[arin-ppml] /32 assignment identification requirement

[John Curran]

On Apr 27, 2012, at 11:40 AM, Lee Dilkie <lee at dilkie.com> wrote:

> My point was more along the lines of "this is third party information". It's one thing for an ISP's customer list to be compromised. At least in a lawsuit a customer cannot claim that the ISP had no right to store the data. But I worry that for ARIN the argument would come down to that, does ARIN have more liability because it would have to make a non-obvious argument as to why it needed to possess such data..
> 
> just me being a worry-wart I guess.

Lee -

It is a reasonable concern and worth discussing.

This is existing practice (requesting fairly detailed technical and business information as needed for request verification) and while we are in the midst of review our retention practices for such data, the current practice is considered a reasonable risk in light of our needs for faithful execution of policy. 

 
i.e. It would be impossible (in many cases) to verify a request with any degree of certainty with such data, and the duty to protect the comes with the policy administration duties unless the policy requirements are trivial.  The argument is fairly straightforward to explain even if non-obvious from a lay perspective.

Thanks for raising this!
/John

John Curran
President and CEO
ARIN