16th October 2019
ACHILLEAS KEMOS: This afternoon we will have a panel discussion co-hosted with Europol on safety and security, so let's deal quickly first with the minutes from the Reykjavik meeting, if they can be approved or if there is any remark or objection. So then, let's start with the first presentation of the day, that would be Michiel Steltman on the compelling case for national vulnerability management. The floor is yours.
MICHIEL STELTMAN: Good afternoon. It's actually, for the English-speaking, the digital infrastructure association of the Netherlands, a cooperation of eight organisations: hosting, Cloud, the internet exchange, the .nl foundation and the domain registrars, so everybody under the hood of the Internet. This is my first RIPE meeting; I have been to ISOC and others but never to a RIPE meeting, which is strange if you consider my technical background, it just didn't happen. And I am totally impressed by the organisation, it's awesome, really. I am quite impressed, everything is top-notch. So I am very happy and it's an honour to have the opportunity to speak to you about a private/public initiative in the Netherlands. Private/public always sounds a bit like: okay, let's talk and see how we can cooperate, a bit like world peace; nobody in a public/private partnership can be against that, but in this era it can be really tough. One of the topics that we as an association are dealing with is the wide range of things about trust and security, so that means prevention, security, creating facilities, creating opportunities to cooperate on fighting abuse, mitigating abuse. In the Netherlands particularly we are very active in the fight against child pornography, being the second country in the world to host lots of that material. But also cybersecurity initiatives and keeping the Netherlands a safe place to do business.
That brings together a lot of constituents from my sector but also from government and law enforcement, supervisors, the DPAs and everybody else. Today, I am going to talk to you about a case that I presented last week together with some people from the Netherlands Internet landscape: the compelling case for vulnerability management. Why vulnerability management? Let's take a look. Some slides are in Dutch but you get the picture. We are vulnerable. Every day, every week there is a newspaper article stating, showing, how big the problems are and how many leaks and vulnerabilities there are. We are vulnerable to this and that. And that's business as usual sometimes, but the point remains, we are vulnerable, and even to a point where society can be disrupted. Our scientific council for government research presented a few weeks ago this report that said "prepare for digital disruption," and what they said is that the traditional view of vulnerabilities and of not being too resilient to cyber attacks is caused by the fact that our vital infrastructure, maybe our waterworks or electricity or some other vital function, is vulnerable. But what is said in the report is that it goes far beyond that: anything which is down long enough will lead to disruption of society. It's not just vital or non-vital, the essence is that many services can have a disruptive impact on society based on the fact that they appear in some digital value chain, and it turns out somebody forgot this weak link and lots of companies and societal processes have this problem. So that means, in general, that we don't just have to concentrate on vital; the new insight is that we have to raise the resilience of the entire digital industry to become more resilient to cyber attacks.
How to do that? I had the honour to speak last year, in December, at the OECD conference, and I was together with some people from the Ministry of Economic Affairs, and Bruce made something that really struck us, a very simple remark: we are vulnerable because hardware and software have vulnerabilities, that is very obvious, and the bad guys find them. But why don't we mobilise the good guys to find them? Because the bad guys keep them for themselves, state actors or whoever wants to exploit vulnerabilities, but we can replicate that process to fight them and set up an information sharing facility so that the vulnerability profile is raised. And he said one of the countries that has a very strong responsible disclosure policy, which isn't adopted very well but at least the policy is recognised, is the Netherlands, so I felt very happy that he made that remark. But still, apparently there is a tremendous amount of work to do to get responsible disclosure between the ears of policy makers and companies, which I will highlight a bit later in my presentation.
So, why don't we just patch? Because the easy part is, if we patch everything, you know, and protect it, then we are not vulnerable, it's that simple, isn't it? And many policy makers and sometimes Members of Parliament seem to think that way. Our Minister of Justice said two weeks ago, after we found a leak in some VPNs that even affected the air traffic control system, if they don't get their security right I will kick in and start to do something. That was a ridiculous remark: they miss one vulnerability and that hits the paper and demonstrates they don't have their security right? And everybody who is in technology knows it's really not that simple.
So we say we have cyber essentials, we have all sorts of programmes that urge companies to patch better, don't forget the leaks, but it's a complex process. Here is the company that is responsible for the systems, either in-house or partly in the Cloud, still responsible says the GDPR, so they have systems with leaks. So what do you do? You crawl the CVE database and go to suppliers and look at updates and get all the information you can about what sort of vulnerabilities can exist in Open Source or in a commercial system and simply, you know, take an inventory of what you have, you download the patches and install them; that couldn't be too hard. But in practice, this process is terribly flawed. There are a lot of issues and reasons why companies don't patch and why the last mile and the last percent and the last single VPN patch that you missed isn't there, and that's because there are tons and tons of services and there are thousands of entries; the CVE database alone has 20,000 entries, and how do you match that exactly with your inventory? And the patching process has many problems: part of it runs in the value chain over which you don't have control, you know, and maybe they forgot something that affects your stack or your system. So we did a study and came to the conclusion that it's terrible, because patching also breaks things, and if it breaks things you can rest assured that the other part of your company will block the patch; they will not allow it, because money is lost when you patch and their system goes down, which means that for lots of reasons patching can be delayed. It's a complex process, so very obviously keeping 100 percent patched and keeping 100 percent up to date is not realistic, it's simply unachievable.
So that means we also need to have a plan B, and that is coordinated responsible disclosure, because out of the 20,000, if you miss one patch and it's critical, or somebody can find a single weak hole in the networks of your company, and a bad guy can find it, a good guy can find it too.
If you look at it fundamentally, and that is a slide I presented to policy makers last week, this is what you do: start with the top layer, the companies who have digital systems and are responsible under GDPR. You try to motivate them, that doesn't work, so why don't we add something: find actual weaknesses in your system and make sure that the information about those weaknesses gets to where it's effective, where somebody can do something about it. So, that means, okay, somebody on the Internet, for all sorts of reasons, scans the Internet, finds a system, finds a vulnerability and then reports it to the responsible company. But this process also has quite a few flaws, because of what happens in practice, and we saw a good example in the Netherlands yesterday, a good example from an amusement park. Somebody found a vulnerability in a system, a big data leak, and reported that to the company, and what they got was an angry mail saying how dare you and I will report you to the police for hacking our system, rather than thank you for informing me about the vulnerability. That means that companies, for all sorts of reasons, don't recognise the value of responsible disclosure or don't have a policy, they don't think they are responsible. So also in this process, getting the right actor to act is a very difficult, sometimes very difficult, thing to do.
So, we said, but still we need the additional value of finding the actual vulnerabilities and a process to fix them. So what do we do? We said, well, let's take another approach, let's try to see if we can find a public/private approach where we can have multiple actors work together to correct this, to fix this problem and to get the information flow between actors going. So first of all, we have to find crawlers and scanners, as many as possible, and let's see how many of these sources there are. Last week also in the Netherlands a new initiative was launched by the GDI foundation, who developed some scripting and tools to find weaknesses and find actual vulnerabilities in IoT devices. And maybe you have even heard of BrickerBot, which is also a script that scans the Internet for vulnerable IoT devices, because those can cause DDoS attacks or can steal your data, your device that is listening and sitting in the bedroom of your children, a toy which collects voice information, all those. What they did: you can report to somebody to patch it, but you can also break the device. If the bad guy can exploit a leak to do something in a device, you can exploit it to break it, to put bad firmware on it so it's no longer functional and can't boot, so take it off the web. A bit of a vigilante approach that I don't recommend, but still it's an approach and somebody can do it, and one person with one smart idea can take down a lot of infected devices from the web, which shows you how effective the process of coordinated responsible disclosure can really be. We need more crawlers, and we have Spamhaus, we have those who look for relays, look for all sorts of command and control servers, all sorts of abuse and different things on the web that we find and that they can find and that shouldn't be there.
