Personal Data in the RIPE Database

This policy proposal has been withdrawn

Policy proposal: 2022-01
Publication date: 10 May 2022
State: Withdrawn
Draft document: Personal Data in the RIPE Database
Author(s):
Proposal Version: 3.0 - 06 Oct 2022
Withdrawn: 17 Nov 2022
Working Group: Database Working Group
Mailing List: Database Working Group
Proposal type: New
Policy term: Indefinite

Summary of Proposal:

Since the beginning of the RIPE Database, personal data has been entered extensively in PERSON objects as well as in other objects’ attributes in the database, such as email addresses for notifications and postal addresses for resource holders. In those early days little consideration was given to privacy and personal data processing. In almost all cases, personal data is not needed. Now the EU General Data Protection Regulation (GDPR) adds legal constraints on personal data and the justification for its use. The RIPE NCC is the data controller and facilitator of the RIPE Database. The servers providing access to the RIPE Database are operated by the RIPE NCC. The RIPE NCC is a Dutch registered organisation based within the EU. Therefore, the GDPR applies to all the personal data contained within the RIPE Database, regardless of where the data subject is located.

In almost all situations, there is no justification for publishing any personal data in the RIPE Database. This policy proposal outlines data that should be used in areas where personal data has been used in the past. All contacts must be documented as roles. There is no need for documenting personal information about any contacts in the database.

Policy Text:

Abstract

This policy arises from the need for the RIPE Database to avoid the publication of unnecessary personal data. Personal data must not be entered into the RIPE Database unless it can be justified according to the acknowledged purposes of the RIPE Database. The three most significant purposes, defined in the Terms & Conditions, that could be considered as requiring personal data are:

  • Ensuring the uniqueness of Internet number resource usage through registration of information related to the resources and Registrants
  • Facilitating coordination between network operators (network problem resolution, outage notification, etc)
  • Providing information about the Registrant and Maintainer of Internet number resources when the resources are suspected of being used for unlawful activities to parties who are authorised under the law to receive such information

For the first purpose, this information can mostly be business details rather than personal information. Only in the case of a resource holder being a natural person, who may be operating from their home address, is personal data involved.

For contact with network operators, no personal information is necessary.

To investigate unlawful activities, the identity of holders of resources and address blocks is needed by the investigating authorities. A valid address of some form could be helpful.

Although it is generally considered justified to enter personal information if the data subject has given their consent, it should be noted what the RIPE Database is. This is a public database. It is available globally to anyone who has an Internet connection. Once you publish any information in this database, it is public data. The full details of that data may be downloaded and copied by many people. Anyone who is concerned about privacy should not consent to their personal data being published in this database. Once it is published, it is too late to worry about privacy. It is already out there: it is public, and it may have been copied and therefore impossible to take back. This is the reality of the Internet, and even if there is a right to be forgotten, there is no means of being forgotten once you have broadcast your personal data in public.

An open, public database has no privacy protection for personal data once it has been published. A PUBLIC database is accessible by everyone. This is one of the many reasons why the RIPE Database should not publish any personal data unless it is essential to fulfil the purposes of the database.

This policy sets out the principles governing the publishing of personal data in the RIPE Database. These principles must be applied to all personal data published in the database by all data maintainers. 

Content

1.0 Organisations
2.0 Contacts
3.0 Notifications
4.0 Verification 
5.0 Compliance
6.0 Legacy

1.0 Organisations

The RIPE Database is a global, publicly available registry of the legal entities and natural persons holding and using Internet resources in the RIPE region.

The information held in the database about these organisations may include:

  • Name
  • Postal address
  • Phone number
  • Fax number
  • Several email addresses
  • Several contact references

The name of the organisation (which may be the personal data of a natural person) holding an Internet resource or managing part of an Internet resource, for example a sub-allocation, or using a block of addresses, is an essential part of the public registry. This identification is one of the principal purposes of the database. Any valid address could be helpful. Different types of addresses can be considered including postal addresses. The name and address of a natural person holding or using a resource and operating from a home address are the only personal data that can be justified to be published in the RIPE Database, provided there is documentary evidence held by the RIPE NCC, or a sponsoring LIR, or resource holder that registered the subject’s details in the RIPE Database, that the natural person has consented to their name and address being published in this public registry. This consensual identification is a requirement of the public registry for holding an Internet resource or managing or using part of an Internet resource.

