APNIC Privacy of customer assignment records - implementation update

Andrew - Supernews andrew at supernews.net
Fri Sep 24 06:05:36 UTC 2004


>>>>> "Matthew" == Matthew Kaufman <matthew at eeph.com> writes:

 Matthew> The truth is, it doesn't even need to be a case of "grandma"
 Matthew> listed in the whois (though that is a legitimate issue these
 Matthew> days). If as an ISP, I list "Bob's Flower Market" (which has
 Matthew> a DSL line and IP addresses for every cash register and
 Matthew> order-fulfillment machine) in whois, all that does is:

 Matthew>   A) Cause "Bob's Flower Market" to get spam at the address
 Matthew> harvested from whois,

Are you talking about email spam or snail-mail here?

 Matthew> and
 Matthew>   B) Cause people who have issues with virus-infected
 Matthew> machines to call Bob (who doesn't know jack about viruses)
 Matthew> instead of calling me (I can remotely shut him off until I
 Matthew> can drive over there with a CD full of anti-virus software),
 Matthew> and

So list yourself as the contact (but not the network owner) rather
than him.

There's a world of difference between hiding the whole assignment
(which means that, for example, I can't find out the extent of Bob's
network in order to block the viruses he's spewing without also
affecting traffic from the perfectly clean networks who have the bad
luck to be assigned adjacent IPs) and making the contacts point to
the ISP rather than the customer in cases where the ISP is the only
competent technical contact.

 Matthew>   C) Give my competition Bob's name and phone number, so
 Matthew> they can try to sell him their DSL service instead.

Cost of doing business. The operational requirements of the rest of
the network, who _do_ have a substantial interest in being able to
know where one customer network stops and another one starts, and the
identity of the customer if it's a business, outweigh any
inconvenience you might suffer as a result.

 Matthew> (Imagine the response if you asked any other local business
 Matthew> to post their complete customer list, with the names and
 Matthew> unlisted phone numbers of buyers, on the front door)

I don't know about where you are, but where I live it's a legal
requirement for any company to display its registered company name on
every place where it does business. So if you're a provider of, say,
office space, then yes, the complete list of your customers will be on
the front door. (Your introduction of "unlisted phone numbers" into
the argument is of course wholly spurious - the issue of how much
contact info should be listed is a separate one from the issue of
whether the network assignment itself should be listed.)

 Matthew> What it does NOT do is:
 Matthew>   1) Reduce the amount of virus traffic accountable to Bob
 Matthew> (might make it worse, if people call him instead of me), or

But it stops me from reliably blocking Bob's network without affecting
innocent parties who don't have a virus problem but do have adjacent
IPs.

 Matthew>   2) Reduce the amount of spam in the world (probably
 Matthew> increases it, at least from Bob's point of view), or

If Bob happens to be a spammer, it makes it harder to block his
networks without affecting innocent bystanders. It makes it harder to
detect that his provider is simply shuffling him around in response to
blocks or complaints. It makes it harder to link up the connections
between otherwise apparently separate spammers or spam gangs.

I see no reason why there should not be some flexibility in the whois
data regarding who is listed as a contact for what purpose, the extent
of information required for listed contacts, etc. But there needs to
be a stronger argument than just vaguely saying "privacy concerns" in
order to justify not listing the extent of the IPs allocated, and the
owner and business address of the recipient of the allocation except
where the allocation is to a residential user.

As for the ARIN proposal 2004-6, I notice that it would have the
effect of essentially nullifying the requirements of the previously
adopted policy 2003-5 (requirements for RWhois servers). That policy
expressly states that reassignment info must be available to the
public and not just to ARIN staff. There is nothing given in the
rationale for 2004-6 to explain why 2003-5 should be summarily
overruled in this way.

-- 
Andrew, Supernews
http://www.supernews.com



