[ncc-services-wg] 2018-05 New Policy Proposal (Publication of Legal Address of Internet Number Resource Holder)

All,

On Thu, Sep 27, 2018 at 03:10:46PM +0200, Marco Schmidt wrote:
> Dear colleagues,
> A new RIPE Policy proposal, 2018-05, "Publication of Legal
+Address of
> Internet Number Resource Holder", is now available for
+discussion.

I really wish these announcements included the text of the
proposal to make it easier to address it without having to
copy&paste the meat of the proposal into the response.

as for the proposal:
        
- this proposal ignores completely the fact that not all
  resource holders are companies.

- publishing the "legal" address details of natural persons
  likely conflicts with the GDPR for the EU and quite possibly
with national data protection regs in the non-EU service region.

- The "legal registered address" of a company will only rarely
  have anything to do with the location of their network
management. In fact it often is no more than a lawyer's or
accountant's office. This is even more true where a business has
many locations for network administration.

I'll address arguments as they pertain to legal persons
exclusively below as I think the civil rights of *natural*
+persons
override any and all arguments you could make here.

specific arguments:

> To make it more difficult for malicious actors to hijack block
+of
> IP addresses and therefore play a preventive role in protecting
> the community against malicious actors;

Please provide reasoning how this would be achieved. I see no
logical route to this assertion.

> Assisting businesses, consumer groups, healthcare organizations
> and other organisations combating fraud (some of which have
> mandates to electronically save records) to comply with
+relevant
> legal and public safety safeguards;

Please provide exactly which legal requirements and public
safeguards require a central, PUBLIC, database of all resource
holder address details.

> Competent authorities to serve legal process to the party
> responsible for the resources;

Competent authorities already have a route to this information
via the RIPE NCC or via national companies' reg offices.

> To reduce delays in serving legal process, avoiding lost leads
> and evidence.

"Delays" such as having to procure a warrant for this data or
having to look a business up in the national companies' office
databases?

> The RIPE Database is made for technical troubleshooting and not
> for legal purposes.
> Counter-argument: In the wake of large-scale cyber incidents,
> there is a strong need to enhance cross-border cooperation
> related to preparedness. Responding to cybersecurity incidents
> may take many forms, ranging from identifying technical
+measures
> which may entail two or more entities jointly investigating the
> technical causes of the incident (e.g. malware analysis) or
> identifying ways through which organisations may assess whether
> they have been affected (e.g. indicators of compromise), to
> operational decisions on applying such measures and,
+ultimately,
> to be able to reach out across different jurisdictions in a
+fast
> fashion. Every national registry has different rules, languages
> and formats. The availability of the data clustered in one DB
> with one format will help for troubleshooting.

Again, I cannot see the logic behind the assertion that a PUBLIC
database of legal registered company addresses, insofar as it
doesn't already exist in most jurisdictions, solves any problem
related to technical troubleshooting. I'm sure in only the
tiniest minority of cases will the lawyer or company secretary
this address points to be able to, or even know whom to
ask for, help with technical troubleshooting.

> The information will become out of date if the RIPE NCC can't
> ensure current accuracy.
> Counter-argument: Information is the lifeblood of organisations
> such as the RIPE NCC. Impure data is like impure blood
> �\200\223
+not
> good for the system. The quality of data held in IT systems
+will
> deteriorate unless steps are taken to maintain its accuracy and
> consistency.

This is not an argument, it is merely a re-statement of the
position that data quality is important. Also, while everyone who
knows me will know that I am the last person to demand political
correctness in debate; I do question the need for the language
and rhetoric of "Mein Kampf" in a policy proposal.

> Therefore, it is of utmost importance to keep data
+qualitatively
> accurate.  Poor data quality can lead to organisations taking
> decisions based on inaccurate or out-of-date in-formation,
> potentially with expensive consequences.

see above, not an argument, just restatement.

> The achievements don't justify the needed efforts/costs.
> Counter-argument: Network and information systems and services
> play a vital role in society. Their reliability and security
+are
> essential to economic and societal activities and in particular
> to the functioning of modern societies and economies. A culture
> of security is being shared across sectors which are vital for
> our economy and society and will have to comply with the
+security
> and notification requirements being discussed in the RIPE NCC
> service region.

Again, the "counter-argument" is a boiler-plate politcal
+statement
and does not address the the effort/cost argument against.

For the avoidance of doubt, the above constitutes opposition to
this proposal.

Kind Regards,
Sascha Luck

> We encourage you to review this proposal and send your comments
+to
> <ncc-services-wg at ripe.net> before 26 October 2018.

Hereby done.