A postal address may optionally be added by the resource holder or manager. Where the resource holder, manager or user is a natural person, the parts of any type of address more specific than country and region must not be entered in any object attribute.

The phone numbers, fax numbers and email addresses must not include any personal data for any form of organisation.

The holder of any contact email address and phone number must be aware of the registration and publication of these contact details in the RIPE Database and will be required to verify that they are the holder of these contact details.

2.0 Contacts

There are several types of contacts listed in the RIPE Database. These include:

  • Technical
  • Administrative
  • Abuse
  • Zone
  • Route ping

The information historically held in the database about these contacts includes:

  • Name
  • Postal address
  • Phone number
  • Fax number
  • Several email addresses 

Phone numbers, fax numbers and email addresses must not include any personal data for any form of contact. Phone numbers and contact email addresses must be verified when entered. The name of a contact should reflect the role(s) this contact has within the organisation. There is no need to publish any form of address for a contact. Contact details must be documented in the database as roles, not as people. Contacts must only be entered into the database if they can fulfil a role for one of the acknowledged types of contacts according to the purposes of the RIPE Database. There must be at least one verified method of contact included for each role.

3.0 Notifications

All mandatory and optional notifications currently defined in the RIPE Database use email as the notification mechanism. Other mechanisms may be introduced in the future. Personal data must not be included in any notification details documented in the RIPE Database.

4.0 Verification 

Email addresses added as contact details and all phone numbers entered into the RIPE Database must be verified. Updates to database objects will fail if the verification fails. If existing contact emails and phone numbers fail to be verified, the RIPE NCC will follow up in compliance with relevant RIPE Policies and RIPE NCC procedures. No one should be able to enter the email address or phone number of another organisation without its permission. Fax numbers will not be verified.

5.0 Compliance

It is not sufficient to have this policy in place and assume all resource holders and users have read, understood and are in compliance with the policy. All organisations holding resources allocated or assigned by the RIPE NCC, or documented in the RIPE Database, must sign a declaration that they have read and understood this policy and that either all the data for their organisation and resources contained in the RIPE Database is fully compliant with this policy or they are working towards full compliance. If they are working towards compliance, the RIPE NCC will follow up in accordance with relevant RIPE Policies and RIPE NCC procedures. For any new organisation that becomes a member of the RIPE NCC and either requests resources from the RIPE NCC or receives them in a transfer, this declaration must be included in their membership contract with the RIPE NCC, and they must be fully compliant.

6.0 Legacy

This policy applies to all organisations and Internet resources documented in the RIPE Database, including legacy resources under a direct or indirect contractual relationship with the RIPE NCC.

Rationale:

GDPR has been in force for several years, and there were other privacy protections before that. We are still living with the mindset that personal data is, for some reason, needed in the RIPE Database. In most situations, it is simply not necessary to fulfil the defined purposes of the database. Contacts are intended to address specific types of issues, such as administrative, technical or abuse issues. These contacts do not need to be natural persons. Rather, they must be business roles. The natural persons behind those roles do not need to be identified for the purposes of the database. We need to move away from the mindset of personally identifying people.

There are still around two million personal data sets contained in the RIPE Database in PERSON objects and potentially large amounts of personal data referenced in ORGANISATION and resource objects and as notifications. Some ROLE objects also contain personal data. The amount of personal data contained in the database is still growing over time. This policy addresses the issue directly. The main purposes of the RIPE Database, a public registry of holders and users of Internet resources, facilitating contact between operators and administrators of networks using these resources and identifying bad actors, can be achieved without the need for personal data in almost all situations. The purposes of the RIPE Database have evolved over time and will continue to do so. Any new purpose attached to the database should keep the amount of personal data required to be publicly available to a minimum and justify any collection, storage and use of personal data in the RIPE Database.

