<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Hi,</p>
<p>Please refer my summary/take on the situation inline below.</p>
On 2020/09/30 16:13, Gaby Giner wrote:<br>
<blockquote type="cite"
cite="mid:CANuMXao_XEdWooN7WdvAdYZYGqr2egZkrHHpF-kLWwWVCnQiRw@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div>Hi Noah, Jordi, everyone,</div>
<div><br>
</div>
<div>I am confused. Everyone is raising the claim that there
are "invalid" objections and though I do not reject that
statement, it seems like it's being used here to
automatically dismiss the objections raised by the
community as for this policy. It was kindly summarized for
us by the Co-chairs, and just to get everyone up to speed,
here are THE objections to this policy:</div>
<div><br>
</div>
<div>
<p style="margin:0in 0in 8pt
0.5in;line-height:15.6933px;font-size:11pt;font-family:Calibri,sans-serif"><span
lang="EN-PH">6.<span
style="font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times
New Roman""> </span></span><span
lang="EN-PH">Abuse Contact Update</span></p>
<p style="margin:0in 0in 0.0001pt
1.25in;line-height:15.6933px;font-size:11pt;font-family:Calibri,sans-serif"><span
lang="EN-PH">a. </span><span lang="EN-PH"><i>Staff
analysis on how it affects legacy holder not
conclusive (not sure why this should affect legacy
holders)</i></span></p>
</div>
</div>
</div>
</div>
</blockquote>
<p>Legacy holders aren't held to the CPM, and nothing in the CPM is
binding on them. This is a problem as explained in the transfer
policy thread too. Effectively, we cannot prescribe anything to
legacy holders in any way, and as such, legacy holders cannot be
bound by this in any way.</p>
<p>My conclusion: invalid.<br>
</p>
<blockquote type="cite"
cite="mid:CANuMXao_XEdWooN7WdvAdYZYGqr2egZkrHHpF-kLWwWVCnQiRw@mail.gmail.com">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div>
<p style="margin:0in 0in 0.0001pt
1.25in;line-height:15.6933px;font-size:11pt;font-family:Calibri,sans-serif"><i><span
lang="EN-PH">b.<span
style="font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times
New Roman""> </span></span><span lang="EN-PH">The
proposal doesn’t state what will be the consequences
of one member fails to comply. Why are we creating
the abuse contact when there is no consequence for
not providing the abuse contact</span></i></p>
</div>
</div>
</div>
</div>
</blockquote>
<p>I just rechecked, I don't believe the CPM specifies consequences
for any other failures to comply, and as far as I know basically
refusal to comply can result in membership begin revoked, along
with issued resources, I may be wrong in this matter.</p>
<p>My conclusion: invalid.<br>
</p>
<blockquote type="cite"
cite="mid:CANuMXao_XEdWooN7WdvAdYZYGqr2egZkrHHpF-kLWwWVCnQiRw@mail.gmail.com">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div>
<p style="margin:0in 0in 0.0001pt
1.25in;line-height:15.6933px;font-size:11pt;font-family:Calibri,sans-serif"><i><span
lang="EN-PH">c. </span><span lang="EN-PH">Abuse
contact email and issues with GDPR concerning the
whois database.</span></i></p>
</div>
</div>
</div>
</div>
</blockquote>
jkroon@plastiekpoot ~ $ whois AS327767<br>
<p>...</p>
<p>this already contains a fair number of infomation covered by the
GDPR ... so please explain how an abuce-c is any different?</p>
<p>Please note: not saying this isn't valid, take for example whois
on the domain database where mostly everything is saying redacted
nowadays making any form of meaningful exchanges highly
problematic.</p>
<p>Conclusion: I don't think there is a problem here, but I'm not a
lawyer, not even in SA, never mind Mauritius where Afrinic is
incorporated.<br>
</p>
<blockquote type="cite"
cite="mid:CANuMXao_XEdWooN7WdvAdYZYGqr2egZkrHHpF-kLWwWVCnQiRw@mail.gmail.com">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div>
<p style="margin:0in 0in 0.0001pt
1.25in;line-height:15.6933px;font-size:11pt;font-family:Calibri,sans-serif"><i><span
lang="EN-PH">d. </span><span lang="EN-PH">No proper
definition of the term Abuse</span></i></p>
</div>
</div>
</div>
</div>
</blockquote>
<p>If I publish support contact details for my company - do I need
to publish a definition of the word support?</p>
<p>My understanding is that we've all agreed that the general
definition of what's abuse to me and to someone else will always
differ. We consider you running a port scan against our servers
abusive - yet we tolerate ~ 20 of those per day currently (some of
which we can link with so called penetration testing companies who
most definitely do not have the required permission). If someone
wants to raise to us that one of our customers is sending them
spam, sure, I'll take the complaint, I'll even acknowledge to you
