[DBWG] --list-versions query on deleted resources?

Nishal Goburdhan nishal at controlfreak.co.za
Tue Apr 6 08:29:09 UTC 2021


On 3 Mar 2021, at 12:22, Yogesh Chadee wrote:


> Hi DBWG,

>

> Please find below the report on WHOWAS in plain text. I have also

> attached it in PDF format.


thanks; i have comments inline.



> No WHOWAS service

>

> No further work is required with this option.

> The risk of this option is that end-users who are looking forward to a

> WHOWAS service offering by AFRINIC will be disappointed.


i think that this is a gross misrepresentation of your work.

afrinic literally has *one* function, and that is to maintain an
accurate register of the assignments and allocations that it has made.
it is no stretch to expect that this should reflect allocations and
assignments that it has made over time. so, frankly, i am worried that
you would think that this is a “disappointment” to your community;
when i see this as a *requirement* of what you *absolutely need* to do -
as part of your “one task”!

this might seem like an ideological difference, but it is not. step
back, and understand the key reason for your organisation, and how this
requirement relates to it!



> Providing a WHOWAS service based on the current WHOWAS product will

> require AFRINIC to obtain explicit consent from all concerned data

> subjects concerned prior to Go-Live.


i also don’t see this as a large workload; it is something that you
can easily farm out to an intern or six. this is in effect
data-gathering, and interns are cheap, plentiful, and easy to find for
this purpose. if you don’t have as-yet-employed graduates in
mauritius, there are dozens elsewhere on the continent.



> After Go-Live, new data subjects will also need to give their explicit

> consent.

> To achieve this, consent management would be added to the membership

> processes as well as the membership data update processes.


i am ok with this. and i think it should be done immediately. i am
sure your legal team can add the appropriate verbage. in fact, why
hasn’t it been done already?




> The risk with this option is to increase the workload on AFRINIC for

> an indeterminate period of time.


no, i don’t agree; it’s a clause that you add to your process, and,
like the T&C that someone accepts when they step onto an airplane, they
accept it or not. however, i may be trivialising this, so please
explain *IN DETAIL* how this would increase ongoing workload for afrinic
staff?



> Exclude personal data

> Personal data can be excluded from the WHOWAS product’s output prior

> to Go-Live with the WHOWAS service, by eliminating the above-mentioned

> data fields.

> AFRINIC anticipates that by doing so, the relevance of the WHOWAS

> service may be questioned by the end-users.


not at all. if i wanted to lookup 192.0.2.0/24 and saw that the history
says that it went from corpA to corpB to corpC to X .. that’s
helpful.
i think that it would be appropriate to omit details like telephone
numbers; but showing the name of the individuals involved is not a
violation of the DPA.



> Recommendation

> Of the four alternative options proposed, the recommendation is to

> exclude the above-mentioned data fields from the WHOWAS service so as

> to be compliant with the Data Protection Act 2017.


.. or provide an obfuscated version like yogesh at afrinic.***
.. or ..


i should mention that i took the time to read the data protections act
over the past long weekend, and if you *really* want to get fussy, i can
see *many* transgressions on afrinic’s part relating to how you
process my data (part VI comes to mind). fortunately, this mailing list
is not the place to discuss how afrinic may or may not be in compliance,
that’s your internal problem to solve, and it is not an
unsurmountable problem from my weekend’s reading.


—n.



More information about the DBWG mailing list