<br>Having shown some support for 2010-3 in the past, all the comments I have read to date on both sides lead me to reconsider, and I would therefore not support policy change 2010-3 as written. However, I could never imagine <i>"policy were (can) to be construed as conferring on ARIN a duty to shield that information"</i> from anti-abuse researchers and investigators.<div>
<br></div><div>RD</div><div><br><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<br>
The Digital Crimes Unit within Microsoft investigates cybercrime attacks against our customers and services. We rely on information from the ARIN database to correlate and identify the source of nefarious online activities. As such, we oppose any policy change that would lessen the quantity and quality of information in the ARIN database. While we recognize the importance of data privacy, we strongly believe that the proposed changes would only hamper the security community's ability to investigate and mitigate cybercrime.<br>
<br>
<br>
<br>
Restricting access to the WHOIS data has the potential to slow or bottleneck investigations and security initiatives because customer addresses and phone numbers are critical to anti-abuse investigations. Although the current WHOIS data is not wholly reliable, further anonymizing and restricting the available data would only serve to weaken security and anti-abuse efforts. At best, requiring anti-abuse researchers and investigators to formally request needed customer data from ARIN will delay progress on time-sensitive investigations and incur additional costs for both ARIN and the security community. At worst, the policy, as written, could seriously obstruct investigations if the policy were to be construed as conferring on ARIN a duty to shield that information.<br>
<br>
<br>
<br>
That ambiguity itself raises serious concerns about how the policy changes would be implemented in practice. According to the proposal language, "the customer's actual information must be provided to ARIN on request and will be held in the strictest confidence." This leaves open the question of when and under what circumstance this data would or could be shared with investigators, with the likely outcome being uncertain and inconsistent standards for both withholding and disclosing data.<br>
<br>
<br>
<br>
Given these serious concerns, we urge that this policy change not be adopted and we thank you for considering this feedback on Draft Policy 2010-3.<br>
<br>
<br>
<br>
Richard Boscovich<br>
<br>
T.J. Campana<br>
<br>
Angeline Lee<br>
<br></blockquote></div>
</div>