These are unedited transcripts and may contain errors.
Anti?Abuse Working Group on Thursday, 27th of September, 2012, at 2 p.m.:
BRIAN NISBET: Hello and welcome to the RIPE 65 Anti?Abuse Working Group session. Obviously, the rest of the hoards will come in over the course of the session and I do hope you are all awake and alert after lunch.
I am Brian Nisbet, my co?chair is Tobias, we have quite a full agenda today, I am not going to guarantee right now that you will have a full coffee break. We will do our best but there are some very interesting topics and some topics I am fairly sure will engender some discussion so it's ?? we won't be able to possibly allow people to talk forever and so ever we may have to be very strict on that, depending on the timing.
What do I have: I have an agenda. So, thank you to the NCC folks who are doing the scribing, to the wonderful Stenography, without whom I would be lost on a regular basis. If you want to say something on the microphone, please state your name and some manner or class of affiliation, but as we all know from this week that affiliation can be some random guy from off the street. Minutes for RIPE 64 have been sent out. I think there might have even been a comment which we correct. Any other comments on the minutes of RIPE 64? No. OK. Good.
So, they are finalised. And there have not been any late submissions for the agenda, so unless anybody has anything they want to flag now for AOB, then and we only have the one session so it's not like that we can do what AP did this morning by moving things around.
So, I want to talk about some recent list discussion, which we have had. So 2011?06 will be discussed a little later but there was a mail this morning which will be talking about later in the agenda. CleanIT and the NGRI stuff, that's something we will discuss at the appropriate agenda item. The data verification, which ?? is that actually what I meant or did I mean something else? I think I might there have actually meant the data privacy, I don't know why I wrote "verification" in that particular way. This is in relation to the legal structure for the RIPE database privacy, the abuse information, all of that, which the community asked for and which we will be talking about a little later on so there isn't anything from the list that I think we need to discuss now.
So unless somebody thinks differently or it won't be covered by the agenda? OK. Good.
So, we have some updates. So, first up, I'd like to ask But and Michl from the CleanIT project to present.
BUT KLASSEN: Thank you, Mr. Chair. This is my second opportunity for ?? thank you, again, thank you, too. This is my second opportunity to present here the CleanIT project in this Anti?Abuse Working Group and I am again very grateful for this.
It has been a special week for me, for the first time in my life I received very unfriendly e?mails and tweets, people that I don't know accused me of destroying something I believe is one of the prettiest benefits of modern society, they accused me of destroying the Internet. A result I think of the CleanIT project and it started when European Digital Rights Organisations published a so?called leak document, I think you all know about it, but for those who don't know what happened, I will explain.
But in the first place, let me say I am a believer, I believe in the freedom of speech and in my opinion, the freedom of speech is one of the core values of our society and one we should always protect. I believe in this core value and I take every possible care that the freedom of speech is also a core value within the CleanIT project. Every input, every comment, every idea, is handled equal and respectful. We do not sensor the input we receive from participants or others. Everyone is allowed to express their view.
And secondly, I also believe in innovation because it can contribute to a bit better, quicker and less expensive practices and organisations, but innovations requires an environment where you feel safe to experiment. It needs a trusted environment where ideas are welcomed even when it's still unclear if they will prove to be good or bad. I would like to emphasise that, still, if it's unclear, if it's good or bad ideas, such an environment should exist, and it should be no problem the ideas will lead to not feasible end results. If you never try, you will never know.
The best solution might be found only off the five, six, seven, eight or ten failed attempts. Now, those two angles, they come together in CleanIT project. We collect all the input we get and structure it and we give them the production of trusted environment where advantages and disadvantages are discussed. This is the first step in our drafting process.
The second step is to discuss these ideas in small Working Groups. In these groups, the issues are discussed in more detail. The results of these expert discussions will be provided to a plenary session and that plenary session is the third step. In the plenary session, we do our best to bring together a balanced participation on governments, industry and civil society, in the hope that this will lead to balanced results. During this plenary session, good ideas are improved, bad ones are deleted. And then we have the fourth step. And that's where the project team drafts a new version of the document and checks with all participants if they agree with the changes we made.
And then the fifth step is the project published is draft on the website. And it's open for comment by the public. And then this cycle begins again after each meeting again, and now we work through this for three ?? four times, I think.
Now, by the time that the project nears end, we aim to have one document supported by all participants, and then we will have this final document that consists of three parts. We have a preamble, where the problem is described, and in this case it is the use or the abuse of the Internet for terrorist purposes. Secondly, a set of general principles endorsed by all participants, and please do note this does not mean that the principles are legally binding because we have a non?legislative approach. And in the third place a list of best practices to be implemented on a voluntary basis.
So, let me emphasise again that the end result of this project can never have ?? can never be binding in any way.
Now, what the European Digital Advice Organisation, what did they publish, they publish documents that we use to capture the discussions in the first two steps that I described. We used this document to avoid all previous discussions being lost. If in this document you read somewhere that there is consensus, it means that the consensus was reached only in those small groups. And the proposals still have a long way to go before it ends in the final document.
Now, the reason we did not publish this document and we don't do it, is that it does not have a formal status, it is continually changing, and without the proper context, people might actually think we do want to destroy the Internet. Compare it with a cook preparing his dinner, he spends the afternoon in the supermarket choosing his ingredients, some he will choose and others not, he might go to another shop. At this stage it's really impossible to conclude what the menu will look like and how the food will taste. That's why we don't publish and based on this document you cannot conclude in which direction project is heading and it is not a secret document. Everybody may read it as long as we are able to explain the proper context.
And without this context publishing will only lead to misunderstandings.
Now, if we were to publish it, the third thing I would do is change the title. A better title at this stage would be "suggested practices that we don't agree upon yet." And maybe a subtitle "food for thought" or something. So, many people now say we should be fully transparent, and I personally, I think this might be the CleanIT project might be the most open and transparent counter?terrorism project there is in the world. I wonder if there any other counter?terrorist projects that are so open and puts private sector in such a strong position. But in a way they are right. We are not 100% transparent; there is some delay in what to publish, and we cannot be for 100% transparent for privacy reasons. This is more a general discussion and I open for debate on this matter.
Now, let me conclude by underlining once more that the CleanIT project does not aim to limit Internet freedom. We are trying to create a constructive dialogue about very complex issues and I believe we can only come to more understanding if law enforcement, academics, policy makers, the industry, the technology sector, the NGLs and civil society meet together in balanced society and with open mind and that's how CleanIT works.