And we have this new foundation that crawls for devices or sources, so what we need to do is mobilise and also, if possible, subsidise, and we call on the government to incentivise people to build crawlers that find bad stuff on the Internet. One known instance in the Netherlands is the reporting point for child pornography; they collect data from the Internet and collect reports about child abuse material that they find, and they collect that material, they find out who is responsible and they forward the information to the next stage, and that is somebody who can collect this information, aggregate it and make it into one consistent standardised format. There are differences, you have all sorts of standards that can be applied, and ideally companies shouldn't subscribe to all these different sources but should have one source of information from somebody who does that.
In the Netherlands this is done in cooperation with the NBIP, the Netherlands control organisation for Internet providers, a collective not-for-profit organisation that provides some services for small service providers that can't deal with it themselves. For instance, they developed the national scrubbing centre which now already protects 42% of the .nl domain against DDoS, a collective function that has been developed by the fact that lots of constituents put their heads together and said we need a collective function to protect that. NBIP built an aggregation function for many of these sources. We have a cooperation with TU Delft who find and extract performance information; how that works is as follows:
Suppose your IP addresses appear in Shadowserver with lots of abuse, and they measure today and they measure it also two weeks later. If the same abuse information related to your IP addresses is still there, apparently you or the other people who use your networks haven't done anything and your performance is poor. However, if you have changed something, if maybe there are different types of abuse on your network or the original abuse is gone, then your performance is good, because apparently, based on the information of Shadowserver and other sources, you have acted, taken away abuse and vulnerabilities, and your performance is good.
Now, TU Delft has been given money from our Ministry of Economic Affairs to further develop and improve their performance ratings, and we have started to provide these performance ratings to a testing group of 35 to 40 companies to see how they would react if they get a message: your performance is poor because in your network we see a lot of bad stuff, and secondly, these are the sources, and if you want an extract and a number of statistics you can subscribe and connect to the abuse platform and you can collect that data and start processing it to see if your performance can improve. That immediately created a lot of activity and led to quite a bit of improvement by companies, because it would not be too nice if your performance were to become public. That stick-and-carrot approach is something we deliberately did to see if we could find a method to incentivise people to start doing something.
But then it comes to you as an LIR, what you can do, because you are not responsible for the patching; very rarely is it your problem. If you are a hosting company or you are a managed hoster, it's not your fault, you are not to blame for the fact that there are vulnerabilities in your network, it's mostly your customer. My key takeaway for you today: there is still a very important thing you can do about it, you can be an actor in this chain of information and this chain of action to prevent abuse and vulnerabilities.
And this is it: if you look at how these companies, LIRs, domain registrars, you and similar infrastructure providers, and this is basically my sector, the sector that I represent and talk about, if we can put them to action in this value chain of information, we can make a difference. Because think about it, this company wasn't responsive to coordinated responsible disclosure, they had no idea what the reporter was talking about, they are clueless, they will say things such as: IT, maybe my supplier does it, I don't know what to do with it, I don't know what a vulnerability is or why I am being approached by you. But you as network operators, hosters, hosting companies, Cloud providers, IT companies, do understand what these messages and this information are about. You guys can understand the importance and you guys know what the call to action is for your customers or the ones that use your networks, so you can make the difference in forwarding this information to the actual company who can patch, who can do something and who can make the difference by patching the system, with directed, precise, coordinated information from a party they trust, not just some external hacker but their supplier that they know, who can make the difference. So we believe that not by simple responsible disclosure but by setting up a chain of actors and dissecting the problem of vulnerability management into different compartments: collecting information, aggregating, forwarding, adding performance information and an incentive, forwarding it to somebody who is not responsible for the patching but who can make the difference in improving the resilience by going to customers.
So, I will summarise:
What can you do? You are not responsible but you are a key actor in getting this going, which means what you can do is monitor what badness is in your network; use these sources, and if you don't want to take the effort to subscribe to all these different sources, which is understandable, create something in your community, in your country, such as the NBIP in the Netherlands, somebody who can collect all the information, who has access to all the sources and can aggregate it for you. Around that, in the Netherlands there is also AbuseIO, an Open Source system that can process these messages and can help you in processing abuse and other vulnerability messages for stuff that occurs in your network that you can attribute to your customers, and that helps you with running this process. Something I can recommend: AbuseIO.
So receive the information, subscribe to the feed, do the triage and forward. You have to have a policy. Your policy should be: okay, I don't want this stuff in my network, I don't want my customers to be vulnerable, I don't want abuse in my networks, I don't want child abuse material on my servers, and I as LIR or as infrastructure provider can make a difference to mitigate that risk, to inform my customers, warn them, do something to get them going and to make sure that they start to do the patching and the right thing to remove the abuse from the networks.
To this end we developed a policy in English; on abuseplatform.nl you will find a Code of Conduct which is just a simple A4 that basically describes this process, which I can use and show to my management and say hey guys, it's something we could do. It helps our customers and ourselves and our reputation as a country and also as a provider of network services.
Doing the right thing. So basically, to summarise and to close off, how do you guys feel about that? Maybe some feedback and questions and answers when I finish this up. And do you agree that you guys can make a difference? You are not responsible, but you can make a difference in this process.
To start with this mindset: create policy, use that Code of Conduct to say yes, we can do something about it to improve the resilience in our country and networks for our customers. Decrease vulnerabilities and abuse by setting up this chain of command and actors. And also, here in the Netherlands, with the Ministry of Economic Affairs and Justice and the national cybersecurity centre, law enforcement agencies, all parties are interested and cooperate to get this going in the Netherlands and to put this together in the coming year or two years. It's all Open Source and actually shared, the best practices are there to share to help you set this up in your country, to set up a similar programme.
So, this is where I want to leave it, and I believe we still have room for questions.
ACHILLEAS KEMOS: Thank you very much. Any feedback or questions?
AUDIENCE SPEAKER: I saw you using methods like crawlers, like scanners, to detect vulnerable hosts. Is it legal in the Netherlands, or can it be done only by the police or the like?
MICHIEL STELTMAN: Everybody, it's public information, so everybody, including you as a user, can crawl, you can collect the information, and under the GDPR, for collecting information there is a processing ground that says, and I don't know the exact English term for that, that there is a legitimate interest to do that. You do that for two reasons: because it's a common interest and it's also in the interest of your customers and the ones that are actually the parties who own the IP address. Secondly, we create an exemption by saying okay, we don't relate the IP address to the actual natural person who could own the IP address. So this is why we can forward the information. And third, we determined that every one of the actors is a data controller, not a processor, because everybody could collect that information from the Internet; the fact that you forward it does not make you a processor, because you could have collected the information yourself, which means that everybody in that chain is responsible and there is a ground on which you can process because it's in the interest of cybersecurity and of the party for which you improve the cybersecurity. So this is something we are still discussing with the DPA, but it looks really good and we think these are the grounds.
AUDIENCE SPEAKER: So, in short, scanning for vulnerable hosts is fully legal?