When you also factor in that publishing personal data in a PUBLIC database is an irreversible step, maintainers of this data should seriously avoid entering it unless it is necessary.

This policy proposal outlines the principles for processing personal data in the RIPE Database. How these principles are turned into objectives to apply to the database and all the data maintainers is outside the scope of the proposal. A migration plan and any detailed technical changes necessary should be discussed in a follow-up to this proposal if approved.

a. Arguments Supporting the Proposal

  • It is a legal requirement under GDPR that all personal data in the RIPE Database complies with the evolving purposes of the database.
  • These changes do not affect the references in address policies to registration and contact data.
  • The proposal acknowledges the consequences of entering personal data into a public database.

b. Arguments Opposing the Proposal

  • Achieving full compliance for all existing data contained within the RIPE Database may require follow-up contact by the RIPE NCC with many organisations holding resources to adjust data and verify compliance. This could result in a project running over a number of years.

Impact Analysis

Note: to support understanding of the proposal, details of an impact analysis carried out by the RIPE NCC are included below. This analysis is based on existing data and should be viewed only as an indication of the potential impacts that might result if the proposal is accepted and implemented.

Executive Summary

If this proposal is accepted:

  1. Personal data, especially personal contact details, will no longer be required for the RIPE Database to fulfil its purpose. Therefore, personal contacts can no longer be added to the RIPE Database. Although the legality of having published data prior to this policy will not be affected, existing data will have to be re-evaluated based on this policy. The RIPE NCC will have to follow up with resource holders to ensure they comply with the policy by removing all personal data from the database. This will be required even if the resource holder or their contact person prefers to use personal data in the RIPE Database.

    This also means that:
    • 1.8 million PERSON objects will need to be deleted or replaced; 1 million email addresses and 1.3 million phone numbers will also have to be validated or deleted.
    • RIPE Database objects with contact information (emails and phone numbers) can only be created/updated after verification and active confirmation from the resource holder or the relevant contact person.
    • In cases where the resource holder is a natural person, the person who creates/updates an object containing a postal address must explicitly confirm that they have the resource holder's approval.
    • The RIPE NCC has the right to follow up and ultimately deregister Internet number resources and terminate contractual agreements in the case of non-compliance with the RIPE policy and related RIPE NCC procedures.

  2. Implementing the policy will require significant resources and substantially increase the RIPE NCC’s workload as it will need to handle the verification process and subsequent questions and complaints.

For more details on these points please see the relevant sections in the impact analysis below.

A. RIPE NCC's Understanding of the Proposed Policy

It is the RIPE NCC’s understanding that by accepting this proposal, the community agrees that personal data, especially personal contact details, is no longer required for the specified purposes of the RIPE Database, except when it is to show who holds specific Internet number resources.

This policy will set requirements for the registration of personal data in the RIPE Database. This will exclude data referenced in database objects which are solely related to LEGACY resources not under direct or indirect contract with the RIPE NCC.

The publication of postal addresses will be optional for all organisations. Postal address will be limited to country and region for natural persons. All contacts will refer to roles instead of people, without referencing a postal address.

The policy will give the RIPE NCC a mandate to verify that the publication of email addresses and phone numbers referenced in ORGANISATION objects and in contacts is actively confirmed by the resource holder. The creation of new database objects and updates to existing ones will not be possible if this verification fails.

While membership termination or de-registration of resources could happen as a result of non-compliance with the policy, the RIPE NCC will focus on assisting LIRs to correct any non-compliant contacts.

B. Impact of Policy on Registry and Addressing System

The RIPE NCC does not anticipate any significant impact on Internet number resource consumption, fragmentation or aggregation if this proposal is implemented.

C. Impact of Policy on RIPE NCC Operations/Services

The policy will require the RIPE NCC’s Member Services, Registration Services and Registry Monitoring teams to review and update their procedures. These new procedures can only be followed once the relevant web documentation has been updated and the LIR Portal and other internal systems aligned accordingly. This implementation work will affect staff availability for handling requests and performing their regular duties.

