[arin-ppml] Comments - Draft Policy 2010-3: Customer Confidentiality

[Smith, Bill]

Proposal 2010-3 fails to meet the spirit, if not the letter of the Policy Development Process that instructs proposers to "make a clear and concise policy statement that is unambiguous and actionable" that "will ideally fit right into the Number Resource Policy Manual". A quick analysis follows:
Concise: a model of brevity using only 47 words.
Actionable: requests a new policy, but no changes to existing policy language.
Ambiguity: conflicts with NPRM 3.3 [1] and RSA 5. (b). [2]
Clarity: does not clearly state who can request "actual customer information"; who that request is made to; uses a term of art "strictest confidence" that is open to broad interpretation; and does not clearly state who is required to maintain that confidence.
As written, Proposal 2010-3 is far from "ideal". If the requested action (add the proposal text as a new policy) is taken, the NPRM becomes self-contradictory or at best ambiguous. Substituting an ISP's contact information for a customer's will institutionalize as acceptable, inaccurate WHOIS information in direct contravention to the RSA. Resolving these ambiguities will require changes to other ARIN polices and the RSA yet this proposal does not specify what those changes should be.
The rationale provided for Proposal 2010-3 does not articulate a specific problem as suggested in Appendix B of the PDP. Rather, it informs us that customer lists are proprietary assets that any good business would zealously protect. It goes on to suggest that current ARIN agreement and policy requirements "invites competitors and others to solicit both individuals and companies" "contrary to good business practices"..
The problem, if any, as articulated in the rationale is that the petitioner knowingly entered into an agreement but failed to exercise good business judgment or the petitioner was unaware of ARIN policies and long-standing Internet practice of providing and publishing the information in question. In either case, this is not the forum to address such a failure or lack of knowledge.
Proposal 2010-3 is a solution in search of a problem, and as articulated above, fails to meet the reasonable criteria for a policy as established by the PDP and consequently should not be adopted.
As a final comment, Proposal 2010-3 should not be adopted "on the merits". Others have argued against it on those grounds and repeating those arguments would needlessly consume yet more of our time.

[1] NPRM 3.3 that states "Organizations may designate certain points of contact as private from ARIN WHOIS, with the exception that, at the minimum, one point of contact must be viewable."
[2] RSA 5. (b) places a responsibility on the Applicant (ISP) "for the timely and accurate maintenance of directory services data (WHOIS), as well as data concerning any organization to which it further sub-delegates number resources".

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.arin.net/pipermail/arin-ppml/attachments/20100415/57e380a5/attachment.htm>