RIPE NCC Services Working Group
Wednesday, 16 May 2018
4 p.m..
KURTIS LINDQVIST: Welcome everyone, this is the favourite Working Group of you all, as you know this is the NCC Services Working Group. I'm glad you all found a seat. If it's a bit tight... but hopefully you'll fit in.
For those of you who have never attended one of these sessions before, directly after this, we will have the RIPE General Meeting, RIPE NCC General Meeting. If you haven't picked up your little sticker for your badge, now is your last chance to go and do so, otherwise you won't be able to get into the GM, as change from the usual please get out of here, we actually don't need to rush out of here at the end of this session, because the GM will be in the side room, which is allegedly is there, and that's at six o'clock sharp start.
I'm Kurtis Lindqvist, I am one of the chairs of the Working Group together with Bijal, that's all the logistics we need to run through before we start.
We have an agenda that was sent out about a week ago. I don't know any additions to the agenda, there's been one addition as of this morning, which is the presentation from Nurani but with that, we'll start.
And the NCC has kindly provided Vesna to scribe and Marco as the Jabber monitors, as I say we only had the change to the agenda, so with that, that leaves me with the approval of the minutes from the previous meeting, they were posted to the mailing list as per the reminder a week ago and there's been no comments or additions to the minutes. So, hearing nothing else we consider the minutes approved. The minutes are approved.
And with that, I'm going to hand over to Axel from the NCC to give the NCC update and again for those of you who haven't been here before, this is considered part of the GM but it's given here so Axel won't have the give the same presentation twice.
AXEL PAWLIK: Good afternoon. Paul Thornton on Twitter says there is a sunbathing working group outside somewhere. I have complained to Hans Petter Holen, the Chair, because there can be be a sunbathing working group outside. That's a violation of process. I guess it's a BoF or something.
So, update from the RIPE NCC. This is, as we heard, part of the General Meeting, so we're looking back at some of the reports about last year.
So, operational highlights from the end of 2017. Over the course of the year we got 2,593 additional members, that's quite a bit. We have done more than 3,500 /22 allocations, tiny bits, and not quite 2,000 IPv6 allocations, that's good. We had over 2,000 attendees at various events that we organised. In addition to that, we had nearly 100 training courses for 2114 participants on top of the 2,000 before, in 55 locations, that's not bad. 2,389 assisted registry checks were opened and worked through, not totally to the end of course. We had more than 10,000 SLAs probes out there, which is lovely, which is the magical number that we were aiming for. And 328 RIPE Atlas anchors, that's also ‑‑ when did that happen? That's cool. And the other thing that always rattles my mind is the 2.5 million RIPE Stat requests per hour. Very nice, quite proud of what we have done there.
The full annual report is available of course online, and I think it's rather pretty and slightly different from what we have done before as well. So have fun reading it. If you haven't done so yet.
We also have a financial report which is a bit more boring because it's lot of numbers in there and less pictures, I don't know.
But the good news here is totality expenses for last year from 2% under the budget. We have given loads and loads of money back to our members because of obviously we can't control how many members we get. So we budget and when we have more money than what you do.
Reserves are a healthy 12 million. Staff numbers were just over 150 FTEs. The cost per LIR has gone quite significantly down over the course of the year to 9% lower than the year before, that's great.
The result is a deficit of 173K euros. That is, a technicality because when we give back the money to our members, we have to sort of do a guess of how much new members we will get in in the course of the rest of the year, so that's sort of a technical outcome there.
The full report of course also is available and I am sure you have memorised the numbers better than I have.
Focus for this year. The board has given us our marching orders and told us we should look at these main four sort of focal areas for this year in what we are doing and what we are striving to improve.
Registry in the RIPE database to rethink our service delivery and ensure accuracy. We have started that, we of course continually do this but we have put some extra focus on that we have some projects on those things.
Engagement, effective outreach to all stakeholders to stay connected and understanding what they want. To meet the goals of the RIPE NCC. The RIR system, ensure its accountability, transparency and resilience, there is no particular activity on the way, that's something that is sort of going on all the time and we are of source looking at each other, and that's what we're doing there with the RIRs, member base, of course we need to understand what your members want from us and how we can best serve them to meet its needs, the members' needs and also to add value to their business processes and the like. We are doing this, we have done lots and lots and lots of face‑to‑face meetings and other things that we try to get into that place that we understand.
Crazy growth. Nearly 19,000 LIRs, well not nearly, well there is a little bit of May left still. More than 3,000 over the last 12 months. And I think we know what this is, where this is coming from. But of course what this does is, it does impact the last /8 pool. The original last /8 pool is gone by now, as you have seen from the announcements. But of course we had received a couple of address blocks back and we are now allocating from those and we think that those addresses will last us for, if everything goes as planned, another two years roughly.
Transfers, lots and lots of transfers, especially sticking out in 2017. We had seen before that a bit of a decrease in the yearly transfer rate and when we look at the transfers of 2017, that a very large number of them, like 70‑odd percent, are sort of mergers and transfers between parts of one organisation possibly. So, the remaining, I think it was 4 million or so, addresses, so that our regular policy transfers that probably would, or do continue the trend downwards there.
