Search RPD Archives
Limit search to: Subject & Body Subject Author
Sort by:

[rpd] Staff & Legal Assessements on "Internet Numbers review by AFRINIC"'s Proposal

David Hilario d.hilario at
Fri May 12 09:11:53 UTC 2017


The staff assessment are really important for the community to understand
what will happen if a policy gets passed, as it can indirectly impact the
Salad and even the membership fees.


I have to question this assessment's part on the staff workload:

> On Staff Workload: All review requests shall be handled First in, First
> (at staff discretion) - in which case, no significant impact to staff
> workload is expected.

First in first out only means that work gets handled in a fair manner, and
is highly important in cases of resource request, not so much in an audit,
in no ways is it a metric that can be used to state no increase on staff

How can it not have any increase on the workload, if it becomes a regular
task "randomly picking up" LIR to audit, then surely there should be some
kind of KPI to be introduced, how many audits per month/year are intended,
how long would be an average audit?
And that is not counting the reported ones, these audits can and will be
very time consuming, both for the LIR and the RIR if going in depth.

David Hilario

IP Manager

Larus Cloud Service Limited

p: +852 29888918 m: +359 89 764 1784
f: +852 29888068
a: Flat B5, 11/F, TML Tower, No.3 Hoi Shing Road, Tsuen Wan, HKSAR
e: d.hilario at

