9 Nov 2021
New CPM art 13.0
1. Summary of the problem being addressed by this proposal
Recent discussions in the RPD and unprecedented situations in AFRINIC demonstrated that some of the information provided for the justification of the requests for resources could be used maliciously and not discovered at a first sight when those recourses are allocated/assigned.
This is especially harmful to the community and the AFRINIC region in general when resources are being exhausted as is the case now for IPv4 and must be avoided.
At the same time, it is understandable that the justification of a request for resources can be confidential as it can provide insights into a business plan to competitors. However, it is also obvious that in the Internet business, time passes very quickly and the need for confidentiality vanishes very quickly. It is difficult to believe, for example, that you request resources for the next 5 years and only in year 5 your business will be public.
In summary, the problem is that long-term confidentiality of a resource request justification is against the principles of openness, transparency and fairness.
2. Summary of how this proposal addresses the problem
This simple proposal looks for the publication of information about resource request justifications after a community agreed period of time unless there is a valid demonstration of the need to extend the confidentiality period.
Note that the information to be published is not the already existing resource registration in whois as per the actual CPM. This proposal looks for publication of the overall resource request justification (justification of the need), which allows understanding of the justified need is sustained at the publication time or not.
New 13.0 of the CPM, as follows:
13.0 Publication of Information
Following the principles of openness, transparency and fairness and considering that we are dealing with community resources that aren’t property, after 2 years of every accepted resource request, a short summary of the justification of that request must be published.
The decision of how to publish the information (e.g. link into whois, new web page, etc.), is left to the discretion of AFRINIC.
The resource member will be warned 3 months before the publication with a draft of the summary to be published. In case there are reasons (such as patents or similar ones), that avoid the publication of that summary and demonstrate the unique nature of the services offered which, if disclosed, could damage the resource member business, it will have up to 1 month, to provide an alternative text to be published or request an extension of 1 year on that publication.
AFRINIC will have 1 month to accept the justification and, in doubt, escalate to the Board that must resolve in a maximum of 1 month after hearing the resource holder.
This policy shall be implemented in such a way that all the resources allocated/assigned for over 2 years, will be chronologically warned, allowing the staff to process the possible responses of “non-disclosure” without requiring extra human resources.
|9 Nov 2021||
Version 2: AFPUB-2021-GEN-001-DRAFT02
|11 Oct 2021||Version 1: AFPUB-2021-GEN-001-DRAFT01
AFRINIC Policy Impact Assessment
AFRINIC Staff Assessment
15 November 2021
1.0) Staff Interpretation & Understanding of the proposal
- AFRINIC allocates resources(IPv4, IPv6, and ASN) to its members based on the latter submitting their needs to justify the resource requests.
- As per this proposal, AFRINIC must publicly publish a short summary of the justifications provided in the resource requests two years after the resource has been issued to the Resource Member.
- The proposal leaves the decision of where to publish these justification summaries to staff.
- The proposal explains that this will be done as follows:-
- AFRINIC will monitor the resources that have reached 21 monthly anniversary date
- AFRINIC staff will prepare a summary of the justification needs for these resources, based on the information that is held in tickets pertaining to these resource requests
- AFRINIC will send a notification to those members holding the said resources, which will also contain the summary (this happens 3 months prior to the 2-year anniversary date)
- The Resource can either agree to the publication or provide an alternative text or defer the communication by stating their reasons(extension of 1 year) within one month of receiving the notification.
- AFRINIC has one month to accept the justification for non-publication of the details of its needs and can escalate to the AFRINIC Board if in doubt.
- Mention is made that 'This policy shall be implemented in such a way that all the resources allocated/assigned for over 2 years, will be chronologically warned, allowing the staff to process the possible responses of “non-disclosure” without requiring extra human resources. Staff interprets this as meaning the implementation will be done so that resource members automatically receive a notification request with a copy of their
and the Resource Members shall confirm to AFRINIC if the text can be published or provide alternate text or request for an extension.
2.0) AFRINIC Staff Comments
- AFRINIC has issued ~6500 ASNs, IPv4 and IPv6 prefixes to its members since 2005
- ~5000 of the above have reached their 2-year anniversary to date.
- The needs justifications are provided to AFRINIC through the different platforms made available to gather such information and are therefore kept in tickets that are logged as a result of a resource request.
- The information submitted by AFRINIC Resource Members is bound to be confidential and used only for the evaluation of the resource requests in compliance with the resource policies in the policy manual. ]
- AFRINIC neither keeps a summary of these justifications nor has sought the agreement of the AFRINIC Resource Member so that same can be published.
- The AFRINIC Resource Members to whom resources have already been issued have not provided any agreement/consent that AFRINIC can publish a summary of their justification.
- The author has clarified that staff is being mandated by the proposal to summarise the needs and share the latter with the Resource Members in the warning issued 3 months before the 2-year anniversary date of a particular resource. For ~5000 resources that have reached their 2-year anniversary date(issuance date is up to Nov 2019), staff will have to examine ~5000 records and make a summary
- Staff will therefore do more work than "process the possible responses of “non-disclosure” without requiring extra human resources" & additional human resources will be required, even if a phased approach is being suggested by the author.
- The proposal as styled lacks an element in regard to AFRINIC explicitly seeking the consent of the Resource Members to publicly publish its justification summary and the consequences of a member refusing to comply.
- The attention of the author is drawn to the statement "allowing the staff to process the possible responses of “non-disclosure” without requiring extra human resources" and that staff will need to process ~5000 records pertaining to the ~5000 resources that have reached their 2-year anniversary. To date, AFRINIC has also issued ~6500 resources to its Resource Members.
- AFRINIC takes note of the author's comments that automation may not be possible and further mentions that the justified needs do not exist on AFRINIC systems at the moment in a single standardised way.
- We would like to mention that AFRINIC expects resulting questions, clarifications, and disagreements in respect to the text to be published or consent.
- On the other hand, in the case of new member requests, the organisations may be requested to furnish an additional summary of their needs justification, in addition to the detailed needs, and provide their consent that the said summary will be publicly published 2 years from the date they were allocated/assigned their IPv4 and/or IPv6, ASN resources.
3.0) Staff Comments On Areas of Impact
Impact on Registry Functions
The attention of the PDWG and Author is drawn to Section 4(d) of the Registration Services Agreement "AFRINIC will comply with all applicable data protection and privacy laws of the Republic of Mauritius in its handling of data and information submitted to it by the Applicant in furtherance of an application for services and use thereof." The proposal as written exposes AFRINIC to a potential breach of section 4d of the Registration Services Agreement, should it be driven by the proposal to publish a public summary in the case where no feedback or consent is received from the member within 30 days.
The proposal will introduce an additional workload for the registry operations team to draw summaries for ~5000 support requests that have already reached the 2 years threshold. In addition, human resources will be required to handle the workload as well as manage the Resource members' subsequent requests.
The legal observations on the texts of the proposal are as follows:
- The present proposal aims at providing for the disclosure/publication of information pertaining to a Resource Member’s needs, i.e. information which would have been shared with AFRINIC during the pre-contractual stage.
- It is apposite to state that all information exchanged between AFRINIC and an applicant (resource member) either prior or during the tenure of the RSA fall under the regime of confidentiality at common law such that AFRINIC cannot, without the express consent of the concerned resource member or pursuant to a Judge's Order, disclose this information to third parties. In fact, this is not something that can unilaterally be imposed on individual resource members by AFRINIC through the latter’s PDP framework. Accordingly, there is no legal soundness to this proposal.
This section will be updated once clarifications have been received and confidentiality concerns have been addressed.
The timeline will be made available once issues have been clarified.