[rpd] Decisions ... Abuse contact

[Ibeanusi Elvis]

Dear Community, 

Once more regarding this abuse contact policy or abuse-c, irrespective of the lack of a clear definition of what constitutes or entails an abuse, there is no guarantee that the abuse contact mail box will be routinely checked and the properly defined concept to determine if an abuse cases is valid and hence, take necessary action as pointed out by @Chloe. 

Similarly, despite this not being within the scope of the AFRINIC, members can be made to provide the abuse-c as part of the Whois registration process just like the admin-c and tech-c without necessarily making this “policy”. Also, @Patrick in accordance with your response to @Gaby on the possible consequences of no abuse-c provided, 

“This is no different in my opinion from not providing contacts for other required whois 
contacts. Someone posted the text for admin-c and tech-c. For new applicants if you don’t provide say an admin-c, it could
mean you don’t get resources. That would be the same for no abuse contacts. For existing holders you could lose your resources etc. I do not see the need to provide extra penalties for this. Note that this is just contact information. Not penalties for “abuse”. 

I believe that this is far too much and sounds more like blackmailing the members to comply with the abuse contact which i think is not necessary because by just adding this to the Whois registration procedure, the members will voluntarily comply or cooperate. 

Elvis 


> On Oct 3, 2020, at 02:10, Patrick Okui <pokui at psg.com> wrote:

> 

> Dear Chloe,

> 

> I’ll try to separate your message into individual contention points because otherwise it’s impossible to track where we are on each one.

> 

> #### 1. Consequences for not providing abuse-c.

> 

> I have dealt with this particular objection in a response to Gaby as seen here: https://lists.afrinic.net/pipermail/rpd/2020/011555.html <https://lists.afrinic.net/pipermail/rpd/2020/011555.html>

> The short version is, if we decide that this info is mandatory then it has the same consequences as not providing admin-c and tech-c. If this is a new request for resources, it gets denied. If it’s existing resources the holder runs the risk of having them reclaimed. AFRINIC would (as with all cases of violation of the RSA) liaise with the member to see they comply with this.

> 

> #### 2. Providing a contact that is not being read/responded to.

> 

> The text of the policy proposal we’re discussing is at https://www.afrinic.net/policy/proposals/2018-gen-001-d6#proposal <https://www.afrinic.net/policy/proposals/2018-gen-001-d6#proposal> If you read that you’ll see that part of this policy is exactly saying that

> 

> - The abuse contact can’t be some unattended destination.

> 

> - AFRINIC will periodically check that the contact is one that’s responded to.

> 

> - If someone complains that they didn’t get a response, then AFRINIC will check that and then either tell the person they seem to be mistaken OR get in touch with the member to update their abuse-c to something that is attended to.

> 

> #### 3. AFRINIC defining abuse so they can mediate in complaints.

> 

> This is finally your answer to the email I wrote earlier. I would not want AFRINIC to become a mediator in abuse cases. All AFRINIC needs to do is ensure they have the listed contacts for people to discuss. If the two people fail to agree they can fall back to filtering each other or court cases etc.

> 

> The only goal is to allow AFRINIC to specifically state that if you need to contact network X about a possible abuse case, then use the following email (that we’ve checked to be working). As a registry, that falls within their roles and mandate. Anything else would not.

> 

> #### 4. Use of this policy (mandatory contacts) minus AFRINIC abuse mediation.

> 

> - If you read point d. of Madhvi’s email at https://lists.afrinic.net/pipermail/rpd/2020/011534.html <https://lists.afrinic.net/pipermail/rpd/2020/011534.html> you will see that currently AFRINIC ends up responding to abuse complaints on behalf of members. It is not mentioned in that email but part of the reason is the parent objects have the AFRINIC abuse contact.

> 

> - If you read Frank’s post at https://lists.afrinic.net/pipermail/rpd/2020/010971.html <https://lists.afrinic.net/pipermail/rpd/2020/010971.html> you’ll notice he was detailing what someone could try in order to track down the person to contact for abuse. The original poster knew of this process and was asking if AFRINIC would help make it easier by getting people to publish abuse contact data.

