[arin-ppml] Clarify /29 assignment identification requirement

Fri May 4 23:12:30 EDT 2012

> On 5/4/12, David Krumme <david at airbits.com> wrote:
>>> I would think that any indirect evidence of a customer's existence
>>> would support the address utilization claim. A bank statement listing
>>> deposits and charges.
>>
>> Our bank statement shows all sources of our income and would not in any
>> way tend to either validate or discredit our ISP activities.
>
> Hi David,
>
> It would demonstrate a plausible customer count (or the lack thereof)
> for the address utilization you claimed.

Um...our income comes from lots of sources and nothing on the bank
statement would indicate the source of the income. I guess our total
revenue would show up as being sufficient, but how much of that was due to
Internet service would be impossible to detect. I don't see that that
would be very informative.

>
>>> A demonstration of access to the routers implied
>>> by assignment claims with apparent programming and interface statuses
>>> that match.
>>
>> I am not going to allow access to our routers to anyone out there on the
>> Internet, out of security as well as trade secret concerns. Sorry.
>
> I believe the suggestion was for a webex session in which an ARIN rep
> on the phone asks you to operate the router and then observes
> (read-only) the result.

The routers, for example, contain WEP and WPA keys disclosed in plaintext
to the person logged in to the router, and to anyone who might also be
observing. Maybe I'm being too paranoid, but I've always guarded any and
all access to our servers and routers instinctively.

> Though I have to say I'm a little mystified by these trade secret
> concerns. Most businesses I know consider their customer list one of
> their most valuable trade secrets. And on the flip side, if you ask
> then ARIN staff is under NDA when they're viewing.

Everyone in town knows who our customers are. It's the opposite of a
secret. Most of our customers have our name built into their email
addresses. In this regard, an ISP is rather different from most
businesses.

Of course, I wouldn't disseminate a complete list of customers, but I take
it for granted that ARIN will keep the complete list confidential.

>
>>> A 10q or 10k filing listing customer counts.
>>
>> We don't file such reports. The 477 that American ISPs are required file
>> at the FCC could be used, but I suppose it might be easy to lie to the
>> FCC
>> if one were so inclined.
>
> Sure, but that gets you in to civil or criminal penalties that you
> don't face lying to ARIN. Same with asking to see your tax returns as
> a spot check on whether your revenues tend to support or refute the
> claimed level of utilization.

So the 477 might be a good kind of justification. But I don't know whether
as a practical matter one could convince the FCC to divulge it to ARIN,
even if I gave them permission to do so. If this could be done, though, it
might be a really good form of substantiation, and it could have the
side-effect of encouraging ISPs to be honest with the FCC.

> Many virtual server providers ask to see a scan of your driver's
> license before they'll open an account. Blacked out sections, low
> resolution, all fine. Do you know why? Because faking a government
> photo ID is at least a class 1 misdemeanor and they figure most
> scammers won't commit an actual crime as a gateway into mere civil
> fraud.
>
>
>>> Really, I
>>> could go on for paragraphs about what sort of anonymous, indirect data
>>> could reasonably imply downstreams' existences in the claimed
>>> quantities.
>>
>> Maybe you could list at least one that would apply to a small ISP such
>> as
>> myself?
>
> I'll list two:
>
> Employee count to see if you're over the low water mark typical for
> the size of your address holdings.

We are a family business with no actual employees but several people
working part-time, so that might be hard to evaluate. Also, our people are
very productive, so we would probably look too small. I would be
disappointed to think that our staff-to-customer ratio was anything close
to what is typical for the industry.

> A de-identified data dump from your configuration system that shows
> what (e.g. dialup accounts, email boxes, etc.) but not who (no account
> names, real names, addresses, etc).

Something based on email accounts could indeed be very informative. But
without disclosing actual  email addresses, it's not clear what useful
information could be disclosed.

>
> But do you see what you've done here? You've ruled out several
> perfectly reasonable ways to infer the reasonable range of legitimate
> utilization simply because you don't like them. Why shouldn't the
> other guy get the same opportunity to rule out the PII one that makes
> him nervous in favor of the bank statements or router configs?

I only ruled them out because it seemed that they would be uninformative.

> And oh by the way, I'm not sure you realized it when you posted this
> but if ARIN feels the need they'll ask for the customer list
> associated with one or more of your dynamic pools as well, not just
> restrict themselves to the statics as they've done so far. So says
> John Curran.
>

I think they should. I see little difference between static and dynamic
for customers with permanent connections because "dynamic" ones are online
all the time anyway and there is going to be close to a 1:1 correspondence
between customers and IP addresses in use.

-David