[arin-ppml] Fraud Policy ?

Ronald F. Guilmette rfg at tristatelogic.com
Fri Sep 30 16:23:42 EDT 2016


I just want to take a moment and say how much I appreciate John Curran's
speedy reply to my two questions.   Coming from him, I feel sure that I
have answers which are coming straight from the proverbial horse's mouth,
as it were.  Thanks John!

I respond briefly below.

In message <0FFFCD2A-863A-4D3D-9E41-13EFE5988E53 at corp.arin.net>, 
John Curran <jcurran at arin.net> wrote:

>> 1)  What sorts of documents, exactly, must either party `A' or party
>> `B' in the above scenario submit to ARIN in order to establish their
>> bona fides to ARIN's satisfaction?

>At a minimum, Incorporation documents which align with their state
>registration.  Additional information will likely be required, depending 
>on the circumstances.

The above answer is, of course, entirely sensible.  But I've just now
realized that I may have actually asked the wrong question.

Naturally, when a -new- legal entity shows up at the door of ARIN,
asking to be let in, ARIN is going to do some good and proper due
diligence to see that they are who they say they are.  But the
scenario I described is a bit different.  In that scenario, party
`B' shows up at ARIN's door -pretending- to be the already-vetted
party `A', and then proceeds to request ``additional'' number
resources, i.e. either additional AS numbers, or additional IP
blocks or both.  (The newly-allocated numbers would then be formally
assigned by ARIN to party `A', but it seems at least theoretically
possible that `A' might not even find out about these supplemental
allocations, thus leaving party `B' free to do as it will with them.)

I had actually intended to ask about ARIN's process for vetting these
kinds of ``supplemental'' allocations, but thinking about it now I've
just realized that actually, I'm not sure that I want to know, or
rather, I'm fairly sure that I -do not- want John to elaborate
in any detail on the internal processes used to vet supplemental
allocation requests.  Not in public anyway.

If there's one thing that both history and recent current events have
taught me it is that in order for any party to ``beat'' the system,
that party first has to know the system.  For this reason it is
probably better that the fine details of ARIN's vetting processes
should be left unspoken.  But with respect to the ``supplemental
allocation'' scenario I've described, I will just offer up the
(naive?) observation that I suspect that supplemental allocation
requests are, most likely, not subjected to quite the same level
of scrutiny as are original/primary allocation requests.  (That is
almost certainly both reasonable and unavoidable.  I doubt that
ARIN members would like being asked to prove their identities all
over again for each additional allocation request.  That would be
neither convenient nor terribly practical.)

Regarding my second question, I asked if there was any existing written
policy covering ARIN's actions in cases where it might see evidence of
bald faced fraud, and asked specifically about these four possibilities:

>     a)  ARIN will report the fraud to law enforcement
>     b)  ARIN will initiate civil legal action against party `B'
>     c)  both of the above
>     d)  none of the above

Once again I thank John for providing a crisp, clear, and on-point response.
John said that ARIN may do any of the above, and that the actions taken
in any given case are not, at present, governed by written policy.

I actually find that all to be quite reasonable, and having already said
that my goal was neither to create debate about any of this, nor to
participate in any such debate that might arise as a result of my
questions, I do feel constrained by that earlier comment.  Nonetheless,
I can't help but put forward some modest suggestions for minor changes:

   1)  I think it would be Good if ARIN had at least some written policy
       with respect to fraud, even if that was only very minimal.  ARIN
       has been the victim of fraud on multiple occasions in the past,
       and given both the incentives and the increasingly chaotic
       nature of life on the Internet, I believe that this is likely to
       be an issue in the future as well.

   2)  With respect to civil litigation, I am personally and painfully
       aware of the old saying ``You can't get blood out of a turnip'',
       and that thus, civil litigation is often just not worth it.  Thus
       I think that it is eminently appropriate to leave decisions about
       civil litigation entirely up to the good judgement and discretion
       of John and his colleagues.

       That having been said however, my personal preference would be to
       have in place a formal ARIN policy which would unambiguously direct
       ARIN management to file a formal report with law enforcement in each
       and every case where the available facts indicate that there is
       probable cause to believe that criminal fraud has occurred.  Borrowing
       from the language of the RFCs, I would prefer to see this converted
       from a MAY to a MUST.  Any fraudster who is intent upon deceiving
       ARIN in a material way should have no illusions that his actions
       will go unreported.


Regards,
rfg


