[DBWG] --list-versions query on deleted resources?

[Yogesh Chadee]

Hi DBWG,

Please find below the report on WHOWAS in plain text. I have also attached it in PDF format.

Kind regards,
Yogesh Chadee


Recommendation 
for an AFRINIC 
WHOWAS service

March 2021

By AFRINIC Team

________________
Introduction

The WHOWAS service was first proposed by APNIC and is now offered by a second RIRs as well. There has been recent interest from the AFRINIC community for a WHOWAS service offering by AFRINIC.

This report is about the WHOWAS product at AFRINIC. The product is intended to provide a new service at AFRINIC named WHOWAS.

The service aims at providing historical WHOIS data to the general public. Although the WHOIS already has the capability of providing historical data, the WHOWAS will provide intuitive search and browse capabilities which will be added-value for end-users.

The objectives of this paper are as follows:

1. Review whether the WHOWAS as it is in its present form respects the laws of Mauritius;
2. Consider the alternative options with respect to a potential WHOWAS service by AFRINIC; 
3. Describe the amount of work required in each case;
4. Put forth the risks associated with each option; and
5. Give a recommendation.
________________
Legal due diligence

Source code

The source code used is offered by APNIC and licensed under BSD licence (rdapd, rdap-history-ui). In summary, the source code is free for use and distribution but must retain the BSD license upon distribution as well as the BSD license notice.

Therefore AFRINIC is free to use the WHOWAS source code published by APNIC.

Data protection

According to the Data Protection Act 2017, 

1. Personal data is any data that can, directly or indirectly, help to identify a data subject;
2. Before processing any personal data, a data controller must have the explicit consent of the data subject concerned provided for a specific purpose; and
3. Explicit consent must be obtained for each processing/purpose.

Data subjects may be directly or indirectly identified through data contained in these fields, as provided by the WHOWAS product in its present form:

__________________________________
Field		WHOWAS object type
__________________________________
remarks		organisation, inetnum, inet6num, aut-num, person, role, mntner, irt
description	organisation, inetnum, inet6num, aut-num, mntner
name		person, role, irt
email		person, role, irt
__________________________________
Table 1: Fields potentially containing personal data in WHOWAS

________________
Alternative options

This presents AFRINIC with the following viable alternative options with respect to a potential WHOWAS service:

1. Do not propose any WHOWAS service at the moment;
2. Go-Live with the WHOWAS product as-is and face possible litigation;
3. Obtain explicit consent from data subjects prior to publishing their personal data on the WHOWAS; or
4. Exclude personal data from the WHOWAS service.

No WHOWAS service

No further work is required with this option.

The risk of this option is that end-users who are looking forward to a WHOWAS service offering by AFRINIC will be disappointed.

Go-Live as-is

The WHOWAS product is ready for Go-Live. There is little work involved with this option.

However, this option opens up serious risk of litigation for AFRINIC.

Obtaining explicit consent

It has been established that the WHOWAS product publishes personal data in its present form.

The Registration Service Agreement of AFRINIC covers the WHOIS service. However, providing historical WHOIS information to the general public is a separate and/or standalone form of processing the same underlying data. 

Providing a WHOWAS service based on the current WHOWAS product will require AFRINIC to obtain explicit consent from all concerned data subjects concerned prior to Go-Live. After Go-Live, new data subjects will also need to give their explicit consent. 

To achieve this, consent management would be added to the membership processes as well as the membership data update processes.

The risk with this option is to increase the workload on AFRINIC for an indeterminate period of time.

Exclude personal data

Personal data can be excluded from the WHOWAS product’s output prior to Go-Live with the WHOWAS service, by eliminating the above-mentioned data fields.

AFRINIC anticipates that by doing so, the relevance of the WHOWAS service may be questioned by the end-users.

To address the afore-mentioned concern, AFRINIC views that since the purpose of the WHOWAS service is to provide historical data on the allocation and assignment of Internet Resources to member organisations, removing personal data should not reduce the quality nor relevance of the service.

________________
Recommendation

There have been requests for AFRINIC to provide a WHOWAS service, and AFRINIC has a WHOWAS product to match the requests. However, after observing legal due diligence, it has been found that going live with the above-mentioned product as-is would be risky for AFRINIC.

This report contains alternative options for AFRINIC to consider. Each option has implications for AFRINIC’s day-to-day business as well as associated risks.

Of the four alternative options proposed, the recommendation is to exclude the above-mentioned data fields from the WHOWAS service so as to be compliant with the Data Protection Act 2017.




From: Yogesh Chadee
Sent: Thursday, 25 February 2021 14:10
To: Ben Maddison via DBWG
Cc: dbwg at afrinic.net
Subject: Re: [DBWG] --list-versions query on deleted resources?

Hi Ben,

3 weeks is a long time, yes. I will do my best to give by next week, 4th March 2021.

Regards,
Yogesh Chadee

From: Ben Maddison
Sent: Thursday, 25 February 2021 14:06
To: Yogesh Chadee
Cc: dbwg at afrinic.net
Subject: Re: [DBWG] --list-versions query on deleted resources?

Hi Yogesh,

I think our messages crossed on the wire.

On 02/25, Yogesh Chadee wrote:

> Hi,

> 

> Thank you for suggesting 3 weeks for the “legal due diligence” work. It works for me.

> 

Thanks for your feedback.
However, (without wishing to put words in his mouth) I believe Nishal
was referring to the 3 weeks (or more) that have already elapsed, not
that the WG should wait a further 3 weeks from today.

Perhaps we can aim for more like one week?

Cheers,

Ben


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.afrinic.net/pipermail/dbwg/attachments/20210303/6d0ad7fd/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Recommendation for an AFRINIC WHOWAS service.pdf
Type: application/pdf
Size: 44376 bytes
Desc: not available
URL: <https://lists.afrinic.net/pipermail/dbwg/attachments/20210303/6d0ad7fd/attachment-0001.pdf>