<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
span.ace-all-bold-hthree
{mso-style-name:ace-all-bold-hthree;}
span.gallery-wrapper
{mso-style-name:gallery-wrapper;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:578097678;
mso-list-template-ids:-1;}
@list l1
{mso-list-id:717044869;
mso-list-template-ids:-1;}
@list l1:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:36.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:72.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l1:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:108.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:144.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:180.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:216.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:252.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:288.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:324.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2
{mso-list-id:956837516;
mso-list-template-ids:-1;}
@list l2:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:36.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:72.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l2:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:108.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:144.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:180.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:216.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:252.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:288.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:324.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l3
{mso-list-id:1733967029;
mso-list-template-ids:-1;}
ol
{margin-bottom:0cm;}
ul
{margin-bottom:0cm;}
--></style></head><body lang=en-MU link=blue vlink="#954F72" style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>Dear DBWG,<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Thank you for sharing your valuable views and opinions on the WHOWAS recommendation. We invite other group members to share their views and/or support for the views already expressed.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Please find below some elements with respect to the queries and views expressed by Nishal Goburdhan.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>==<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><span class=ace-all-bold-hthree><b>WHOWAS is a “must-have” service for AFRINIC</b></span><o:p></o:p></p></div><div><p class=MsoNormal>It may be interesting to note that a recent related discussion point has been brought up by the RIPE NCC in its Database Working Group:<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><a href="https://www.ripe.net/ripe/mail/archives/db-wg/2021-April/006921.html" target="_blank">https://www.ripe.net/ripe/mail/archives/db-wg/2021-April/006921.html</a><o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><div style='mso-element:para-border-div;border:none;border-left:solid windowtext 1.0pt;padding:0cm 0cm 0cm 0cm;margin-left:36.0pt;margin-right:0cm'><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;border:none;padding:0cm'><i>“As part of our work in the RIPE Database Requirements Task Force (DBTF), we are trying to understand if providing historical data is one of the requirements the RIPE Database must fulfil. Currently some attributes are filtered out to limit the exposure of unnecessary personal data. If providing historical data is a requirement the RIPE Database must fulfill, we will recommend the RIPE NCC to examine if additional filtering can be applied to limit further the unnecessary exposure of personal data in attributes that are not meant to contain personal data.’<o:p></o:p></i></p></div></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><span class=ace-all-bold-hthree><b>A word on Data Protection at AFRINIC</b></span><o:p></o:p></p></div><div><p class=MsoNormal>The collection and processing of personal data may be done only if it is necessary for a lawful purpose connected to the function or activity of AFRINIC.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>The services provided by AFRINIC to data subjects may be consulted on the corporate website:<o:p></o:p></p></div><div><p class=MsoNormal><span class=gallery-wrapper><a href="https://afrinic.net/privacy">https://afrinic.net/privacy</a></span><br><br><o:p></o:p></p></div><div><p class=MsoNormal><span class=ace-all-bold-hthree><b>Consent management can be done by interns as it is trivial </b></span><o:p></o:p></p></div><div><p class=MsoNormal>The WHOWAS management activities revolving around Data Protection would include, but are not limited to:<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><ul type=disc><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo2'>Transfer data from WHOIS to WHOWAS when consent is given.<o:p></o:p></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo2'>Stop processing personal data in WHOWAS when consent is withdrawn as well as upon request from a data subject.<o:p></o:p></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo2'>Delete personal data from WHOWAS when consent is withdrawn as well as upon request from a data subject.