[arin-ppml] Clarify /29 assignment identification requirement

William Herrin bill at herrin.us
Fri May 4 22:05:43 EDT 2012


On 5/4/12, David Krumme <david at airbits.com> wrote:
>> I would think that any indirect evidence of a customer's existence
>> would support the address utilization claim. A bank statement listing
>> deposits and charges.
>
> Our bank statement shows all sources of our income and would not in any
> way tend to either validate or discredit our ISP activities.

Hi David,

It would demonstrate a plausible customer count (or the lack thereof)
for the address utilization you claimed.


>> A demonstration of access to the routers implied
>> by assignment claims with apparent programming and interface statuses
>> that match.
>
> I am not going to allow access to our routers to anyone out there on the
> Internet, out of security as well as trade secret concerns. Sorry.

I believe the suggestion was for a webex session in which an ARIN rep
on the phone asks you to operate the router and then observes
(read-only) the result.

Though I have to say I'm a little mystified by these trade secret
concerns. Most businesses I know consider their customer list one of
their most valuable trade secrets. And on the flip side, if you ask
then ARIN staff is under NDA when they're viewing.


>> A 10q or 10k filing listing customer counts.
>
> We don't file such reports. The 477 that American ISPs are required file
> at the FCC could be used, but I suppose it might be easy to lie to the FCC
> if one were so inclined.

Sure, but that gets you in to civil or criminal penalties that you
don't face lying to ARIN. Same with asking to see your tax returns as
a spot check on whether your revenues tend to support or refute the
claimed level of utilization.

Many virtual server providers ask to see a scan of your driver's
license before they'll open an account. Blacked out sections, low
resolution, all fine. Do you know why? Because faking a government
photo ID is at least a class 1 misdemeanor and they figure most
scammers won't commit an actual crime as a gateway into mere civil
fraud.


>> Really, I
>> could go on for paragraphs about what sort of anonymous, indirect data
>> could reasonably imply downstreams' existences in the claimed
>> quantities.
>
> Maybe you could list at least one that would apply to a small ISP such as
> myself?

I'll list two:

Employee count to see if you're over the low water mark typical for
the size of your address holdings.

A de-identified data dump from your configuration system that shows
what (e.g. dialup accounts, email boxes, etc.) but not who (no account
names, real names, addresses, etc).

But do you see what you've done here? You've ruled out several
perfectly reasonable ways to infer the reasonable range of legitimate
utilization simply because you don't like them. Why shouldn't the
other guy get the same opportunity to rule out the PII one that makes
him nervous in favor of the bank statements or router configs?

And oh by the way, I'm not sure you realized it when you posted this
but if ARIN feels the need they'll ask for the customer list
associated with one or more of your dynamic pools as well, not just
restrict themselves to the statics as they've done so far. So says
John Curran.


> I actually welcomed the request to provide the names of our subscribers. I

Fantastic. And I would be well satisfied if you chose that method of
validating your utilization over the others. Convince John Curran that
there's a way to do that without taking away anybody else's choice to
provide a tour of the routers instead of the PII and I'll write it up.

Regards,
Bill Herrin



-- 
William D. Herrin ................ herrin at dirtside.com  bill at herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004



More information about the ARIN-PPML mailing list