RIPE NCC staff often refer to contacts registered in the RIPE Database, for instance: when establishing the chain of who has held legacy resources, when contacts in the LIR Portal are unresponsive, when asking if resources can be returned, or when trying to reach End Users who hold Provider Independent resources about a change of sponsorship. Once the policy is implemented, reaching the right person without knowing their name could become complicated, especially when phone numbers in the RIPE Database lead to the switchboard or the reception of large organisations, or when sending emails to unspecified recipients. This could increase the number of resource holders that are unreachable or unresponsive and have their resources de-registered as a result.

The policy could also impact the RIPE NCC's reporting and data analysis abilities if many organisations decide to omit or remove the postal address from their ORGANISATION objects. Although by no means perfect, this data often provides a rough idea of where the resource holder is located. This can be helpful when investigating Internet events and outages.

The required verification of email addresses and phone numbers will increase the time needed to evaluate and approve new memberships, as well as processing resource and update requests. It will also make Assisted Registry Checks (ARCs) take longer, by requiring additional checks on the part of both RIPE NCC Internet Resource Analysts and LIRs.

Verification might be unsuccessful for different reasons, such as delays in the resource holder’s response or possible tool outages. This could prevent the creation of new database objects or updates to existing ones. Especially in the initial phase of implementation, a high number of tickets will be generated by LIRs' questions and complaints, asking how and why they need to correct their existing data. Extra effort will be required to inform LIRs about the need to keep registering persons as contacts in the LIR Portal alongside the new policy requirement to register only roles in the RIPE Database.

While we will automate the verification process as much as possible, it is unlikely that the increased workload can be covered with the current resources of the RIPE NCC.

RIPE Database:

There will be no technical obstacles to apply the following changes to the RIPE Database:

  • Deprecate PERSON objects
  • Remove the “address:” attribute from ROLE objects
  • Modify the status of the “address:” attribute in ORGANISATION objects from mandatory to optional

There are currently more than 1.8 million PERSON objects in the RIPE Database that will need to be gradually deleted and replaced by ROLE objects. An indeterminable number of the 153,000 ROLE objects which refer to a person’s name will also need to be corrected.

It will not be possible to implement a technical solution that ensures:

  • ORGANISATION objects for legal entities and ROLE objects do not contain any personal data
  • Name, country and region are the only personal data published in the RIPE Database in ORGANISATION objects referencing natural persons

At the moment there are about 1 million distinct email addresses and 1.3 million distinct phone numbers in the RIPE Database; this increases to 1.7 million and 2 million (respectively) when considering multiple instances of the same value. For context, around 5,000 new email addresses and 7,000 new phone numbers were added to the RIPE Database in July 2022.

Verification will pose significant operational challenges to the RIPE NCC, as we will have to:

  • Verify the use of each email address and phone number, every time it is added
  • Develop or find a reliable external service to verify phone numbers and email addresses
  • Receive positive confirmation from every contact that they approve the use of their data
  • Communicate with users across our service region who may not speak English or understand what we are asking them to confirm
  • Manually respond to a high number of questions

Even if we verify that the email addresses and phone numbers are valid and active, we will not be able to guarantee that these and other contact details such as fax numbers are not personal data. We will also be unable to prevent the registration of personal data in free-text attributes like “role:”, “remarks:”, “descr:” and “notify:”.

There are more than 122,000 organisations with Internet number resources in the RIPE Database. All of these will need to be validated. The “address:” attribute will need a new structured syntax that allows only the registration of country and region in ORGANISATION objects related to natural persons.

Learning & Development:

Implementing this policy will require a full review and update of the learning goals, content, activities and visuals for the RIPE Database and LIR related face-to-face courses and webinars, RIPE Database e-learning course and microlearning videos, and the RIPE Database Certified Professionals exam.

These updates will impact the development and delivery of the L&D portfolio as a whole, as the team’s capacity for other activities will be considerably affected. This will limit the team’s ability to develop new courses and to maintain, deliver, and evaluate its existing ones.

