[arin-ppml] Comments on Draft Policy 2010-3: Customer Confidentiality

Steingruebl, Andy asteingruebl at paypal.com
Wed Mar 24 19:01:57 EDT 2010


This is a response to the suggested policy change 2010-3: Customer Confidentiality - https://www.arin.net/policy/proposals/2010_3.html

ARIN has a responsibility to maintain proper records, ensure the accuracy of their database and implement controls to prevent the abuse and inaccuracy of their data. 

However, we believe this change will create many unintended consequences that will ultimately increase the costs and workload of both ARIN and the ISPs. 

Among the various unintended consequences, we can see the following as a result of this change:

* ISPs will receive abuse complaints related to their customer activity, may 
  or may not take action, may or may not forward to actual customer involved. 
  This will cause increased workload and burden to the ISP.

* An ISP may be implicated in illegal activity their customer was engaged in
  since the party responsible for the IP space is not clearly denoted.

* In the event an ISP customer contact shared the same name as an ISP 
  employee, confusion and problems serving legal process will also arise.

* A simple traceroute will still allow a competitor to determine what ISP is 
  servicing what customer, thereby providing no confidentiality as suggested
  by the policy modification. 
  
Should we also do away with ICANN domain contact information since it too provides contact details on who owns a specific domain name and may be used to obtain customer contact lists?  We don't believe that would serve the public interest either.

The concerns we raise above to be aren't purely hypothetical either.  Just this week we've seen the publishing of data about possibly malicious ISPs that paints with a fairly broad brush because of how registration data is represented to the outside world.

http://maliciousnetworks.org/index.php
http://www.krebsonsecurity.com/2010/03/naming-and-shaming-bad-isps/

Without better visibility into the actual bad actors the community is forced to view certain large ISPs with more suspicion than they may be due.  More accurate records in WHOIS can help to prevent this situation.

--
Andy Steingruebl
and
Jon Orbeton
PayPal Information Risk Management  





More information about the ARIN-PPML mailing list