Talking to our members, training is a great important thing there for us and of course, as you know, training is very popular. So, we try to add to that and add new facets to our training portfolio there. Educa is a new thing, it's basically one full day online event that regive together with some members of our community, some experts? Providing support to members who can't make it to the training courses in person, because I don't travel and equal travel costs and similar things. We have done one in April with 170 participants on routing security. The next one is scheduled for June, focussing on IPv6, so if you haven't seen those things, if you have interest, please do come. They are pretty nice.
Fellowships and funding. For quite some years we are thinking about the RIPE community and how sad it is to see some of the old crowd going out into their post‑pension life, and into the pension life. And that we would like to replenish and help to develop the community and get the young folk in. The good thing here is ‑‑ or the very nice thing I have earlier today spoken to a community member who hasn't been here for a couple of years and she says, oh, I do remember some of those faces, that's nice to see them still, that they are still there. Also there is so many new folk, so many young fresh faces, that is brilliant. I think this is all part due to those initiatives. Raising academic corporation and also the various fellowships that we are doing, the outreach that we are doing to other parts of the community, basically talking about RIPE a lot and getting people in. Also, what I hear, we have a couple of new staff members ourselves also who come to a RIPE meeting for the very first time and they say this is very nice, very well organised, we feel pretty much at home and also I hear from others, from new members coming for their very first RIPE meeting saying, you are all so welcoming, it's a nice crowd, I was a bit nervous but the people are so nice. It's a good thing to hear.
Some other recent developments. Internally we have a new ticketing system. That was quite a major production but it's running now. It's working. We promised you the new RPKI validator, that's also there. As I said, we are looking at developing the community and getting in touch with our members more and engaging. So we looked at what we call customer experience improvements, the RIPE NCC contact form aligning end user and LIR transfers, making things easier for you to do. And improving processes in general. We have done some related projects with that and keep come and did sort of the mock member journey and they had a couple of quite interesting remarks and how we are dealing with you and then afterwards sort of the tone changes it's a bit stranger. So, it's interesting information for us to see from some distance and to take action and smooth it out.
And since you are at the RIPE meeting you are probably using the RIPE database networking app and it's the new version and it works better than the old one and nicer and I'm using it myself. It's good stuff.
Other developments. In RIPE Stat, the historical WHOIS now is available on RIPE Stat as well. We have added tagging of measurements, measurements tagging, to the RIPE Atlas, just to make sorting through your measurements a bit easier, grouping them and the like. We have a new probe hardware, you'll see maybe I have seen them somewhere on Facebook also, very colourful printed cases, they are looking very cute but we'll make them a bit more boring as they run through the regular production process.
Anchors as virtual machines, that's something new. The infrastructure geolocation process, slight name‑change there is ongoing. More efficient. BGP Looking Glass. All good stuff, I hope you agree.
On the external engagement, so I was talking to governments, regulators, police forces and things like that. And throughout all parts of our service region, it's still quite a high number of countries and we try to be in contact with everybody as best we can. We also, where we see specific developments in sort of industry specific sectors, we try to make use of that and cater to those as well. Government and law enforcement round‑table meetings we have done in various part of our service region, the first one in Bahrain a couple of months ago. Again, the MOUs, we still find it useful to document what we are doing with different bodies so you are all informed about that.
External engagement, there is the ITU plenipotentiary coming up again. They happen every four years and it feels like, what they just did one. In the UAE at the end of the year, that's one of our external relations focal points there as well to ensure that we know what's going on and that we are influencing the right people the best we can so that we defend your interests.
Other engagements, local community support. We do go out throughout the service region, you see member lunches, member lunches are things that we do when we typically are in a place, for instance with a training, we say people in that city, members, we are here if you want to come for lunch, if you don't come for the training, if you want to come for lunch, talk to us and, you know, meet us and tell us what you like, what you don't like, what you want. So, quite a number of places there we have been to and there are of course more coming up for the rest of the year.
Regional meetings we have planned, the ENOG in Moscow, the SE in []‑‑ some other one, and the regional meeting in Almaty in September. We try to be everywhere, not at the same time.
We also see network operators, you are here, we see network operators groups as sort of our core community too, and we have a nice big map that you can slide around as well, we know that there are over 25 nothings in our service region, number is growing, we try to support them as well. Go and participate in the events and do presentations when they are new and fledgling NOGS, we support them with a little bit of money and advice to how to run those things. We have done a survey there and the results we will use to develop a setting up a nothing guideline basically, helping the new ones there.
I thought there was a meeting, yesterday, on Tuesday, that was very full in the older part of the building, very full and very enthusiastic, so that's nice to see that that is working well. And we have a Plenary session on that on the Friday at 9 a.m., when you are all fresh after the social.