<o:p></o:p></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo2'>Stop processing and delete personal data when the retention period lapses (if this is applicable).<o:p></o:p></li></ul><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>It must be noted that consent may be given and withdrawn at any point in time. Data subjects may make other requests as well according to their rights. AFRINIC has the responsibility to fulfill its duties at each such event, and not only at the time consent is first given or declined. <o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>It would be risky to underestimate the additional work it represents at this point. A less risky alternative is preferable, for example deploying a consent management platform to automate where possible.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><span class=ace-all-bold-hthree><b>Processing name of individuals without their consent does not violate the Data Protection Act</b></span><o:p></o:p></p></div><div><p class=MsoNormal>The name of a data subject may be used to directly identify him/her. Therefore processing a data subject’s name for a particular purpose requires prior consent. And where the purpose changes, fresh consent must be obtained.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Alternatively, insofar as compliance with the Data Protection Act is concerned, AFRINIC may consider transferring the burden of acquiring the requisite consent onto the current organisation holder so that they then confirm to us that they have obtained the relevant consent of their employee(s) for the purposes of the WHOWAS platform, together with a warning that AFRINIC reserves its rights to take such action against the said organisation should it reveal that it provided false information to AFRINIC. But this solution will only work for current prefix holders appearing on AFRINIC's WHOIS.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>==<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><span class=ace-all-bold-hthree><b>Phased roll-out</b></span><o:p></o:p></p></div><div><p class=MsoNormal>In light of the above, we would like to propose a phased roll-out:<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><ol start=1 type=1><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo3'>Provide historical records for resource and member organisation details and obfuscate email addresses; and<o:p></o:p></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo3'>Allow details of new and updated contact information where:<o:p></o:p></li><ol start=1 type=1><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level2 lfo3'>member organisations affirm that the data subjects have given their consent; or<o:p></o:p></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level2 lfo3'>the data subjects give their consent directly to AFRINIC.<o:p></o:p></li></ol></ol><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>We would appreciate your views on the following with respect to the WHOWAS:<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><ol start=1 type=1><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l3 level1 lfo4'>Should AFRINIC provide historical data in WHOIS and/or via WHOWAS?<o:p></o:p></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l3 level1 lfo4'>Is it necessary to display contact information of individuals?<o:p></o:p></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l3 level1 lfo4'>Should the organisation holder (AFRINIC member) bear the burden of acquiring the consent?<o:p></o:p></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l3 level1 lfo4'>Should we adopt a phased roll-out approach?<o:p></o:p></li></ol><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Best regards,<o:p></o:p></p></div><div><p class=MsoNormal>AFRINIC Team<o:p></o:p></p></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><div style='mso-element:para-border-div;border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal style='border:none;padding:0cm'><b>From: </b><a href="mailto:nishal@controlfreak.co.za">Nishal Goburdhan</a><br><b>Sent: </b>Tuesday, 6 April 2021 12:29<br><b>To: </b><a href="mailto:dbwg@afrinic.net">AFRINIC DBWG</a><br><b>Subject: </b>Re: [DBWG] --list-versions query on deleted resources?</p></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>On 3 Mar 2021, at 12:22, Yogesh Chadee wrote:</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>> Hi DBWG,</p><p class=MsoNormal>><o:p> </o:p></p><p class=MsoNormal>> Please find below the report on WHOWAS in plain text. I have also </p><p class=MsoNormal>> attached it in PDF format.</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>thanks; i have comments inline.</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>> No WHOWAS service</p><p class=MsoNormal>><o:p> </o:p></p><p class=MsoNormal>> No further work is required with this option.</p><p class=MsoNormal>> The risk of this option is that end-users who are looking forward to a </p><p class=MsoNormal>> WHOWAS service offering by AFRINIC will be disappointed.</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>i think that this is a gross misrepresentation of your work.