and I'll pass it on to my customer. They can choose to react to
you or not, and if not, you're free to take them to court over the
matter (probably, you'll have to unfortunately issue a summons
against us to release those details to you if it's not easily
deducible from your side because else I run into POPIA / GDPR
issues on my end). Specific example would be a violation of our
AUP so we would take more direct action.<br>
</p>
<p>Point is, no, I don't think the definition of the word abuse is
important, you would not think twice about publishing a definition
for support in order to publish a support contact to your
customers. You'd simply reply to them telling them that this is
outside the scope of the support rendered to them, so in this case
you can either choose to ignore, or to respond similar.</p>
<p>The problem I see with defining abuse is that we end up condoning
any action initiated from any of the Afrinic member's network
that's not specifically set as abuse in whatever definition we
come up with. Let's go very extreme, hacking into a military
network for the purposes of launching a nuke. Obviously that'll
be under "unlawful actions", which will probably be listed as
abuse in any definition of the word. But what if a specific
country has no laws against hacking?</p>
<p>My conclusion: I understand the sticky point, but I don't think
it makes one bit of difference whether such a definition is
published or not. As such, I don't understand what relation of
the word *abuse* has when dealing whether an abuse *contact*
should be published. It's about the contact, not the abuse.<br>
</p>
<blockquote type="cite"
cite="mid:CANuMXao_XEdWooN7WdvAdYZYGqr2egZkrHHpF-kLWwWVCnQiRw@mail.gmail.com">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div>
<p style="margin:0in 0in 8pt
1.25in;line-height:15.6933px;font-size:11pt;font-family:Calibri,sans-serif"><i><span
lang="EN-PH">e. </span><span lang="EN-PH">To force
members to reply to their abuse email is not in the
scope of AFRINIC.</span></i></p>
</div>
</div>
</div>
</div>
</blockquote>
<p>I don't believe that anybody said that (we would like you to
respond, even if at least to tell me off for sending you an abuse
complaint for something that you don't consider abuse). I believe
that what is stated is that Afrinic should validate that the
mailbox is valid/active, specifically, comply with proposed 8.4,
so in 8.5:</p>
<p><span style="color: #ff6600;">AFRINIC will validate compliance
with the items above, both when the "abuse-c" and/or
"abuse-mailbox" attributes are created or updated, as well as
periodically, not less than once every 6 months, and whenever
AFRINIC sees fit.</span></p>
<p>I suspect your concern is 8.4, point 2 (bullet number 4) "<span
style="color: #ff6600;">abuse reports receive a response.</span>"
- this doesn't preclude an auto responder. Perhaps some rewording
of 8.4 might be in order to clarify the point, but I do believe
that a validation of the mailbox to confirm it's at least
operational is in order.</p>
<p>What I would be more concerned about is the definition of
regularly - does this mean daily? weekly? monthly? hourly? It's
fairly much implied at least once in two weeks considering that
the validation period is 15 days (and there might be some
ambiguity here in the text now that I re-read it again, my
interpretation is that from the point where the validation email
is sent, there is a period of 15 days in order to respond and thus
validate the aliveness of the mailbox, it may be possible to
interpret this as Afrinic could require you to validate in an
arbitrary time as long as said arbitrary time is less than 15
days, say 15 minutes, this clearly isn't the intent though).</p>
<p>As I understand, our lack of publishing of this currently results
in the behaviour described in 8.6 anyway. In other words -
Afrinic staff currently has to deal with the lack of abuse-c in
our objects. This just gives Afrinic something to slap members on
the wrist with if someone escalates to them anyway, an action
outside of our control. This just gives Afrinic a response
towards the member ("hey, does your mailbox work?") and the
complainer ("We have verified the contact is in working order,
plainly they don't consider your issues abuse, thank you, good
bye"), whereas currently they need to actually deal with this (I'm
sure there will still be cases they do need to deal with).</p>
<p>I'm inclined to ask what's the point of having an abuse contact
that's completely non-responsive?<br>
</p>
<p>My conclusion: This might be a wording issue more than a
fundamental objection, maybe not.<br>
</p>
<p>Obviously we want validation of contact addresses, so could you
please propose alternate text/concepts that can be used here then
