Search RPD Archives
Limit search to: Subject & Body Subject Author
Sort by:

[rpd] Last Call for "AFPUB-2016-GEN-001-DRAFT-04 - Internet Number Resources Review by AFRINIC"

Kris Seeburn seeburn.k at gmail.com
Tue Jun 27 10:56:55 UTC 2017 

I oppose the policy

There are still many dark areas which gives way leave for getting afrinic in trouble. If the community would want to put the organization in a very difficult situation it’s not the way forward.

Let’s take closer look at the policy are we really going for a witch hunt here? If we are really looking at witch hunt. Name the people directly…..keeping things anonymous is one of the important things but in our case we are not audit factory and i still maintain who will pay for the audit and based on what are we going to audit. RIPE does it as a reasoning based on full reports that can be justified. 

Does afrinic have the resources to do so? The money etc.,?

From staff comments the legal counsel has already given his views….are we discarding the legal implications? I would say then those making anonymous requests should pay out of pocket expenses. 

So let’s look at the legal response:

Legal	Counsel’s	Assessment 1. In the	implementation	phase	staff	will	have	to	deal	with	evidence	emanating	from	several	jurisdictions.	Moreover,	staff	will	face	the	arduous	task	of assessing	evidence/information/data	from	different	sources	and	of	different	evidential	value.	Staff	will	be	burdened with	testing	the	reliability	of	this	evidence/information/data	to	assess	and	weigh	theses	evidences	and	to	decide	whether	same	may	be	used	to	establish	abuse	or	wrongful	use	of Internet	Number	Resources. The	possibility	of	collecting	evidence/information/data	coming	from	different	sources	via	affidavits	or	depositions	before	Commissioner	of	Oath	may	have	to	be	envisaged	to	partly	ease	pressure	on	staff. AFRINIC	will	have	to	protect	itself	and	act	only	on	reliable,	cogent	and	admissible	evidence before	finally	revoking	allocation	of	resources	which	the	investigated	member	claims	has	been	prejudicial	to	it	and	consequently	claims	for	compensation.	This	possibility	should	always	be	envisaged.	The	increasing	value	of	IPv4	resources	point	in	that	way. 2. What	modus	operandi should	be	put	into	place	to	“hear”	the	investigated	party	to	ensure	fairness?	The	policy	proposal	does	not	provide	anything	in	this	regard	and	should	address	it. 3. It	will	not	always	be	possible	to	confront	the	investigated	party with	data/documents/evidence	coming	from	third	parties	who	may	have	disclosed	same	in	confidence	and	have	expressly	refused	to	be	named or	referred	to. 4. The	arbitration	referred	to	in	the	proposal	has	to	be	effected	within	the	jurisdiction	of	one	country	– and	the	main	question	is	– which	would	this	country	be? 5. Section	13.5	of	the	proposal	states:	“the outcome	of	the	arbitration	process	is	unequivocal”. This	is	in	contradiction	of,	Articles	1027	to	1027-9	of	the	Code	de	Procedure	Civile	of	Mauritius	which	provides	that	a	party	to	an	arbitration	may	seek	the	“annulation	“of	an	award	by	seizing	the	Supreme	Court. 6. The	"Mauritius	Data	Protection	Act"	only	applies	to	personal	information/data.
 

I will try to just try and put it simple for all:

Legal threats which the counsel has already warned
IP audits cost vast amount of money, time and loads more money to conduct.
If we are to audit someone Afrinic needs and needs to ensure a very good reason for the audit else face the legal battle and if it fails to prove right the cost is still there and who will pay for it? on the reverse the company being audited could be asking afrinic to pay for the time and resources that may affect the operations  as well
If one refuses and stll want to come up with the audit better be ready to be sued fully. Because we know this community is aiming at certaon companies and people….let us be honest and not hide behind policies only to get even with people
 The other point is that if the company is audited and you publish the name of the companies as subject to audit we are in infraction also with ICP2 not to forget and that opens the door for being sued again.
If you revoke or even attempt to revoke the resources because the company does not comply with the audit you still attract legal threats

We can continue on and on with many reasons and the authors have been quite evasive on certain areas. For me the i oppose the policy as it stands. Unless guys you want to call it directly the policy for whom you want to do it just lay it out. The community cannot be that crazy not to know whom we are talking of. 