Accountability task force, yes, we have had a BoF earlier this week. It feels like it's the end of the week already, but it's not this week, looking at accountability and talking, engaging with the community on the reporting there that the accountability task force wants to do. There will be a report on the Friday also, I think,
ASO review, I talked about this earlier, and we'll hear about that again. The idea here is that we want to get guidance from you how we should engage within ICANN. I won't go into much detail. You probably have seen it already, the other presentation.
All the RIRs are consulting with their communities. We'll wrap it up after the end of June and report back to you what came out of the global feedback loop there.
We have ramped up and more formalise the our various good of the Internet initiatives. The big excitement here, the Rob Blokzijl award will be announced for the first time tomorrow night. Then we continue to contribute to the long term sustainability of the IETF, as we have said before, with 100K per year. And we have the ‑‑ I won't talk too much about that because Alice is looking forward to doing that presentation in a little while. The RIPE NCC community projects fund first time ran through last year and the call for applications will go out for this year really soon now, and that will be on in a little while.
Other things: The identifier technology health indicators is a big project that the RIRs are doing together. I think we reached out to you there as well with the proposal. The review period is finalised. We are looking at implementation details. We have yesterday decided that the NRO AC, my colleagues from the other RIRs, that we give this thing now to the engineers to implement and we are looking forward to hearing from them how quickly they can do it. We do believe that the first measurements will take place later this year. I am being careful here.
I won't talk much about GDPR. We generally are happy with where we are, we feel really confident, but I won't say much more because...
Some staffing changes. Of course there is lots of staffing change going on regularly, that's normal, but we have a couple of visible changes here in our senior management group, we have a new CFO, you'll refer that Jochem used to come to the General Meetings, he left last year, now we have a new CFO, Gwen, you'll see her in the General Meeting part in an hour or two. Andrew, our COO, is leaving after quite a long instant with us. I wish him lots of luck with the new engagement there, I understand that's a thing that he couldn't let pass. Also, of course, he has been with us for a very long time already. So he leaves a pair of big shoes there. And for the time being, Filippe will be our interim COO and then we'll see how we go into next year. So staffing changes.
The General Meeting, we are a membership association. You are probably, most of you, are our members. I understand that you probably have registered already for the meeting, because it's a very interesting meeting, there are elections there. Two board seats are up. We have six candidates. I think that's a first, that's very exciting. Also, we are all very, very happy with those of you who have already registered because for the first time in history, I think, we made the 10% electorate voting registration number, so 10% of our members have actually registered to vote which is bloody brilliant.
So, we are your association. Come and vote and take part in the whole thing, give us feedback and a piece of your mind.
Right. If you have any questions, I am happy to answer them, or point to somebody who can answer them.
KURTIS LINDQVIST: Any questions for Axel? As I said, any questions for Axel? All right. Thank you, Axel.
(Applause)
Next up is Alistair from the NCC Community Projects Fund.
ALASTAIR STRACHAN: Alistair here. I am here to, as just introduced, to present on the Community Projects Fund. As a lot of, you know, the RIPE NCC have had a long history of supporting good of the Internet projects based on innovative ideas. We formalised these efforts last year with the RIPE NCC Community Projects Fund, and it awards financial support to projects on an annual basis.
Now, this slide originally was pretty text‑heavy, but I figured you are really only interested in one number, which is the amount we have. So for this year, for 2018, we have €250,000, which we will be giving to projects.
Now, the independent ‑‑ I am just wondering where the presenter notes are... any ideas? Okay, we'll wing it. The selection committee. So we have an independent selection committee who are in charge of grading and selecting the winning applications. The members of the committee were selected by the Executive Board, and they were chosen on their broad range of experience and knowledge. They consist of one board member and three members of the RIPE community. So we have Mieke, Nuno, Salam and Andreas. I will just say thank you to the selection committee, you have put a lot of your own time to make sure this is a success and it's really appreciated.
The selection process: Now, this is the timeline that we have for the 2018 call for application and fund. So, we have ‑‑ so as of this evening, we'll be launching the call for application at 6 p.m.. and then there will be a six‑week window to submit your applications. Following that, there will be an eight‑week selection period where the selection committee will evaluate the applications submitted, they will then, from all of the applications, they will all pick their top ten applications, which are then discussed and the winners are selected. So once the winners have been selected, we will announce the results to the community. And obviously inform all the applicants, successful or not, we will let them know the situation. And then, finally, we release the funding and the projects can start.
So, 2017. It was a bit of a hit the ground running, the first round. So the application window was open from the 22nd October to the 24th November. We received 81 applications. And from 30 countries. The top five countries, off the top of my head, were the US, UK, Netherlands, France and Italy. We did also have some from all around the world, we had one from Nepal. So it's a very varied locations where we're seeing projects come from. And we saw that they fit really into three gain categories. So there were a lot of community‑based projects, open sourced software and also research. Now, the winners from 2017, unfortunately without my presenter notes I can't give you all the blub about this. The ARTEMIS project is a prefix hijacking DNS ‑‑ what I can say is, they are presenting tomorrow in the Routing Working Group, so I highly recommend going to see that presentation.