MICHIEL STELTMAN: Absolutely.
ACHILLEAS KEMOS: We have five more questions, I will close the line there.
TATIANA TROPINA: I am not a member of the RIPE community, so I am not very much a technical person, but I have been dealing with legal frameworks to fight abuse for quite a long time. And thank you very much for your great talk. What I gathered here from you is that you were talking equally about vulnerability disclosures, about mitigating and identifying abuse, but, at the same time, you were talking about content crimes like child abuse material and so on. The general perception of policy and law is that these are two different problems, because vulnerability disclosures and detection of abuse technically is more about prevention, detection and mitigation, you need to protect your networks and technology, while child abuse material and other forms of illegal content will require an absolutely different set of policies and tools, because if you just remove it you will not catch the bad guys. You know what I mean; I really wanted to ask you, because it wasn't clear for me from your talk, do you have a different set of policies for technical prevention, disclosure and mitigation and for taking down the content? Because for me it would look like you should have a different approach, but are you...
MICHIEL STELTMAN: Absolutely. It would go too far legally to highlight the differentiation between the different approaches; we are definitely aware of that. If perpetrators come into play you have a completely different set of rules, something we try to stay away from, so this is really about the content, about the technical abuse, and we try to stay as far as possible, we are staying away from the fact that it correlates to an individual who can, you know, be prosecuted under the law, because then you get into a different set of rules. There is still some work in progress here, together with legal advisers, to find out exactly how to square that off.
ALEXANDER ISAVNIN: Russian Internet Protection Society. Tatiana, you came here, you are a member of the RIPE community. I can't understand from your presentation why this is so crucial; you mentioned LIRs on the first slide, but during the whole presentation it's not clear why you are focusing on these things. I know a lot of simple ways of creating unions and associations; you already have eight Dutch members, so you can invite other Dutch ISPs to join you, and nothing special related to the RIPE NCC might be needed.
The second question: if you happened to be at yesterday's presentations related to the history of BGP, you may also know that it is in the interest of operators to move IP packets as fast as possible, without taking into account special considerations of governments, organisations and the like. Operators by default are not interested; by their business they are not interested in all this. You say the University of Delft gets state money for working on this, but operators are not. So if you are providing some information in the case of connecting to their customers, you should make it interesting for them. As a former employee of an operator I remember I filed abuse reports, but none of them allowed me to contact my customers well and sell them additional services or whatever else. But a lot of such associations, starting from Spamhaus...
And again such things have been running for years already. So-called fake vulnerabilities: a special kind of abusers create something which looks like a vulnerability or illegal content, and when one tries to filter or take it down, the operators get something like a court call or are blamed in public space. So you are also not trying to protect your operators from such risks. In short, I still don't understand why LIRs should cooperate against their interests.
MICHIEL STELTMAN: A short answer to that. We dissect the simple fact that when you start crawling the Internet the only thing you see is networks, you see a range of IP addresses that are associated with something we don't want. And the point is that the attribution, who is the person who is actually responsible for the badness that is sitting somewhere, is not obvious from the crawling, so you have to dissect the problem.
Your second point: okay, if I transport bits, why bother me, because I am basically transporting bits and providing IP networks and I have nothing to do with the content. We really recognise that principle, absolutely. Still, that shouldn't result in the message that because I am simply doing infrastructure I have no part, don't bother me. I can promise you governments and law enforcement are now on the move to say, you know, we don't appreciate it any longer, you should really do something. And what you can do is not mitigate the risk, but you are one actor in the chain who knows who should receive it and how to forward it into the chain and get it to the right place, and maybe there is somebody else who can also do that. We believe that by setting this up, forwarding and getting everybody into action with exactly what they can do, we will keep legislation, governments and law enforcement away; that's what we strongly believe. We can disagree on that, but we will do that afterwards.
AUDIENCE SPEAKER: Not actually a question but a comment. I am Liam Glore from the UK; we have been doing this for the last few years and I want to thank you for creating this over here, because we have had quite a high degree of success with it. It doesn't solve all the problems, but a lot of our operators are very appreciative of being notified about this and are happy to take action, so thank you very much.
PETER KOCH: Thanks for that insightful presentation and lots of interesting initiatives. One thing confused me: I know some LIRs, and you were pointing at the LIR in particular when it comes to doing these scans and everything. I would just suggest that the LIR is just a registry that deals with identifiers, not even with bits on the wire; while that may be the same entity in many cases, it might be important to keep the LIR function clean and understand that this is just about distributing the numbers, not operating them. So I wonder what your intent was in bringing both into the game here.
MICHIEL STELTMAN: Absolutely, a very good point, and some of the research we did with TU Delft was to match the function with the business model, with what a company is. So hosting companies are LIRs, but not all LIRs have infrastructure, so yes, there is an absolutely different mix and landscape. So in general we say: start from the crawling end, you see IP addresses and end up somewhere, and that somewhere and someone can be an unmanaged host or an internet exchange, a network operator, can be anybody, and it really depends on you, on what particular part in the value chain you want and can take, and sometimes you can't. I mean, we don't expect an internet exchange to act in this respect, but we do expect somebody who runs infrastructure to be more proactive. We understand these different functions and the different properties of companies can overlap, and that it's a complex landscape, absolutely.
AUDIENCE SPEAKER: From the Portuguese NREN and the CERT there. Just on a positive note, what you described, getting the feeds from three sources, is something we have done for years and we just distribute it to our universities and members.
MICHIEL STELTMAN: Very good, thank you. A last remark: some of these sources are not available to every company, they can be available to an individual company or to a group, there are very many different restrictions on getting these feeds, and also by having science and universities involved we find that the access, aggregating and collecting process can be easier, so that's something to keep in mind.
AUDIENCE SPEAKER: From the national association of ISPs in Romania. I think we could add to the solution by focusing on what it takes for the authorities to actually find the perpetrators, the attackers, and to chase them down, and this will solve a lot of problems, because by the power of example the others will somehow win. This is usually a very neglected way to approach this phenomenon, which is unfortunately too large. If we make a comparison with, I don't know, the automotive industry: the police immediately give fines to those who are breaching the traffic laws, but in this case almost nothing happens, so this is why the phenomenon is so large.
MICHIEL STELTMAN: Thank you. I want to add to that: dealing with perpetrators is a tricky thing, as we discussed also with the questions from Leiden University; that can be a can of worms, because if you get into that area with law enforcement it can potentially kill the entire initiative. So yes, it's thinkable, but we have to be extremely careful in exchanging information with law enforcement for this reason and in processing that.
ACHILLEAS KEMOS: Thank you very much, and thank you for all the questions.
CHRIS BUCKRIDGE: Thank you. I will be pretty quick because I know that we have a panel session coming up after this which will be very interesting, but I did want to give a quick update on some of the Internet governance issues that we are seeing from the RIPE NCC on the global scale, particularly in the last few months. I have called the presentation "swings and roundabouts", apologies for the native English idiom there. The full phrase is: what you lose on the swings you make up on the roundabouts. And it means lots of action ending up exactly where you started, or where you were. And I also like the fact that it indicates the kind of dizzy nature of some of this stuff.