Now, our group will publish a new draft document within a few weeks. You are, again, very welcome to comment on it, and I sincerely hope this new draft document will get the same attention as the leaked document has. Thank you very much and I am ready to take any questions.
BRIAN NISBET: Thank you very much. So, please.
AUDIENCE SPEAKER: I am Anto from former Soviet Union, or should I say from the great IT country, Estonia. It's a little bit unclear for me how is it possible that some club will decide on fundamental rights which must be defined by law, and I don't understand how is it possible to prohibit the usage some languages. I don't know what language will be proposed, Arabic or Estonian. My problem is how you succeeded to involve people making such kind of proposals. Thank you very much.
BUT KLASSEN: I don't really catch your question, you have a question on language?
BRIAN NISBET: Myself and Anto have spoken about this during the week, if I could possibly help you with the understanding of the question and please, Anto, tell me if I am wrong here. Obviously, we have some examples from the brainstorming from the small group discussions, one of which was discussing or certainly the one that was said, was about enforcing language use in certain circumstances on the Internet. And I think the question is: Some of those suggestions were on the outer edge of what this community would consider to be certainly be technically feasible if nothing else, and so the question, there are people who are making those suggestions, how did they get involved? Is that the bulk of people who are involved?
BUT KLASSEN: We don't keep track who came up with which idea. So it's well possible that there was one idea that was in the small discussion group, it's possible that it came from the public. I have to ask, I really don't know if we can find out. But anyway, these are ideas that just explained are in consideration, they came to us, we want to have a discussion about advantages and disadvantages, and if it's legally not possible then it's very simple, it will never get to the end stage. That's it. So...
DANIEL KARRENBERG: Just another guy off the street. See, the problem that you are having is on the one hand, saying oh, this is just some ideas; on the other hand you have this blue and yellow thing on the left top. See, and that's what is getting people worried. I can sort of ?? I have my ears around this crowd, and what I keep hearing is they tried child porn, now they are trying terrorism. Number one. Just giving feedback, it's not a question, it's just feedback. The other thing is we had a discussion, just to relate anecdotally on Monday, where someone from Denmark was saying "I run a grassroots thing that let's people get around some filtering that's implemented in Denmark." And during the whole discussion, somebody just asked, you know, aren't you sort of doing something illegal? And he said no, it's not ?? the filtering that happens in Denmark is not really based on the law; it's based on an agreement that voluntarily the ISPs in Denmark, meant all of them, sort of entered into. Again, this reeks a little bit of that, and what you have here in this room are sometimes the people from the engineering community who, in other countries, have successfully resisted this, like in Germany for instance, where the same thing was tried and some people put their backbone up. So, I think it's very good that you come and engage, but I think the fact that you are taking there it's all informal, it's not going to build confidence. That's what I wanted to say as a guy off the street. So I think you should be a little bit more concrete.
BUT KLASSEN: Yes, but ?? if you allow, I would like to react because it's not how it's all informal, that's not the issue. The issue is, that we ought to have an open dialogue and that's where the project is about. If you read the project proposal we submitted, it is a process, it is a process for having a dialogue between different stakeholders in a multi?stakeholder environment, and this is very rare. Actually, there is one kind of conference I know where this really happens and that's the IGF and the Eurodig conference, there we found many, many stakeholders to getting in discussion. We tried to do this with a balanced group and have an open and constructive dialogue. That's what we try. And I don't see why that is as ?? as a idea why that should be a problem. And one more thing. I do fully understand that these ?? there are a lot of misunderstandings about that. I am totally agree with you. Especially the yellow flag and seeing just as discussion document, where we say, we are going to filter whatever, yeah that confuses people, exactly that's why we didn't publish it in the first place.
AUDIENCE SPEAKER: David Freedom. Thank you for coming here to talk to the group, which is not something that is always done, if we have these kinds of debates. I have two questions, the first is concerning the process if you follow this and all the steps are communicated in as broad a manner upfront, timely, to everybody, then that would be great; the problem is I think, me and many other people in this room have been around the block a few times and we have seen recently with ACTA and a decade ago with software patterns in Europe that initially when people got hold of documents and they became very worried about the contents of them and started to ask questions they got the answer yes, but we are still discussing so your comments are too early. And then suddenly something happened and we were told no, no, now it's locked in so now your comments are too late. Many people will be a bit scared going from the place where we are still talking about it so it's not official, to the state, yes, but it's now in the official EU process so you have to call MEP to comment, that the switch will be made and people will miss it and so this is not because we think you are necessarily without honour but it's because this has happened several times before in the last decade so people are concerned about that. I think it would be very good if you would be as proactive as possible in just communicating the dates in which these five phases are going so that people can make sure they have comments in on time. That's on a process.
The other thing is about the text. I didn't know I was going to be here 24 hours ago so did I some more reading ton this morning and contacted some former intelligence service people this morning on what they thought about the text and there were two comments I got back on the text within 30 minutes and the first said oh, just like MI5 and the CIA they don't seem to have an actual definition about terrorism. So it could mean pretty much anything. In the UK now if you protest the building of coal plant you are labelled as a domestic extremist and all terrorist laws can be applied to you and your family which is not very nice. The old thing seems to be we go from fighting terrorism to much more general economic crime in one fell swoop which is also how the post?London bombing laws in Europe are now applied to much more than just terrorism under whatever definition but now used for other sort of much less danger crimes that are ?? that don't threaten society. So that's a big concern.
The last e?mail I got back that says if you take the opening piece of text and replace Al Quaeda with the Pentagon, it sentence still works, and of course the Pentagon has killed about a hundred times more people than Al Quaeda in the last ten years, so this is a bit worrying about what is the problem that you are trying to solve here.
BUT KLASSEN: Yes, thank you very much. About the process, in the first place, your comments are not too late, and you say and your commenting not too early. We ask that every time we publish it on a document, we send it to our participants and invited them to comment, we invite them to forward other people to comment, so it has been open for comments all the time. Now, we are getting very much comments, actually. And I am also grateful because much of them are very useful so we have quite some work to look for all the blocks and articles to see what we can ?? but we ask for it from the beginning so it's not ?? we are just not like ACTA, having our own process; we try to be as much in contact with the community as we can.
