[DBWG] --list-versions query on deleted resources?

Yogesh Chadee yogesh at afrinic.net
Fri Apr 16 07:32:01 UTC 2021



Dear DBWG,

Thank you for sharing your valuable views and opinions on the WHOWAS recommendation. We invite other group members to share their views and/or support for the views already expressed.

Please find below some elements with respect to the queries and views expressed by Nishal Goburdhan.

==

WHOWAS is a “must-have” service for AFRINIC
It may be interesting to note that a recent related discussion point has been brought up by the RIPE NCC in its Database Working Group:

https://www.ripe.net/ripe/mail/archives/db-wg/2021-April/006921.html

“As part of our work in the RIPE Database Requirements Task Force (DBTF), we are trying to understand if providing historical data is one of the requirements the RIPE Database must fulfil. Currently some attributes are filtered out to limit the exposure of unnecessary personal data. If providing historical data is a requirement the RIPE Database must fulfill, we will recommend the RIPE NCC to examine if additional filtering can be applied to limit further the unnecessary exposure of personal data in attributes that are not meant to contain personal data.”

A word on Data Protection at AFRINIC
The collection and processing of personal data may be done only if it is necessary for a lawful purpose connected to the function or activity of AFRINIC.

The services provided by AFRINIC to data subjects may be consulted on the corporate website:
https://afrinic.net/privacy

Consent management can be done by interns as it is trivial 
The WHOWAS management activities revolving around Data Protection would include, but are not limited to:

• Transfer data from WHOIS to WHOWAS when consent is given.
• Stop processing personal data in WHOWAS when consent is withdrawn as well as upon request from a data subject.
• Delete personal data from WHOWAS when consent is withdrawn as well as upon request from a data subject.
• Stop processing and delete personal data when the retention period lapses (if this is applicable).

It must be noted that consent may be given and withdrawn at any point in time. Data subjects may make other requests as well according to their rights. AFRINIC has the responsibility to fulfill its duties at each such event, and not only at the time consent is first given or declined. 

It would be risky to underestimate the additional work it represents at this point. A less risky alternative is preferable, for example deploying a consent management platform to automate where possible.

Processing name of individuals without their consent does not violate the Data Protection Act
The name of a data subject may be used to directly identify him/her. Therefore processing a data subject’s name for a particular purpose requires prior consent. And where the purpose changes, fresh consent must be obtained.

Alternatively, insofar as compliance with the Data Protection Act is concerned, AFRINIC may consider transferring the burden of acquiring the requisite consent onto the current organisation holder so that they then confirm to us that they have obtained the relevant consent of their employee(s) for the purposes of the WHOWAS platform, together with a warning that AFRINIC reserves its rights to take such action against the said organisation should it reveal that it provided false information to AFRINIC. But this solution will only work for current prefix holders appearing on AFRINIC's WHOIS.

==

Phased roll-out
In light of the above, we would like to propose a phased roll-out:

1. Provide historical records for resource and member organisation details and obfuscate email addresses; and
2. Allow details of new and updated contact information where:
   1. member organisations affirm that the data subjects have given their consent; or
   2. the data subjects give their consent directly to AFRINIC.

We would appreciate your views on the following with respect to the WHOWAS:

1. Should AFRINIC provide historical data in WHOIS and/or via WHOWAS?
2. Is it necessary to display contact information of individuals?
3. Should the organisation holder (AFRINIC member) bear the burden of acquiring the consent?
4. Should we adopt a phased roll-out approach?

Best regards,
AFRINIC Team


From: Nishal Goburdhan
Sent: Tuesday, 6 April 2021 12:29
To: AFRINIC DBWG
Subject: Re: [DBWG] --list-versions query on deleted resources?

On 3 Mar 2021, at 12:22, Yogesh Chadee wrote:


> Hi DBWG,
>
> Please find below the report on WHOWAS in plain text. I have also
> attached it in PDF format.


thanks; i have comments inline.



> No WHOWAS service
>
> No further work is required with this option.
> The risk of this option is that end-users who are looking forward to a
> WHOWAS service offering by AFRINIC will be disappointed.


i think that this is a gross misrepresentation of your work.

afrinic literally has *one* function, and that is to maintain an
accurate register of the assignments and allocations that it has made.
it is no stretch to expect that this should reflect allocations and
assignments that it has made over time. so, frankly, i am worried that
you would think that this is a “disappointment” to your community;
when i see this as a *requirement* of what you *absolutely need* to do -
as part of your “one task”!

this might seem like an ideological difference, but it is not. step
back, and understand the key reason for your organisation, and how this
requirement relates to it!



> Providing a WHOWAS service based on the current WHOWAS product will
> require AFRINIC to obtain explicit consent from all concerned data
> subjects concerned prior to Go-Live.


i also don’t see this as a large workload; it is something that you
can easily farm out to an intern or six. this is in effect
data-gathering, and interns are cheap, plentiful, and easy to find for
this purpose. if you don’t have as-yet-employed graduates in
mauritius, there are dozens elsewhere on the continent.



> After Go-Live, new data subjects will also need to give their explicit
> consent.
> To achieve this, consent management would be added to the membership
> processes as well as the membership data update processes.


i am ok with this. and i think it should be done immediately. i am
sure your legal team can add the appropriate verbiage. in fact, why
hasn’t it been done already?




> The risk with this option is to increase the workload on AFRINIC for
> an indeterminate period of time.


no, i don’t agree; it’s a clause that you add to your process, and,
like the T&C that someone accepts when they step onto an airplane, they
accept it or not. however, i may be trivialising this, so please
explain *IN DETAIL* how this would increase ongoing workload for afrinic
staff?



> Exclude personal data
> Personal data can be excluded from the WHOWAS product’s output prior
> to Go-Live with the WHOWAS service, by eliminating the above-mentioned
> data fields.
> AFRINIC anticipates that by doing so, the relevance of the WHOWAS
> service may be questioned by the end-users.


not at all. if i wanted to lookup 192.0.2.0/24 and saw that the history
says that it went from corpA to corpB to corpC to X .. that’s
helpful.
i think that it would be appropriate to omit details like telephone
numbers; but showing the name of the individuals involved is not a
violation of the DPA.



> Recommendation
> Of the four alternative options proposed, the recommendation is to
> exclude the above-mentioned data fields from the WHOWAS service so as
> to be compliant with the Data Protection Act 2017.


.. or provide an obfuscated version like yogesh at afrinic.***
.. or ..


i should mention that i took the time to read the data protections act
over the past long weekend, and if you *really* want to get fussy, i can
see *many* transgressions on afrinic’s part relating to how you
process my data (part VI comes to mind). fortunately, this mailing list
is not the place to discuss how afrinic may or may not be in compliance,
that’s your internal problem to solve, and it is not an
unsurmountable problem from my weekend’s reading.


—n.