We also have the Internet Atlas, which is the tools for digital literacy, that is creating a publication to highlight the monitoring digital rights online. We had the iSEND, which is a lightweight IPv6 secure neighbour discovery implementation for the Android platform. Let's Connect, which is an open source VPN. Open BGPD, that is something I'm pretty certain a lot of you already know about. They actually, this week, secured complete funding, so, there is another seven community bodies who have actually all got behind this project, which really shows it's something the community supports. The Tajikistan K‑root DNS mirror, that went live on the 24th April, so that is now available and reporting an then the cryptography tech project which I think everyone knows about.
Lessons learned. As I said, there were ‑‑ we hit the ground running, we had a very small timeframe for the last round of applications. In fact, we had about, I think, nine weeks to do what felt like a year's worth of work. So, with that, in that timeframe we actually received a lot more applications than we expected. We were ‑‑ as I said, 81 in total in that four‑week period.
Looking back at the last round, there were definitely areas of improvement that were highlighted. Now, the main ones that we have worked on already, the submission system. The submission system was ‑‑ there was no way to stop applications coming in after the cut‑off point, which caused a few issues with time stamps and time frames and applications, but we have improved the submission system so it's now an automated process that cuts off. The application form. The selection committee obviously had 81 application to say run through and the application form previously was very ‑‑ well, was too big. With the help of the Selection Committee, we created a new application form that's more concise and will make it easier for them to actually grade the applications without reading miles and miles of text.
Also, due to that timeframe, the period the Selection Committee actually had last year to grade the applications was very small. So, this year, as I mentioned in my previous slide, they have now actually got eight weeks to run through the application. So it just let's a little bit of stress off the people who are volunteering their time to do this.
Also, something that was fed back by a number of applications that were unsuccessful was clearer communication for the reason. Again, this falls back to the timeframe that we had. But this year we will be making more of an effort to give reasons to both selected and rejected applications.
So, the call for application. Although it says now, that is slightly fake news. It actually opens around 6 p.m. this evening it will go live. The window itself will be open until the 29th June. And the winning projects will be announced in September.
Now, conditions of eligibility. There are a few rules ‑‑ a few conditions in regards to if you are thinking of applying. So one of the main ones is the project must benefit the Internet. Now particularly the RIPE community. I say particularly the RIPE community. The fund was envisaged as a good of the Internet initiative. Something the Internet crosses borders, crosses boundaries, crosses regions. If a project truly benefits the Internet community regardless of the location, it will be considered. The projects must be non‑commercial in nature and can support non‑commercial activity. The funding cannot be used for scholarships and tuition fees. It's not ‑‑ you can't just purchase equipment with the funding. And also, humanitarian aid donations or encouraging political reform is really not what we're after.
So, if you or your organisation or you know someone that has an exciting project that needs help getting off the ground or continuing, please, please send in applications. Please contact us but do consider the conditions of eligibility. There are a full breakdown on the website itself. And when applying, make sure you do provide the necessary supporting documents. So, we need a clear timeline with milestones and deliverables. We need a clear breakdown of the budget and also a clear description of the benefits to the Internet.
So with that, I will thank you. And any questions?
KURTIS LINDQVIST: Any questions?
ALASTAIR STRACHAN: In that case, thank you all.
(Applause)
KURTIS LINDQVIST: Next up we have Maria from the NCC is here to talk to you about something new which you might not have heard before, it's GDPR, it's unknown and unheard of.
MARIA STAFYLA: GDPR. Hello everyone, my name is Maria Stafyla, I am one of the legal counsel of the RIPE NCC and indeed I will give you a presentation on how we approach the GDPR on the RIPE NCC Services. A few words before we get into how we started implementing it. I will give you some information about the background work and what has already been done before the GDPR regime.
Data protection legislation is not something new in Europe and neither is for the RIPE NCC. We were already covered by the EU data protection directive and, in 2006, the RIPE community identified the need to establish a data protection task force in order to evaluate how the RIPE NCC is processing personal data in the RIPE database and in the other RIPE NCC Services. The outcome of this work is documented at the RIPE NCC data protection report that you can find online in case you want to get a more detailed overview.
Just a few words about GDPR. I am sure that you all have heard already what it is. In any case, it is a regulation that describes how personal data may be processed. What are the rights of the individuals. What are the responsibilities and the obligations of the responsible parties. It will become applicable in less than ten days on the 25th May 2018, and it will repeal the privileges legislation.
So, how did we approach the GDPR? When we saw it coming, we identified what we set the goals, what do we want to achieve from this process? So we set three goals.
First of all, to identify and classify the data the RIPE NCC has in its repository and its processing; to ensure ongoing compliance with the GDPR and other related legal frameworks; and to implement an efficient privacy risk management framework that will allow us to respond timely and efficiently in a security or privacy incident.
The first step that we took back in March 2017, we established an internal project, which is a cross‑functional project consisting out of two legal counsels and two information security officers, and of course we requested support from every department of organisation.