Internet governance has been something that has been building, growing, over the last few decades. It's a bit of a new area, so with that in mind, I sort of feel like you can play around a bit with the collective nouns, so I have gone with a murder here, a murder of crows and a murder of Internet governance venues. We are seeing these discussions growing, moving to many different places. We see it at the global level with the Internet Governance Forum and a lot of activity; we see national and regional events, we have around 30 in our service region, and that is just the RIPE NCC, 76 countries, a lot of activity going on there. But then we also see it spreading to other areas: we see it in inter-governmental organisations, the OECD, the International Telecommunication Union, the World Trade Organisation as one of our mailing list participants, and then a few of the other UN agencies are taking quite an active interest now. The CSTD has been battling out what enhanced cooperation actually means, and UNCTAD, which is the trade section of the UN, has been looking at this stuff in the last few years. And finally, and probably most significantly, there are national and, in the case of, for instance, the EU, supranational regulatory structures and governments, and they have really been starting to flex their muscles in the last few years, and that includes also formations like the G7; we had a presentation last meeting about the Christchurch call that came out around the G7 meeting, and the G20.
But, at the same time, and continuing with the creative collective nouns, we have a plague of Internet governance challenges. This list is far from exhaustive; your favourite is probably not on there, but basically these are the issues that Internet governance has been trying to tackle from the beginning. We have not seen this list shrink, but neither have we seen definitive solutions to many of these issues, so that this is sorted and this is how we do it and what we are going to do moving forward.
So, around July last year, 2018, the UN Secretary General formed the United Nations Secretary General's High Level Panel on Digital Cooperation, and I am occasionally guilty of creating that acronym, the HLPDC, probably not helpful, let's stick with the high level panel here. This was a step or a process that was not really directly related to any of the others around. It certainly related to the IGF but is not part of it, it's not multi‑stakeholder in the sense that they did an open call and found a multi‑stakeholder group. This was the Secretary General reaching out to known, respected experts and saying, we want you to have a look, and I will quote here: "Identify good examples and propose modalities for working cooperatively across sectors, disciplines and borders to address challenges in the digital age," not very specific but it's something. There are 20 members; Melinda Gates and Jack Ma are co‑chairs. We have Vint Cerf on there, a former president of ICANN, and Marina, who is part of the global, I am going to get this wrong now that I am saying it, forum for stability of cyberspace ‑‑ Global Commission on the Stability of Cyberspace, but has actually also been recently elected as a member of the European Parliament so is certainly going to have quite an active role in this space.
This committee, this Commission, this high level panel produced a report a few months ago, and I'd recommend you go read it, you can find it at the URL there. They did have five sets of recommendations, and I am listing them here, I won't go through them necessarily, it's a bit motherhood and apple pie and goes into a few of the issues; foster global digital cooperation, it sounds innocuous enough but what it basically means was looking again at what we know and love as the IGF. Recommendation 5A suggests the Secretary General facilitates some more consultation, has an initial goal of marking the 75th anniversary of the UN next year, that they appoint a technology envoy and that they then propose three different models under which they see this continuing, one based on the IGF, another on the structures that the technical community has had and another that is a bit more loose and free‑wheeling.
Important to note here, I think, the 75th anniversary, not because it's necessarily such a big thing but we would be loath to under‑estimate the significance that these sort of of events can have in providing momentum to do something and get something in place. So it's more than just a passing reference in this context.
So basically, what I am here to tell you is that the RIPE NCC developed a response to this. It was not done on behalf of the community, it was done as a participant in this community, an institution that is part of this community, but with certainly no claim to represent the diversity of opinions that there are in RIPE. But basically, the key points of what we are suggesting here are: moving forward we would support a model that builds on the IGF, we see that as perhaps having some improvements necessary, but essentially, a fundamentally good model that can be built on and that has strengths. What we have also argued is that the national and regional IGFs, while there may be many of them, still represent one of the strongest parts of this system and we should have that recognised in whatever solution the UN comes up with.
And finally, the issue of funding, and this is something that has plagued the IGF from its first days, 14, 15 years ago, and the RIPE NCC and other I‑STAR organisations have been strong, consistent funders here, we have contributed, we have seen that, the contributions from others, including other UN member states, dropping off significantly and it's been a challenge for the IGF. What we have said is that any model, any proposal going forward needs to really seriously address that and come up with a solution where every year you are not saying how are we going to afford this and how is this going to be sustainable. There is a link there, you can read the full document on RIPE Labs. It's about a page‑and‑a‑half. So the take‑aways generally at this point, and this is from the presentation rather than from just that document:
There is an urgency and severity to the Internet governance issues we are facing right now. And that's having a number of different effects. The most and perhaps more important ‑‑ most important perhaps is it sharpens that need to do something and I deliberately put that in quotes here, because something can be anything from good to bad but if the most important thing is that you are visibly doing something that is probably not the best recipe for sensible policy.
It splinters the discussion, with everybody wanting to do something you see lots of discussions popping up everywhere. Keeping track is hard, preventing bad policy, even more difficult.
Finally and I said at the beginning that governments are the key player here and perhaps the most important, as it gets harder or more urgent to do something, as it gets harder to engage it gets harder to make the argument those traditional measures or levers that you have like national legislation are not the appropriate way to go forward and that takes me to my final point, which is simply that we are not doing this engagement in IGF and Internet governance for no reason or to feel good about ourselves, we actually need to look and consider that if we don't come up with effective solutions in a multi‑stakeholder way to some of these challenges or at least ways forward, we are putting the model of RIPE and the kind of multi‑stakeholder processes that the technical community is built on, in jeopardy. So there is a very strong self‑interest for this community and for our organisations to actually engage here and successfully.
So, I am happy to take questions. I will put up on the screen here my community service announcements. One is the IGF is happening next month but registration closes on 1st November. You can use the QR code or download the presentation and there is a link there as well you can click on. The other is EuroDIG, which is the European IGF kind of event, it currently has a call for issues. This is something that EuroDIG does to form its programme for next year's event. You don't need to propose a workshop or session, just say this is an issue that should really be discussed in an IGF kind of format, very simple and straightforward, follow the link and you can do that. Thank you.
ACHILLEAS KEMOS: Time to ‑‑ I will give over to my co‑chair who will be chairing the panel.
JULF HELSINGIUS: This is the Cooperation Working Group after all, with an effect on our universe, and one of the ones we have been very active cooperating with is law enforcement and we have forged panel together with Europol to discuss some of the issues law enforcement have come across when dealing with our universe, and let's see if we can together discuss some of them and see if we find some common ground on them. So I invite our panel up to join me here, I will let them present themselves instead of going through them.
SPENCER PAYTON: I am from the RIPE NCC, from registration services. I have been working at the organisation for the past six years, hopefully improving everything and anything that you want. I have been in the industry for about 20 years, working beforehand for ISPs, major ISPs, doing international connection projects and also working as a network engineer for seven or eight years before I joined the RIPE NCC. So I like to think I have seen some background from the commercial and now the non‑commercial sectors, and I hope to be able to continue giving you everything you want, please don't ask for IPv4. Thank you, over and out.
TATIANA TROPINA: I am an assistant professor in cybersecurity governance at Leiden University, Faculty of Governance and Global Affairs. I took this position very recently and before that I was working for the Max Planck Institute in Germany, where I dealt with issues of cyber crime, network abuse, from the legal and policy side. In addition to that I am a counsellor at ICANN so I am not new to the governance of technical identifiers and it's not my first RIPE NCC meeting, although it's only my second one, so very happy to be here, thank you for inviting me.