The total expected time required for the updates is six to nine months of work, depending on whether updates to different courses can be done synchronously.

D. RIPE NCC Executive Board

While the board appreciates any attempt to clean up the database, we feel that a requirement to remove all person records from the database is taking things a step too far. 

Specifically, with regards to this policy proposal:

It significantly reduces the usability for one of its core purposes - being able to contact resource holders about their number resources.

It enforces business practices across all resource holders (for example role accounts) where this is not currently the case - especially since not all resources are held by organisations.

GDPR allows for the storing of personal data for valid business reasons. This proposal requires removal of all PERSON records, regardless of valid business reasons.

This proposal also covers legacy registrations under a (direct or indirect) contractual relationship with the RIPE NCC. The proposal does not provide any alternative or means of recourse if the RIPE NCC cannot reach these legacy holders.

It puts at risk the public chain of custody of Internet number resources.

We would welcome a discussion that focuses more on which parts of the data are publicly available, rather than a sweeping removal. Clean-up of person records that are not linked to any number resources has been standard practice for years.

The RIPE Database provides information about the legitimate holders of Internet number resources and their technical and administrative contacts. The contact details for both resource holders and their appointed contact persons consist of various information, such as names, (business) email addresses, (business) phone and fax numbers and (business) postal addresses.

It is currently up to the resource holder to decide what contact details to add to the RIPE Database, and whether they wish to appoint a role/team or prefer a specific person to act as their contact for handling technical and administrative matters with regards to Internet number resources registered to them and their network.

When the processing of personal data is involved, this must adhere to some basic principles in order to comply with GDPR (not an exhaustive list):

  • Data must be processed on valid legal grounds
  • Data must be processed for a specified, explicit and legitimate purpose
  • Data must be relevant and limited to what is necessary
  • Data must be kept no longer than needed for the purpose it was initially collected

Currently, the processing of personal data relating to resource holders is necessary for the performance of the registry function. This function is carried out in the legitimate interest of the RIPE community and supports the smooth operation of the Internet globally (and is therefore in accordance with Article 6.1.f of the GDPR). Before adding a person’s contact details to the RIPE Database, resource holders must first obtain their consent (in accordance with Article 6.1.a of the GDPR).

Although the resource holders themselves are responsible for the registration details they add to the RIPE Database, the RIPE NCC is responsible for operating it. Under GDPR, that creates shared responsibilities on the RIPE NCC’s side with regards to the personal data added and processed in the RIPE Database.

If this proposal becomes policy, it means that the RIPE community agrees that, although the purposes of the RIPE Database have not changed, personal data is no longer necessary for them to be fulfilled and generic contact details should suffice. Even if the resource holder and/or their appointed contact persons wish themselves to add personal data to their contact details, because for example this better matches their business requirements, it will not be allowed under this policy.

Existing registration details were added according to the - until now - valid consensus of the RIPE community that personal data is necessary to fulfil the purposes of the RIPE Database. Accepting this proposal will not affect the legality of the existing registration details as they were made under the current status quo in which the processing of personal data is considered necessary for the defined purposes. The policy requires the RIPE NCC to verify existing registration details as well. This means that all personal contact details will be replaced by generic email addresses. We will also explain to the resource holders that they are no longer allowed to enter any personal contact details anywhere in the RIPE Database.

If this proposal is accepted, the postal address will become optional for all resource holders. Resource holders that are natural persons will only be allowed to register their country and region. In these cases, the party responsible for registering the natural person resource holder’s details in the database will have to obtain ‘documentary evidence’ that the holder has consented to their name and country/region being registered in the RIPE Database.

At the moment, allowing the processing of the name and postal address of a natural person resource holder in the RIPE Database is on the legal basis of pursuing the legitimate interests of the RIPE community, and the mandate to perform the registry function. If this policy proposal is accepted, it means that the community agrees that although the name of the resource holder is needed at all times for the purposes of the RIPE Database, the postal address is not. The resource holder’s name will continue to be processed lawfully on the basis of pursuing the legitimate interests of the RIPE community and the mandate to perform the registry function, therefore their consent is not required. Consent will be the appropriate legal ground to justify the processing of their postal address. The RIPE NCC will have to technically ensure that whenever a resource holder withdraws their consent for this processing, they (or whoever maintains their registration data) will be able to remove it from the relevant objects.