In the second place, about what is terrorism and what is not, that's a question actually I expected, and I think I have a sheet about this. I explained it also I think in the last time I was here at the Anti?Abuse Working Group. We projected the Internet in kind of three layers, idealogical websites, often illegal websites but not always, and the social media top level what we see as terrorist use of the Internet, is not that it will be used as a weapon but more used as a resource for their normal daily activity.
As you can see here, it's about spreading violent material, about clarifying violence, spread terrorist attacks and training manuals, plan and organise deadly attacks, that's in deep web part. This is the kind of use we are looking for. The effect, it's a kind of propaganda mechanism process going in opposite directions. That's the phenomenon we face as counter?terrorism, in the fight against terrorism, and we just stick to the definition from the European Community, which is stated in our document. If you are saying we can replace terrorism by child pornography, whatever, theoretically, it can, I am not sure it would be the same kind of text. It is more or less pragmatic choice to do this for counter?terrorism because this is where I work, the project that was predecessing us was about counter?terrorism which was 100% closed, EU restraint, we tried to make it more open process, that's what we are doing now. Definitions about terrorism, we are also working to make it as clear as possible in a document we have.
BRIAN NISBET: Jim.
JIM REID: Thank you, just another guy that has wandered in off the street. I think we have to be careful when we are trying to do things in this area because of potential bounding conditions and the processes that are used. I think everyone grease that things have to be done to prevent terrorist analysis of bad things, child porn, money?laundering whatever, how are those proses and procedures used on a day?to?day basis and there is always a concern about mission creep and that's something I worry about quite a lot. I will give an example: In the UK context, which is not specifically about terrorism, there was a law passed which was to do primarily with information about telephone calls and things of that nature, but those powers could be used by other parts of government and local authorities and other public bodies for other purposes which was not what the scope of the act was about, powers to check that people were really living where they say they were in order to get kids into particular schools because they were in a nice neighbourhood or getting their bins emptied properly and powers being used for that. My concerns was for these noble purposes like counter?terrorism, could start to get abused either deliberately for other purposes and the scoping and bounding conditions are clearly laid out, there is always potential for that mission creep and what way the concerns about human rights.
BUT KLASSEN: In essence you are touching the item of trust, can you trust the government in doing this.
JIM REID: It's partly trust but what can do you about it if you think those powers are being misused, where are the audits and controls.
BUT KLASSEN: Very short reaction. I would like to be an ability to change the public image about trust in government but that's far beyond my possibilities but I totally agree that this is a very important issue and one thing we try, I don't know if we succeed but we try to gain more trust by doing a counter?terrorism project in as open as we can at the moment so we hope it will gain trust by make publications on?line available every two months and so you can see your progress, that's what we hope anyway. But point taken. Thank you.
BRIAN NISBET: We are massively over the time I allocated to this. Two people and then we have got to close it.
AUDIENCE SPEAKER: I am from Russian Federation. I have some short questions. How many terrorists acts have been prevented in Netherlands last years?
BUT KLASSEN: Sorry, I didn't catch the ??
AUDIENCE SPEAKER: You are from counter?terrorists?
BUT KLASSEN: I am from national ? for counter?terrorism in the Netherlands and Ministry of Security and Justice ??
AUDIENCE SPEAKER: I am from country which you do not think very democratic and open and so on, and I am glad to see this slide because we have a fresh example of counter?terrorism prevention in Russia, exactly by this slide. Some students was sued and jailed for preparing a terrorist act against Putin, but the most interesting thing that they have been catched on forums on Internet, they really made an explosives, but once they decided not to make ?? that explosive stops but they got catched because they were watched. And the most interesting thing, that the guy who was propaganding them to make terrorist attack wasn't found. Do you ?? do you believe that somebody who for some months explained how to make an explosives in Internet wasn't found? Who believes? No one. It's Russian law enforcement agency tradition to provicate. So, I beg you here in Europe don't trust counter?terrorists, because they are trying to overrule Internet.
BRIAN NISBET: We are very, very tight on time here so ??
BUT KLASSEN: Freedom of speech, so...
SANDRA: RIPE NCC I am doing the monitoring, I have three questions, I don't know if I can ask the three of them.
BRIAN NISBET: You really can't unfortunately.
BUT KLASSEN: The most important one.
AUDIENCE SPEAKER: I will ask the first one in line. So that will be Alex Sander: How many terrorist acts have been prevented in ??
BRIAN NISBET: That was already asked.
AUDIENCE SPEAKER: I will go to the second in line, which is also ?? so from Arian access roll, can you list some of the participants which have been reached out to in the creation of this document?
BUT KLASSEN: Yes, we stated on our website, we have created can web page anyway so if you go to our website, you will find a tab partners and participants and there wave list with government partners and civil society and what we do, we ask the partners if they are OK with them that we publish their names and if they say yes, we publish them, so visit our site and there is your answer.
BRIAN NISBET: I linked to that particular page in a thread last week, or possibly this week, in relation to the point that the participants, the statement on the page, the participants by participating do not state that they agree with the document, etc..
BUT KLASSEN: Exactly. And at this point, because we did start the process of commitment, we will start after our last conference, so this is ?? this participation means exchange and ideas, not more on that, and if they agree with the document in the later phase it will never be a binding document, as I already explained.
BRIAN NISBET: I think there is a lot more to discuss and talk about but unfortunately we are out of time for today. So thank you very much gentlemen and thank you for your participation.
So moving swiftly along, yes, thank you very much for doing my job for me better than I can. So now a report from the RIPE NCC on data protection report, this is in relation to, as I said, the community asked for more information for the legal underpinning of some of the work the data Protection Task Force did and the current requirement requiring ?? thank you very much.
ANTHINA FRAGKOULI: Thank you very much, I am the legal counsel of the RIPE NCC. And I am going to talk about the data protection report, it's not published yet this report but it's going to be published very shortly.
What is this report? It is a description of the data protection legal framework, we have to comply with. And it's also a description of the way the RIPE NCC has complied to this framework. In relation to many services, most importantly with the RIPE database and of course other services, this work is mostly done by the data Protection Task Force in the period between 2006 and 2010, so it was a very time?consuming process, it was a transparent process. There was a dialogue between the task force and the community through the Database Working Group. So, the question is, why are we talking now about data protection and this work? That has been done? In the RIPE NCC, we realise more and more the need of a clear documentation of our procedures, of our activities, why we do what we do. So we realised that such a report can be part of this project of the governance documentation project. Since 2010, there have been more participants, new participants in the RIPE community and as transparent as this process was back then, this new participants did not have the opportunity to follow it back then.
