[arin-ppml] Policy Proposal 95: Customer Confidentiality

[George Bonser]

> 
> I don't think we're disagreeing per say.  I think we're looking at
this
> from
> different angles.
> 
> There are a couple reasons I chose not to eliminate SWIPs in the
> proposal;
> One, it would never fly.  

Well, my thought was that anonymous SWIP is the same as no SWIP for all
practical purposes.  The notion was to find some way that SOME of your
customers could be removed from being trawled via whois (and THAT really
seems to be the issue, not SWOP itself) but the ones that I believe must
remain public ... the ones not exclusively under your management ...
would still have the current registration requirements.

The real fix for this is actually the same as it was for telephones but
is unworkable for the internet.  The fix is to allow a customer, once
assigned IP addresses, to keep them if they move just like you can keep
your phone number if you change cellular providers.  It would, however,
cause routing table size explosion and isn't workable with the current
state of the art.  But it would end people trawling your allocated space
looking for your SWIPs because over time that space would scatter.  You
would no longer have any exclusively allocated space, you would simply
hand out initial allocations that would, over time, drift to other
providers and theirs would drift into you.

And I can understand the kind of business intelligence that can be
obtained from this information.  I could trend competitors, see which
were gaining customers, which were losing customers, etc.  And that is,
I believe, the real problem here.  It isn't SWIP per se, it is who has
access to it and for what reasons.  Is it in the interests of the
community that ARIN provide a resource for commercial entities to
collect information on each other?  Should they have to pay some price
for that information?  Should they be denied access?  How would it be
policed.  I believe end users should have quick and ready access to the
full POC information of people allocated IP addresses.  I don't believe
that marketing departments of competing providers should be leveraging
that information for their commercial interests.


> Plus ARIN still uses SWIP for justification.  They don't care who it's
> assigned to, just that it's assigned.
> 
> Nothing in my proposal takes away from anything that is already
> functional.

We disagree here.  Yes it does take away from things that are already
functional.  Someone emailed me this morning that they noticed
unfamiliar email activity on their mail server from one of my IP
addresses and they wanted to know what it was.  They were able to
quickly and easily determine who was responsible for that IP address
even though it was not from the block I have directly assigned.  They
were able to quickly locate the contact information for a role account
that I monitor and we were able to resolve the issue within five
minutes.  Under your scenario, they would probably need to open a
"ticket" with your abuse process.  They would need to get in line behind
potentially hundreds of other such tickets that got opened that morning
for other customers of yours.  They would need to explain the activity,
you would then contact me, then there would be back and forth
communications between me and the other user with you in the middle.  It
increases the chances if miscommunications, misunderstandings, and
creates more work for everyone involved. 

> It simply gives the ISP the ability, along with it's customer, to
> decide if
> the address, phone number and e-mail should be displayed.  Name is
> still
> required.
> 
> Aaron

All of the above must, in my opinion, be required.

George