I prefer you guys do the right thing and get your acts right… i had asked questions on this in the past which the authors never replied to and i still do not have them as if ignored.

Can you the authors go back to my questions and reply to to them. Else we can just ask the authors to lay there money on the table to accomplish what you want. I am just a member of the community and i have been on the board seen our finances am still an IT auditor i know the process, timing costs and impacts. Again not forgetting ICP2 last paragraph…. 

I still stand opposed to the policy. People just call it an Andrew or liquid audit policy or a cloud innovations policy audit. Let’s not hide and get off with it.

Kris




> On Jun 27, 2017, at 5:37 AM, Lu Heng <h.lu at anytimechinese.com> wrote:
> 
> Dear  Colleagues:
> 
> I remain firmly oppose this policy. And for the future of AFRINIC, I hope this policy can be modified and further discussed. And here are my reasons:
> First of all, this policy is in direct conflict with transfer policy, if someone wants to sell their address space, they surely not commit to use it with the original purpose, should AFRINIC instead of allowing them to transfer the space, but reclaim them and redistribute them for "better use"? If that is the case, the transfer policy will have no use because of that.
> 
> RIPE NCC does review their members as well, they call it assisted registry check, basically they check the contact details and so on and ask you to confirm if all OK, they also verify that assignments are registered, if anything is wrong, LIR is asked to fix it, there are no threats of de-registration, as far as I know, no RIR has ever de-register allocation from their active member ever in history. I would agree to the policy if the review was carry out on the assignment base (just imagine if you have to review entire MTN or liquid telecom), and if member does not comply, the punishment should be no more future additional allocation, therefore we do not let anyone lose their connection, so we can avoid the legal issue by doing that.
> 
> I would oppose review on the allocation base, image review an entire /12 allocation for example, it will cost both member and AFRINIC millions of dollars, and if you are nitpicking, you always find policy valuation in any large telcos, it's just impossible in business to follow the policy rule exactly if you are running a company like MTN, if you deregister MTN's range because of that....I only can image it become end of AFRINIC as we know it.
> 
> And as we can see from the data here, http://bgp.potaroo.net/ipv4-stats/allocated-afrinic.html <http://bgp.potaroo.net/ipv4-stats/allocated-afrinic.html> , 7.23 /8s Assigned, 6.27 /8s Allocated, 0.96 /8s in RIR Pool, 5.49 /8s Advertised, in which means, at this moment there is 1.76 /8 have been assigned to members in Afrinic region, but not even advertised in the internet, that is equal to 29527900 IP addresses, If, there is a review being conducted to this 29 million IP addresses, I am sure by current policy, they can have "better use" than sitting idle or being used internally. Since transfer policy have been passed, those address has market value of 300 million dollars, reclaim those amount of address space, without any additional business damage, would very likely results AFRINIC paying over 300 millions dollar worth of damage, in which is more than half a century income for AFRINIC.
> 
> 
> 
> 
> And below I will add my email on the topic a year ago, in which all the point still stands:
> 
> I'd like to contribute my own 2 cents.
> 
> Let's assume, this policy really putting into action and found a policy breach, stay with me with the example(so let's say the policy in fact works on its purpose of finding policy breach):
> 
> National telecom A from country B has a lot of its practice that not following the policy,Afrinic therefore by RSA trying to reclaim the address from the national telecom A from the requested audit.
> 
> Because of the reclamation, a lot of people lost their connection in country B.
> 
> National telecom taking Afrinic to court and country B government talking to UN and ITU to dismiss Afrinic.
> 
