[arin-ppml] Comments on Draft Policy 2010-3: Customer Confidentiality

michael.dillon at bt.com michael.dillon at bt.com
Wed Apr 7 05:05:22 EDT 2010


> "ISPs may choose to enter the customer's name along with the 
> ISP's address and phone number in reassignments and 
> reallocations in lieu of the customer's address and phone 
> number. The customer's actual information must be provided to 
> ARIN on request and will be held in the strictest confidence."
> 
> Those "two lines" (at least to me), represent sort of the 
> "domains by proxy feature".

This is much stricter than today where an ISP can just leave out
customer information, and not give ARIN anything.

> When dealing with security incidents, if the contact 
> information is virtually proxy'd, then that's more time/money 
> spent trying to get a hold of someone close enough to the 
> problem to do away with it. 

You clearly do not have front-line experience with this kind
of contact scenario. If you contact the ISP, they can disconnect
the customer, then contact them and help them sort out the problem.
If you contact the customer, they will say something like, "I don't
know what you are talking about, I was cooking supper and I'm not
using my computer at all, just reading the recipe off the screen".

Filling the whois directory with contact info for people who have
little understanding of technology and networks *WILL* cost you
more money and wasted time trying to get a hold of someone who
can understand your issue and act upon it.

> However, the very thing you're trying to 
> protect against (eg: customer lists), is one of the very 
> things security ops handlers are trying to build up and keep 
> current. The public information in an unstructured and 
> federated environment helps us do that. It is only two 
> sentences, and that's dangerous when you're setting a 
> standard for the backbone of the federated environment that 
> is the internet.

Yes, it is true that in the Wild West, private police forces 
and armies were free to form and to take action. But the Wild
West has ended, and it is time for the Internet to also become
more civilized. If this bothers you, then join the police force
or the FBI, and you will be a real cop, not just a pretend one.

> We are enumerating those customer lists on a daily basis to 
> help make the internet a safer place. 

On second thought, maybe you should go into politics. That way
you could pass a law mandating ISPs to share their databases
of customer identity and IP address with the legal authorities.

The fact is that by removing junk info from the whois directory
ARIN would be helping to make the Internet a safer place.

> By design, this policy 
> appears to be aimed at taking that functionality away. 

Yes, and in my opinion it should be simplified to remove this
sentence:

  The customer's actual information must be provided
  to ARIN on request and will be held in the strictest
  confidence.

That doesn't belong in policy and is already part of ARIN's
current operational practice. When ARIN needs the info, they
ask for it, and they will sign an NDA with the registrant.

--Michael Dillon