So, what have we done so far? We reviewed several of the RIPE NCC Services and in order to do that, we went through all of the processes and services and procedures and tools and softwares, software that we that involved personal and non‑personal data. We classified the various datasets that we have according to their criticality and to their sensitivity. According to the information that we got provided, we reviewed ‑‑ and the data that we have internally, we reviewed our obligations and documentations and some new legislation elements that are introduced by the GDPR. We implemented some changes and amendments. I will give more details later on.
As an organisation, we also use third‑party service providers. When these services involve personal data, we reviewed our contracts in order to ensure that the responsibilities of the parties are clearly defined. And we established that data processing was required. Also, we updated our internal procedures in order to ensure that the rights and the responsibilities of the relevant parties are in place.
Besides the legal review, we also engaged with our ‑‑ with other interested partners. We kept in the loop the RIPE community and our colleagues, of course, and we published several Labs articles where we are describing how we are implementing the GDPR, and of course there is more to follow.
So, what services have we reviewed so far? So, we looked into the RIPE database and this was our first point of focus. And we reviewed the current status in line with the work that was done by the data protection task force from 2006 till 2010, and we reviewed the current status in line with a basic principles of processing of personal data and the GDPR. We identified some issues. And we are currently discussing how to tackle them. We gave a more detailed overview at the previous RIPE Database Working Group. If you have any questions you can always go back to the slides or approach Athina or myself.
We also looked at various conduct forms and obligation forms that we are using as an organisation. As Alistair mentioned for the RIPE NCC community project funding there is an application form, and for these kinds of application forms where we ask the individuals to pride us with certain information we reviewed our personal processes for specifically what data is required for what reason for what purposes who may have access to it, and this exercise resulted in updated privacy text where information is provided in a clear and transparent manner for the individual.
A new element that is introduced by the GDPR is the obligation to report data breach notification, to report data breach to the relevant authorities. This is not something new for the RIPE NCC, because the obligation already exists in the Netherlands since 2016. So what we did, we reviewed the already existing procedure, and we made necessary changes and we reminded our colleagues about this obligation and what they have to be aware of.
Another element that was ‑‑ that we evaluated is the appointment of a data protection officer. Again, this is something new that is introduced by the GDPR. It is an obligation under certain circumstances, and we evaluated whether this is something ‑‑ whether the RIPE NCC is obliged to and we concluded that it is not.
So, what is still in progress?
In order to register and participate in one of the meetings that the RIPE NCC is organising, you have to provide us with certain information. And also in some cases, some of you have to provide us with additional information in order to provide you with a visa invitation letter. Part of the RIPE meeting and the purpose that is we serve in order to facilitate communication between the attendees and also to enhance the open and transparent policy development process, we publish the attendee lists, what we are currently evaluating is for how long can they remain publicly available.
Another part of policy development process is the mailing list. The RIPE NCC is operating various mailing lists. Some of them are RIPE community mailing lists and some of them are RIPE NCC membership mailing list. For the RIPE community mailing lists, for both mailing lists, I'm sorry, for both mailing lists we are reviewing the subscription process and also how is the ‑‑ how is it for a user to unsubscribe from one of the mailing lists. We are also looking at the mailing lists archives and for the RIPE community it is very important that the archives are publicly available and open to everyone in order to promote ‑‑ in order to be able to show transparency and accountability of the policy development process in the RIPE community. And what we are currently discussing is for how long ‑‑ should we keep the membership mailing list open to everyone or should they be restricted to subscribers only?
Our core document where we provide information on how we process your personal data is the RIPE NCC privacy statement, which already gives a clear and a good overview of the personal data that we require for what reason, how we treat them, what are your rights? And we are currently reviewing it in order to make sure that we provide all the required information in a clear and transparent manner an of course to give it in a way that is easy for a user to navigate to the relevant section.
One of the services that is currently in review is the RIPE Atlas. Not only the core service but also related processes, for example the RIPE Atlas ambassadors have to provide us with a contact details of the future hosts. Therefore, we are reviewing, if sufficient information is provided, if any change is required to take place in the documentation information.
One more element that is introduced by the GDPR is the obligation of the controllers and processors to maintain records of their processing activities. This is meant as a record keeping mechanism in order for the responsible party to be able to show easily what personal data is processed for what reasons. It is an obligation under circumstances. We evaluated whether this is the case for us, and indeed it is. And the benefits that we see from having such a record in place is not only our compliance with the law, but also having such a record in place will allow us to respond officially ‑‑ efficiently to individuals requests and also to demonstrate accountability to the authorities.
So what's coming next?
We will look into the RIPE registry data, which consists of ‑‑ and speaking of RIPE registry data, we talk about non‑publicly‑available personal and non‑personal data. In order to fulfil our role as a regional Internet registry, it is very crucial to maintain certain historical information. We see ourselves as a very similar to a land registry, and historic information is very important not only in order to preserve the integrity of the registry, but also to be able to resolve future disputes over registration of Internet number resources and also to be able to demonstrate the chain of custody, how resources went from one organisation to another one.