Also, we have since then new rules, we may have new services, so it would be a good idea to have like a good point of reference to create this report so that everyone knows why some decisions have been made and so on. There is a documentation, there has been documents created from the task force but there is no reference to the legal framework and there have been like high level reports so here, we are also providing more details to that.
So the report first describes the legal framework and then goes into details on how this legal framework has been implemented. Now, the legal framework, as, you know, the RIPE NCC is an association under Dutch law so Dutch law is the law we have to obey. Now, the Dutch data protection act is the law that talks about the processing of personal data. And it gives some definitions that are very useful, that I think it's ?? it's good that we all know what exactly we mean when we are talking about like personal data and so?and?so that we all have the same point of reference, so personal data under the Dutch act is information relating to identified or identifiable persons. So information that leads directly to the identification of persons or indirectly.
Processing of personal data can be the collection, the storing, the modifying, deleting and so on. This is the process. The responsible party is known in other jurisdictions as the data controller, and under Dutch act, this is the responsible party, the party that ?? the person that determines the purpose of the process and the means of the process, and of course the data subject, that's the person that ?? the person data relates to.
Now, what is this processing, what are the rules that the process have to follow? Collection of personal data should have a specific purpose, an legitimate purpose and any process of this collected personal data should be compatible to this purpose.
Personal data should be maintained up?to?date, should be correct, and should be kept for as long as necessary, after that it should be deleted.
Accordingly, the data subject has several rights. That subject should be informed of this purpose and should agree with this collection of its personal data. What we called informed consent. And of course, the data subject has the rights to correct their personal data or to delete their personal data. Now, the person that is responsible to inform the data subject or to delete the personal data on the request of the data subject, is a responsible party.
So, this is, in a few words, the legal framework we have to obey to.
Now, how we have implemented this legal framework in the RIPE database. Personal data in the RIPE database. Do we have personal data in the RIPE database? Yes, we do, we have contact details of individuals. Processing of personal data, what is the purpose of it, why do we have this personal data there? The reason we have personal data there is that we need one person responsible for the communication for a network in case something goes wrong, so one person has to be available and reachable in case there is an abuse report or troubleshooting purposes and so on. That's the purpose why we have personal data in the database.
Now, the responsible party. That was a challenge because, yes, the RIPE database is maintained by the RIPE NCC, but the purpose is not ?? not determined by the RIPE NCC but by the RIPE community. Also, the personal data are not inserted in the rape database by the RIPE NCC, so yes, we have, by default, there is the responsibility; however, in the RIPE database there are maintainers of this personal data, so we have this attribute, the the maintained by attribute that shows the person that's indeed responsible for certain object and for the personal data that are in this object, so what the solution was to make this maintained by attribute mandatory and to shift the responsibility from the RIPE NCC to this person, the maintainers for the personal data they are responsible for.
Now, the data subjects. What are the rights of the people who have their personal data published in the RIPE database? They have to be informed of the purpose of this process of their personal data. This purpose is specified in the RIPE data terms and conditions, and now, after the collection of their personal data, how we make sure that users will use this personal data in accordance to this purpose, the users have to agree to process this personal data in accordance with the RIPE database terms and conditions. Also, there was a procedure created for the removal of the data of this personal ?? yes, sorry ??
AUDIENCE SPEAKER: This is Shane Kerr. Can you go back a slide? So I know that's a really hard problem, I totally agree with your analysis there; it's not clear to me that "MNT by" is the right mapping, what does it say about what the responsible party is? The person that determines the purpose and means of processing. Certainly the "MNT by" is the person who inputs the data and has control over it, but when I go to buy an airline ticket I am the person that types in that information and has control for it. I am not really responsible for the way this law seems to indicate.
ANTHINA FRAGKOULI: That is correct. You are absolutely right, yes. The "maintained by" is not the responsible party by law. This is RIPE NCC by default.
SHANE KERR: OK.
ANTHINA FRAGKOULI: Right. So the maintainer is the one that's actually the one that controls this data, yes. OK. So, yes, there is a data removal procedure so that individuals can change and remove their personal data. Now, limited access. Limited access to the database, is this OK by law? And limited access to the database means also unlimited access to personal data that is in the database and the question is is this justified by the purpose? Not really. The purpose is to approach individuals ?? sorry, I have only two minutes, I have to run a little bit ?? so, no, the purpose is not hire this personal data. Also, for particular services such as NRTM and bulk access, can people have bulk access to this personal data? No. So what was the solution? The solution was to create the acceptable use policy that would put some limits to the results of personal data query would bring and a solution was also to make this services, the NRTM and the bulk access available without personal data.
Now, that was with the RIPE database, how we implemented this. What about the other NCC services? Other NCC services such as members only services, available through the LIR Portal, allocation of resources and so on, registration to training courses, meetings, subscription to mailing lists, yes, we do gather personal data for these services, we gather contact details, billing details of individuals, what is the purpose of this collection and process personal data, the provision of each service depending on the service. Here is clear the responsible party is the RIPE NCC and data subject get informed and can delete their data.
And more information about that can be available in the RIPE NCC privacy statement. Now, in short, the report which is going to be published very shortly presents analysis of the legal framework, what was missing and of the implementation of this legal framework and the use of RIPE NCC services. The report is dynamic, will change when we will have new rules. We have now the cookie law which we are ?? that's being implemented so we will have a reference to that, and we are waiting for a new data protection legal framework, in Brussels they are discussing already a regulation so new things may be regulated. We also have actually today we have this new abuse policy proposal accepted and, yeah, actually, abuse C allows bulk access to all these personal data because we have the purpose, the purpose there is indeed to allow bulk access to the personal data of individuals that will be in the abuse C so this is something that changes, we have new things. Questions?
DENIS WALKER: RIPE NCC. By definition, the abuse C will not be personal data and that's why we will provide bulk access to it.
BRIAN NISBET: Almost like we thought of that. Are there any very quick questions for Athina? No. OK. Thank you very much.
(Applause)
So, now we have another NCC presentation, Christian, are you here somewhere? So this is Christian about ?? it's some questions about, listening responses about anti?abuse information in RIPE stat.
