[rpd] Internet Number Resources review

Kris Seeburn seeburn.k at gmail.com
Sun Dec 11 21:42:36 UTC 2016


> On Dec 11, 2016, at 11:52 PM, serge ilunga <sergekbk at gmail.com> wrote:
> 
> Hello SM / Kris,
> 
>  
> 1. Is it legal for AfriNIC to carry out the audit and the recovery of resources? Yes.
> 

Yes, because of the constraints of the RSA, but what I propose is to revisit the requirements. What we have today does not really allow the audits in question that we are not talking about. If it stays open, we also do not help the audit in question. We can stay open, but some may say: why us? If we manage to highlight a few criteria, we will reach the expected results.

> 2. Does the requirement to carry out the audit in full transparency pose a risk of violating the NDA?
> 
> We do not think so, because the information exchanged is not made public and is handled exclusively by AfriNIC.
> 
No, as long as the audit carried out remains internal to AfriNIC and transparent to the member concerned. So what should in fact happen is that the audit may be random, but it must follow certain requirements that justify the need for the audit, and the member concerned must know what the audit will take into consideration. For me, as an auditor, audits are always prepared in advance and everything is done against a specific agenda. And at the end a report is shared between the member concerned and a handful of internal people.

> 
> 3. Publication of the report: this does not pose a risk of violating the NDA; personal data is not published, and the current version of the proposal does not require publishing it. To avoid any ambiguity, we propose to specify clearly in section 3.6 that personal data is not to be published, so as not to violate the NDA.
> 
> With regard to the DPA, does the report template proposed on the list and presented under [1] expose us to any violation?
> 
> If so, what type of data contributes to it?
> 
> 
3.6 Compliance Report

AFRINIC shall publish an annual report describing the members which have been audited and their level of compliance.

An annual report detailing the members who have undergone an audit and their level of compliance: this data already gives an indication of the members. Now I think, subject to legal review, that we can find an agreement whereby this information can be presented differently. That is, a statistical report that does not reveal the name of the organisation etc., perhaps like RIPE.

There was the following comment from RIPE NCC about its existing audit practices:

 "It was noted that 200 cases were reported/received so far in 2016, leading
  to 76 investigations."

But there too we are talking about complaints received about infringements, not audits. Let us be clear.

To continue, I refer back to ICP-2 from ICANN, which governs the RIRs: https://www.icann.org/resources/pages/new-rirs-criteria-2012-02-25-en

9) Record Keeping

All RIRs must maintain proper records of all registry activities, including the archiving of all information collected from LIRs in the process of making IP address space assignments. This data is needed for internal purposes (namely, the evaluation of subsequent requests from the same customers), and also to maintain the auditability of RIR operations, essential in demonstrating responsible and neutral operations.

English is considered the official language of the registry system. Therefore, core registry documentation and records which may be subject to frequent review by (or exchange with) other RIRs, IANA or ICANN must be available at all times in English. In addition, information which may be required for operational audit of RIR procedures must be able to be provided in English within a reasonable timeframe.


This policy document does not detail precisely which information may be classified as "core documentation." The Emerging RIR should propose in its application an auditable procedure for Registry Record Keeping in English.

10) Confidentiality

Information collected by a RIR in the registration process must be kept in strict confidence, and used for registration purposes only. It must be transmitted only to another RIR or IANA upon request, but will not be transmitted to any other party unless explicitly agreed to in writing by the LIR/ISP served.

RIRs may establish their own local standards and policies for confidentiality, providing that the basic confidentiality provisions are maintained.

According to this IANA-ICANN report, https://www.iana.org/reports/2005/afrinic-report-05aug2005.pdf, AfriNIC satisfies the confidentiality requirements:

10) Confidentiality. The AfriNIC application satisfies Principle 10. AfriNIC has developed and implemented a comprehensive set of policies and procedures to ensure that the information it collects in the registration process will be kept in strict confidence, and used for registration purposes only. 

As stated in AfriNIC's application: Every piece of information collected by AfriNIC from members or any other entity will be processed and managed according to a non-disclosure agreement which should be signed between the two parties. All AfriNIC's staff has signed a non-disclosure and confidentiality agreement at the start of work in the company.


There we have IANA and the DPA. If we end up presenting statistics like those SM presents in his research blog, we may arrive at a happy medium. In that sense I think legal counsel can point us to the middle ground that works.

If we take
> [1] 
> 
> Description of "members" in AFRINIC context may at some point look like:
> 
> A- How many members have been reviewed (we can keep the brief here)
> 
>  - By type:  LIR, End-users, etc… (we start opening the guesswork and going into details)
> 
>  - By Category:  Extra large, Large, Medium, Small, etc… (we start opening the guesswork and going into details)
> 
> B- Type of resources involved:  ASN, IPv4, IPv6  (we start opening the guesswork and going into details)
> 
> C- Level of compliance -  (we start opening the guesswork and going into details - but what do you want to say with level of compliance as well)
> 
> 


Let's take an example: category: large, resources: ASN / IPv4, level of compliance: RED / no compliance.

