[dp-tf] Limit on access to personal data

Dear Colleagues

The RIPE NCC has been working with the RIPE Data Protection Task Force
on many areas, including access to personal data held in the RIPE
Database.

We have now developed a new Near Real Time Mirroring (NTRM) stream to
filter out identifiable personal information. NRTM is a mechanism
whereby users can receive filtered updates to the RIPE Database almost
immediately. It maintains the references to nic-hdls. So anyone using
this stream can find the references and then query the RIPE Database for
the personal data they really need. This, of course, will be subject to
our normal access limits.

Initially, those requesting NRTM streams will be provided with the new
stream and must sign a new contract. The data protection laws make it
very difficult to justify giving anyone full access to all personal data
held in the RIPE Database.

The RIPE NCC now has a dilemma. We often get requests from organisations
claiming to be spam or abuse fighters. They always ask for full access
based on an unpredictable need to query large numbers of PERSON objects.

A typical recent example is this:

"You see, the number of queries doesn't depend on me; it depends on
how many different IP addresses attack that server ... December was
quiet and I probably made 4,000 or 5,000 queries, while in the first
week of January alone I was hit by about 18,500 bots on distinct
addresses and had to make just as many queries."

To query a large number of inetnums without using the "-r" query flag
could return tens of thousands of PERSON objects. This is much higher
than our default access limit, which is the total number of personal
data sets a user can receive from queries to the RIPE Database in a set
period of time. (For security reasons, we do not disclose what the
default value is or the time period.)

We can raise the limit on the number of PERSON object queries allowed by
a specific IP address, subject to the user signing a contract with the
RIPE NCC. But we have some questions that need to be considered here:

1. How do we verify the validity of a claim that an organisation is a
genuine spam or abuse fighter? We have no knowledge of these
organisations. Often their website does not provide conclusive evidence.
It could even be a spamming organisation that claims to fight spam and
ask for an increased access limit.

2. If we are able to verify the claim, what is an acceptable increased
limit for organisations involved in this type of work? From a data
protection point of view, lower is better. We cannot accept an
open-ended, unpredictable need.

3. Perhaps a better approach would be to provide training on how to use
the RIPE Database. Rather than raising limits, advise people to query
the IP addresses with the "-r" flag and see how many networks these
individual addresses fall into. Find which of these networks have either
an "abuse-mailbox:" attribute or reference to an IRT object. Then only
query for personal data with those that are still difficult to trace.

The RIPE NCC would appreciate any input and guidance on these questions.
It is a topic that will be added to the agenda of the DP TF meeting
in February.

Regards
Denis Walker
Business Analyst
RIPE NCC