[ncc-announce] [news] The Future of the RIPE Database Proxy Service
Axel Pawlik ripencc-management at ripe.net
Tue Mar 5 11:20:40 CET 2013
Dear colleagues,

Following the discussion about the RIPE Database Proxy Service, we have investigated several options for the future of the service. I'd like to first give you an overview of the issue at hand. A detailed analysis is provided below that for those of you who would like to see the finer details.

We are now asking for feedback on this issue from the membership. No actions will be taken regarding the service until an appropriate way forward has been indicated by the membership.

The aim of the RIPE NCC is to keep the registry open and accessible to everyone at all times, just as it always has been. The options are intended to deal with the potential for republishing and possible abuse arising out of that republishing, which the RIPE NCC believes is the core issue at hand. None of the options we investigated would result in any reduced access to RIPE Database data.

Although they can be carried out in a number of ways, there are three basic options as we see it:

- Make it a members-only service
- A contractual service (free or paid)
- Discontinue the service

Over the next six-week period, ending 15 April 2013, we would like to invite the membership to discuss and provide input on their preferred way forward. The RIPE NCC Executive Board will summarise the discussion and propose a way forward at the RIPE NCC Services Working Group. If a resolution from members is required, it will take place at the General Meeting.

In the meantime, the RIPE NCC will continue to offer the RIPE Database Proxy Service free of charge. However, no new contracts for this service will be issued until its status has been resolved. We therefore urge you to put forward your opinions and preference on how we can best move forward with the RIPE Database Proxy Service by emailing <members-discuss at ripe.net>.

Best regards,

Axel Pawlik
Managing Director
RIPE NCC

============================
DETAILED ANALYSIS
============================

The Options
-----------

Option 1 - The RIPE Database Proxy Service becomes a member-only service

Option 2a - The RIPE Database Proxy Service remains a free contractual service (this is the current situation)

Option 2b - The RIPE Database Proxy Service becomes a paid contractual service

Option 3a - Discontinue the RIPE Database Proxy Service (the RIPE NCC is the sole official provider of the RIPE Database web-interface) and retain the query limits

Option 3b - Discontinue the RIPE Database Proxy Service and remove the query limits

Option 3c - Discontinue the RIPE Database Proxy Service and change the default RIPE Database query not to show any personal data, and allow personal data to be returned only when a special query flag with limits is used.

The RIPE NCC is able to facilitate any of the options presented here. However, the RIPE NCC Executive Board believes that transitioning the RIPE Database Proxy Service to a member service is most closely in line with the way other contractual services have been handled. In addition, incorporating the service into the membership would minimise costs while continuing the service.

General Legal Analysis
----------------------

As noted in the RIPE NCC Data Protection Report, the provision of unlimited access to the RIPE Database could lead to abuse of the personal data in the RIPE Database. In the Acceptable Use Policy, the RIPE NCC clearly defines access limits to the personal data in the RIPE Database. Users exceeding these limits have their access to further personal data blocked for a period of time.

The AUP also takes into account queries made to the RIPE Database through web interfaces hosted by third parties (proxies). The RIPE NCC, through the proxy service, gives the authority to third parties to provide access to the RIPE Database through a web interface they operate.
Currently, queries through the proxy service are subject to higher query limits because such interfaces are intended to be used by more than one user. Queries from a proxy will be seen as queries from individual IP addresses and individual query limits for personal data apply.

The RIPE Data Protection Report:
http://www.ripe.net/lir-services/ncc/legal/ripe-ncc-data-protection-report

Acceptable Use Policy:
http://www.ripe.net/data-tools/support/documentation/aup

Options 1 and 2 - Legal Analysis
--------------------------------

There is little difference from a legal point of view whether the proxy service is made available only to members or is a contractual service available to anyone. A membership agreement has different rights and obligations and strengthens the legal relationship between the RIPE NCC and the other party. The RIPE Database Terms and Conditions would also need to be updated to include obligations for RIPE Database Proxy service contract holders.

Option 3 - Legal Analysis
-------------------------

There are no legal implications for option 3a.

For option 3b, the query limits were put in place to prevent/impede the harvesting and abuse of personal information in the RIPE Database. The Data Protection Task Force (DPTF) considered this an effective and appropriate part of the RIPE NCC's due diligence. Almost five years after the implementation of this measure, the RIPE community could reassess the effectiveness and proportionality of having query limits. If the measure is deemed to be ineffective and disproportionate, the RIPE NCC could remove query limits.

Option 3c offers the best data protection from a legal perspective. This option would limit direct personal data exposure while retaining the query limit. However, from a functionality perspective, this might not be wanted.

Option 1 - Administrative and Technical Analysis
------------------------------------------------

This option would have little administrative impact.
Administrative processes are already in place, including a proxy agreement for members. Signing up for the service could in the future be integrated in the LIR Portal, removing any need for manual processing of requests. The RIPE NCC website and publications would need to be updated. All customers would need to be informed.

Option 2 - Administrative and Technical Analysis
------------------------------------------------

This option would involve more administrative overhead for the RIPE NCC. The proxy service contract holder list would need to be managed manually, or software would need to be developed for this purpose. All contract holders would need to be informed and new agreements would need to be drawn up and sent to the users. The RIPE NCC website and publications would need to be updated. If the service remains free, no further administrative work would be needed.

Option 3 - Administrative and Technical Analysis
------------------------------------------------

This option would involve the least amount of work for the RIPE NCC. There would be a small amount of temporary administrative work, including contacting customers to inform them of the action and removing references to the service from the website and publications.

General Financial Analysis
--------------------------

Generally speaking, the financial impact is minimal. The total costs and the additional revenue are low in all scenarios. The cost to maintain the service from a technical perspective is low, although it adds complexity to the overall RIPE Database software and requires some level of additional maintenance. It is difficult to quantify this indirect cost, but it is contrary to RIPE NCC efforts to clean up legacy software and complexity.

The additional revenue resulting from option 1 would, given the current number of active users of the service, be in the range of 5-10 kEUR per annum (there are currently four users).
For option 2b, if the fee was to cover the costs of the service including administration and other related overheads, with there being so few users the fee would probably be higher than the current membership fee. In the other scenarios, the additional revenue is irrelevant.

Your Feedback
-------------

Again, we need your input and ask that you discuss this service and make your opinion known. You can give your feedback by mailing <members-discuss at ripe.net>.