One can already guess the number of members in that category, and the other information will follow.

All this information gives too many possibilities… even if the name of the organisation or member is not mentioned. Let us find an agreement on what can and cannot be published. But this type of information may be workable and does not constitute a direct confidentiality problem.




Kris




>  
>  
> Best regards.
> 
>  
>  
> [1]
> 
> Description of "members" in AFRINIC context may at some point look like:
> 
> A- How many members have been reviewed :
> 
>  - By type:  LIR, End-users, etc…
> 
>  - By Category:  Extra large, Large, Medium, Small, etc…
> 
> B- Type of resources involved:  ASN, IPv4, IPv6
> 
> C- Level of compliance
> 
> 
> On Sun, Dec 11, 2016 at 3:55 PM, Kris Seeburn <seeburn.k at gmail.com> wrote:
> People,
> 
> You may want to note that afrinic staff review already stated these:
> 
> The requirement that the review be conducted with "full transparency" may be in conflict with privacy provisions in NDAs, in the RSA, or in law.
> The requirement to publish a "compliance report" may be in conflict with privacy provisions in NDAs, in the RSA, or in law.
> I've already voiced that there be a revisit to this policy differently, but I think pointing this out in the DPA should be noted. Unless the NDA and RSA are modified to state that there is no confidentiality…. If that is the case.
> 
> These may help guide all. The data controller is an appointed staff of afrinic. Whether we state Mauritian law or else the NDA. In essence we need to note what is Public information and what is Private and confidential information.
> 
> 
> 
> 29. Unlawful disclosure of personal data
> (1) Any data controller who, without lawful excuse, discloses personal data in any manner that is incompatible with the purposes for which such data has been collected shall commit an offence.
> 
> (2) Any data processor who, without lawful excuse, discloses personal data processed by him without the prior authority of the data controller on whose behalf such data is or has been processed shall commit an offence.
> 
> (3) Subject to subsection (4), any person who -
> 
> (a) obtains access to personal data, or obtains any information constituting such data, without prior authority of the data controller or data processor by whom such data is kept; and
> (b) discloses the data or information to another person,
>                    shall commit an offence.
> 
> (4) Subsection (3) shall not apply to a person who is an employee or agent of a data controller or processor and is acting within his mandate.
> 
> (5) Any person who offers to sell personal data where such personal data has been obtained in breach of subsection (1) shall commit an offence.
> 
> (6) For the purposes of subsection (5), an advertisement indicating that personal data is or may be for sale, constitutes an offer to sell the personal data.
> 
> 
> 
> further reading:
> 
> 
> 31. Transfer of personal data
> (1) Subject to subsection (2), no data controller shall, except with the written authorisation of the Commissioner, transfer personal data to another country.
> (2) The Eighth data protection principle specified in the First Schedule shall not apply where –
> (a) the data subject has given his consent to the transfer;
> (b) the transfer is necessary –
> (i) for the performance of a contract between the data subject and the data controller, or for the taking of steps at the request of the data subject with a view to his entering into a contract with the data controller;
> (ii) for the conclusion of a contract between the data controller and a person, other than the data subject, which is entered at the request of the data subject, or is in the interest of the data subject, or for the performance of such a contract;
> (iii) in the public interest, to safeguard public security or national security.
> (c) the transfer is made on such terms as may be approved by the Commissioner as ensuring the adequate safeguards for the protection of the rights of the data subject.
> (3) For the purpose of subsection (2)(c), the adequacy of the level of protection of a country shall be assessed in the light of all the circumstances surrounding the data transfer, having regard in particular to -
> 
> (a) the nature of the data;
> (b) the purpose and duration of the proposed processing;
> (c) the country of origin and country of final destination;
> (d) the rules of law, both general and sectoral, in force in the country in question; and
> (e) any relevant codes of conduct or other rules and security measures which are complied with in that country.
> Amended by [Act No. 14 of 2009 <http://supremecourt.intnet.mu/Main/GetDoc.asp?Doc_Title=Act+No.+14+of+2009&Mode=Html&Search=No>]
> 
> 
> We need to see a balance and decide properly. I would like to say that I am not taking sides, but we need to understand to what extent things can and cannot be reported. The Mauritius DPA takes precedence from the EU Act. But still an NDA binds the resource member and AfriNIC within the binds of a legal clause of confidentiality that any member can recall and use against AfriNIC. 
> 
> However, I am sure if we keep to a brief, as I said, X number of applicants received and Y number not accepted may still be fine, but category etc. may already lead to guesswork, and this may again lead to legal hassle. A compliance report as per the current state of the proposal releases too much information already. 
> 
> 
> Further the RIPE NCC policy:
> 
> If you are referring to RIPE NCC policy:
> 
> RIPE NCC Audit Activity
> 
> ...
> 
> [Message clipped]  
> 
> -- 
> Serge ILUNGA KABWIKA
> Skype: sergekbk
> Cell: +243814443160

Kris Seeburn
seeburn.k at gmail.com
www.linkedin.com/in/kseeburn/