> 

> This proposal addresses the above two points from the view of the RIR and from operators. As you’ve mentioned when operators get contacted they usually can sort things out. In many cases the “abuse” is unintentional from compromised or infected devices. Right now figuring out who to talk to to get a response from the operator is quite the process.

> 

> Note that Jaco also addressed some of your very concerns at https://lists.afrinic.net/pipermail/rpd/2020/011549.html <https://lists.afrinic.net/pipermail/rpd/2020/011549.html> in different words.

> 

> On 2 Oct 2020, at 17:48 EAT, Chloe Kung wrote:

> 

>  

> Dear Patrick,

>  

> I see your point and thank you very much. Before I respond to that, I just want to say it actually leads to my another reason for objecting this proposal for it doesn’t state what will be the consequences nor does it guarantee the abuse email will be checked on a routine basis. Then I think it will only become a meaningless policy.

>  

> If all Afrinic needs to do when it’s getting involved is to ask whether or not someone’s abuse contact responded, and should not be doing anything beyond that, then why would we even need this proposal ? The way I see it is that, I imagine abuse cases have existed and happened before, so if they really care, both the complainants and the complainees would already have a more effective way to do it. And for those who doesn’t really care, having this abuse contact set up mandatorily doesn’t not help.

>  

> Let’s say if now Afrinic is going to do just a little more than that, maybe giving a warning. Then I suppose they will at least have to look into the case ? And so under such circumstances Afrinic will need to have a clear/ defined concept to determine if the abuse case is valid and if further actions are needed ? Though I believe this is out of the scope of RIRs.

>  

> Best,

> Chloe

> From: Patrick Okui <pokui at psg.com>

> Date: Thursday, October 1, 2020 at 02:58

> To: Chloe Kung <chloe.kung.public at gmail.com>

> Cc: "rpd at afrinic.net" <rpd at afrinic.net>, Jaco Kroon <jaco at uls.co.za>

> Subject: Re: [rpd] Decisions ... Abuse contact

>  

> Dear Chloe, all, [response inline]

> 

> On 30 Sep 2020, at 17:53 EAT, Chloe Kung wrote:

> 

> Like for objection d; no proper definition of the term Abuse, there is still a need to address on it. Yes the proposal is about “building” abuse contact, but just like what Jordi has said, “ The policy only needs to state what the staff should evaluate and thus, what members should do”, if the definition of the word/ act of Abuse is not clear, how can the staff evaluate such action then? Let's say if they interpret those cases in their own different ways, it will not be fair to any of the parties nor would it be something we want I suppose. And there are high chance of having mis-interpretation too!

> 

> Note that we have a tech-c contact for technical issues. There is no definition of what constitutes ‘technical’ issues for a tech-c contact. The requirement in this proposal is therefore not to define abuse. The requirement is for the holder of resources to specify where abuse complaints (by the definition of the person complaining) should go. Validation is only that it is a working destination that is active.

> 

> If someone sends you non abuse (by your definition) to your abuse contact your response is simply “This doesn’t constitute abuse because XYZ”. XYZ can be as simple as “the laws in my country and my AUP don’t prohibit such behaviour” or “connecting to port 80 is how browsers work”. If someone escalates to AFRINIC the only thing AFRINIC will ask is “Did Chloe’s abuse contact respond?”. Beyond that AFRINIC should not get involved.

> 

> Please give an example of a situation where a complaint requires AFRINIC to describe abuse.

> 

> --

> patrick

> 

> 

> 

> --

> patrick

> 

> _______________________________________________

> RPD mailing list

> RPD at afrinic.net

> https://lists.afrinic.net/mailman/listinfo/rpd


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.afrinic.net/pipermail/rpd/attachments/20201003/6c838c5c/attachment-0001.html>