[rpd] Internet Number Resources review

sm+afrinic at
Sun Dec 11 20:49:36 UTC 2016

Hi Kris,
At 00:31 11-12-2016, Kris Seeburn wrote:
>If members look at the current RSA which afrinic 
>and its resource members are legally attached 
>to, gives some level of auditing within the 
>premises of afrinic staff or hostmaster. Which I
>would actually suggest the authors to try and 
>enforce. The reality is that the biggest issue 
>we want to address is obviously allocation of 
>the resources and its usage. Right now the RSA 
>builds in the audit at the request time and any 
>time afrinic thinks it wants to revisit the utilization usage.

I'll disclose that I opened a ticket at Afrinic Ltd about its privacy policy.

There were the following comments from "staff" of Afrinic Ltd:

   "We already have the ability to enforce the RSA, and the RSA already includes
    a requirement for policy compliance.

    We already have the ability, in terms of the RSA, to recover resources that
    are not being used for the purpose for which they were allocated/assigned."

There was the following comment from RIPE NCC 
about its existing audit practices:

   "It was noted that 200 cases were reported/received so far in 2016, leading
    to 76 investigations."

The "staff" did not comment about whether Afrinic 
Ltd is enforcing the RSA or whether Afrinic Ltd 
has recovered any resources.  I could not find 
any statistics about cases related to compliance 
with the RSA or information about audit 
practices.  Would anybody reading 
be convinced if the information cannot be verified?

The purpose of the PDWG is to do policy 
development.  It is up to Afrinic Ltd to enforce 
its policies.  If there is an issue, e.g. 
allocation of the resources and its usage, the 
PDWG could discuss a proposal to address it.

>Let me bring to attention of the community this part from the current RSA:
>4. Conditions of service


>I would like to perhaps recommend a different way of revisiting the policy:
>First, is to give afrinic a greater level of
>enforceability of the clause like something :- 
>based on the size of the allocation a detailed 
>review of application and details subject to a 
>staff visit of premises or infrastructure for
>the applicant may have to bear the cost subject to allocation of resources
>Second, in case of any doubt or report from 
>confirmed sources of reporting or cause for 
>having established that the said member is not 
>using the said allocated resources as per 
>conditions of service, afrinic can use or 
>suggest auditing such resources at its 
>discretion to ensure proper and agreed terms of 
>use. (This part is the challenging one, as any 
>such instance would need to establish that there 
>has been a real infraction to the usage of such 
>resources or to have falsely given wrong information)
>Third, subject to non-compliance as per existing 
>policies can revoke or claim back such resources 
>or deny such resources as requested by the 
>member. (Again we need to establish that the 
>member has wrongly provided or is really in infraction against the RSA)

Thank you for the above recommendations.

>The above is subject to legal views of course 
>but members what you really want is to ensure 
>afrinic does not fall short to a litigation 
>issue which can have a negative impact. We 
>really need to find better ways of enforcing 
>auditing under clause 4 of the RSA which would 
>have impact on allocation of resources time and 
>so on. Which I would urge all to consider
>properly. The repercussions will be there. So 
>even on this we will need to ensure what we want 
>to be the further case where resources are 
>denied or recovered. We need a clearer way of 
>stating under what clear conditions these would apply.

I agree that it is better to ensure that there 
aren't any serious litigation issues because of a policy.

There is the following in Section 1 of the RSA:

   "ICANN, the Internet Corporation for Assigned Names and Numbers has been contracted
    by the Department of Commerce of the United States to fulfill the function of the
    IANA, Internet Assigned Name and Number Authority."

It seems inaccurate.  Has the above been taken
into account from a legal perspective?  As a mild 
suggestion I'd say please reconsider the legal 
implications in relation to number resources as there is a risk of litigation.

>Now the other bit which is more the case and the 
>section 4.(d)  is what applies to and the 
>challenging part. There is perhaps a simple way 
>to give the membership what they want is perhaps 
>at reporting can just say X number of members 
>has been revoked and X number of resources 
>reclaimed. As such we respect the Data 
>Protection act and they are anonymized at the 
>same time. However, let me just bring the act in context:
>We need to note under the DPA : Note: A 
>disclosure of any personal data to a person 
>specified above must not be made in any manner 
>incompatible with the purpose(s) for which those 
>data are kept. Otherwise, the disclosure will be 
>in contravention of section 26(b), 27 and 29(1) of the Data Protection Act.
>So we need to find a correct balance in what we 
>want to enact and how we do it. My personal take 
>is put in a rigorous assessment policy  because 
>of the IPv4 depletion and also unweary usage of 
>the current resource allocation and an 
>anonymized reporting that would at least ensure 
>we are not in contravention of the different legal process.
>So perhaps to make it work give the 
>discretionary power based on certain key rules 
>set by the community as a policy to affect the 
>"conditions of service" in the RSA and 
>modifying time of allocation of service in such 
>way that afrinic does not face more litigation 
>in longer run and also limit the provision of 
>details provided to membership so as not to affect afrinic as a company.

The Data Protection Act is to provide for the 
protection of the privacy rights of 
individuals.  I doubt that a company would be 
considered as a data subject.  It is possible to 
anonymize the personal data to avoid privacy 
concerns.  Another alternative is data aggregation.

>However, any detailed audit will have a cost 
>impact and I think we also need to define the
>key rules to such audits as well. Cost impact as 
>an auditor myself depends how much in depth one 
>wants to go. So varied levels would require 
>varied costs. These will also need to be defined 
>by membership how we control or apply these.


>We need to be pragmatic but also find a right 
>balance to fit what many of us want to try and 
>control within the real boundaries. What I am
>saying it is not impossible to work things
>through but let's think with what we have as boundaries around us.


S. Moonesamy 