This will also have an effect on the historical RIPE Database records. The RIPE NCC will have to put processes in place so that historical resource holder postal addresses are not returned in historical queries for those who do not wish their postal address to be in the RIPE Database anymore.

Regarding the requirement to obtain ‘documentary evidence’, the RIPE Database Terms and Conditions (see Art 6.3) currently require the person adding data to the RIPE Database to make sure they have the appropriate legal grounds for doing so. Every time a database object is created or updated, the user agrees to the RIPE Database Terms and Conditions. In order to obtain ‘documentary evidence’, the RIPE NCC will consider how to obtain an explicit confirmation from the person who creates/updates a database object that they have the resource holder’s approval. This might require an additional step in the process of creating/updating database objects. To verify compliance with the policy, the RIPE NCC will have the right to ask the party who registered a resource holder’s details in the RIPE Database to submit this documentary evidence.

Lastly, regarding the address, the policy mentions that ‘any valid address could be helpful’. The RIPE Database Requirements Task Force has identified four data management principles that should guide how users should insert data in the RIPE Database, one of them being ‘data consistency’. In light of this principle, the RIPE NCC sees the value of agreeing on the type of address resource holders are supposed to add if they wish to do so (e.g. legal, postal, network location).

The ultimate action the RIPE NCC may take in case of non-compliance with RIPE policies or RIPE NCC procedures is to deregister the relevant Internet number resources and terminate the relevant contractual agreement (e.g. RIPE NCC Standard Service Agreement, Legacy Agreement). The policy does not provide concrete timeframes for the RIPE NCC to allow existing resource holders to update their registration details in order to ensure compliance. For the sake of clarity and managing expectations, the RIPE NCC will have to clarify this in its implementation plan.

The policy also requires all resource holders (both new and existing) to sign a declaration that confirms their agreement to this policy. The RIPE policies already form an integral part of the RIPE NCC Standard Service Agreement (see Art. 6.1 of the SSA). Regarding Provider Independent resources, it is required in the RIPE policy ‘Contractual Requirements for Provider Independent Resource Holders in the RIPE NCC Service Region’ that resources will be used in accordance with the RIPE policies. However, if this policy requires the RIPE NCC to ask for a separate signed declaration for compliance specifically with this policy, this will create a precedent over the applicability of other RIPE policies.

F. Implementation

Due to the large amount of work involved, the new policy will be implemented in phases and automated as much as possible, eventually involving new tools. There will be a long transitional period where only new data and/or updates will be affected, while old data will not be acted upon.

The RIPE NCC will not be able to ensure full compliance with the policy at any given time. This is because it is technically impossible to establish whether email addresses and phone numbers, as well as data registered as free text in the RIPE Database, are personal contacts. It is also impossible to ensure that, even after verification, resource holders will be aware of new registration instances unless the object’s maintainer decides to notify them.

With the information currently available, it is expected that implementation of the proposal, even with clear requirements, will have a very high impact in terms of the software development needed to facilitate policy changes. Internal and external processes and documentation will also need to be updated.

Initially, PERSON objects will be deprecated. When creating or updating ORGANISATION and ROLE objects, registration of new email addresses and phone numbers will trigger an automatic verification that will allow publication of the objects in the RIPE Database when successful.

Correcting existing ORGANISATION and ROLE objects containing personal data will be done when we receive external reports, during ARCs, and when handling tickets. This is expected to be an ongoing activity for years to come. Even if run as a dedicated project, it will not be possible to ensure the full compliance of the information entered as part of free text attributes. It is also worth noting that, should the community reverse this decision in the years to come, this would also be a significant project for the RIPE NCC.

It is expected that implementation of the policy can start after six to nine months from the date the proposal is accepted.