CHRISTIAN TEUSCHEL: Hello. I am software engineer at the RIPE NCC, mainly working at RIPE stat and yeah, I would like to take the opportunity ?? I would like to take the opportunity to, well, introduce some new features on RIPE stat as well as get some feedback on these features.
The first one is the new anti?abuse widget, new data call new widget. The second one are the data sources we are using for black lists on RIPE stat. And the last one will be about new use interface we are creating and the implications with anti?abuse.
All right. So, the anti?abuse widget. The reason why we created this one was in our feedback channels, so in the comments, e?mails, we got a lot of requests of people trying to find abuse information. I mean, usually the abuse information that you could find in the RIPE database, but most of these people were kind of, well I wouldn't say computer illiterate but they had a hard time to find the correct abuse contact information and that was the reason why we thought about creating some kind of widget to help these people out. So, when we are talking about the anti?abuse widget, we have to keep in mind that the target audience are people that are not really trained to extract the anti?abuse contact information.
So, you can check out the abuse widget, if you go to this URL and, in the meanwhile, I try to prepare you for the questions I am going to have afterwards.
So, the data we are using for the anti?abuse widget is not really new. I mean, the database group at the RIPE NCC already created the contact abuse finder, which is a web interface as well as a rest interface, and we are using this data to get the abuse con contact somehow, so there is some kind of algorithm for the content abuse finder and it's basically like that. First of all, we are going to look if there is any IRT object connected to the object we are looking for, so if we are looking for IP address, then we try to find INET or INET 6 num object and then we find, if there is any IRT object, and as a second step we try to find any abuse mailbox attributes that are related to any objects that are referenced to the INET or INET 6 num object. And the third one is just looking in the remarks, if there is any mentioning of an abuse information.
So, but there is just one catch with this solution: Because finding the correct anti?abuse contact information is not straightforward ?? five minutes left ?? so, we have two ways: Either we restrict the extracting process with the risk that we can't get any information, or on the other side, we are very relaxed and then we get a lot of false positives, if we have a lot of false positives that, well, the people that will be mentioned in this context might not be used.
So in a short, this is what we came up with. So we tried to improve the contact abuse finder and embedded in some kind of context. This context involved some kind of checks, so, first of all, we check if it's a special network, so if it's according to RFC 1980, a private network then we wouldn't give out any abuse information. Another check is blacklist information, so basically if you have, if you are looking for address that's highly rated in a lot of blacklists, then hopes are quite low that you will succeed in reporting this kind of abuse.
Another check is the prefix size; I mean, as I mentioned earlier it's target to go users and it gives you the information that if you are looking for a prefix, then it might get less detailed information than if you are looking for a single IP address but yeah, I think that's something I don't have to explain.
Then, before we give out the actual information that we get from the content abuse finder, we do another check and that's based on if we are responsible, we as the RIPE NCC, is responsible for the resource. So, if the resource you are looking for is within our reach then we show the information we get from their content abuse finder, if there is any. And otherwise, we, well, we give at least a link to the Whois information of other RIRs.
OK. Well, we already, I mean it was already mentioned that the 2011?06 proposal is through. That might help us in finding the correct contact information but as it stands now, I mean, I think that it will be mandatory for new objects. I mean, that's totally fine, but if we have a complete coverage over all objects I think that will take quite a long time. So that's why we would like to ask you some questions: First of all, if you find it useful if we are putting effort into the abuse contact, so raise your hand if you think that we should go on with this effort?
All right. Two, three. OK. Two?and?a?half. Good.
So, some more detail questions about that. Would you prefer if we go on with that, that we make it more restricted or a bit more relaxed? So would you prefer a lot of false positives or basically the risk of a lot of people getting annoyed because we are spitting out e?mail addresses and it's not proper information. So raise your hands if you like to have more false positives. Or to have it more restricted? Perfect. OK. All right.
Before I take the questions, just the last, will you like to have more checks involved? I mean, I came up, for example, should be at geolocation information ?? no, OK. Perfect.
What about showing the distance from the object that is the exact match of what you are looking for and the object where ?? which is carrying the anti?abuse information. I mean, I think that could give some kind of indication if it's the proper abuse contact information or if it's totally irrelevant. Raise your hands if we should add this check. All right.
WILFRIED WOEBER: This distance will only give you an indication about the cluefulness of the people managing the database entries.
CHRISTIAN TEUSCHEL: Provided they are doing some kind of good job. We would have another ?? are there questions related to the anti?abuse contact finder?
AUDIENCE SPEAKER: Sure, that's why I am standing here. I can wait if you want to finish the presentation, don't worry.
CHRISTIAN TEUSCHEL: We are going to switch to the other two topics with black list and ?? maybe not. OK. I think we should ??
BRIAN NISBET: There is a dinner this evening people need to go to.
AUDIENCE SPEAKER: Seriously ??
PETER KOCH: I was going to ask about the black lists, if you want to postpone that I am happy.
CHRISTIAN TEUSCHEL: I think it makes sense we go on with the blacklist, cover this one and at the end we have all the questions, if that's OK for you.
BRIAN NISBET: Do you have a specific one here?
AUDIENCE SPEAKER: Did I have a question specifically relating to the anti?abuse. I went and looked through ?? Leo Vegoda from ICANN. I went and looked through some of this anti?abuse stuff and I popped in private address, which is like my default for checking how things respond, and it said "that's a private address, we don't have any contact information." So, I went and looked at what we have in Whois.IANA.org and it wasn't that good. I would like to offer to work with you on improving the quality of the information given to the average user because I think we are a little bit worse than you but I don't think an average user even knows what a private address is so I think there is improvement to be made and I'd' like to work with you on getting that done.
CHRISTIAN TEUSCHEL: OK. Yes. Thanks. I mean, I have to mention that anti?abuse contact widget is basically a new creation. We created it two weeks ago and having the RIPE meeting coming up, I mean there was not so much time to improve it, but I mean, our intention is to go this way and improve it and make basically the information that can be extracted from the RIPE database more useful and especially for obvious uses.
Then let me just cover the next two topics briefly. So, right now, we are using two different data sources for black lists, for the blacklist widget, and one of them is the spam house drop list and the other one is the UCE protect 1?3, and we got some requests from users that the blacklist data resources were using my tests some bad reputation. And I mean, I think it should not be up to us to just delete something if one user raises his voice and says, well, you shouldn't use that, so that's why I would like to ask you, first of all, if it's enough that we mark the data source in the widget so it's up to the user to decide which data source he trusts or not or if we should go ahead and remove certain data sources for the blacklist, because they might not be useful for that. And if we do that, I would also like to ask you if you have any all the tiffs that we should use in the blacklist widget.
