ARIN-PPML Message

[ppml] Policy Proposal 2004-6: Privacy of Reassignment Information

There have been very very very few cases of abuse of reassignment information
by one ISP to get customers of another ISP. If it was a widespread issue, 
it would get reported on this and other lists - but ask yourself if you 
even know of one case?... So if it was widespread abuse, maybe then it
would have been worth it to consider such a widescale privacy policy, but
it really is not an issue.

Also "perfect contact info" is not right, in fact the contact for customer
block is usually an ISP itself and not the customer. The only thing that is 
required is to list customer name and address (granted you often can find 
other data from that based on other sources, like whitepages).

As far as rwhois - yet we all know some ISPs don't let you see their rwhois
info, but it really is not because they are hiding data, most who do just 
don't have it maintained and populate the database only when they need to 
get a new IP block from ARIN (yes this is against the policies, but this 
privacy policy would not change anything as far as this bad practice). 
And if you run rwhois server, you'd know that there have not been any
scans of the entire range of IPs that server is responsible for (and to 
get a list of your clients from rwhois, a person would have to actually
scan each and every IP since rwhois does not require an ISP to provide
a "list" of clients for the range and only answers with information on
an individual IP), so really there is no abuse of the data right now.

On Tue, 19 Oct 2004, Gregory Massel wrote:

> The crux of this issue is that re-assignment information contains a perfect
> contact list for most of an ISP's customers. Many ISPs consider this to be
> sensitive information and do not wish for it to fall into the hands of their
> competitors.
> 
> At the moment there is very little stopping ISPs from setting up rwhois
> servers and filtering them such that only ARIN can access them. This may be
> against policy, however, it is happening on quite a large scale, which
> indicates widespread demand for this information to be considered private.
> 
> I support this policy proposal, however, question why the entity's upstream
> organisations should have access? In many cases ISPs compete with their
> upstream provider making the client information quite confidential. In any
> case, their upstream provider has the most powerful tool imaginable to
> ensure that the downstream honors abuse complaints: it can simply disconnect
> them! I would argue that re-assignment information should only be accessible
> to ARIN unless designated public.
> 
> Exception may need to be considered in the case where an ISP makes a
> sub-allocation to another ISP. Ideally, one would want to have contact
> details for the downstream ISP so that abuse queries don't have to traverse
> a hierarchy of abuse desks.
> 
> 

-- 
William Leibzon
Elan Networks
william at elan.net