Staff Assessment - Internet Number Resources review by AFRINIC-v7

 

Proposal

AFPUB-2016-GEN-001-DRAFT07

Title

Internet Number Resources review by AFRINIC 

Proposal URL

https://www.afrinic.net/policy/2016-gen-001-d7#proposal

Assessed

21 May 2019

 

1.0 Staff Understanding of the Proposal

 

  1. AFRINIC to conduct resource utilization reviews (audits) of IPv4, IPv6 and ASN resources randomly, periodically and/or triggered by a whistle-blower to ensure compliance with policy provisions and all terms of the AFRINIC RSA. 
  2. Non-Compliant resources shall be recovered (and can be Reallocation guidelines have not been clearly stipulated in policy text, so AFRINIC shall apply the current guidelines for reclamation & reallocation). However, AFRINIC shall contact the member in breach to initiate efforts to work towards restoring compliance, which should last at least 6 months. If the member is cooperative and working in good faith to substantially restore compliance or has a valid need for additional time to renumber out of the affected blocks, AFRINIC shall negotiate a longer term. The acceptance level of compliance and duration of the longer term are at AFRINIC staff discretion. The 6-month period to restore compliance will not be given in cases of fraudulent resource acquisition or unlawful usage and abuse.
  3. A review of the same resources for the same member can only be conducted once every two years (24 months), irrespective of the nature of the complaint.
  4. Complaints made against any member by a whistle-blower must be backed by evidence. AFRINIC may require that such evidence be submitted in the form of a sworn affidavit or declared to be true before a Commissioner of Oaths (of any jurisdiction - not necessarily Mauritius or country of originator of the complaint). 
  5. Members not happy with the review result have the right to appeal within four weeks of completion of the review. Appeals shall follow an arbitration process as provided for in the 'Code de Procedure Civile (Code of Civil Procedure)' of the Republic of Mauritius. AFRINIC may, on request from an aggrieved party, suggest a pool of arbitrators who shall be knowledgeable volunteers from the community. 
  6. A report of all review/audit activity conducted every year will be published on the website, contents of which must comply with the necessary and appropriate applicable laws and regulations (details at AFRINIC discretion).
  7. Specific staff interpretation/understanding of key proposed clauses:
    1. (13.3.1) Random: By Random Selection, we understand this to mean that equal weight will be given to each member regardless of their category and size. AFRINIC staff will use their discretion to establish a schedule of review for members.
    2. (13.3.2): Member is selected because of an internal report or due to a lack of contact between AFRINIC and the member. We understand that this section covers cases where, for example:
      • Internal reports reveal certain whois/business rule inconsistencies or non-compliance with policy and/or the RSA.
      • AFRINIC has received bounces when sending members their annual invoices or other key correspondence.
    3. (13.3.3 A): Member-Requested review: We understand that this section will cover a Resource Member initiating contact with AFRINIC and requesting that they be reviewed within the guidelines of this policy. The motivation of the Resource Member can be to ensure their degree of compliance with all AFRINIC policies that the resources they hold subject them to.

 