BRIAN NISBET: I feel bad about hurrying you up on this but unfortunately we have ?? we are now running very, very short on time. I think there might be a bunch of questions you have here and you have possibly in the next slide or so that could be sent to the mailing list as questions, because I am conscious of the fact that we have a few more presentations and it's now just past 1400 already. Or whatever time it is in this part of the world, I am looking at ?? just past 1500 already. So Peter, do you have a quick question or point or comment?
PETER KOCH: I can try to make it quick. Peter Koch, DE?NIC again. I think the question of these blacklists, I was actually going to the microphone asking for the policy that you apply to selecting or deselecting a certain blacklist. What you as the NCC are doing usually with RIPE database, you are stating registered facts about the objects registered. What you have done here is extend this to a reputation system, the scrutiny of which of which is questionable and varying where the target audience that Wilfried just made a very important remark about is probably not qualified enough to judge when you just give the information we took it from here or there. So I think this is a line that has been crossed and it makes me nervous.
DANIEL KARRENBERG: From the RIPE NCC this time. This is not the RIPE database; this is RIPE stat. RIPE stat aims to get any data you may ever have wanted to know about an IP address or an AS number and present it. I share Peter's concern about presenting it totally unqualified and we are working on that to go and put things into context. What the policy is about what data we show is anything that we can get. And that's exactly where the problem is with the blacklists, is that most of the terms of usage of the blacklists prevent republication in one way or another so that's why we actually chose the ones we incorporated the ones that allow republication and showing of history. And that these are maybe not the greatest ones on earth; we understand. But we still think, in the hands of a qualified ?? in the hands of a knowledgeable person, actually the history ?? the current state of the blacklists and the history of it actually is a useful thing to know. And that's ?? so, but quite clearly, it's not a part of the registry, it's part of the information systems that we do, just like the ??
BRIAN NISBET: We are really running out of time here.
DANIEL KARRENBERG: This is community ??
BRIAN NISBET: I am trying to ?? I am not stopping from you talking, I am saying to we can't add more people to the microphone.
DANIEL KARRENBERG: We have to be very careful, it's not part of our registry, just like the routing information service, we just collect BGP data, make it available, that's what we do with the blacklist data, make it available. I am the first to admit that we want to put this into context and especially if it goes into anti?abuse where the consumer is usually not a geek. And Christian, if Christian can show his next slide it could actually inform you about the direction we are taking in this area.
CHRISTIAN TEUSCHEL: I just want to do that briefly. So, yes, as Daniel said, I mean, this is a different data source and I think the bakes question that we want to solve right now is that if we should be active about re ?? one of these data sources or if it's just enough to mark it but I think we can leave that as some kind of feedback that you can send via e?mail.
The last thing is that with the change in the user interface because we saw that people have some kind of problems to understand this kind of big set of widgets we are going to throw at them, so as one solution for that we tried to group the information we have on RIPE stat, and one thing that came up is the anti?abuse step, and that should in a way gather all the information that it's related to anti?abuse. So far, we have the anti?abuse widget, what we talked before and we have the blacklist widget and I think another question that I would raise to you but maybe off?line, is if we should add different widgets to that tap and for what reason. So, I think just to keep it short, you can reach us on the stat [at] ripe [dot] net. So if you have any feedback, we would like to hear from you. I think the time is over.
BRIAN NISBET: Very, very briefly, please.
AUDIENCE SPEAKER: Private consultant. I think what we are seeing and hearing here is Internet governance the way it should be, I think, and can be. My advice would be to ?? where gather information on anti?abuse and black?listing, etc., is concerned, get it from as much independent places in the world as possible, so I already said this in the Cooperation Working Group, but there are a lot of BotNet centres being built in the world in which ISPs are voluntarily cooperating, there is a lot of data to be gathered on what is going wrong on the Internet there, so, what are the possibilities to get data from them? I am sure they will be happy to oblige because you can actually help fight them. But then it's the end voluntary to ISPs to do something with the data or not. It's the same here, I think, is showing, making visible, and I think that's the start of things. So go on, I say.
BRIAN NISBET: OK. I think with Peter's caveats noted and noted strongly and we can possibly have more discussion about this in the mailing list, I'd like to say thank you very much Christian.
CHRISTIAN TEUSCHEL: Thank you.
(Applause)
BRIAN NISBET: And in our three of three NCC talks, I'd ask Ingrid to come up to talk briefly, one hopes, about the reclamation of some of the space in relation, partially in change to the DNS changer issues.
INGRID WIJTE: From RIPE NCC, and there has been some discussion on the list about reallocating some blocks, some time ago. So, I will explain the procedure that we follow, that we have been following for years, and the overview of the process, we closed an LIR and after we close it had we deregistered the resources. Most cases, it's either non?payment or the LIR themselves closed the LIR. And hand back the resources. After close is done, we start taking back the resources. We make sure that prefix no longer routed and we delete the database objects.
When that's done, we put them in quarantine. And when they come out, they get reallocated to the next LIR end user, asking for resources.
The default procedure is three months for each resource, whether it's v4, v6 or AS numbers. It's not uncommon that resources are taint that had we get back, especially when we close the LIR or we take back the independent resources. When the quarantine ends the prefix becomes available automatically. The system will release them when the period ends and when ?? it will be reissued when a suitable prefix size needs to be issued.
Now, what happened before we reached the last /8: We had to reduce the quarantine period slowly in order to make sure that we were issuing all resources before we would enter the last /8 mode. So in July, we sent it back to one month, and during the last few days, we went from one week to, at the last day, one day, so that was a special procedure for this period in time. Now that we have reached the last /8 we go back to normal quarantine procedure. So all the returned and deregistered prefixes are again quarantined for three months. However as we are allocating from the last /8 we won't reallocate or reissue any returned blocks until we finished the last /8, so in effect, from now on, returned resources will be, well, in fact quarantined for as long as the last /8 will last us, that can be undefinable period. So that's the process we have used and that's how the returned prefixes got back into the pool and were reallocated recently.
And if you have any questions about this?
BRIAN NISBET: I like presentations that short. Are there any questions? All of this is obviously clearly documented?