On 9 May 2017 at 18:11, Arnaud AMELINA <amelnaud at> wrote:
> Hi Community,
> Dear PDPWG, please find bellow The New Staff assessment concerning our
> Proposal on "Internet Number Resources Review by AFRINIC" and for your
> information the Old assessment follow the new one. Thanks
> Regards
> Arnaud
> New Assessment :
> ===============================================
> Staff Assessment for : Internet Number Resources Review by AFRINIC
> Proposal
> AFPUB-2016-GEN-001-DRAFT-04
> Title
> Internet Number Resources Review by AFRINIC
> Assessed
> 26/April/2017
> 1.0 Staff Understanding of the Proposal
> AFRINIC to conduct resource utilization reviews (audits) of IPv4, IPv6 and
> ASN resources randomly, periodically and/or triggered by a whistleblower
> ensure compliance with policy provisions and all terms of the AFRINIC RSA.
> Non-Compliant resources to be recovered (and can be reallocated).
> An arbitration team (whose decision is final) to be instituted (by
> to handle any complaints by members unsatisfied with the review/audit
> report.
> A report of all review/audit activity conducted every year will be
> on the website, contents of which must comply with the Mauritius Data
> Protection Act as well as any NDA in place with any AFRINIC member.
> 2.0 Staff Comments
> On Sec 13.6 - Our previous concerns that AFRINIC may be legally exposed
> regarding what member data can be published in the annual "Compliance
> Report" seem to have been addressed by the inclusion of "in accordance
> Mauritius Data Protection Act and NDA with members." The act however, only
> concerns personal information. The kind of information to include in the
> compliance report should preferably be to the discretion of AFRINIC.
> Authors to clarify on if the arbitration process can be initiated by the
> member anytime during or (only) after the review is completed. There also
> needs to be a time limit around when the arbitration process must complete
> (for the arbitration team to produce their findings/report).
> On Staff Workload: All review requests shall be handled First in, First
> (at staff discretion) - in which case, no significant impact to staff
> workload is expected.
> On the clause: “The review shall be conducted in full transparency and
> neutrality”. Authors need to expound more on what this means - as AFRINIC
> cannot disclose details of an ongoing audit/review to the public while
> the review - if this is what authors meant by "transparency".
> On the Clause: “AFRINIC shall publish the resources to be recovered for a
> period of three (3) months; during which the organization may at any time,
> seek compliance” - AFRINIC will add “remarks” attributes to the concerned
> whois database objects, with information regarding the ongoing review. We
> think that this is sufficient to address the "publish" requirement in this
> clause.
> 3.0 Comments from Legal Counsel
> Legal Counsel’s Assessment
> 1. In the implementation phase staff will have to deal with evidence
> emanating from several jurisdictions. Moreover, staff will face the
> task of assessing evidence/information/data from different sources and of
> different evidential value. Staff will be burdened with testing the
> reliability of this evidence/information/data to assess and weigh theses
> evidences and to decide whether same may be used to establish abuse or
> wrongful use of Internet Number Resources.
> The possibility of collecting evidence/information/data coming from
> different sources via affidavits or depositions before Commissioner of
> may have to be envisaged to partly ease pressure on staff.
> AFRINIC will have to protect itself and act only on reliable, cogent and
> admissible evidence before finally revoking allocation of resources which
> the investigated member claims has been prejudicial to it and consequently
> claims for compensation. This possibility should always be envisaged. The
> increasing value of IPv4 resources point in that way.
> 2. What modus operandi should be put into place to “hear” the investigated
> party to ensure fairness? The policy proposal does not provide anything in
> this regard and should address it.
> 3. It will not always be possible to confront the investigated party with
> data/documents/evidence coming from third parties who may have disclosed
> same in confidence and have expressly refused to be named or referred to.
> 4. The arbitration referred to in the proposal has to be effected within
> jurisdiction of one country – and the main question is – which would this
> country be?
> 5. Section 13.5 of the proposal states: “the outcome of the arbitration
> process is unequivocal”. This is in contradiction of, Articles 1027 to
> 1027-9 of the Code de Procedure Civile of Mauritius which provides that a
> party to an arbitration may seek the “annulation “of an award by seizing
> Supreme Court.
> 6. The "Mauritius Data Protection Act" only applies to personal
> information/data.
> The Old One :
> Staff & Legal Assessment and Comments
> Staff Comments:
> The proposal appears to be enabling AFRINIC to “enforce” article 4(b) the
> Registration Services Agreement, a matter of procedure and process.
> We already have the ability to enforce the RSA, and the RSA already
> a requirement for policy compliance.
> We already have the ability, in terms of the RSA, to recover resources
> are not being used for the purpose for which they were allocated/assigned.
> AFRINIC already reviews or audits members when they request additional
> resources. We also have the ability to review at other times, but we do
> regularly exercise such ability.
> We see no problem in principle with allowing complaints to trigger a
> but we are concerned about the details.
> It's not clear who decides whether a complaint "warrants investigation".
> interpret this part of the proposal as giving AFRINIC staff the discretion
> to decide which complaints to investigate or not to investigate.
> Each investigation will have large impact on staff workload, and is also
> likely to have a large impact on the organisation being investigated. We
> especially concerned about the impact of unjustified complaints.
> AFRINIC staff workload may be greatly increased by a large number of
> requests for review or audit. The requirement that the complaint "warrants
> investigation" may mitigate this issue, if staff have the ability to
> that certain complaints do not warrant investigation, but staff resources
> will nevertheless be expended on determining whether or not the complaint
> warrants investigation.
> There is no policy requirement for visibility in the global routing table.
> AFRINIC will have no contractual basis for treating "lack of visibility of
> the resource on the global routing table" as a problem under this policy.
> suggest that this proposal should focus on policy violations, and leave
> issue of global routing visibility to some other proposal that might be
> introduced in future.
> There is a reference to "unauthorised transfers". At present, all
> (other than under mergers and acquisitions) are unauthorised. Even under
> possible future transfer policy, any "unauthorised transfer" would be in
> violation of such policy. Accordingly, we suggest that there is no need to
> treat unauthorised transfers differently from any other policy violation.
> The requirement that "the records of the previous holder of the recovered
> resource shall be removed from AFRINIC databases"is in conflict with
> practice that when a resource is returned or transferred, it remains
> possible to find out information about the previous holder of the
> The requirement that the review be conducted with "full transparency" may
> in conflict with privacy provisions in NDAs, in the RSA, or in law.
> The requirement to publish a "compliance report" may be in conflict with
> privacy provisions in NDAs, in the RSA, or in law.
> There is a requirement for AFRINIC to create and document an appeal
> and appoint a pool of arbitrators. Creating the process, including a
> comment period and subsequent revisions, would probably take 3 to 6
> Calling for volunteers and appointing them would probably take another 2
> months.
> Legal:
> TheRSAisacommunityapproveddocument and all members are bound by each and
> every clause thereof once they sign the agreement. It
> isacontractwherebothpartiessubscribetoclearobligations.
> In application of the law of contract of Mauritius as found in Article
> of the Mauritius Civil Code Section 4, the RSA is already
> binding,asaresult,onallmemberswhosigntheagreement.
> It is perfectly lawful , in terms of the application of the Mauritius
> Code , for AFRINIC to act under the said section and reclaim
> resourcesfromthosememberswho/whichfailanaudit/reviewexercise.
> The policy can do no more than allow AFRINIC to do what it is already
> in a clear and transparent manner on the basis of a community
> approveddocument
> _______________________________________________
> RPD mailing list
> RPD at
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the RPD mailing list