[arin-ppml] Audits

Leo Bicknell bicknell at ufp.org
Sun Nov 7 07:40:40 EST 2010

In a message written on Sat, Nov 06, 2010 at 09:29:30AM -0400, John Curran wrote:
> Leo's message also includes both "abuse" & "defunct companies" which 
> definitely require better definition via policy before ARIN knows how to 
> ramp up these activities.  If abuse means anything other than the fraud
> definition we're using, then we need to be very clear about what you all
> believe constitutes abuse.  

I will note that in the policy text I submitted I did not include
abuse for this very reason.  It was a mistake for me to include it
in the previous message I wrote.

ARIN seems to already know what fraud is, the only question there
is if they only work reactively to community reports, or also work
proactively.  The question with proactive seems to be how much time
shoud be spent, and I suspect if I put in policy something like
"400 hours of staff time per year" or "$100k of resource per year"
there would be great pushback that these are operational details.

I think ARIN leadership is able to make a determination on an
appropriate resource level, and that over time the feedback process
of reporting at the meetings how many cases were investigated and
the result will let the leadership, with feedback from the community,
determine if that activity should get more or less resources.

> We have similar issues with resources held by "defunct" organizations, 
> since it can be very difficult to find the appropriate original legal 
> entity that was assigned a legacy resource, and then even more challenging
> to determine if they're actually defunct when there's no declaration of
> same, given the chain of mergers, acquisitions, and divestitures that 
> occurred in this the early days of this industry. 
> Tracing these legally is just manageable when dealing with someone inside
> the successor firm, who has access to their legal records, and is willing 
> to be responsive to our requests for documentation (as occurs with transfers 
> due to merger and acquisition.)  Attempting to prove the same decades later 
> entirely from external legal records would to be a real adventure...

When ARIN created the LRSA a set of criteria had to be generated
to "prove" the person asking to sign the LRSA is indeed a successor
in interest to the original allocation and able to sign binding
contracts to that effect.  You allude to this in your last paragrah
here, ARIN asks for various records.  I don't know exactly what
records and don't believe ARIN publishes a list, but I believe it
is things like copies of drivers licenses or passports for the
people involved, and things like copies of articles of incorporation,
merger contracts, and so on for the business entities involved.

While ARIN asked the communnity for input on this process generating
the criteria did not require any work in the public policy process,
or even the ASCP.  Rather ARIN Legal, Staff, and Executive Management
worked out the operational details of what would be a firm legal
footing for ARIN to stand on in this process.  It is also my
understanding the set of criteria is not completely fixed, that it
can both vary case by case, but also that ARIN alters the set of
criteria over time as they learn from the process.  This is all

This is why I am puzzled and frustrated that the negative version
of the same thing, "proving" a defuct company, would be treated any
differently from a process perspective.  Just as in the positive
case above ARIN will have to find multiple sources of information
that when taken as a whole provide enough evidence that ARIN Legal,
Staff, and Executitve Management find any risk is de minimus.
Indeed, the vast majority of the input to this process I believe
comes from ARIN Legal as the real fear here behind all of the
discussion is that ARIN makes the wrong determination and is then
sued by the person harmed.  The fundamental question is does ARIN
have the best defense possible in this case that it took all
reasonable actions.  That is a question that I, a non-lawyer am not
qualified to answer.

What I, as a community member, would like to direct ARIN to do in
the case of defunct companies is to perform the exact same internal
process they did in the positive case of the LRSA to generate a set
of criteria in the negative case.  Further, I would expect, just
as in the LRSA case, ARIN would start with low hanging fruit, report
to the community on the activities, and work up the tree.  At some
point community feedback will be that it costs too much to get fruit
higher on the tree, and that's ok.

However, this is the last message I'm going to post on subjects
other than my policy.  In chatting with several folks who also read
PPML about why I seem to be misunderstood on what I want one of the
pieces of feedback I've gotten is that by posting in threads with
other subjects folks may be inadvertantly conflating my desires
with greater issues in the thread.

I'm going to wait for the AC to make their determination on my
policy, and will then argue my case there where it is clear.

       Leo Bicknell - bicknell at ufp.org - CCIE 3440
        PGP keys at http://www.ufp.org/~bicknell/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 826 bytes
Desc: not available
URL: <https://lists.arin.net/pipermail/arin-ppml/attachments/20101107/b42f2829/attachment-0001.sig>

More information about the ARIN-PPML mailing list