CHRIS LEWIS‑EVANS: From the National Crime Agency in the UK. I manage a team of infrastructure investigators, so there is roughly half a dozen of us, mixed analysts and technical people, so hopefully RIPE don't get silly questions from law enforcement officers like can you give me the content for this IP address, please. So that's my main role, to make sure we don't ask any silly questions.
PETER KOCH: Good afternoon. I work for DENIC, the German top level domain registry, as senior policy advisor, and the more aged part of the audience will remember me as the DNS Working Group co‑chair, these days I am more into policy and regulation and as well Internet governance, and if that remark is allowed, Chris's analysis was spot on, we are facing the same issues, seeing very much the same things, and in my role I jump back and forth between policy and tech so a less mundane title is being a translator between tech and policy. And we have via scape.
CATHRIN BAUER BULST: Thank you for having me as part of that, and Sebastian has made his introduction that works for me, the acting head of the cyber crime unit of the European Union, and we work on designing policy on fighting cybercrime more effectively. I have done a bit of work in the Internet governance space, so I have looked at these issues also in the DNS space and really look forward to our discussion today, thank you for having me.
JULF HELSINGIUS: We have here a slide of some of the issues that came out of the preliminary discussion about what to discuss on this panel. And do you think, Chris, you would like to start?
CHRIS LEWIS‑EVANS: So I really want to frame why we want to discuss this today. It will be no surprise that cyber crime is big business. You know, just business e‑mail compromise is worth hundreds of millions worldwide every year, and as a result of that, the use of enabling services, so IP space, ASNs, everything that runs into this area, is really key, whether that is use or abuse of systems from good actors or whether it's other criminal actors abusing policies, procedures and just the general technical infrastructure. So, some of the ways that we see, from a law enforcement point of view, systems being misused or abused in this area are the use of unallocated or reserved space, fake or stolen credentials used to gain services, whether that's from RIPE directly or from the LIRs and sponsoring LIRs, LIRs based in tax havens not revealing all their details, which makes it very difficult for law enforcement to make lawful requests to them, reselling and leasing of IPs, whether that is on a short‑term basis and, you know, not updating the database correctly, and again, use of shell companies to bypass some of the protective measures that companies can put in place around geolocation details. So, you know, there are lots of areas there that sort of bump into the space of RIPE policies and procedures and the way the technical models work. Really here, I think, looking at those sort of areas that concern us, law enforcement, we want to look at how we can cooperate better with the community and with RIPE and answer some of these and really make things that bit tighter to allow the community to protect themselves and take action against bad actors.
JULF HELSINGIUS: Catherine, do you think you would like to go next and elaborate on this?
CATHRIN BAUER BULST: Thank you so much. And I think my points are pretty much already on the slide in front of you, which is wonderful, so to come back to Chris Buckridge's play with challenges, we are concerned about the fight against cyber crime or any that makes use of the IP address space as a resource and I have five points that we put together as our own little first problem assessment when it comes to the RIPE database in particular.
So there we have, first of all, the challenges around the lack of accuracy of certain entries in the database. Now, why does that matter? First of all, we have found in investigations in other spaces that when you apply a policy of know your customer, so when you actually ask actors requesting IP space to register their details, you see an impact on the level of abuse, because the mere fact of demanding accurate data makes a difference to the incentive structure of criminals using that IP space. So that's why it matters.
And for law enforcement of course that's the basic information they need to serve legal process, not only individuals who might be suspects but rather just those companies that are providing Internet resources to those individuals.
The second problem that I want to flag from my little list of five is that the definition of the purposes of the database is a little bit unclear. There are some aspects in the RIPE policies that speak to the various purposes of the database, but this is not necessarily an exhaustive list. And why is that important? First of all, it is helpful to all and any customers and RIPE members to know what exactly the purposes of the database are. And secondly, when it comes to personal data, of which there admittedly is not too much in the database but nonetheless there will be some, it is important to have the definition of "purpose" clear, also from a data protection regulation perspective.
Now, the third challenge that I would like to flag and it's also reflected on the slide in front of you, is that there are ‑‑ there may be an issue with respecting the policy, especially when it comes to delegating down IP space. So, while we might see better compliance at the level of RIPE members themselves, it seems that there is an issue in cascading down the obligations to those entities which might see sub‑delegated IP space. And once again, that calls into question the effectiveness of the policy as such, which is not a good thing.
The fourth point of mine is linked to that, which is that when you look at the room today, and I assume most of the active participants in the RIPE community, what you are dealing with here is actors who are keeping a clean space and making sure that they do their proper due diligence on applying and implementing policy; however there are people who benefit from the resources made available through RIPE that may not have the same approach and that creates a bit of a challenge.
And that brings me to my fifth and final point, which is that, from the RIPE policies as we have analysed them, there are limited tools for actual enforcement of the RIPE policies, including on the accuracy of the database, and that creates a bit of a challenge when it comes to actual proper implementation of that policy. So that might deserve a closer look.
And I think here we are really dealing with the very basics of having ‑‑ founded management, this is not fancy cross‑jurisdictional issues, but we are, as the European Commission, from our side we are looking to engage on this, we have followed the efforts that have been spearheaded by Europol for the past two years, we are more than ready to engage and also in view of what Chris alluded to and what Sebastian referenced, the pressure from regulators, and that includes us as the European Commission. We are fully committed to the multi‑stakeholder model and want to find solutions with you and that is why I am here; these problems have been around for quite some time. So I really look forward to engaging with all of you to show that this effective multi‑stakeholder governance that Chris was aiming for can also be realised on this problem. Thank you very much for your attention.
JULF HELSINGIUS: Thank you, that was very useful. Spencer. There were a lot of things there that focused on RIPE policy and NCC processes.
SPENCER PAYTON: The first point was regarding the accuracy of the information in the RIPE database. We can approach this on so many different levels but I'll start off by saying that as an organisation, we are a membership organisation and we have a mandate to cover a certain amount of ground. And the basic mandate, if I remember the correct wording, is to fully maintain the accuracy of the registry, and I guess in very simple terms we are talking about what the RIPE NCC puts into the RIPE database on behalf of its members. We have certain processes and procedures in place to verify what we are putting in there to start off with. We are looking at who our members are, we obtain a certain amount of information regarding them to make sure that we actually are registering an organisation that we can recognise, whether it's a one person organisation, a single person, or whether it's an organisation, a large corporation, no matter where they are in the world. As Nikolas mentioned earlier, we are facing a challenge that the membership is also coming from a space outside of our traditional service region, which requires maybe additional checks and expertise to make sure that we have actually correctly identified who we are doing business with, effectively. There is a second layer to this: once we have gone through that process and issued those resources to those organisations and members, they are under a certain level of obligation as part of their membership and under the policy development process to manage those resources effectively, so we are placing a reservation into the system of who those resources are in the name of, and we are relying upon them, because it's a trust based model, to effectively live by those rules and register correctly who is using them and how they are being used.
So if you receive, for example, the /22, it's in your name, and when you actually start to use it, we are relying on you to then correctly register who is using it under the allocation in the RIPE database, with valid and correct contact information. Do we have mechanisms in place to try to ensure this is taking place? Yes, we have certain audits in place and certain checks, but we also have quite an extensive reporting procedure, so if you want to report something to us that's incorrect we can then receive that report and take action, and I think, if I remember correctly, last year we received something like 350 such reports about possibly incorrect information in the database. So, yes, there are mechanisms in place, will it ever be? I guess it cannot be. But it relies on a level of cooperation and that's why I guess the challenge is how do you try to make sure it's inclusive enough to have everyone involved?
