On Tue, Feb 25, 2014 at 08:50:42PM +0100, Michael Horn wrote:
>> We believe these options cover situations where the natural persons do not want to provide their identification card or passport.
>
> It is not about not _wanting_ to provide a copy... You are simply in violation of the law if you demand a copy of an official id.

NCC doesn't care about German law, otherwise it would also have to abide by German data protection laws. But a German copying his/her personal ID is certainly violating the law. BTW, this is only true for the personal ID card (Personalausweis) and possibly passport, but not for e.g. driving license as far as I'm aware.

> It is not about people being concerned that their data might become unintendedly available to a wider audience due to negligence on the RIPE NCC's side,

Wrong. At least for me, it's PRIMARILY about not spreading personal sensitive data to foreign organisations and companies without a factual need for that. Given that NCC cannot authenticate the personal data anyway, there is no point in collecting it for authentication reasons in the first place. This is a fundamental data protection principle in German law (which again, NCC doesn't have to abide by as far as I understand - IANAL):

<german> Datenschutz beginnt mit Datenvermeidung </german>
(data protection starts with preventing collection of data)

To illustrate my point: Just today I phoned the service desk of one of my banks to enquire about some credit card stuff. The only authentication requested from me was my account number (not really private data), my home address (public data, it's even in the RIPE DB) and my BIRTHDATE. And this is the second bank actually pulling off this stunt of using the birthdate as basically the only means of caller identification.

So, I really consider twice (and more) whom I give my birthdate, let alone other sensitive information. And certainly no photocopies of official ID papers.

The fun thing is, NCC asks to TRUST THEM to keep sensitive personal data secure, but TRUSTS NO ONE, even if multiple respected, well known members of the RIPE community in perfect standing, as well as the sponsoring LIR tell them they know the resource holder in person as well as having verified original personal ID.

BTW, US companies also promise to keep your data secure and private. And then comes PATRIOT and FISA. Can't happen in NL? I wouldn't bet on that.

> but compliance with local laws.

That's just one aspect of it, which can be circumvented as NCC correctly pointed out. But the alternatives offered won't fulfil data protection principles or place significant (and IMHO undue) burden on the resource holder (notary declaration will btw. also include sensitive personal data like birth date I fear, I'm about to inform myself about the details now).

Best regards,
Daniel

--
CLUE-RIPE -- Jabber: dr@cluenet.de -- dr@IRCnet -- PGP: 0xA85C8AA0