ARIN-PPML Message

[arin-ppml] Draft Policy 2010-3: Customer Confidentiality - staff assessment

Draft Policy 2010-3
Customer Confidentiality

Attached is the ARIN staff assessment of 2010-3.

This draft policy is open for discussion on this mailing list and will
be on the agenda at the upcoming ARIN Public Policy Meeting in Toronto.

2010-3 is below and available at:
https://www.arin.net/policy/proposals/2010_3.html

Regards,

Member Services
American Registry for Internet Numbers (ARIN)


## * ##


Draft Policy 2010-3: Customer Confidentiality
Version (Date): 2 February 2010

Date of Assessment: 19 March 2010

1. Summary (Staff Understanding)

ARIN staff understands that this policy allows ISPs to substitute their
own mailing address and phone number in lieu of their customers’ mailing
address and phone number when registering reassignment information via
SWIP or RWHOIS. It requires ISPs to provide the full customer
information to ARIN when asked to do so by ARIN staff.

2. Comments

A. ARIN Staff Comments

Staff has no comments

B. ARIN General Counsel

This new proposal permits ARIN to obtain the information it needs to
fairly and accurately access utilization. The proposal appears intended
to afford privacy protection of customer contact information. However it
must be balanced by risks that may create. The proposal defines ARIN's
treatment of customer data using a non-legal formulation, e.g.
“strictest confidence”. Such a term conveys an intended sense of how
such data should be treated, but is open to wide interpretation. This
language, if enacted, could potentially increase ARIN’s legal risk that
current ARIN practices might be deemed insufficient under this standard.
Current policy attempts to addresses privacy protection for IPv6
reassignment data. For example, NRPM 6.5.5, which states “IRs shall
maintain systems and practices that protect the security of personal and
commercial information that is used in request evaluation, but which is
not required for public registration.” More precise language, such as
that in 6.5.5, might also be considered as a substitute for the term
“strictest confidence”.

3. Resource Impact

This policy would have minimal resource impact. It is estimated that
implementation would occur within 3 months after ratification by the
ARIN Board of Trustees. The following may be needed in order to implement:

Minor updates to the ARIN website
Updates to NRPM Sections 4.2.3.7.1 and 6.5.5.

4. Draft Policy Text

Draft Policy 2010-3
Customer Confidentiality

Version/Date: 2 February 2010

Policy statement:

ISPs may choose to enter the customer's name along with the ISP's
address and phone number in reassignments and reallocations in lieu of
the customer's address and phone number. The customer's actual
information must be provided to ARIN on request and will be held in the
strictest confidence.

Rationale:

Version 2.0 clarifies the need for the customer name to remain in the
SWIP and RWHOIS information.

Customer contact lists are one of the most proprietary and confidential
pieces of information in any business. The requirements for ISPs to
publish those lists via SWIP or RWHOIS runs contrary to good business
practices and invites competitors and others to solicit both individuals
and companies receiving reassignments and sub allocations from upstream
providers.

Timetable for implementation: immediate