> Does Afrinic, being an 30 people organization with only 4 million dollar in budget, even stay a chance to fight them at all?
> 
> So this reclamation will risk the very existence of Afrinic, for a maybe a /15 misused address, seriously is it worth it for the community as a whole?
> 
> Maybe some would claim that not every company has 4 million in budget, not every member that Afrinic are not able to fight in court, the simple truth is, the one are smaller than Afrinic in size and budget, their space will be small enough that will not make difference for the community(audit an /22 and get it back will really worth nothing to the community, and you can hardly call /22 stock piling as well).
> 
> And any company go though RIR process and justified their need in which is greater than, let's say, /16, will surely have multiple times size of Afrinic with much stronger financial power, Afrinic can not afford fighting them in court under today's condition. Let's face it, Afrinic has no real enforcement power like some might think it does, Afrinic is an registration service, it already does everything it can during the process issuing the IP address to make sure fair distribution according to the policy, and keep the whois database accurate, that is all what community ask them to do, and that is all what Afrinic capable of doing. 
> 
> There is no single RIR, RIPE NCC being 5 times bigger budget than Afrinic included, are able to reclaim address from member who do not need them anymore, and that is the exact reason why we have a transfer policy in most of the region now. People transferring are clearly not needing address anymore, why none of RIR today reclaim them from the holder? There might be quite few argument to that, but the one I understand is, none of them able to, most large block holder, if not all, are multiple size of the RIR both in number of staff and financial power, sometime even in political influence, and it is really not worth to risk all the member fees to fight an single member(or multiple members, consider the amount of transfer happening every month). Market works better than central planning, communist country learned this in hard way.
> 
> What is the normal practice in every region until now, is that, assignment can be cancelled by RIR, however, allocation are untouchable once it is issued, no RIR has ever in history claimed back an allocation from member due to insufficient usage. Not to mention Afrinic being the smallest, least funded RIR among them all.
> 
> Let's distribute the rest v4 at fair pace, and stop asking Afrinic acting as communist country's central government, all Afrinic has is an database, with 30 people maintain it under 4 million USD budget, the only reason all those government and large telecom leave Afrinic alone, is because Afrinic does not claim any power but only maintain the database, once Afrinic claim its power to manage whole continent's infrastructure(like one of the hostmaster mistakenly claimed in one of Afrinic meeting), it will simply be the day Afrinic ends as we know it. For that power, we will need a much bigger Afrinic with each country's gov setting on the board to decided things(and enforce it with real power), just like you see in most international governing organizations.
> 
> So please keep Afrinic doing registration service alone, like Rob, the first RIPE chair and much respected globe community member once said, RIR are bookkeepers, nothing more. The wise man help establish the RIR system as we know it today, and I believe its bookkeeper analogy are what protect the RIR's very existence for past 3 decates.
> 
> Otherwise, you will need not just a policy to make the intend of this policy work, you will need high level enforcement power from the each countries' government, and you will need a much bigger Afrinic, or rather, "Africa internet government".
> 
> I would appreciate author to address all the above concerns.
> 
> With regards.
> 
> Lu
> 
> On 26 June 2017 at 01:57, David Hilario <d.hilario at laruscloudservice.net <mailto:d.hilario at laruscloudservice.net>> wrote:
> Hi Arnaud,
> 
> AFRINIC Ltd being put in direct danger of legal actions and financial