2.0 Staff Comments

  1. The RSA as written already provides for reviews/investigations/audits. Article 4(c)(iii) of the RSA states: "The Applicant hereby irrevocably... further acknowledges that AFRINIC may at its own discretion and for good cause and common Interest of the stability of the Internet, investigate or cause to be investigated, the Applicant’s use of the services by the appropriate and competent authority(ies)", further reinforced by articles 4(a) and (b).
  2. Under proposed 13.3.3(b), the text "There has been a community complaint made against them that warrants investigation":
    1. As per policy, AFRINIC shall evaluate the facts and determine whether a complaint warrants investigation.  
    2. Is it mandatory for staff to conduct a review of the Resource Member when a community complaint has been received? Our understanding is that:
      • AFRINIC receives a community complaint against a Resource Member. 
      • AFRINIC staff assesses the complaint based on the evidence provided.
      • AFRINIC staff may conclude that the complaint does not warrant that a review be initiated.
  3. In 13.5, authors should clarify if the arbitration process can be initiated by the member anytime during or (only) after the review is completed. There also needs to be a time limit around when the arbitration process must complete (for the arbitration team to produce their findings/report). The words "within the four weeks" could be reworded to indicate at what point the 4-week period starts.
  4. All review requests shall be handled First in, First Out (at staff discretion). A review request could take a very short time or a very long time depending on how readily all requested information has been provided, the class of review and quantity of resources under review. Although uncertain, there could be considerable overload on staff depending on the influx of review requests.
  5. On the clause: “The review shall be conducted in full transparency and neutrality” - Authors and the community need to understand that AFRINIC cannot disclose details of an ongoing audit/review to the public while doing the review (if this is what authors meant by "transparency").
  6. On the clause: “AFRINIC shall publish the resources to be recovered for a period of three (3) months; during which the organization may at any time, seek compliance” - AFRINIC will add “remarks” attributes to the concerned whois database objects. Information in the attributes will indicate that those objects are under audit. We think that this is sufficient to address the "publish" requirement in this clause.
  7. Proposed 13.4 A states "AFRINIC shall attempt to contact the organization and correct any discrepancy towards the RSA. Except in cases of fraudulent resource acquisition or unlawful usage and abuse, the organization shall be given a minimum of six months to effect the return of the resources. If the organization is cooperative and working in good faith to substantially restore compliance or has a valid need for additional time to renumber out of the affected blocks, AFRINIC shall negotiate a longer term. The acceptance level of compliance and duration of the longer term are at AFRINIC staff discretion." We suggest re-wording to: AFRINIC shall attempt to contact the organization and correct any discrepancy towards the RSA. Except in cases of fraudulent resource acquisition or unlawful usage and abuse, the organization shall be given a minimum of six months to effect the return of the resources. Query: How much time shall those who fit “cases of fraudulent resource acquisition or unlawful usage and abuse” be given?
  8. Proposed 13.4 states “AFRINIC shall initiate the resource recovery process.” We request some clarifications from the authors as follows:
    1. Does this mean that AFRINIC shall mandatorily reclaim all resources held by the Resource Member? 
    2. It may happen that an AFRINIC Resource member has not completely registered the usage of its resources on the AFRINIC whois database. Shall they be informed that if they do not fix this, AFRINIC shall reclaim all the resources they hold? 
    3. If a member requested and qualified for a /16 IPv4 prefix in 2012, and at the time of review we note that they are only using a /20 worth of resources of that allocation, what shall AFRINIC do? Reclaim the /16 or perhaps negotiate for a return of the resources (a change request as per RSA can easily cover such cases)?
  9. The RSA, article 4(a), allows a member to notify AFRINIC of any changes to their usage. The RSA, article 6(d)(vii), requires a member to correct any breach. In draft-06 of the review proposal, section 13.4 seemed clear that the organisation would be given the opportunity to correct any breach, and that this could include notifying AFRINIC of any changes, consistent with RSA 4(a) and 6(d)(vii). However, in the current draft-07 of the review proposal, the text of section 13.4 has changed significantly, and it is no longer clear whether the organisation will have the ability to notify AFRINIC of any changes or to correct any breach. Staff recommends that the text should be clarified to ensure that members retain the right to correct any breach or notify AFRINIC of any changes to their usage, provided such usage is consistent with adopted policies.

 

3.0 Comments from Legal Counsel 

The legal advisor expressed reservations about the publication of the resources which may be recovered over a period of three months. Since in the RSA AFRINIC has bound itself to comply with data protection and confidentiality laws, there is a need to be cautious regarding the information published, as this could be seen to amount to a naming and shaming exercise.

 

4.0 Implementation

 

4.1 Timeline & Impact

The proposal will be implemented within the stipulated schedule in the PDP.

 

4.2 Implementation Requirements

Updates to internal processes as appropriate.

 