INGRID WIJTE: We realised we didn't publish prospectus, something that we have been doing forever, but since the discussion we have put this on?line and you can see which process we follow.
BRIAN NISBET: Thank you very much, Ingrid.
(Applause)
Our final presentation this afternoon is from Peter Forsman from .se about counterfeiting websites. I will let you know Peter's presentation is not as short as Ingrid's but the last few items on the agenda are very short, so while there is a number of items after Peter's presentation, they are very short so rest assured we won't keep you here too long. So thank you very much.
PETER FORSMAN: I am the abuse manager of .se but besides that, I am also known as Internet Sweden because I have traced down fraudsters in Sweden for several years.
In my role at .se I try to do ?? make the fraudsters account to other TLDs for the activities and what I can't handle, under .se, I write about and then trace as a private person.
I call it counterfeit shops or China shops. And this is somewhat story?telling. Last year, I was asked by Swedish law enforcement to try to follow and map foreign websites that targeting Swedes, and this is ?? I mean, it's clothes, shoes, it's electronics and watches and if you notice, Mcafee secure log type, it's authentic and full security for the visitor, and it's actually Mcafee's log type that anyone can download and use as a full security logo. And it's actually Apple seller in California.
So go back two years in time and ICE take down two domains in November 2010, and nearly a year after, they take down 150. And it's called Operation Fake Sweep and out of the 150 about 120 is related to NFL, it's about two?month Super Bowl starts and I think it was two, two or three days they take down another 307 so it's ?? 527 in 450 days but didn't any effect on anything. I would say no. If I Google in Sweden in 97% of Internet users use Google, I receive 193 million results. If I do the same search in image search I receive 816 million results.
But when we talk about trademarks, it's more interesting to look at air max, etc.. the volumes ?? global search, it's ?? you can't ?? you can see the red and blue peaks but it's not very sharp peaks but in Swedish searches it's more ?? you see when it's getting colder outside.
So, in my presentation I will look into Moncler and Coach, two very common trademarks. In November last year, I received 55 and a half million results, and already in the third place I see Moncler's value.org that offers 70% off price, and the thing is that it's registered only three days earlier, so in three days, it went to third place in the competition of 55 million other websites.
So, how was it possible? Well, as you can figure, it's sort of spam and manipulation. So let's look at the Moncler's value.org. I found at least ?? I find thousand backlinks to the website, but I looked into Flinkles because of the and I also saw that it was made by a user called perfume Lily, which made another post about Coach and that was interesting because there were three anchor texts to different websites and especially one that linked by 301 to another one that linked to another one and they were all registered by different registrants through different registrars and different dates.
And this is the source content, so to speak. When I reverseD ?? looked it up, we are here in Netherlands and I checked the IP and, as you can see, there is totally 13 different websites and its content was in different counterfeit shops. And when I stepped down and upwards it was the same but as I have pointed out in the red, it's geotargeting different markets, so to speak. And all of them contain Coach, same sort of string domain names.
So, what does it really mean? Well, Google 301 move all ranking and strings by links and black hat, all off page optimisation. So, when someone actually abuse report IP, they move on to another one and with double strength and another one and another one. The IP, the server could be actually in the same place but they move the domain name and forward the traffic.
Google translation is quite ?? a statement this short article, surely it's Chinese from beginning, but it's ?? Swedish ?? and in a few weeks, in May this year, there were half million posts with this and it was articles like this with free up going links that went to different kind of websites. Just example.
And also behind the shops there were articles that wasn't possible to visit from the web shop but it's strengthened the site. And also, the use SQL injections and different intrusions. DHL dashboard .se have actually some links, I don't think they placed themselves. And the registrant is quite fun because they will have the same initials like BS, and the e?mails is the structure is word word plus three random letters at Yahoo. So it's quite easy to follow. And another was the ?? quite interest of Moncler and Ugg boots. And the third is private page where the MS Marquis, one can remember. Upgoing links.
So, this was ?? my first slides was from November, and this is in April when I checked it again and then I received 72 million results and as you see, the last third result is gone but now it's for new ones. So this actually means that in 150 days there are new 113,000 new pages index per day in Google. And if I look at the phrase "Moncler" and results written in Swedish and compare April with June, it looks like this, seven out of ten first results and the same in June but if we compare it four gone, four new ones arrived.
If I use all in URL, still the page is written in Swedish. I receive 74,000 in April and 62 in June and eight out of ten is this counterfeit sites. And some leave, a new one replace them.
If I do image search, as you know these shops all use images for selling the stuff. Moncler, I receive one page included 64 images that went to 34 China shops and none of them were Moncler themselves. 34 China shops were ?? 14 targeting Swedes, written in Swedish, the red ones. And when I did the same in June, it's 61 images and on first page and it says 37 China shops. And 18 targeting Swedes.
And another way is of course, to just copy the URL and paste it into Google image search and I received 31,000 out of this exactly the same.
And out of the 100 first results I saw 19 of them were targeting Swedes, but when I reversed ?? reversed look them up I saw none of them were hosted in Sweden but all over the world and the red numbers are number of page ?? shops on that IP number, and if we look at the last one, Moncler in IP ending with 148, we can see it's hosted in Germany and as I shown before, it's targeting all kind of customers all around the world. And if I sit down three numbers it's the same, they usually use blocks of five to seven IP numbers, and the same when I go up the three numbers. So what speed are we talking about? Well, I looked into one small name server that I used to check regularly basis and in April, there were new registrations 75 at one day; registrar transfer to the named server were 150 and from 40, and when I did the same check in June, there was 75 new registrations and registered transfer to were ?? sorry, 70 and from, 65, so moving all the time.
And how relevant is my example Moncler in the context? Well, I did a check little larger name server and found 10,000 domains that were interesting, and about half of them were containing active shops, and 108 were Moncler shops, which means about 2% of total, which means that about at least 49 other trademarks exposed as Moncler. This means that use large number of IP numbers all over the world, service seems to contain script packages and I am sorry for the Swedish country names, but they have them all over the world and they use so many different domain names that and no one is stronger than another one so they are replaceable, so to speak, the opposite on the Piratebay where the domain is the hub, so to speak, they use a large number of registrars, but they only use the DNS hosting and the sources is another place in the world. And also they ?? they host?swap all the time.