> claims from its members is still a possibility regardless of how we
> look at the situation, this will continue to be the case for as long
> as the proposal threatens to de-register resources..
> 
> This is the reason why an objections were raised, it is even part of
> the reasoning in staff assessment as a very real possibility, I don't
> believe we can simply close our eyes on this one and just act as if it
> isn't there.
> 
> RSA is "only" a legal document between a member and AFRINIC LTD, it
> contains some resources related guidelines, but as we have seen with
> the transfer policy it is not above AFRINIC policies.
> The policies are above the RSA when it comes to resource management
> and distribution, RSA gets invalidated by any policy contradicting it,
> as such basing and defending a policy a policy proposal on the content
> of the current RSA may be unwise, the policy needs to stand on its own
> without having to refer to the RSA.
> 
> 
> 
> David Hilario
> 
> IP Manager
> 
> Larus Cloud Service Limited
> 
> p: +852 29888918 <tel:%2B852%2029888918>  m: +359 89 764 1784 <tel:%2B359%2089%20764%201784>
> f: +852 29888068 <tel:%2B852%2029888068>
> a: Flat B5, 11/F, TML Tower, No.3 Hoi Shing Road, Tsuen Wan, HKSAR
> w: laruscloudservice.net <http://laruscloudservice.net/>
> e: d.hilario at laruscloudservice.net <mailto:d.hilario at laruscloudservice.net>
> 
> 
> On 23 June 2017 at 19:33, Arnaud AMELINA <amelnaud at gmail.com <mailto:amelnaud at gmail.com>> wrote:
> > Hello Ashok, please find inside lines in red color, authors response to your
> > concerns :
> >
> > 2017-06-19 1:34 GMT+00:00 Ashok Radhakissoon <ashok at afrinic.net <mailto:ashok at afrinic.net>>:
> >>
> >>
> >>
> >> To the Attention of the  Co -Chairs-PDWG
> >>
> >> I refer to the proposed" Internet Number Resources Review" policy and
> >> specifically to my observations thereon from a legal perspective.( attached
> >> here)
> >> Indeed I made two assessments. The first was for the first version of the
> >> said proposal
> >
> >
> > Your first assessment is very inspiring and can be seen at
> > https://afrinic.net/community/policy-development/policy-proposals/1947-internet-number-resources-review-by-afrinic#assessment <https://afrinic.net/community/policy-development/policy-proposals/1947-internet-number-resources-review-by-afrinic#assessment>
> > It says:
> >
> >
> > Legal:
> >
> >     The RSA is a community approved document and all members are bound by
> > each and every clause thereof once they sign the agreement. It is a contract
> > where both parties subscribe to clear obligations.
> >     In application of the law of contract of Mauritius as found in Article
> > 1134 of the Mauritius Civil Code Section 4, the RSA is already binding, as a
> > result on all members who sign the agreement.
> >     It is perfectly lawful , in terms of the application of the Mauritius
> > Civil Code , for AFRINIC to act under the said section and reclaim resources
> > from those members who/which fail an audit/review exercise.
> >     The policy can do no more than allow AFRINIC to do what it is already
> > doing in a clear and transparent manner on the basis of a community approved
> > document
> >
> >
> >>
> >> and  the second was for the amended  versions thereof.
> >
> >
> > It will be good if you could  point out the amendments and how they bring
> > some potential risks
> >
> >>
> >> Whilst my first observation rested on the contractual  aspect of the RSA
> >> and the contractual obligation of members to comply thereto-See clause 4 of
> >> the RSA. My second assessment was made from the perspective of the
> >> implementation of the proposal.
> >
> >
> > As there is no legal concerns about adopting a policy to implement
> > contractual obligations set by the RSA and allocations/assignment policies,
> > it sounds good to discuss implementation.
> >
> >>
> >> As these assessments were submitted by AFRINIC to the authors in good time
> >> before the face to face discussion thereon, I expected that they were to be
> >> considered as a fourth version of the proposal was presented.
> >
> >
> > Just for records: version 4 was submitted on April 11, Second staff and
