[rpd] Decisions ... Abuse contact

[Madhvi Gokool]

Dear Frank/Community members


a) In the Impact Assessment, staff assumed that the policy will not
impact the legacy resources in the AFRINIC whois database and requested
the authors to confirm that this is so.  AFRINIC staff needs to keep
this in consideration at the time of implementation(myafrinic and whois
business rules) - abuse-c mandatory for non-legacy resources. Staff were
therefore satisfied with this confirmation and had not indicated
otherwise to the co-chairs and community in the session.

b) "AFRINIC is bound by the Mauritian Data Protection Act 2017 (inspired
by GDPR). For more information on AFRINIC's Privacy Policy, click on the
following link - https://www.afrinic.net/privacy. Thus, implementation
of the abuse-c will not impact negatively on AFRINIC's data protection
obligations."

c) The only policy that affects the legacy resource holders is
documented in Section 5.7 of the CPM  - and it regards transfers of
legacy resources.  Legacy Holders are not bound by any other resource
policies.

Staff therefore will confirm with the authors that their policies do not
affect legacy resources , especially when implementation will be done on
the whois database.  This is  to ensure that the implementation does not
negatively impact  how the legacy resource holders manage their
resources on the whois database.

d) In the Policy Implementation Experience Report during
AFRINIC-32/AIS'20 , staff have pointed out that Section 8 of the CPM
does not enforce a mandatory abuse contact . They also mentioned that
they are having to respond to an increase in complaints regarding
missing abuse contacts in the number resources in the AFRINIC whois
database and that operators have warned that they will filter the
resources with no abuse contacts.  Staff are therefore doing the work
for the members , as they are bound to respond to any queries that are
logged with the AFRINIC service desk.  This situation is not scalable in
the long term & AFRINIC invites the community to also ponder on this
feedback.

Kind Regards

Madhvi

-- 
Madhvi Gokool
Senior IP Resources Specialist
AFRINIC Ltd.
t:  +230 403 5100 | f: +230 466 6758 | 
w: www.afrinic.net

On 28/09/2020 8:09 PM, Frank Habicht wrote:

> Dear chairs,

>

> On 21/09/2020 08:32, Frank Habicht wrote:

>> Dear chairs,

>>

>> On 21/09/2020 03:04, ABDULKARIM OLOYEDE wrote:

>>> 6.       Abuse Contact Update

>>>

>>> The proposal makes it mandatory for AFRINIC to include in each resource

>>> registration, a contact where network abuse from users of those

>>> resources will be reported.  The proposal whois DB attribute (abuse-c)

>>> to be used to publish abuse public contact information. There’s also a

>>> process to ensure that the recipient must receive abuse report and that

>>> contacts are validated by AFRINIC regularly. However, there some

>>> opposition to the proposal there are:

>>>

>>> a.                   Staff analysis on how it affects legacy holder not

>>> conclusive  (not sure why this should affect legacy holders)

>>>

>>> b.                  The proposal doesn’t state what will be the

>>> consequences of one member fails to comply. Why are we creating the

>>> abuse contact when there is no consequence for not providing the abuse

>>> contact

>>>

>>> c.                   Abuse contact email and issues with GDPR concerning

>>> the whois database

>>>

>>> d.                  No proper definition of the term Abuse

>>>

>>> e.                  To force members to reply to their abuse email is

>>> not in the scope of AFRINIC.

>>>

>>> Chairs Decision: No rough consensus

>> About d. "No proper definition of the term Abuse"

>> yes, this was mentioned several times by members opposing.

>> The proposal is about "abuse contacts". it is not about what "abuse" is.

>> there is no need for a definition of "abuse".

>> In my humble opinion the request for a definition of abuse is off-topic.

>>

>> Question: if someone makes a proposal about lame DNS servers in domain

>> objects for Reverse-DNS, and I object arguing that a definition of RPKI

>> is needed - what would you do with this argument?

>> Q2: can arguments about a proposal be irrelevant to this proposal?

>> Q3: was that the case here? were arguments, that a definition for abuse

>>     is required, irrelevant?

>>

>> I request chairs' response to Q2 and Q3.

> Dear chairs, requesting a response.

> Note: chairs said this was a point of opposition.

> I argue that this was an irrelevant point.

>

>> About e. "To force members to reply to their abuse email is not in the

>> scope of AFRINIC."

>> Yes, that was mentioned several times.

>> And also this is something the proposal does not do and does not attempt.

>> And all the comments about (d.) above apply.

> How can people complain that the proposal does something, when the

> proposal doesn't do that?

> How can that be a valid objections?

> Chairs?

>

>> If irrelevant objections are taken as valid arguments, please note that

>> I foresee that any future proposal can get rejected and the PDP will be

>> stuck.

>>

>>

>> About c. "Abuse contact email and issues with GDPR concerning the whois

>> database"

>> - I didn't see that on the mailing list, can you remind us, or was that

>> only during the live session?

>> - there are other contact information in whois. can staff confirm

>> whether AfriNIC are GDPR compliant?

> AfriNIC staff: above is a question for you.

> yes, I think I know the answer, but maybe the ones arguing that this is

> a problem with the proposed policy don't know the answer.

>

>> - would that status change if abuse contacts would be added?

> same... AfriNIC staff, please help.

>

>

>> About b. "The proposal doesn’t state what will be the consequences of

>> one member fails to comply. Why are we creating the abuse contact when

>> there is no consequence for not providing the abuse contact"

>> - I can imagine that AfriNIC would include in their meeting

>> presentations information regarding how big (in measurable terms) this

>> problem is.

>> - from that the WG can discuss and decide if more actions are necessary.

> Chairs, does my above answer sufficiently address the point b. of

> opposition that you had listed as relevant?

>

>

>> About a. "Staff analysis on how it affects legacy holder not conclusive

>>  (not sure why this should affect legacy holders)"

>> I didn't see that before, but as is tradition in my part of the world,

>> let me respond to the question with a question:

>> Are legacy holders subject to any for the PDWG's policies?

> Madhvi, please help: does any policy affect legacy holders?

>

>

> Thanks,

> Frank

>

>

> _______________________________________________

> RPD mailing list

> RPD at afrinic.net

> https://lists.afrinic.net/mailman/listinfo/rpd


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.afrinic.net/pipermail/rpd/attachments/20200930/453b149b/attachment.html>