JULF HELSINGIUS: Thank you. Tatiana or Peter, who wants to go first?
TATIANA TROPINA: Thank you very much to the three others for their contributions, and I made several rather tactic notes. I want to thank Catherine for such a clear outline of the issues that the European Commission thinks are there. I think that when we come to these issues from the policy and law enforcement point of view, it is interesting, because as Peter said, RIPE and its database and data accuracy is a relationship that is based on trust, or it was. And of course for me, I am young in Internet governance. I know those were being built for many, many years, but when I hear the word "trust" in these relationships about the services and accuracy of the database I immediately think about abuse, because trust does create vulnerability, and this is where criminals can put their hands on and do whatever abuse they want. And I do understand it is very hard, even for me, because I'm coming from the space of, you know, this ideal legal model that everything works like public/private partnerships and we have to trust each other and regulation could be self regulation, probably not any more. They just went too far. And I believe that the first step to this is maybe just to realise that probably trust does not solve the problem. And here comes my second thought:
That RIPE, in a way, and I am sorry for saying this, RIPE does regulate by policy and contract. I know that RIPE is not a regulator, no, but relationship, database, RIPE, their members, are in a way regulated by those policies and contracts.
And what Catherine said about additional problems like the purpose of the database or purpose limitation of the data used in transfer, there is also an additional layer, well, where the European Union and other regulatory agencies are stepping in and have already started regulating this in parts. And I believe I remember my first RIPE NCC meeting, it was in 2014 in London, and I was talking about change in regulatory intervention and relationships based on trust and I remember how much ‑‑ how to say, avoidance, and almost sort of resistance in the community I saw towards the European Commission and governmental agencies coming here to regulate. I just want to say, there would be regulation if RIPE is not going to fix this database problem and this policy problem. There would be some point where someone, either a national government or maybe the European Commission, is too busy, but this regulation will start coming in parts and sometimes it will destroy trust and whatever you already have. So, I believe that it is up to the RIPE community to wake up now and at least start maybe implementing additional checks with regard to accuracy, on its own. I understand that it would be hard to check, especially when the member is located in a territory which is completely out of scope, but otherwise, the pressure of regulatory intervention is going to be quite big, and also, imagine yourself in the shoes of law enforcement, how much struggle they have when they actually come into your database and it doesn't have the data it should have, and nobody checked this data.
So, unless you can meet in the middle in terms of policy addressing this issue or at least trying to address this issue, there is going to be quite ‑‑ I believe that there would be a lot of regulatory attempts later which might not take into account what you actually have here, which might be quite far from reality, but there would be attempts and it's better if RIPE and the community try to fix this themselves and come up with something that is technically sound and technically working, than regulators trying to fix this in their way, and then there might be a lot of mistakes. So, yes, thank you.
PETER KOCH: There is little to add but so much to add at the same time. Taking advantage of being the last in the first round, I dare share some observations, and we have heard lots about trust and lots about accuracy and a bit of the history of the database. So, the RIPE database is part of this threefold identifier system of names, numbers and protocol identifiers, and of course the registries were built in a way that in case of a dispute over a resource, the information should be sufficient and precise enough to decide who owns... or holds that resource, I should say. And there is a certain leeway to give to the subjects in the database because people move, entities move and entities change their name and their legal form and so on and so forth, so that's one thing that happens. All these databases also are highly distributed, in a way that we have a distributed DNS and also through the RIR, LIR or NIR systems, we have multiple entities that feed data into the database and maintain it there. Let's not forget we are talking about identifiers, not packets on the wire, they are like street numbers and not things that happen inside the houses. So that said, the other observation is that people talk about accuracy and it appears to me that they mean different things sometimes, because accuracy ‑‑ it is necessary to interpret that in the context of a certain expectation. Now, as I said, the expectation for the registry, like maintaining a correct register, is that in case of a dispute, where people claim resources and others contest that claim, the registry should be able to support a decision on who is the actual holder of the database. And the database is tolerant, or the procedures and processes are tolerant, to slight mistakes; mistakes are something that you don't make intentionally, and therefore, there is a certain leeway in there.
But, I can't go back into history that far, but probably these were not ‑‑ designed to withstand systematic introduction of false information, which is something that also subliminally came up. So that's one thing.
The other is that it's nice to talk about accuracy and check it and prove it, but given that this is all in the identifiers and we all know, for example, how easy it is to spoof an e‑mail address, so you can even use, in quotes, identifiers without having ‑‑ without being registered as a quote‑unquote legitimate holder, in the case of an e‑mail address, for example, user at domain name. There are also ways to inject packets and receive them on the Internet without being the registered holder for that address space. What really matters, in terms of accuracy, and likely matters to law enforcement, but I am happy to hear your perspective there, is who is having the operational control of the resource that is identified by the identifier, which is slightly different from who is registered as the holder in the database, and that sounds academic and probably is, but it's a very subtle distinction that I think we need to keep in mind when we talk about using the identifier system to actually mitigate cyber crime abuse. We are talking about street signs and numbers, not talking about the packets on the wire, the cars or the motor bikes. Thank you.
JULF HELSINGIUS: I think Catherine wants to start with a comment and Tatiana after that.
CATHRIN BAUER BULST: Just on this accuracy point, because I think it's a really good point that Sebastian made about the street signs, and I would fully agree that the RIPE database is not the finite resource in terms of how to tackle abuse and mitigate it. However, I think if there is an issue with the street sign the likelihood the street will be less careful with who it sub‑delegates the resources to is greater, arguably, so if you are already not able to keep a clean space at your own level, the likelihood that you are doing well on implementing other RIPE policies may also be lower, and the main purpose of the RIPE database, for law enforcement that is, is to have an address to which to serve legal process to actually identify, if you will, the houses in that street or possibly even who is sitting in all those houses. But those are further steps in the investigative chain and really the RIPE database is just the essential piece in the very first step, which is getting one step closer to the actual user of the resource. And if it's not doing that properly, then there is an issue. And that's what is ‑‑ as Sebastian rightly comments ‑‑ not necessarily well characterised by accuracy of the database, but that's the principal aim that we are pursuing when asking for accuracy and we are open to finding a better word for that. Thank you.
TATIANA TROPINA: Thank you, Peter, for being on the spot. Actually I do realise what RIPE and the technical community might mean by accuracy, and the purpose of this database, of maintaining this data, was completely different from what law enforcement actually wants. But I think that also between, you know, like, we don't actually check this and that because it's for a different purpose, and we are collecting all the data which will allow to identify a criminal, this will not happen. Most of the time abusers would be smart, but more accurate data will lead to more clues, and more attention to the accuracy of the database would lead those criminals who think that, you know, abusing this system is so easy to think twice at least. There are lots of steps and grey areas where we cannot do full identification, or you cannot, law enforcement will not be able to in many cases. But at least, how to say, sort of say, some caution, some precautionary measures when you register; some checks, some know your customer techniques, and some steps to introduce these would be already, I think, a big step towards identification, the first step in identification of who is behind this. I don't think that law enforcement actually expects you to make everything 100 percent identifiable, they are not that stupid, and criminals are not that stupid, it's always a cat and mouse game. This is what I was talking about when I talked about meeting in the middle. I do not believe that anyone can, in sound mind and realistically, expect full accuracy here, but between full accuracy and utter lack of accuracy, there are some ‑ that can be made to fix the problem.
