Re: [anti-abuse-wg] Analysis of the Legal Framework and Procedures Proposed by the Data Protection Task Force
There are companies now that download the various whois databases and repackage and resell the data. One company DomainTools.com has their parent company in the EU in Luxembourg. How is it that they download all this data and resell it apparently without a problem. If it was illegal why they don't get prosecuted? This "legal framework" doesn't address any of that. DomainTool.com has filed a lawsuit in the US federal courts asking them to rule that downloading and selling whois data is illegal. the lawsuit in question involves data from Tucows in Canada so it is unclear how a US court can rule on that. In any case none of this stuff in discussed in the legal framework paper. Are there plans to take legal action against DomainTools.com for selling this data? If not, why not? Why are there restrictions on others if some companies are downloading and selling this data anyway? Just like you can't force people to answer their abuse mailboxes I don't see how you can force people to use (or not to use) data in a certain way after it is made public. http://domainnamewire.com/2012/04/06/domain-tools-files-preemptive-lawsuit/
There are companies now that download the various whois databases and repackage and resell the data. One company DomainTools.com has their parent company in the EU in Luxembourg. How is it that they download all this data and resell it apparently without a problem. If it was illegal why they don't get prosecuted? This "legal framework" doesn't address any of that. DomainTool.com has filed a lawsuit in the US federal courts asking them to rule that downloading and selling whois data is illegal. the lawsuit in question involves data from Tucows in Canada so it is unclear how a US court can rule on that. In any case none of this stuff in discussed in the legal framework paper. Are there plans to take legal action against DomainTools.com for selling this data? If not, why not? Why are there restrictions on others if some companies are downloading and selling this data anyway? Just like you can't force people to answer their abuse mailboxes I don't see how you can force people to use (or not to use) data in a certain way after it is made public. http://domainnamewire.com/2012/04/06/domain-tools-files-preemptive-lawsuit/
Instead of trying to grok the text below, I'd suggest to refer to the URL at the end. After reading that page, I still cannot see a direct relevance to the NCC's services or procedures. But it may be within the mandate of the Anti-Abuse WG. Just one comment, as there is a reference to "lawfulness" and *not* quoting a particular law - I presume the north-american legal system is fundamentally different from the approach in other regions. My understnading is that everything is lawful, unless it is forbidden. Then, a reference to a particular law is probably helpful or required. lists@help.org wrote:
There are companies now that download the various whois databases and repackage and resell the data. One company DomainTools.com has their parent company in the EU in Luxembourg. How is it that they download all this data and resell it apparently without a problem. If it was illegal why they don't get prosecuted? This "legal framework" doesn't address any of that.
DomainTool.com has filed a lawsuit in the US federal courts asking them to rule that downloading and selling whois data is illegal. the lawsuit in question involves data from Tucows in Canada so it is unclear how a US court can rule on that. In any case none of this stuff in discussed in the legal framework paper. Are there plans to take legal action against DomainTools.com for selling this data? If not, why not? Why are there restrictions on others if some companies are downloading and selling this data anyway? Just like you can't force people to answer their abuse mailboxes I don't see how you can force people to use (or not to use) data in a certain way after it is made public.
http://domainnamewire.com/2012/04/06/domain-tools-files-preemptive-lawsuit/
Regards, Wilfried
After reading that page, I still cannot see a direct relevance to the NCC's services or procedures.
I believe DomainTools.com also downloads the RIR's whois database and repackages and sells the data along with historical whois data from the domain registrars. Isn't that related to the Data Protection Task Force legal framework? The report says certain procedures and policies were put in place to prevent downloads because it supposedly violates some type of data protection laws. Yet there is a company doing that and they don't seem to be concerned about the law and they seem to be freely selling the data. Do these Data Protection laws actually apply to this situation or are these laws being broken and not enforced? Or maybe some other explanation? It is all unclear to me.
lists@help.org wrote:
After reading that page, I still cannot see a direct relevance to the NCC's services or procedures.
I believe
Well, so this may - or may not - be true.
DomainTools.com also downloads the RIR's
There are 5 of them, so which one(s)?
whois database and repackages and sells the data along with historical whois data from the domain registrars.
From an RIR's point of view, I presume the domain registry stuff is not relevant. Maybe the combining and re-packaging can be used as another argument for violating the AUP(s).
Isn't that related to the Data Protection Task Force legal framework?
I think so, but the linked page didn't include any reference to an IP Resource Registry. I may have missed that though.
The report says certain procedures and policies were put in place to prevent downloads because it supposedly violates some type of data protection laws.
Indeed, both on the administrative side (AUPs), as well as on the technical plane (query limits, anonymizing data before allowing bulk access,...) But I am pretty sure that you als do know, that almost each and every technical measure can be subverted, given a strong (and/or financial) interest :-)
Yet there is a company doing that and they don't seem to be concerned about the law and they seem to be freely selling the data.
Again, a pretty week term: "seem", together with "believe", there isn't too much flesh on the bones to get the legal folks involved, isn't it? They would certainly ask for proof or credible leads, before getting their fingers wet and putting their organisation at (at least a financial) risk.
Do these Data Protection laws actually apply to this situation
They probably do in one way or another, details to be worked out on a case by case basis.
or are these laws being broken and not enforced?
The (legal) enforcement is potentially an entirely different story again, in an international environment, depending on where the breach happened (which part?=, and where the offender can (potentially) be prosecuted or taken to court.
Or maybe some other explanation? It is all unclear to me.
Now, moving a away some distance from "mere" AUP or (C) violations... If you are really interested in getting a handle on "bad stuff" on the Internet, you could try to get involved in the security and incident handling ballpark. (I am to some degeree). Personally, I am convinced that the IP Resource Registry environment is the wrong tree to bark at, in general. There's a whole infrastructure out there (law enforcement, voluntary, commercial, incident response teams, national CERTs,...) that is active with this respect. The RIRs are at the far out periphery of that, at best, although they try to support the "pros" where they can... Hth. Wilfried. Note: I am not representing the NCC with my comments here. But I was a member of the DPTF. And I sometimes get a glance at or information about "funny stuff".
the IP Resource Registry environment is the wrong tree to bark at,
I have no idea what points you are trying to make in your replies. You seem to want to nitpick certain words in some sort of incoherent fashion without making any actual point about the issue at hand. Ripe posted a link to a report about putting restrictions on the whois data because they say use is restricted by law. I pointed out that commercial companies are using this data anyway. In the case of DomainTools.com they have been around for many years and anyone who has used the site knows they compile all this data and make reports. They focus on domain data but they also use the IP whois data (which you can easily see if you use their site). I can't tell exactly what the law is and I don't know exactly what commercial companies are doing with the data. Ripe put out the report and I am asking how it relates to the practical situation of what is happening in the real world as there seems to be disconnect.
hi! my 2 cent: - it's against the terms of the whois-db as provided by ripe to use this for spam/address-dealing or anything else than ip coordination tasks. from what i see this seems to be undisputed. - if sbdy breaches this, uses the whois-db illegally (i think 'probable cause'), charges should be pressed against the respective party. i.e. i'd expect ripe ncc to get this going (as a default: with their local lea) when they obtain knowledge of such a suspicion which they consider to be taken serious. regards, Chris
participants (3)
-
Chris -
lists@help.org -
Wilfried Woeber, UniVie/ACOnet