So numbers, well, actually, I downloaded the gTLD root zones and put them and looked for 46 trademarks just to get a glimpse how many there were. And I came out with this, I have tried to make it as relevant as possible and use hyphens and like Ugg, used "struggle" and luggage" and so forth. I randomly checked 1,000, just to see how frequent they were, and my examples is coach and Moncler are medium used. But the total is 249 thousand domains are domains with trademarks in them, but since I don't know how many there is propecktive registrations or legitimate so I took 10% of, then I spidered three lodged main servers to come up with over 100,000 active counterfeit websites under this five gTLDs. And the figure shows the content of the of but the infringement domains with Moncler in the domain name is about 75% while 25% is generic words and it's much hard tore find, and 90% of the domains are registered under the gTLDs and the rest is spread out through ccTLDs.
But while they use drop shipping, so the network could actually be from wherever in the world, all I know is that the shipping and the products are coming from China, that's why I called it China shops. But actually, several details that indicates that it's European.
And this since two years we have seen large increase but with the new TLDs I am afraid ?? and Google do a great job today but it's not enough. In the beginning of the presentation I showed 55 millions and 193 millions and 816 and last week it looked like this, 50 and a half million and actually, the pictures images have raised.
I made it.
BRIAN NISBET: Fantastic. Absolutely. Thank you very much. Are there any questions for Peter?
DANIEL KARRENBERG: Someone who does while he is cooking dinner does stuff like you do just for my personal entertainment. The question: What is it that this community can do to help?
PETER FORSMAN: I am really here to bring awareness of it. I really can't tell what to do because, you know, it's like go to the ?? try to take down some ?? I mean, the problem is, the Swedish enforcement asked me to help find the ?? the websites that targeting Swedes but it can't be done because there are new one next week.
DANIEL KARRENBERG: If they understand that the method of taking down 50 here and stuff like that ?? as soon as they understand that that is not going to help, you done a perfect job, thank you, thank you, thank you. The other little knitty question is just for entertainment value: Why do you think the new gTLDs will make any difference because it doesn't make any difference what their name is, I think if I look at your pie chart there they went for the cheapest ones.
PETER FORSMAN: Well, really, they are going through Chinese registrars mostly, and I would say that if I can have sort of problems with registrant data today, there won't a lesser problem next year with the new TLDs, I am sure of it.
DANIEL KARRENBERG: But the ones you listed on your slide were ENUM, they are not really Chinese.
PETER FORSMAN: They were not. They were for examples. If we see in the future in one year, if we have 1,000 new gTLDs that in competition with each other, I would say that the prize would be lower than dotcom today.
DANIEL KARRENBERG: Yeah, I think they will go for the cheapest one, of course, they will go for the ones that are not really the best ones in publishing the registrant data, although even now it doesn't give you anything, does it?
PETER FORSMAN: No, not really. Not really.
DANIEL KARRENBERG: Anyway, it was very entertaining, thank you.
BRIAN NISBET: Thank you very much, Peter.
(Applause)
So, rather than look behind myself the entire time, I am going to use this. So, lots of updates which we have gone through and couple of other items. As I said quite short. Policy 2011?1106 has reached consensus.
(Applause)
Thank you very much, very much to the original task force and my co?chair Tobias who stepped back to write the bulk of the policy and and push it through so that has been announced this morning and we will speak to the NCC about the implementation, etc., of that.
DANIEL KARRENBERG: Yes, guy who walked off the street again. I really love it. My question to you guys is: How do you propose to proceed in order to not have this remain wishful thinking, because the question that's in my mind is OK you can mandate all sorts of things but how do we get people to actually populate this?
BRIAN NISBET: So, we will be working with the NCC, obviously on the basic information and implementation, and obviously especially looking at what has happened with 2007?01 these are big jobs. That said both myself and Tobias have already been talking about what is next, what is next in regards to ?? and this is kind of with mostly with our co?chair hats off at that point in time, with regards other policies such as data verification and indeed the possibility of what we can push and how far we can go. Obviously, with anything like this, I think that the bad people are going to continue to do bad things, but we are hoping that this is the first step in creating a framework which will improve that.
DANIEL KARRENBERG: Let me just be very, very explicit. Now we have a policy and I am detecting around the community a certain, lets put it a bit of antagonism against the NCC doing stuff without asking the community and so on. So what I am worried about here is because this is something that we have to make people to actually do something, that it's done very clearly with community involvement and even with community direction. Because otherwise, my personal concern is that the RIPE NCC will get the (in dutch) as the Dutch say ?? black Peter, will be the black Peter here so it has to be very, very clear that there is ?? in which way we should get this done is clearly with lots of community guidance.
BRIAN NISBET: Absolutely. And I think that both myself and Tobias have undertaken to work with the NCC and obviously we have a policy that has reached consensus via the PDP so that's the first step, we are definitely not operating in a policy?free zone and as I said, right now, the kind of drive so far has been to reach consensus and have that declared. The next step is to work with, well, whatever hat you are wearing with the NCC and you guys to make sure that we we introduce this in the most open way possible. So noted definitely and we want to make sure that you guys absolutely do not get blamed for what has clearly been a community request.
There will be more on that on the mailing list, absolutely.
Working Group interactions. There haven't really been very many since RIPE 64. In reality, 2011?06 may well bring up some stuff here. There are a bunch of things which may fall from this which were some of the original proposals we discussed about 18 months ago which led to 2011?06, there hasn't been much in the last few months.
As regards LEA interactions it's been a quiet summer but, and there is a certain amount of management by exception by done by the LEAs but in conversation with Jacim and other people we do know that the NCC have a bunch of things planned for over autumn and winter and spring as regards LEA interaction so we should have more to report on that when we are in Dublin.
Is there any AOB? No one is standing up. I like this. People are fleeing the room. I don't like that.
So, agenda for 66: We do have eight months between now and RIPE 66 so it is a while. I know there are some things already being talked about and happening which I am hoping we will have time to discuss. As always, mail the list, mail myself and Tobias, at the Chair's address, which is on the website and do consider, take off this hat and put on the Programme Committee hat, do consider submitting things to the plenary as well especially because we touched on a number of things today and it was mentioned in the chat room that some of the things we are talking about here are definitely things the wider community could be interested in.
Other than that, that's me. I look forward to seeing you all in my home town in May of next year, RIPE 66, we will have another exciting session. For the moment, from myself and Tobias, thank you very much.
(Applause)