Of course we have more RIPE NCC Services and tools to look at. We give some examples in the slides. We have more third‑party contracts for external tools and software that we use. We want to implement internal policies on data access and availability and this is not just about personal data but every data that we are processing.
And as I mentioned before, to implement an efficient privacy risk management framework that will allow us to respond efficiently.
So, what is your message on GDPR? It is a legal obligation to continue monitoring and ensuring compliance. We have done our homework and we feel confident on the way that we process personal data. This was already done back in the days when the EU data protection directive was there. We will continue doing that. And let's keep in mind that the right to data protection is not an absolute right. The GDPR promotes a risk‑based approach and we will keep reviewing our practices and procedures while keeping a balance between our role as a regional Internet registry, the interests of the RIPE community, and of course the legal obligations.
So, for us, compliance does not end on the 25th May. We'll keep calm and carry on.
And questions?
JORDI PALET: I think you mentioned somehow what I was thinking in one of your last slides where you have other NCC Services and you have websites. I think the key thing here is considering that IP addresses are personal data according to European Union, so that means that you need to take care of all the locks which have IP data, so it's not just websites, but DNS and many other aspects, and I was wondering also if that's a consideration for Atlas measurements and so on, so just an idea to take a look on that just in case.
MARIA STAFYLA: Of course and thank you for the feedback. We will look into logs and what we keep internally is of course something that we will evaluate. And whenever we have an outcome we will keep informing the RIPE community about the outcome of our evaluation.
AUDIENCE SPEAKER: Hello, this is Athina, head of legal in RIPE NCC, and a colleague of course of Maria. Just a clarification. When we talk about RIPE Atlas and IP addresses and logs and whether IP addresses are personal data or not, there is not a yes or no answer. It's not like it is or it isn't. It depends. And it depends, a lawyer says it very often. But it really depends on what other information the data controller has around this IP address. So if we only have an IP address and time stamps, it doesn't say a lot about the user. So, if we don't have the information about the user, this is not considered as personal data. Just a clarification on that. Thank you.
KURTIS LINDQVIST: Any other questions? No. All right. Thank you very much.
(Applause)
Next up is Keith on the RIPE NCC conflict arbitration.
KEITH MITCHELL: Hello. I am Keith Mitchell. I am one of the RIPE NCC arbiters panel, I have been on the panel pretty much since it started which is quite a long time now.
Really, the purpose of this presentation is to give a quick recap of the arbitration process for those of you who may not be familiar with it, and also to basically put to the community a question that came up at a recent arbiters workshop we had at the end of last year.
So, to set the arbitration in context. It is an informal procedure. There is within Dutch law where the RIPE NCC legal entity is, this concept of arbitration, which is a formal thing, which is a formal process attached to it, and basically it's part of the court process. The idea is that the RIPE NCC arbitration process is an informal one. It doesn't fall within the formal scope of the Dutch law. And, you know, at the end of the arbitration process it's entirely possible that a lawsuit could follow, it would proceed in a normal Dutch court.
But, the legal context and authority of the RIPE NCC arbitration process comes from a service agreement. If you sign the service agreement as an LIR for resources, then you are agreeing to be subject to the arbitration process and to be bound by the outcome of that.
And this is all done within the context of RIPE's policies and RIPE NCC procedures.
How does the process work? Basically, if the party which may be an LIR in general requests arbitration of a dispute they may have with another resource owner or with the NCC itself, the first step is they should attempt to resolve it between themselves. Arbitration can only start if the actual dispute started within the past calendar year and the arbitration process needs to be completed within two months.
There is a panel of arbiters. We have had maybe ten or a dozen of these in the past, some new blood is called for, so, the General Meeting will consider some new candidates that have been recruited and stepping forward. Anyway, usually the party will select the arbiter depending on things like language, legal jurisdiction, possibly some other criteria. When the arbiter accepts it, they introduce them to the parties. There is also a process whereby the arbiter may have conflicts of interest in terms of prior relations or existing relationships with either of the parties. And also, all parties need to sign an indemnification statement so that the arbiter himself is not subject to personal liability. There is then a clock which starts ticking. First step is the arbiter requests all the information that they require from the parties, which they must respond to within two weeks.
The arbiter then has the option of going back to them within after reviewing materials within four weeks, to basically ask for further information, which again the parties must supply within two weeks, if requested.
During the process, the arbiter may decide to request external advice from technical experts or legal experts if required. And the whole process is supposed to wrap‑up within 12 weeks from the start of a procedure. And you know, that's to make sure for example, that a party is not submitting a spurious complaint just to stall things.
When the arbiter comes up with a ruling there are certain requirements. It must have a clear action and be enforceable. It must actually resolve the dispute. And it's got to be based on RIPE policies, publicly available RIPE NCC documents and information that's provided. It's also possible for the arbiter to give recommendations, for example maybe possible changes to policies or procedures that might avoid a similar dispute in future.
