<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 20/09/2018 15:04, denis walker via
db-wg wrote:<br>
</div>
<blockquote type="cite"
cite="mid:256799274.13445999.1537445048775@mail.yahoo.com">
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<div style="color:#000; background-color:#fff;
font-family:Helvetica Neue, Helvetica, Arial, Lucida Grande,
sans-serif;font-size:16px">
<div id="yui_3_16_0_ym19_1_1537195136705_145250" dir="ltr">Colleagues,<br
id="yui_3_16_0_ym19_1_1537195136705_145396">
<br id="yui_3_16_0_ym19_1_1537195136705_145397">
I will start with a blunt question, then give some arguments
for my concern. In May the RIPE NCC told me there are more
than 2 million PERSON objects in the RIPE Database. That is
almost 25% of the objects in the database. Who are these
people and why do we hold so much personal data?<br
id="yui_3_16_0_ym19_1_1537195136705_145398">
<br id="yui_3_16_0_ym19_1_1537195136705_145399">
At RIPE 76 the RIPE NCC legal team gave a presentation on GDPR
and the RIPE Database. The basis of that presentation seemed
to be that Article 3 of the RIPE Database Terms and Conditions
defined one of the purposes of the database as:<br
id="yui_3_16_0_ym19_1_1537195136705_145400">
Facilitating coordination between network operators (network
problem resolution, outage notification etc.)<br
id="yui_3_16_0_ym19_1_1537195136705_145401">
<br id="yui_3_16_0_ym19_1_1537195136705_145402">
It was argued that this justifies the inclusion of personal
data in the RIPE Database so that these people can be
contacted in the event of network operational issues, even by
people who have no business relationship with these contacts.
But this Article makes no mention of 'personal' contact
information.<br id="yui_3_16_0_ym19_1_1537195136705_145403">
<br id="yui_3_16_0_ym19_1_1537195136705_145404">
It was also mentioned that some personal data is included for
policy reasons. The IPv4 Address Allocation and Assignment
Policy makes a couple of references to contact data. In 4.0
Registration Requirements it says:<br
id="yui_3_16_0_ym19_1_1537195136705_145405">
All assignments and allocations must be registered in the RIPE
Database....Registration data (range, contact information,
status etc.) must be correct at all times<br
id="yui_3_16_0_ym19_1_1537195136705_145406">
<br id="yui_3_16_0_ym19_1_1537195136705_145407">
This clearly associates contact information with the necessary
registration. But this does not specify that it has to be
'personal' contact information. In 6.2 Network Infrastructure
and End User Networks it says:<br
id="yui_3_16_0_ym19_1_1537195136705_145408">
When an End User has a network using public address space this
must be registered separately with the contact details of the
End User. Where the End User is an individual rather than an
organisation, the contact information of the service provider
may be substituted for the End Users.<br
id="yui_3_16_0_ym19_1_1537195136705_145409">
<br id="yui_3_16_0_ym19_1_1537195136705_145410">
This clearly has the intent of avoiding the need to enter
'personal' data as contact information. In the IPv6 Address
Allocation and Assignment Policy it is even more vague saying
in 3.3 Registration:<br
id="yui_3_16_0_ym19_1_1537195136705_145411">
Internet address space must be registered in a registry
database accessible to appropriate members of the Internet
community. This is necessary to ensure the uniqueness of each
Internet address and to provide reference information for
Internet troubleshooting at all levels, ranging from all RIRs
and IRs to End Users.<br
id="yui_3_16_0_ym19_1_1537195136705_145412">
The goal of registration should be applied within the context
of reasonable privacy considerations and applicable laws.<br
id="yui_3_16_0_ym19_1_1537195136705_145413">
<br id="yui_3_16_0_ym19_1_1537195136705_145414">
'Reference' information and concerns about privacy again
clearly indicate that the intent is to avoid using 'personal'
data for the contacts.<br
id="yui_3_16_0_ym19_1_1537195136705_145415">
<br id="yui_3_16_0_ym19_1_1537195136705_145416">
This does raise a number of questions:<br
id="yui_3_16_0_ym19_1_1537195136705_145417">
-Should I believe that we really do have more than 2 million
individual people in this region who can seriously address
technical or administrative questions on Internet resources or
network operational issues?<br
id="yui_3_16_0_ym19_1_1537195136705_145418">
-Why is it considered necessary for contacts to be
identifiable people rather than roles?<br
id="yui_3_16_0_ym19_1_1537195136705_145419">
-Abuse-c was intentionally designed to reference a ROLE
object, which no longer needs to have any referenced PERSON
objects, to avoid the need to enter personal data, why can't
technical matters be addressed in the same way?<br
id="yui_3_16_0_ym19_1_1537195136705_145420">
<br id="yui_3_16_0_ym19_1_1537195136705_145421">
The purpose in the Terms and Conditions may define a reason
for holding contact information, but it doesn't justify this
level of personal data being held in the database. Perhaps
it's time to review what is meant by 'contact information'.
What is really needed to satisfy this purpose? For example,
why do we need an address for a technical contact who may need
to be contacted in the event of an operational issue? No one
is going to go to that address or post a letter.<br
id="yui_3_16_0_ym19_1_1537195136705_145422">
<br id="yui_3_16_0_ym19_1_1537195136705_145423">
As always your thoughts and opinions are welcome...<br
id="yui_3_16_0_ym19_1_1537195136705_145424">
<br id="yui_3_16_0_ym19_1_1537195136705_145425">
cheers<br id="yui_3_16_0_ym19_1_1537195136705_145426">
denis<br id="yui_3_16_0_ym19_1_1537195136705_145427">
co-chair DB WG<br id="yui_3_16_0_ym19_1_1537195136705_145428">
<br>
</div>
</div>
</blockquote>
<p>I think HOHO-RIPE would tend to disagree.</p>
<p>-Hank<br>
</p>
</body>
</html>