[ppml] Policy Proposal 2005-2: Directory Services Overhaul

Owen DeLong owen at delong.com
Fri Apr 15 17:40:01 EDT 2005


> 1.  I feel it would be best for us to get a definitive answer on Privacy
> Laws and what should and should not be made public accessible information.
> Along with a definition of what "public Accessible" really entails. 
> 
I think not.  Especially in terms of state-to-state differences, and, the
differences between privacy laws in Canada and the US, it just doesn't
make sense.

The ISPs are in a business which requires them to comply with the privacy
laws in the areas in which they do business.  This is part of the
requirements of the business they are in, and, they already shoulder this
responsibility.
They should, therefore, be able to make their contributions to the whois
database on this basis.  Perhaps ARIN should include an out in the policy
language of:

In the case where an ISP can show that appropriate submission/publication
of data required under this policy would violate a law, the ISP shall not
make such submission/publication, and, shall provide the data to ARIN
under seal accompanied by text of or reference to the applicable law.

> This proposal doesn't require you to publish anything publicly so
> hypothetically it could never be at odds with any privacy law.  However,
> the burden moves back to the ISP to ensure that they are in compliance
> with the law with respect to their customers.  This might be hard for
> ISPs that span the US and more.
> 
Right... see above.  If it's hard for them, so what.  It's part of the
business they are in.

> Shouldn't we make a policy that applies the same to everyone?  
> 
This policy does apply the same to everyone.  Everyone gets the same
choice.  I don't see why this is a problem.

> This proposal provides "choice".  But is that really a healthy policy?
> Giving someone the choice would create division between companies that
> make information "secure" and companies that don't.  This could create an
> unfair market advantage.  
> 
That's called market differentiation, and, no, it's not an unfair market
advantage, because, any advantage or disadvantage is based on the choice
made by the management of said company.  An unfair market advantage is
when one company gets an advantage over another by virtue of some policy
favorable to one and not favorable to the other set by an external body.
Since all companies get the same set of choices, they may all choose the
same policy, or, they may choose different policies, but, in any case, there
is no unfair advantage because the other choices remain open to them.

> If we were to choose a policy that enforces security I would hope that it
> still requires publication but that the publication is secured.  Not
> information hoarded away to keep it secure.  I'm not sure if this is
> possible...but it is another way of doing security that should be
> reviewed.  I'm sure there are many other ways of securing information
> that can be reviewed as well.  We should give it the diligence it
> requires and review as many different ways possible that we can keep
> information secure.  We shouldn't just approve the first solution at hand
> which is to "hide the information from everyone".
> 
Sorry, Marla, I can't even make sense of the above statement.  If you want
to publish information to the general public, then, you cannot secure
it other than preventing write access.  If you want to publish the
information only to a subset of authenticatable users, then, that is
secured information.  It's pretty binary.  Not a lot of shades of gray
there.

> If we move this proposal forward and change what "CHOICE" people have to
> make then here's what happens:
> 
> If you don't publish this information then your company will end up
> answering all first line abuse complaints.  Which is ok if you are a big
> company and have at least 5 people working for your abuse team.  However,
> if you are a small company and you can only have 1 person on your abuse
> team then they are going to need to publish this information so that
> their customers can respond themselves to first line abuse complaints.
> 
Well... If you are a small company and those are the tradeoffs, then,
perhaps this is not the correct choice for you.  In any realm of choice,
there are always tradeoffs.  That's what choice is about.  Businesses make
choices all the time.  That's called management.

> If it becomes a choice to publish information or not.....then the small
> companies that have to publish this information in order to keep the
> headcount cost down within their abuse team ...will end up facing the
> loss of customers to the bigger companies that can afford to not publish
> this information and have large headcount in the abuse team.  
> 
I don't see this as really being the case.  The smaller companies will not
have as much address space subject to abuse, so, they will attract fewer
abuse complaints.  A small company that enforces its AUP effectively
can run on a relatively small abuse department.  In my experience, the
larger an organization gets, the less likely it is to enforce its AUP
effectively, so, in fact, larger organizations need non-linearly larger
abuse departments to cope with this fact.  In my experience, this leads
to a slight reversal of what you describe above.  I don't think that
whether the information is published or not is a significant factor
to the smaller organization.  Failure to publish, OTOH, will certainly
produce a significantly bigger burden on the larger organization.

In that respect, I suppose this policy could provide slight market
advantage to the smaller organizations, but, compared to the other
market advantages that come with being a large organization, I think
this advantage for the little guy is relatively small.  As such, I
don't think it is unfair.

> Bad data is worse than no data doesn't hold here.  Why would someone
> publish bad data when they want their customers to be answering to first
> line abuse complaints?
> 
Because they don't know it's bad.

> In my opinion the worst kind of bad data I see is when I go to search
> who a /24 is assigned to and the only record on hand is that of the large
> ISP and not who is actually claiming to be using it.
> 
Nope... The worst kind of bad data is when I find who owns the /24 directly
in whois and they don't really exist and their upstream has the same
non-existent data for them.

I haven't made up my mind about this policy yet.  However, I think a lot of
what is in it is a step in the right direction.

Owen

-- 
If it wasn't crypto-signed, it probably didn't come from me.