PETER KOCH: Peter trading as Sebastian. I was going to make one remark in response to Catherine actually, and apologies in advance for anyone who has an eBGP deja vu, it's important to distinguish between use cases and purposes. What law enforcement has come up with is we expect something in the database and we want to go there and either serve a warrant or open the door in whatever way, but I tried to explain that was not what people had in mind when the database was designed. That does not imply on the other hand that it shouldn't be used for that, but the caveat is important, and it also doesn't, even if we cannot or do not want to change anything, but the main purpose of course is keeping the register for the identification system, maybe some other information is needed that the content of the database can lead to or can help identify, but maybe that other information doesn't have a place in the database or it needs different sources, and this is why, you know, we have the routing system, peering agreements and people who actually push the packets, who might be much, much more qualified to identify their neighbours than something that is maintained in a decentralised way but still centralised in Amsterdam.
CATHRIN BAUER BULST: It's funny how I talk about accuracy and call Peter Sebastian the entire time. My defence there is that a very famous German actor shares the last name with Peter. So Peter, please take it as a compliment.
CATHRIN BAUER BULST: Yes, and thanks also for offering to point out further resources that may be made available for law enforcement, and I fully hear you on the difference between use cases and purposes, and that's part of the second point I was trying to make, which is that we should have clarity as a community on the purposes that the RIPE database is used for. I would argue that that should include the use cases we have just mentioned, also for the reason of their inclusion in other policy and of the fact that RIPE is administering what is a public resource and needs to be administered in the public interest, which includes a certain level of prosecution of crimes. So, that's my two cents on the purposes, but I fully agree with you it's not clearly defined and in fact that is one of the things we would like to remedy.
JULF HELSINGIUS: Daniel?
DANIEL KARRENBERG: I am with the RIPE NCC, I am also the designer and implementer of the first couple of versions of the RIPE database. I know a lot of the history. The one thing that worries me about this discussion is the number of times accuracy and purpose are mentioned, and specifically accuracy, because I am not aware of any really good study of the accuracy. And not even of the fitness for purpose. There is only anecdotal stuff that goes around, so I think ‑‑ I am a bit afraid that by saying it 100 times in different fora, we establish it as a fact before actually seeing whether there is a fact.
The second thing I want to say is that Sebastian, and I now mean Sebastian, a bit under‑sold I think the efforts of the RIPE NCC here. I think from this discussion, if I was someone just coming into this room not having any background, I would see it like, oh, this is just a bunch of ISPs and techies who do something without regard to any ‑‑ to anything that happens in society and so on. This is not true. The membership of the RIPE NCC, which is actually the driving force here, and the RIPE NCC have made quite a lot of effort on the know your customer thing, and it is always underestimated how much effort that is, because we deal with 100 different national jurisdictions and about 1,000 different local jurisdictions on how you register a company, so it's not that easy, and we are actually working on this so we actually know our membership, and we know the people who register stuff much, much better than we even used to five or ten years ago, so just to say that in defence, actually against the impression that nothing is happening.
But I think it's very important, my third point, to listen to what Peter Koch has said, the question about purpose and use and again, speaking to Catherine and other people who have called for better definition of purpose, RIPE, and this is not the RIPE NCC, is already taking steps in that direction by setting up a database task force that will look at this. On the other hand, and now comes my personal opinion, again, the primary purpose of the database is for the membership of the RIPE NCC in the sense that Peter has actually explained quite well, and it's probably a good idea to recognise that there are other societal needs but they are not the primary ones. Thank you.
JULF HELSINGIUS: Thank you.
TATIANA TROPINA: Thank you. So, about deja vu of eBGP and by acronyms and all this, I mean for me this panel is a bit of a historical moment, so I have been in so much agreement with law enforcement and European Commission arguments in my entire life, this was just because I thought we were talking about accuracy of what you, RIPE community, RIPE NCC, whoever you are, put in your database, because if we start talking about use cases or access or you name it, I would be a different person sitting here, because I thought that we are talking about the one thing now, which is not simple, it's a complex issue, which is called fix ‑‑ because my message was, like, I see that RIPE NCC has a problem with the database and accuracy of data. Nobody is expecting you to have 100 percent accurate, nobody. I do not believe that European Commission law enforcement can have this strange super high expectation. Just make it more accurate for the beginning. But if we are talking about access to this database and what law enforcement can do with this database, it would be a completely different talk, I thought we are not even talking about it, we are not even talking about use cases because if we are, I would make a completely different argument here.
PETER KOCH: I need to apologise, that was a traumatic deja vu obviously. Apologies. I was not trying to move into that discussion. What I can do with it. But the question is, what is in there, why it's in there in the way it's there and what can you expect around this? And the distinction between purpose and use case when I mentioned it here is just that ‑‑ just because you have been using it for a number of years actually, and it doesn't in all cases deliver what you expect, that's ‑‑ it might be because the use is not reflected in the initial purpose, and the repurposing is something that Daniel made a strong statement about right now.
JULF HELSINGIUS: And then I would like to give the audience a chance to ask a couple of questions.
SPENCER PAYTON: I wanted to echo some of Peter's sentiments about the fact that ‑‑ what you are trying to use this database for. Without going into use cases of course, if you are just focusing on accuracy, again it's not the only level of resource and cooperation that we in the LIR model are willing to offer. If you do think something is wrong or want us to do some research for you on publicly available information, we are available there as well and do make ourselves available. It's not something that is just fixed DNS and I think there is so much talk about the lack of accuracy, we are not talking about the level of quality of who is in there as well. If you are talking about the lack of something you are not thinking about the benefit of what is sitting there today and the quality of what we have got there right now.
CHRIS LEWIS‑EVANS: So I think if we can make the purpose more clear, and I think the purpose really needs to be updated on what we use the database for because there is so much more public interest around what is going on, so that has changed considerably from when the database was first there, that better informs what we mean by accuracy. I think once we have the purpose down we can talk about accuracy. Just to agree with Tatiana, totally, not 100 percent, people always lie, bad people lie. But really it's about raising that bar to make it more difficult so we stop some of the low level actors from getting in and making it a much harder environment for bad things to happen.
JULF HELSINGIUS: I am going to open mics for the audience and start with something that gentleman with greyish hair back there.
HANS PETTER HOLEN: Grey hair, RIPE chair, day job in Visma. I am both trying to look at this from the community perspective and also from my day job perspective, and we want to have as detailed information in the database open as possible because the police don't have time to help us with attribution, so we have to make a nice package and deliver it to the police, and we have great success with that and cooperation with the police in doing that.
Taking on my RIPE chair hat, the problem space is slightly different. The database is to ‑‑ two very different things: It's the registry that is clearly RIPE NCC's responsibility to keep up to date, and we all rely on the registry to be updated and correct so that we have unique addresses and so somebody else doesn't sell my addresses or I don't sell Peter's addresses. I think that we fully agree upon, almost. Since you talked about regulation, I think that if you look at what happens with phone numbers, if you go to the regulator, they keep a directory of this registration that we have registered to telephone companies, they don't keep a database of who is using all the individual numbers, they just keep a registry of the blocks. And I think that is the analogy between the registry and what the Regulator does. What the RIPE database does is actually taking the customer list of all the phone companies and putting it in one public database. That's kind of like the Yellow Pages but you could ‑‑ white pages actually. I think moving forward, and I'm provoking the discussion here, maybe the time for the RIPE database is gone, we don't need that any more, maybe what RIPE NCC and this community should focus on is keeping the registry up to date. The police would have to go to the ISP, KPN, Telenor, Deutsche Telekom and get the customer information from there and they will have to keep this updated according to local laws and regulations. From the police point of view that is a nightmare because if this comes from Kazakhstan, I have to do an MLAT and that is very difficult. I think that is the easiest framework to put into today's legislation.