</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>afrinic literally has *one* function, and that is to maintain an </p><p class=MsoNormal>accurate register of the assignments and allocations that it has made. </p><p class=MsoNormal>it is no stretch to expect that this should reflect allocations and </p><p class=MsoNormal>assignments that it has made over time. so, frankly, i am worried that </p><p class=MsoNormal>you would think that this is a “disappointment” to your community; </p><p class=MsoNormal>when i see this as a *requirement* of what you *absolutely need* to do - </p><p class=MsoNormal>as part of your “one task”!</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>this might seem like an ideological difference, but it is not. step </p><p class=MsoNormal>back, and understand the key reason for your organisation, and how this </p><p class=MsoNormal>requirement relates to it!</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>> Providing a WHOWAS service based on the current WHOWAS product will </p><p class=MsoNormal>> require AFRINIC to obtain explicit consent from all concerned data </p><p class=MsoNormal>> subjects concerned prior to Go-Live.</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>i also don’t see this as a large workload; it is something that you </p><p class=MsoNormal>can easily farm out to an intern or six. this is in effect </p><p class=MsoNormal>data-gathering, and interns are cheap, plentiful, and easy to find for </p><p class=MsoNormal>this purpose. if you don’t have as-yet-employed graduates in </p><p class=MsoNormal>mauritius, there are dozens elsewhere on the continent.</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>> After Go-Live, new data subjects will also need to give their explicit </p><p class=MsoNormal>> consent.</p><p class=MsoNormal>> To achieve this, consent management would be added to the membership </p><p class=MsoNormal>> processes as well as the membership data update processes.</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>i am ok with this. and i think it should be done immediately. i am </p><p class=MsoNormal>sure your legal team can add the appropriate verbage. in fact, why </p><p class=MsoNormal>hasn’t it been done already?</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>> The risk with this option is to increase the workload on AFRINIC for </p><p class=MsoNormal>> an indeterminate period of time.</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>no, i don’t agree; it’s a clause that you add to your process, and, </p><p class=MsoNormal>like the T&C that someone accepts when they step onto an airplane, they </p><p class=MsoNormal>accept it or not. however, i may be trivialising this, so please </p><p class=MsoNormal>explain *IN DETAIL* how this would increase ongoing workload for afrinic </p><p class=MsoNormal>staff?</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>> Exclude personal data</p><p class=MsoNormal>> Personal data can be excluded from the WHOWAS product’s output prior </p><p class=MsoNormal>> to Go-Live with the WHOWAS service, by eliminating the above-mentioned </p><p class=MsoNormal>> data fields.</p><p class=MsoNormal>> AFRINIC anticipates that by doing so, the relevance of the WHOWAS </p><p class=MsoNormal>> service may be questioned by the end-users.</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>not at all. if i wanted to lookup 192.0.2.0/24 and saw that the history </p><p class=MsoNormal>says that it went from corpA to corpB to corpC to X .. that’s </p><p class=MsoNormal>helpful.</p><p class=MsoNormal>i think that it would be appropriate to omit details like telephone </p><p class=MsoNormal>numbers; but showing the name of the individuals involved is not a </p><p class=MsoNormal>violation of the DPA.</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>> Recommendation</p><p class=MsoNormal>> Of the four alternative options proposed, the recommendation is to </p><p class=MsoNormal>> exclude the above-mentioned data fields from the WHOWAS service so as </p><p class=MsoNormal>> to be compliant with the Data Protection Act 2017.</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>.. or provide an obfuscated version like yogesh@afrinic.***</p><p class=MsoNormal>.. or ..</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>i should mention that i took the time to read the data protections act </p><p class=MsoNormal>over the past long weekend, and if you *really* want to get fussy, i can </p><p class=MsoNormal>see *many* transgressions on afrinic’s part relating to how you </p><p class=MsoNormal>process my data (part VI comes to mind). fortunately, this mailing list </p><p class=MsoNormal>is not the place to discuss how afrinic may or may not be in compliance, </p><p class=MsoNormal> that’s your internal problem to solve, and it is not an </p><p class=MsoNormal>unsurmountable problem from my weekend’s reading.</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>—n.</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>_______________________________________________</p><p class=MsoNormal>DBWG mailing list</p><p class=MsoNormal>DBWG@afrinic.net</p><p class=MsoNormal>https://lists.afrinic.net/mailman/listinfo/dbwg</p><p class=MsoNormal><o:p> </o:p></p></div></body></html>