[rpd] Decisions ... Abuse contact

[Patrick Okui]

Dear Chloe,

I’ll try to separate your message into individual contention points 
because otherwise it’s impossible to track where we are on each one.

#### 1. Consequences for not providing abuse-c.

I have dealt with this particular objection in a response to Gaby as 
seen here: https://lists.afrinic.net/pipermail/rpd/2020/011555.html

The short version is, if we decide that this info is mandatory then it 
has the same consequences as not providing admin-c and tech-c. If this 
is a new request for resources, it gets denied. If it’s existing 
resources the holder runs the risk of having them reclaimed. AFRINIC 
would (as with all cases of violation of the RSA) liaise with the member 
to see they comply with this.

#### 2. Providing a contact that is not being read/responded to.

The text of the policy proposal we’re discussing is at 
https://www.afrinic.net/policy/proposals/2018-gen-001-d6#proposal If you 
read that you’ll see that part of this policy is exactly saying that

- The abuse contact can’t be some unattended destination.

- AFRINIC will periodically check that the contact is one that’s 
responded to.

- If someone complains that they didn’t get a response, then AFRINIC 
will check that and then either tell the person they seem to be mistaken 
OR get in touch with the member to update their abuse-c to something 
that is attended to.

#### 3. AFRINIC defining abuse so they can mediate in complaints.

This is finally your answer to the email I wrote earlier. I would not 
want AFRINIC to become a mediator in abuse cases. All AFRINIC needs to 
do is ensure they have the listed contacts for people to discuss. If the 
two people fail to agree they can fall back to filtering each other or 
court cases etc.

The only goal is to allow AFRINIC to specifically state that if you need 
to contact network X about a possible abuse case, then use the following 
email (that we’ve checked to be working). As a registry, that falls 
within their roles and mandate. Anything else would not.

#### 4. Use of this policy (mandatory contacts) minus AFRINIC abuse 
mediation.

- If you read point d. of Madhvi’s email at 
https://lists.afrinic.net/pipermail/rpd/2020/011534.html you will see 
that currently AFRINIC ends up responding to abuse complaints on behalf 
of members. It is not mentioned in that email but part of the reason is 
the parent objects have the AFRINIC abuse contact.

- If you read Frank’s post at 
https://lists.afrinic.net/pipermail/rpd/2020/010971.html you’ll notice 
he was detailing what someone could try in order to track down the 
person to contact for abuse. The original poster knew of this process 
and was asking if AFRINIC would help make it easier by getting people to 
publish abuse contact data.

This proposal addresses the above two points from the view of the RIR 
and from operators. As you’ve mentioned when operators get contacted 
they usually can sort things out. In many cases the “abuse” is 
unintentional from compromised or infected devices. Right now figuring 
out who to talk to to get a response from the operator is quite the 
process.

Note that Jaco also addressed some of your very concerns at 
https://lists.afrinic.net/pipermail/rpd/2020/011549.html in different 
words.

On 2 Oct 2020, at 17:48 EAT, Chloe Kung wrote:


> Dear Patrick,

>

> I see your point and thank you very much. Before I respond to that, I 

> just want to say it actually leads to my another reason for objecting 

> this proposal for it doesn’t state what will be the consequences nor 

> does it guarantee the abuse email will be checked on a routine basis. 

> Then I think it will only become a meaningless policy.

>

> If all Afrinic needs to do when it’s getting involved is to ask 

> whether or not someone’s abuse contact responded, and should not be 

> doing anything beyond that, then why would we even need this proposal 

> ? The way I see it is that, I imagine abuse cases have existed and 

> happened before, so if they really care, both the complainants and the 

> complainees would already have a more effective way to do it. And for 

> those who doesn’t really care, having this abuse contact set up 

> mandatorily doesn’t not help.

>

> Let’s say if now Afrinic is going to do just a little more than 

> that, maybe giving a warning. Then I suppose they will at least have 

> to look into the case ? And so under such circumstances Afrinic will 

> need to have a clear/ defined concept to determine if the abuse case 

> is valid and if further actions are needed ? Though I believe this is 

> out of the scope of RIRs.

>

> Best,

> Chloe

> From: Patrick Okui <pokui at psg.com>

> Date: Thursday, October 1, 2020 at 02:58

> To: Chloe Kung <chloe.kung.public at gmail.com>

> Cc: "rpd at afrinic.net" <rpd at afrinic.net>, Jaco Kroon <jaco at uls.co.za>

> Subject: Re: [rpd] Decisions ... Abuse contact

>

>

> Dear Chloe, all, [response inline]

>

> On 30 Sep 2020, at 17:53 EAT, Chloe Kung wrote:

>

> Like for objection d; no proper definition of the term Abuse, there is 

> still a need to address on it. Yes the proposal is about 

> “building” abuse contact, but just like what Jordi has said, “ 

> The policy only needs to state what the staff should evaluate and 

> thus, what members should do”, if the definition of the word/ act of 

> Abuse is not clear, how can the staff evaluate such action then? Let's 

> say if they interpret those cases in their own different ways, it will 

> not be fair to any of the parties nor would it be something we want I 

> suppose. And there are high chance of having mis-interpretation too!

>

> Note that we have a tech-c contact for technical issues. There is no 

> definition of what constitutes ‘technical’ issues for a tech-c 

> contact. The requirement in this proposal is therefore not to define 

> abuse. The requirement is for the holder of resources to specify where 

> abuse complaints (by the definition of the person complaining) should 

> go. Validation is only that it is a working destination that is 

> active.

>

> If someone sends you non abuse (by your definition) to your abuse 

> contact your response is simply “This doesn’t constitute abuse 

> because XYZ”. XYZ can be as simple as “the laws in my country and 

> my AUP don’t prohibit such behaviour” or “connecting to port 80 

> is how browsers work”. If someone escalates to AFRINIC the only 

> thing AFRINIC will ask is “Did Chloe’s abuse contact respond?”. 

> Beyond that AFRINIC should not get involved.

>

> Please give an example of a situation where a complaint requires 

> AFRINIC to describe abuse.

>

> --

> patrick






--
patrick
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.afrinic.net/pipermail/rpd/attachments/20201002/f5627a43/attachment-0001.html>