[ppml] Last Call for Comment: Policy Proposal 2003-3

Owen DeLong owen at delong.com
Wed Nov 19 14:13:48 EST 2003



--On Wednesday, November 19, 2003 9:00 AM -0600 J Bacher <jb at jbacher.com> wrote:

> Owen:
>  > Note that this policy has no size limit, so, depending on the
>  > "residential" customer and the willingness of the upstream to condone
>  > abuse and risk blacklisting, it doesn't put much of an onus.  As written,
>  > it is a blank check for abuse.
>
> If the upstream condones spam abuse, where is your data that supports
> that the upstream's client will adhere to your request?   You made the
> comment at the meeting about wanting to use legal means to contact the
> client directly.  I'll say it again, if you have a valid legal complaint,
> go through standard legal channels and file a complaint with the police.
>
>
The police do NOT handle CIVIL complaints.  They only deal with CRIMINAL
complaints.  YOU CANNOT get the POLICE to deliver your CIVIL SUIT to
a defendant for which you have no name or address information.  Additionally,
the ISP whose contact information you DO have cannot be held liable in
your civil complaint against their customer in most cases.  The latter is
a good thing, but, this policy creates SERIOUS problems as long as both
are true.

> Owen:
>  > Any provider taking advantage of the residential customer privacy policy
>  > shall comply with the following restrictions on that policy:
>  > 1.	Said provider must agree to address abuse complaints about
>  > 	any blocks which are assigned under that policy promptly.
>
> We've had the discussion about ARIN playing babysitter and enforcer for
> abuse.  It doesn't scale.
>
This just requires the provider to agree to it.  It doesn't place any onus
on ARIN to enforce that beyond including it in the provider agreement when
the space is issued.  However, since the provider has agreed to it, it
gives them some culpability in the subsequent civil suit.

>
> Marla:
>  > I don't take this as a way to stop spam really....but I do feel that unless
>  > your customer falls into a dial pool or DSL pool of some sort that they
>  > should have to have their info swiped on WHOIS so that any abuse issues
>  > coming from their usage can be handled directly with that user first before
>  > getting the upstream provider involved.
>
> I don't want you to handle abuse complaints directly with my residential
> customers.  As a zero tolerance for spam ISP, I want the prerogative to
> shut down that connection before I see chunks of my address space black
> listed.  This policy does not prevent you from SWIPing your residential
> customer information.
>
I understand that you don't want to publish your customer information for
a multitude of reasons advantageous to you and/or your customer.  I also
feel that it is not in the overall best interests of the internet for you
to not do so.  I am willing to compromise to /27s and smaller falling
within this at a limit of 1 per customer.  However, beyond that, I think
this policy just creates problems we don't need.

>
> John:
>  > And why would your mother or daughter need more than a single
>  > IP address ??"
>
> We have residential accounts with a local area network that do not use a
> centralized firewall and that use personal firewalls and do not NAT or
> PAT.
>
> We have clients that work from home.  I will not subject these clients'
> families to harassment and abuse.
>
Fine... I believe they would be covered by a /27 or less worth of space,
so, I don't think that's an issue with my proposed additional policy.

>
> Jeff:
>  > Owen DeLong says his concern is with spammers and spam tolerant transit
>  > vendors abusing the residential application for 2003-3."
>
> And I say again, if the upstream is tolerant, where does anyone think
> that the client will be any more proactive in fixing the problem?  The
> majority (99%) of our customer spammers are infected and are not sending
> spam intentionally.  Because of our zero tolerance for spam, we track
> infected customers, advise them, and shut them down (regardless of the
> type of connection) if they fail to fix the problem within our required
> time period.
> --------------------------------
>
Again... I don't expect the client to be more proactive, but, I expect to
be able to issue legal service to the client.  I don't expect to be able
to SUE the upstream ISP for his customer's abuse, since this is specifically
prohibited in many places, and, since I don't want to see that precedent in
the places where it is not prohibited.  Do you?  Would you rather I sue
you instead of your client for your client's abuse?  Do you want to see
the law say specifically that I can?  Sounds like a bad thing for ISPs to
me.


> I realize that there are ARIN members that operate outside of the United
> States.  However, being a company within the United States, I have an
> obligation to protect the privacy of my customer base.
>
Really... Where exactly does that obligation come from?  Why, exactly, do you
think you have a legal obligation to not publish their information?  I agree
that you have an obligation to not do it without their permission, but,
currently, you should be getting their permission prior to issuing a larger
block of address space than a /29.  I don't see how this fails to meet your
obligations.

Owen


-- 
If it wasn't crypto-signed, it probably didn't come from me.