> > legal assessment  was  published on April 26
> >
> >>
> >> To all intents and purposes, it is my humble opinion that the legal issues
> >> were not addressed by the authors nor did you draw attention to them during
> >> the face to face meeting.
> >
> >
> > Authors responded to this second  assessment on the mailing list. See
> > https://lists.afrinic.net/pipermail/rpd/2017/006889.html <https://lists.afrinic.net/pipermail/rpd/2017/006889.html> and spoke about
> > them in the presentation made during the PPM
> >
> >>
> >> I believed that since the assessments were part of the record for the
> >> purposes of discussions and consideration, I did not draw the attention of
> >> the working group to them.
> >> I am now doing so.
> >
> >
> > Thank you. We believe this give the working Group and yourself a single
> > opportunity to progress and close this issues.
> >
> >>
> >>  I reiterate that the proposal, as submitted and later amended, would
> >> expose AFRINIC to potential legal suits if the following issues which I have
> >> raised in my assessment are not addressed.
> >
> >
> > See below
> >
> >
> >>
> >> 1- The testing of data/facts/ evidence submitted( by third parties) to
> >> staff  require the latter to verify  the veracity/admissibility/authenticity
> >> thereof.If AFRINIC was to act on these, and they later reveal themselves to
> >> be forged/untrue/inadmissible/, AFRINIC may potentially face civil suits at
> >> the behest of members from whom resources would have been recovered and
> >> which could have been prejudicial to them(members).
> >
> >
> > You point to Third parties  with  “data/facts/evidence submitted by (third
> > Parties) to staff.  You are then referring to section 13.3.2(b) below
> >
> >
> > 13.3.2 Selected
> > A member is selected because of an internal report or due to a lack of
> > contact between the AFRINIC and the member.
> > 13.3.3 Reported: Here, members are reviewed either because:
> > a. They have requested the review themselves or;
> > b. There has been a community complaint made against them that warrants
> > investigation. Complaints shall be backed by evidence and AFRINIC staff
> > shall evaluate the facts as appropriate to conduct the review. However, this
> > review is not applicable to a member with the same resources portfolio on
> > which a full review has been completed in the preceding 24 months.
> >
> >
> > Staff shall evaluate the facts at their discretion just to know if the
> > complaint is worth establishing a review. The decision to run a review in
> > all cases fall under RSA and policies provisions.
> >
> > section 4 (iii) of RSA
> >
> > Further  acknowledges  that  AFRINIC  may  at  its  own  discretion  and
> > for  good  cause  and
> > common Interest of the stability of the Internet, investigate or cause to be
> > investigated, the Applicant’s
> > use of the services by the appropriate and competent authority(ies).
> >
> >
> >>
> >> I also referred to the problem of multi-jurisdictional sources of
> >> evidence/facts etc
> >
> >
> > No need for a legal document/evidence as explain above.
> >
> > But in case this would be needed, one could expect the company legal counsel
> > to guide the organization as how it works by default.
> >
> > AFRINIC already deals with evidences/Facts from members and potential
> > members when evaluating request for allocations and additional allocations.
> >
> >
> >>
> >> 2- The authors must pronounce themselves on whether members should have
> >> recourse to sworn affidavits or go through the services of a commissioner of
> >> oath or propose any other modus to enable the staff of AFRINIC to undertake
> >> the testing exercise on the basis of reliable evidence, before embarking
> >> upon a review process.
> >
> >
> > RSA does not require sworn affidavit to provide information to staff
> >
> >>
> >> 3-My remarks would apply for the two "classes" of review- complaints from
> >> community- AFRINIC's own decision-
> >
> >
> > this is addressed above
> >
> >>
> >> 4- I have also not seen the stand of the authors regarding the fact as to
> >> the "arbiration award" being unequivocal and my observation related to an
> >> incompatibility with the Code of Civil Procedure of Mauritius.