ALEXANDER ISAVNIN: Not so great hairs but some. From Russian Federation. First of all, I would like to point out, that to European RIPE region, membership, European Union and different approaches and regulations already have, so that's just a little disappointment. How about accuracy of working police or quality? We have, I would like to remember ‑‑ well, maybe when Europol officer came, okay, I made a Whois request to RIPE database and then to Google Maps, and was not able to find a criminal. How about our request to police guys: stand up and go work, go to KPN, go to others, where you have rights, well for wire tapping, I won't believe I am saying this. Don't ask us, operator community, historical community, to do your work for you. Even in Russia, I don't like police because I don't like Russian police, first of all. Sorry guys. In Russia, Russian police have bad typing, stored information, data retention, everything. Anything with cyber crime, nothing. You just want to bring something Russian police already have to Europe, no. In Russia we have a joke, you can go to corrupted police officer and buy your driving licence, but you can't ‑‑ you can't buy your driving skills. If you can't buy or obtain other way, driving skills, don't try to buy it from RIPE community, go and work.
And the last point, sorry, it is said that all these international organisations should not do politics while they are doing policies. Again, all this discussion shows that we should start doing policy because otherwise regulators will come to us and create stupid regulations. Do RIPE NCC, do ICANN, show to governments and now you are the chief force of the Internet, what we know. I would like to point this to European Commission person, I can't see her but I hope she hears me. You already failed packet network, you already with OSI and standards, you failed creation. If you don't like how Internet works or request special ideas, use other OSI networks which were developed by ITU, don't come to us, we have power to push back governments. If you don't like the rules and traditions, it's called business traditions here. If you don't like it, don't use it. That's simple thing, I think. Thank you very much.
JULF HELSINGIUS: Thank you. Do you want to really quickly respond to that?
TATIANA TROPINA: I actually do. I see one similarity in Hans Petter Holen's ideas and Alexander's intervention and see big similarities to what I have heard in 2014 when there was a big threat of regulation. I see the resistance and it's like, yeah, you know if you are not going to use what RIPE community already has, go to Kazakhstan and ask them and let's do this and that, use whatever Internet if you don't like what we have, but this is what I was saying when I said you have to meet each other in the middle, otherwise you will be regulated, otherwise you would be regulated in one way or another, they will come to you and better if you start collaborating now on your own and build something voluntary because, you know, as we say in Russian, you know, better ‑‑ bad peace than good war. So thank you.
ALEXANDER ISAVNIN: Short follow‑up. As from real ‑‑ they will discuss it. That's how government works. I hope Russian work not exactly like Europeans but same thing.
JULF HELSINGIUS: Do we have any vodka available?
CHRIS LEWIS‑EVANS: Very, very quick. So we come to you for two reasons, sometimes to access the data, that's obvious, sometimes you are the victim as well and we have a responsibility to all victims whether they are a network operator or an end user, so we need to know your details as well so we can treat you as a victim and give you support.
JULF HELSINGIUS: This wonderful new light system we have now blinks red at me, which means we are in overtime. No new microphones but you three can still go ahead.
NURANI NIMPUNO: Just a response to the questions about this sort of dance with regulators, and I am not going to speak on behalf of Hans Petter but I actually would like to support his approach. You can talk about use cases and you can talk about purpose, but what we are actually talking about now is that we need to have something that fits in the legislative environment that we have today, and that's just a practical matter, so I think Hans Petter was not saying that, you know, let's make things more difficult for law enforcement, he was simply saying that the database that we have created that had a particular purpose, maybe that does not fit in this legislative environment that we have today and maybe we need to find a practical solution for that. I am not convinced exactly what that solution is, but I do think that we need to be practical about it and we can have the greatest purpose for the database but if it doesn't work in ‑‑ with the ‑‑ also need to abide by it today, we need to find something else. Thanks.
AUDIENCE SPEAKER: Rabobank. I am very glad for some parts of our connectivity to Internet that there is this lack of accuracy and I will explain it: Amongst others, we have a sub‑delegation of IP space from one of our ISPs and we use ‑‑ those IP addresses to get connectivity to all kinds of third parties and have that connectivity not registered in the RIPE database because, as soon as it is registered in the RIPE database it becomes publicly known there is Rabobank and if you ever ‑‑ since they are not in the RIPE database and I have been challenging and following up with my ISPs that they should not mention us up there, since we are not up there, it is a bit of security by obscurity, I admit that, but so far it has been very effective and where we have suffered massive DDoS attacks on our published IP space, so far we have been safe on our non‑published IP space. Thank you.
SPENCER PAYTON: Again that raises a very tricky area because what you are saying is that the registration effectively doesn't really say who is using it, but the fact is registration should be in place in some format and at the very least, were there to be a problem with those somewhere, there should be a valid and accurate contact that is available to make sure there is transfer policy, there is a problem, they can reach whoever is responsible for that space.
AUDIENCE SPEAKER: That would be the ISP.
SPENCER PAYTON: Exactly. As long as it's somewhere available and it is viable.
JULF HELSINGIUS: We are really running out of time and I will be yelled at the ‑‑ so I will be yelled at anyway. Can we really keep it short.
AUDIENCE SPEAKER: Thank you, we haven't had much of a discussion about one of the points listed on your slide there that I know is of considerable interest to some of our colleagues from law enforcement, the question concerning our PDP and a limited number of members dominating a process and the notion of consensus. I thought I could assist those that are ‑‑ that I know are very interested in this question, especially when they find resistance to proposals they bring forward. The RIPE Task Force on accountability spent two years investigating a number of issues and spent a particular amount of time considering the second question in particular in great detail, and by implication the first as well. The conclusions from that are documented in the RIPE Task Force's report, which was agreed by the RIPE community as a whole I think last Christmas or something. It got a publication number in July as RIPE 723. The definition of consensus is not something that is precise, it is somewhat qualitative and there is some ‑‑ considerable judgment that is invested in the chairs in determining whether consensus has been found, and a lot of principles and discussion as to how those principles can be applied and should be applied both for the guidance of chairs and for the whole community. So if this is something that is exercising you, RIPE 723 I think will give you a lot of information.
JULF HELSINGIUS: Thank you.
HANS PETTER HOLEN: I will promise not to complain about you going over time then. Two things: First of all, challenge accepted, we will not lay back and wait for the regulators, we have started a task force to look at the purpose of the database and there is a participant from Europol in there, Peter is in there, so I am eager to see the outcome of that, they will present themselves at the community plenary tomorrow, so that's kind of my second point, the RIPE policy development process and its fitness for purpose is actually on the agenda there as well for discussion, so that's also a discussion that we plan to start now. With this new slot on the agenda, RIPE community plenary, we can address some of these more fundamental issues with what we have been doing, we can't fix everything at once, it will take some time, but the conversation has started.
JULF HELSINGIUS: Thank you. Thank you to all of you on the panel. This has been an excellent discussion. Thanks.
LIVE CAPTIONING BY AOIFE DOWNES, RPR