Arbiters are all volunteers, they volunteer their time. So, a lot of the administrative nitty gritty, the clerical support is provided by the RIPE NCC. Or optionally, if the RIPE NCC is implicated in dispute and there's a potential conflict by a third party, basically the RIPE NCC can assist with procedural material questions. They screen requests. Sometimes things that come into the arbiters' panel are actually completely random and actually nothing to do with the intended purpose or there may be a lack of clarity, it may be simply a customer service issue, a communication issue. And then basically, they can scope the arbitration proceeding, they can provide a framework for the material assessment of all the information that's coming in. And to help the arbiter in dealing with questions of evidence, but the RIPE NCC's role in this is neutral. They are not basically implicated in generating the decision.
It's also possible the arbiter can use the NCC for a second pair of eyes on a draft decision, just to make sure the wording is correct or clear or such like. And also help with generating the arbitration past case reports finish up on the website.
So, that is basically the current procedure. The arbiters have been through a number of these over the years, there is not a huge number of these cases per year, but they come in bursts and there is a reasonable sort of case history that's been building and precedent that's been built up now. So what's good about the current procedure in terms of, you know, how we have used it and learned and attempted to improve it over the years.
It's fast, it's simple, it doesn't cost a lot of money. It's flexible. The arbiters are people that you know from the RIPE community. We can focus on the community's technical and policy standards without getting sucked down legal rat holes and the legitimacy of the process is potential, you know, if there is a legal test, then that's down to the courts.
Basically, the discussion that we spent some time on at the arbiters workshop is that, well, we have this thing in Dutch law which is basically formalising a formal arbitration process which would effectively replace the possibility of doing these things in the court. So, essentially the question for the community is: Do we stick with the existing informal procedure or does the community feel that the formal procedure would be more appropriate? If it's formalised, then apart from the fact that this basically takes the Court out of the loop, it means that the arbiters are going to have to consider a whole bunch of legal framework issues in terms of the formal process. So we'll be relying very much more on legal input. And really, that means that the arbiters are not people that come from the RIPE community any more. They would be formally qualified people from outside. That's going to cost a lot more money. And it's probably going to be less accessible to you, as community members.
One of the things that the NCC legal team did was they had a look at SIDNs, dispute resolution, which is used for .nl and the other top level domains that they operate. Obviously again there is a Dutch legal entity involved, its membership organisation, and basically what they have done is that their process is actually similar to the RIPE one, which is it's informal, the decisions are binding, the courts remain competent in the event of a dispute over these decisions.
One difference is that, again being a domain name register, actually has ‑‑ accredits WIPO, World Intellectual Property Organisation, and they are very much involved in such things and have a framework for them. So they are basically used to do the administration rather than it being done. Also, SIDN insists on a mediation process at the start of the procedure so the parties agree to mediation before you get into the actual arbitration.
So, that's the main question. I hope that the update on the arbitration process was useful for those of you who are not freshly familiar with it. There is myself, there is Jaap, who is one of the other arbiters here, we are happy to take your questions, and also the NCC legal team who provide the arbitration framework, in case there is anything you want to ask about. So I see ‑‑
AUDIENCE SPEAKER: Carsten Schiefner. I just wonder to what extent all the findings of the arbiter panel have been final so far in that both parties were accepted the finding or the conclusion, or whether to what extent either one of these parties went to the next layer which would be a formal court ruling then?
KEITH MITCHELL: If I recall correctly I don't think we have had an arbitration, a ruling from an arbiter taken beyond that. In general, the ruling has been accepted but thereof certainly been one or two situations where there's been some part ‑‑ you know, somebody submitting the complaint has kind of squirmed against the requirements of the arbitration process because it's maybe asking them difficult questions that they didn't particularly want to answer, but as far as I am aware, there is never been an actual legal challenge to the arbitration ruling.
AUDIENCE SPEAKER: Marco from RIPE NCC. A question on RFC from Sascha Luck speaking for himself. Is binding arbitration even legal everywhere in the service region?
KEITH MITCHELL: That would be one of the differences between the ‑‑ a formal and informal process. The informal process, the binding authority comes from the service agreement. So, I guess if they are signing the service agreement in general, you know, the same legal jurisdiction rules apply to obtaining RIPE NCC Services. I believe that if a formal process was entered into, then there is, and again I am not a lawyer, but I believe that there are formal legal treaties in place which would involve recognition of the ruling of courts in one jurisdiction by another because a formal arbitration was entered into.
AUDIENCE SPEAKER: He just added the clarification that he was specifically, he was specific about declaring the justice system incompetent.
KEITH MITCHELL: I don't think that's a question that I can answer.
KURTIS LINDQVIST: Any other questions for Keith? Thank you.
(Applause)
Next up is Nurani to give us an update on the IANA service Review Committee.
NURANI NIMPUNO: Thank you. I work for Asteroid but I'm here in the capacity of the Chair of the IANA Numbering Services Review Committee. So what is this? Well, you might remember in 2016 we went through this thing called the IANA stewardship transition where basically the IANA services provided by ICANN at the time was managed with ‑‑ through a contract with the US government, the NTIA. And as a result of the transition, it has now managed through an SLA between the five RIRs and ICANN.
