and no such legal
>>         mandate has existed at any time since GDRP came into full effect,
>>         way back in May 2018, over four full years ago now.  If any such
>>         legal mandate had in fact existed, then we all would have known
>>         about it long before now.
>
>I actually presented on this very point at a RIPE meeting a few years ago,
>shortly after the introduction of GDPR.

Yes.  And?

My point stands, and your statement only reinforces it.  Even four years after
GDPR came into effect, and even several years after you made a presentation
about this alleged "issue", there -still- are no GDPR police breaking down
the door of RIPE headquarters and/or demanding that all PII be immediately
removed from the data base.  If there's any actual legal issue here, it
seems to have engendered only yawns all around.  And yet here you are,
misrepresenting to everyone that this is a legal issue that really and
truly needs to be urgently "solved" right now.

Please forgive me for expressing a healthy bit of skepticism and incredulity.

To be clear, it isn't me who is using "emotive, utter nonsense" to try to
stampede people into making a bad policy choice.  You're not even an attorney
and yet you've trotted out this bogus "GDPR" argument to try to justify that
which cannot otherwise be justified on the merits.  You cannot make the case
on the merits, so instead you've tried to scare all of the other non-attorneys
here by using some vague references to GDPR without ever once noting any of
the numerous exceptions and carve outs in that legislation which would (and
that do) clearly allow RIPE to just keep on doing what it has been doing,
not only for the past four years, but for the past twenty.


Regards,
rfg