> >
> >
> > There seems to be some confusions and misunderstandings here. Below is again
> > the text of the appeal procedure:
> >
> >
> > 13.5 Appeal procedure
> >
> > The review shall be conducted in full transparency and neutrality.
> >
> > Reviewed members who are not satisfied have the right to appeal against the
> > result.
> >
> > Appeals shall follow an arbitration process as defined by AFRINIC, which
> > shall publish the process and the pool of arbitrators whom shall be
> > knowledgeable volunteers from the community.  The outcome of the arbitration
> > process is unequivocal.
> >
> >
> > It is about an appeal against the result of the audit. Nothing more.  An
> > appeal process as we do have for example in the section 3.5 of the CPM.
> >
> > The Arbitration process to be defined by AFRINIC “must” only cover appeals
> > against the results of review and not appeal against actions taken by
> > AFRINIC after a review.
> >
> > This must be separated from any dispute which may arise from action taken by
> > AFRINIC as results of a review or other mechanisms which shall follow the
> > Number Resource Dispute Resolution of AFRINIC as  shown  at this URL.
> > https://www.nro.net/about-the-nro/rir-governance-matrix/#disputes <https://www.nro.net/about-the-nro/rir-governance-matrix/#disputes>
> >
> > So question is  “ is section 13 of the RSA incompatible with the Code of
> > Civil procedure of Mauritius” ?.  But this discussion does not fall under
> > this policy proposal
> >
> >
> >
> >>
> >> 5- I also raised the issue of " hearing" the investigated party( a
> >> requirement of the rules of natural justice) and expressly stated that the
> >> proposal does not provide anything in this regard.
> >
> >
> > Policies and RSA provide mechanisms for staff to conduct review of
> > allocation/assignment requests and allocated resources usage. This policy
> > proposal does not need to define any other mechanisms.
> > Investigated party must collaborate and provide information required by
> > AFRINIC.
> >
> > Afrinic does not conduct hearings with requesting members, so not required
> >
> >
> >>
> >> 6-The question of choice of jurisdiction  wherein the arbitration  be
> >> held-Would it always be Mauritius ? This is the law that applies to the RSA.
> >
> >
> > As stated above, the Arbitration this policy proposal refers to does not
> > require jurisdiction.
> >
> > Choice of jurisdiction according to the RSA is Mauritius, and we expect this
> > to apply to Number Resource Dispute Resolution as defined in the RSA
> >
> >
> >>
> >> In the light of the above ,may I request the Co-Chairs to consider same
> >> and consequently decide, whether further discussions are required on this
> >> proposal.
> >
> >
> > Hope the above clarify  things and address your concerns
> >
> >
> >>
> >> I thank you for you kind consideration.
> >> Ashok.B.Radhakissoon
> >> Afrinic-Legal Adviser.
> >>
> >>
> >
> > Warm Regards
> >
> > Arnaud A. A. A.
> > Active Community member ;)
> >>
> >>
> >>
> >> _______________________________________________
> >> RPD mailing list
> >> RPD at afrinic.net <mailto:RPD at afrinic.net>
> >> https://lists.afrinic.net/mailman/listinfo/rpd <https://lists.afrinic.net/mailman/listinfo/rpd>
> >>
> >
> >
> > _______________________________________________
> > RPD mailing list
> > RPD at afrinic.net <mailto:RPD at afrinic.net>
> > https://lists.afrinic.net/mailman/listinfo/rpd <https://lists.afrinic.net/mailman/listinfo/rpd>
> >
> 
> _______________________________________________
> RPD mailing list
> RPD at afrinic.net <mailto:RPD at afrinic.net>
> https://lists.afrinic.net/mailman/listinfo/rpd <https://lists.afrinic.net/mailman/listinfo/rpd>
> 
> 
> 
> -- 
> --
> Kind regards.
> Lu
> 
> _______________________________________________
> RPD mailing list
> RPD at afrinic.net
> https://lists.afrinic.net/mailman/listinfo/rpd

Kris Seeburn
seeburn.k at gmail.com
www.linkedin.com/in/kseeburn/ <http://www.linkedin.com/in/kseeburn/>




-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.afrinic.net/pipermail/rpd/attachments/20170627/a363ddf3/attachment-0001.html>

More information about the RPD mailing list