So, in essence, if you look at the 'before' chart here, you can see that there was a contractual accountability between the NTIA and ICANN, and after there is now this contractual accountability between the five RIRs and ICANN. And as part of the proposal for this IANA transition, there was this element as well where we introduced this Review Committee and the idea there was to make sure that there was accountability towards the community as well and the community would have the possibility to provide advice in this process.
So, we completed the IANA transition, and look how happy we were. I even got a flower and I thought this is good, I can move on with my life and we're all done, this is all done and dusted.
Then all of a sudden I get an e‑mail saying, hey, remember this Review Committee that you guys proposed, you are now on it. So, that's when we introduced the term 'volintold' into the vocabulary of the RIR communities. The idea was that the Review Committee would consist of members of the community as well as an RIR staff from each five regions, so it would be three times five, and 15 members in total.
So, we did very much as we were told and we formed this Review Committee. And so in the last ‑‑ it was formed last year, we worked on defining ourselves, the charter, operational procedures, trying to do some announcements so that people knew that this was going on. And the role is really very simple. It's for the Review Committee to advise and assist the NRO EC in the review of the services provided by the IANA numbering ‑‑ by IANA, also by PTI as it's now called.
And it's really, in many ways it's an important role but it's also quite a boring role, because these services have been provided for a couple of decades, and for as long as I have been involved in the community, which is almost as long, there have been zero incidents. So, the idea is not that the Review Committee should come up with a new work for the community to do, but it's there for the community to sort of keep an eye on this, and should anything ever go wrong or should there be an incident or anything we needed to address, then the community has a way to do that.
So, every year, apart from the fact that the IANA has been asked to provide a regular updates on its website, on its performance, the RIRs put together this matrix which basically gives an overview of the performance throughout the whole year, and very simply, the Review Committee takes this and we throw it to the community and we say have a look at this, are there any concerns, do you have any comments, any feedback, let us know and we take that feedback and together with our own evaluation of this matrix, we produce a report. It is for the NRO EC as advice, but it's a public process so we put it out there nor everyone to see.
So, this is what it looks like. The Review Committee members in the RIPE region are myself, Filiz Yilmaz and also Andrew de la Haye as RIPE NCC representatives.
What's the current status? We is you at the end of the January we received the matrix. From the performance matrix from the RIRs. It was a very boring, pretty but boring matrix to everyone's satisfaction. And it basically showed that there had been no incidents. So, we followed our process, we tut it out to the community and we received zero comments. You could say that that's a good thing because there were no incidents but it could also be that the community doesn't actually understand that they can comment, so that's one of the reasons I'm here to make sure that the community knows that we have a voice in this process. And we published our report in April. And we basically now all go back to our day jobs and then start our work again next year when the next matrix comes out.
So, what happened in the last year? Well there were not that many transactions in March and July. There was an IPv4 request
TORE ANDERSON: ASN number requests, it was acknowledge on time, implemented on time and implemented architectural accurately. And in September December 2017, there was another IPv4 requests and ASN number request and also no incident.
So that's how exciting this gets. So, four requests in total. We were satisfied with the performance there. We can't see that there is any indication of failure or near failure when it comes to the SLA obligations. And also no concerning, or interesting pattern detected. We got very little input from the community, but that was maybe expected. But we think, but this is why I'm here as well, that we did do sufficient outreach.
It is very much, it's part of the charter that each community representative has their responsibility to do this outreach.
So, that's basically it. I am throwing a few questions back at you. Are you aware of this process? Are you aware that the community now has a role in this? Do you have any thoughts or concerns? Do you have any thoughts or concerns when it comes to the actual performance of IANA over the last year? Or even the way the report interpreted this? Feedback, thoughts and observations...
With that I'm done.
KURTIS LINDQVIST: Any questions for Nurani?
AUDIENCE SPEAKER: Paul Rendek. From the RIPE NCC. I don't have any questions, I just have a comment for you Nurani. I just wanted to thank you on behalf ‑‑ it says it's on but it's not on. Actually I just have a comment for you Nurani, not a question. I wanted to say that I know you have worked really hard on this and you put a lot of your time in on this and you make it look very simple here, but we're watching this and we're supporting you from the secretariat side of the RIPE NCC, I just wanted to say thanks so much for stepping up and always like representing this community really nicely out there. So thank you.
(Applause)
KURTIS LINDQVIST: Any other questions? No. Okay. Thank you.
With that, we're done, we have the usual open microphone. As a matter of fact we have quite a lot of time for open microphone, I'm not encouraging you, but the purpose of the open microphone is that the community can bring any issues, questions, topics, regarding the NCC and their services forward if they want. There doesn't seem to be any rush to the microphones. So, with that, we are done. Thank you all for coming. The GM starts at 6 o'clock in the side room, so we will see you all there. Thank you.
LIVE CAPTIONING BY
MARY McKEON, RMR, CRR, CBC
DUBLIN, IRELAND.