for 8.4 through 8.6 that would be better suited?<br>
</p>
<blockquote type="cite"
cite="mid:CANuMXao_XEdWooN7WdvAdYZYGqr2egZkrHHpF-kLWwWVCnQiRw@mail.gmail.com">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">Okay, people have addressed several concerns
such as A, C, D but I think B and E deserve to be raised up
as well because (and maybe it is just me being overwhelmed
with the barrage of emails lately) I haven't read enough
rebuttal for these points. Even if one were to consider that
they are not valid objections, one could not steamroll the
policy into last call immediately without addressing the
entirety of the summarized objections from the community
discussion by saying that every objection is invalid.<br>
<br>
</div>
<div dir="ltr">Gaby</div>
<br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Wed, Sep 30, 2020 at 9:23
PM Noah <<a href="mailto:noah@neo.co.tz"
moz-do-not-send="true">noah@neo.co.tz</a>> wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div dir="ltr">
<div>
<div dir="ltr">
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div><br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Wed, Sep 30, 2020 at
9:20 AM Madhvi Gokool <<a
href="mailto:madhvi@afrinic.net" target="_blank"
moz-do-not-send="true">madhvi@afrinic.net</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div>
<p>Dear Frank/Community members</p>
<p><br>
</p>
<p>a) In the Impact Assessment, staff assumed that the
policy will not impact the legacy resources in the
AFRINIC whois database and requested the authors to
confirm that this is so. AFRINIC staff needs to
keep this in consideration at the time of
implementation(myafrinic and whois business rules) -
abuse-c mandatory for non-legacy resources. Staff
were therefore satisfied with this confirmation and
had not indicated otherwise to the co-chairs and
community in the session.<br>
</p>
<p>b) "AFRINIC is bound by the Mauritian Data
Protection Act 2017 (inspired by GDPR). For more
information on AFRINIC's Privacy Policy, click on
the following link - <font color="#000000"><a
href="https://www.afrinic.net/privacy"
target="_blank" moz-do-not-send="true">https://www.afrinic.net/privacy</a>.
Thus, implementation of the abuse-c will not
impact negatively on AFRINIC's data protection
obligations."</font></p>
<p>c) The only policy that affects the legacy resource
holders is documented in Section 5.7 of the CPM -
and it regards transfers of legacy resources.
Legacy Holders are not bound by any other resource
policies. <br>
</p>
<p>Staff therefore will confirm with the authors that
their policies do not affect legacy resources ,
especially when implementation will be done on the
whois database. This is to ensure that the
implementation does not negatively impact how the
legacy resource holders manage their resources on
the whois database. <br>
</p>
<p>d) In the Policy Implementation Experience Report
during AFRINIC-32/AIS'20 , staff have pointed out
that Section 8 of the CPM does not enforce a
mandatory abuse contact . They also mentioned that
they are having to respond to an increase in
complaints regarding missing abuse contacts in the
number resources in the AFRINIC whois database and
that operators have warned that they will filter the
resources with no abuse contacts. Staff are
therefore doing the work for the members , as they
are bound to respond to any queries that are logged
with the AFRINIC service desk. This situation is
not scalable in the long term & AFRINIC invites
the community to also ponder on this feedback.</p>
</div>
</blockquote>
<div><br>
</div>
<div>Madhvi thanks for all the clarifications beyond the
staff assessment.</div>
<div><br>
</div>
<div>Clearly this proposal had no valid objections, yet it
was tossed back to the list based on invalid definitions
arguments as though we are all not internet folk to
understand what <b>abuse-c</b> really means.</div>
<div><br>
</div>
<div>Can we move forward to the last call now.</div>
<div><br>
</div>
<div>Cheers,</div>
<div>Noah</div>
</div>
</div>
_______________________________________________<br>
RPD mailing list<br>
<a href="mailto:RPD@afrinic.net" target="_blank"
moz-do-not-send="true">RPD@afrinic.net</a><br>
<a href="https://lists.afrinic.net/mailman/listinfo/rpd"
rel="noreferrer" target="_blank" moz-do-not-send="true">https://lists.afrinic.net/mailman/listinfo/rpd</a><br>
</blockquote>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
RPD mailing list
<a class="moz-txt-link-abbreviated" href="mailto:RPD@afrinic.net">RPD@afrinic.net</a>
<a class="moz-txt-link-freetext" href="https://lists.afrinic.net/mailman/listinfo/rpd">https://lists.afrinic.net/mailman/listinfo/rpd</a>
</pre>
</blockquote>
</body>
</html>