There are two things with regards the informations recorded in the data base. I am certainly glad that you talked with the Dutch Data Protection Authority but as fas as I know it is the laws and regulations of the country concerned which matters. Sure you could say that the RIPE DB is located in the Caymen Island but if we are a European Institution and if this Institution wants to be respected by the different EU countries, it has to follows the rules of the different countries. I can't talk about what rules are in other countries because I don't know them enough but in France you have to have done a proper declaration to a French body (CNIL) which takes care of this and you must have the authorisation from the people whose information is recorded. Other countries probably have other rules. I don't know if the RIPE DB has done the needed paper work with the French CNIL but if not, then NOT one French LIR should record information in the DB. The risk is heavy fine and jail. This is just an an example but with the EU Rules being somewhat different in each country this subject of privacy should be seriously reviewed and the right lawyer put onto it. This is not just privacy but even just recording information in a DB about the LIR's subscribers is forbidden in France unless properly declared through the body CNIL. As far as spam is concerned: spammers are using the e mail addresses recorded in the data base. I receive spams daily on the addresses (role addresses for that matter) which have been entered in the data base. THe RIPE DB is one of the best source to obtain mailing list: it has the name of the LIR and roles which in turns redistribute to internal mailing lists of the LIR or of subscribers of the LIR. I don't have solutions to the above points but these are important topics which could be discussed in the next Ripe meeting. I have seen the efforts to clean the DB. There are plenty of positive things but as far as I know the privacy and just recording personal infos in the DB could use a little review. Pascal Julienne President Directeur General EURO CONNECT SA 130, rue du Bourg-Bele - BP 21099 - 72001 LE MANS Cedex 1 - FRANCE Tel : (33) 02 43 14 12 76 - Fax : (33) 02 43 14 12 77 http://www.euroconnect.fr Le contenu de ce message ne represente en aucun cas un engagement de la part d'Euro Connect sous reserve de tout accord conclu par ecrit entre vous et Euro Connect. Toute publication ou diffusion, meme partielle, doit etre autorisee prealablement. -----Message d'origine----- De : address-policy-wg-admin@ripe.net [mailto:address-policy-wg-admin@ripe.net]De la part de Shane Kerr Envoye : jeudi 14 aout 2003 18:04 A : Pascal Julienne Cc : address-policy-wg@ripe.net; db-wg@ripe.net Objet : Re: [address-policy-wg] IP Addressing policy on personal contact info (kf) Pascale Julienne, Pascal Julienne wrote:
In France there is such a thing as unlisted phone numbers which remain private and unknown. Further, the RIPE DB is becoming the best spam list in the world. So yes, responsability lays with LIR, yes let's clean the DB, yes respect privacy.
I think there are two sides to this issue. One is what the RIPE NCC can and has done to increase the privacy of people who have contact information in the Database. We have been trying to increase the privacy protections in the Database over time: - person/role objects removed from public FTP site - DB automatically rate limits access to person/role objects - mntner/irt objects removed from public FTP site - .DE person object deletion - automatic cleanup of unreferenced person/role objects The Allocation Editor on the LIR Portal should allow LIRs to keep their contact data up-to-date. We have talked with the Dutch Data Protection Authority about the Database as well, to make sure that we don't run afoul of the EU privacy directives. There has been some discussion at the last RIPE meeting about how the Database both aids and hinders spammers. Suggestions such as checking validity of contact information, as well as possibly putting fake entries in the Database and tracking spam they receive were mentioned. The second issue is deciding on what contact data *should* be in the Database. This is the job of the address-policy-wg, and perhaps the db-wg. A related issue is how the data should be accessed, which is also something that can be decided by the same groups. Katri Forsberg did a service by raising the issue. As a final issue, I am curious why you say the RIPE Database is becoming the best spam list in the world! I think that it probably generates a lot of spam for LIRs, because they have their contact information on many objects in the Database. I don't know any way to avoid this if the Database is public. I hope that for the end users who's information is in the Database for only a small number of addresses that they do not get much spam originating from the publication in the Database. The RIPE NCC is certainly interested in mechanisms that we can set up to prevent such use, as it is explicitly *not* allowed by the license that we provide for the Database. -- Shane Kerr RIPE NCC