Re: [anti-abuse-wg] Spamming LIR accounts
I don't think EU laws are useless towards non-EU countries that break them. In the case of privacy, they will not be able to keep doing business with the EU. In a more understanding way, EU (or EU members) reach agreements with specific countries so the sanctions can be applied as well, including fines. For example, when speaking about GDPR, countries like Mauritius and Uruguay, have signed those agreements. I believe the reason is to allow mutual business, it makes a lot of sense: if you are offering applications that collect our citizen data, you must follow our rules, or we will find someone that want to follows them. We do this every other day, in any economic activity. I know that if you violate speed limit in one country the fine will be collected from your account in many other countries, it is just reciprocity. Regards, Jordi @jordipalet El 10/5/20 20:54, "anti-abuse-wg en nombre de Sabri Berisha" <anti-abuse-wg-bounces@ripe.net en nombre de sabri@cluecentral.net> escribió: ----- On May 7, 2020, at 2:26 AM, Nick Hilliard nick@foobar.org wrote: Hi, (And to you Töma, Peace :)) > Töma Gavrichenkov wrote on 07/05/2020 10:03: >> What does GDPR have to say about this? > > You mean the Privacy and Electronic Communications Regulations / PECR. > Spamming is prohibited under article 13. > > National transcriptions of this legislation have implemented this as a > civil offence in some EU countries and a criminal offence in others. Yes, and as long as the sender is safe in a non-EU country, none of the EU "laws" will apply to them nor will they care. It's the same thing as saying bad things about Thailand's king while shouting from a pedestal on St. Petersburg Square. I don't know about you guys, but I have a very effective system for dealing with this kind of crap. It's called *plonk*. Thanks, Sabri ********************************************** IPv4 is over Are you ready for the new Internet ? http://www.theipv6company.com The IPv6 Company This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.
Hi Jordi, EU laws are for EU and not all countries care if they can do bussines with EU, lots of assumption i guess. Regards, Arash On Tue, 12 May 2020, 20:12 JORDI PALET MARTINEZ via anti-abuse-wg, < anti-abuse-wg@ripe.net> wrote:
I don't think EU laws are useless towards non-EU countries that break them.
In the case of privacy, they will not be able to keep doing business with the EU.
In a more understanding way, EU (or EU members) reach agreements with specific countries so the sanctions can be applied as well, including fines.
For example, when speaking about GDPR, countries like Mauritius and Uruguay, have signed those agreements. I believe the reason is to allow mutual business, it makes a lot of sense: if you are offering applications that collect our citizen data, you must follow our rules, or we will find someone that want to follows them.
We do this every other day, in any economic activity. I know that if you violate speed limit in one country the fine will be collected from your account in many other countries, it is just reciprocity.
Regards, Jordi @jordipalet
El 10/5/20 20:54, "anti-abuse-wg en nombre de Sabri Berisha" < anti-abuse-wg-bounces@ripe.net en nombre de sabri@cluecentral.net> escribió:
----- On May 7, 2020, at 2:26 AM, Nick Hilliard nick@foobar.org wrote:
Hi,
(And to you Töma, Peace :))
> Töma Gavrichenkov wrote on 07/05/2020 10:03: >> What does GDPR have to say about this? > > You mean the Privacy and Electronic Communications Regulations / PECR. > Spamming is prohibited under article 13. > > National transcriptions of this legislation have implemented this as a > civil offence in some EU countries and a criminal offence in others.
Yes, and as long as the sender is safe in a non-EU country, none of the EU "laws" will apply to them nor will they care.
It's the same thing as saying bad things about Thailand's king while shouting from a pedestal on St. Petersburg Square.
I don't know about you guys, but I have a very effective system for dealing with this kind of crap.
It's called *plonk*.
Thanks,
Sabri
********************************************** IPv4 is over Are you ready for the new Internet ? http://www.theipv6company.com The IPv6 Company
This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.
Peace, On Tue, May 12, 2020 at 1:29 PM Arash Naderpour <arash.naderpour@gmail.com> wrote:
EU laws are for EU
Perhaps sadly for some, but this is not how it works. EU laws protect EU citizens wherever they are, or the EU citizens' personal and sensitive data wherever it is accessed, processed, or stored. -- Töma
----- On May 12, 2020, at 4:51 AM, Töma Gavrichenkov <ximaera@gmail.com> wrote: Peace,
Peace,
On Tue, May 12, 2020 at 1:29 PM Arash Naderpour <arash.naderpour@gmail.com> wrote:
EU laws are for EU Perhaps sadly for some, but this is not how it works. EU laws protect EU citizens wherever they are, or the EU citizens' personal and sensitive data wherever it is accessed, processed, or stored.
Perhaps sadly for some, but this is not how it works. First of all, there is the requirement for the non-EU company to intentionally provide goods or services to the EU. That can be found in article 3(2)a. This means that, per EU rules, the GDPR will not apply to the mom&pop ice cream shop in San Francisco that takes online orders from a EU citizen that happens to be visiting the U.S. The GDPR only affects companies (in or outside the EU) that market to EU citizens or territories. Second, and most important, for a law to protect it must be enforceable. For a law to be enforceable, a court must be able to issue a judgement, and that judgement must be executable. EU judgements based on the GDPR are not necessarily enforceable outside the EU, at least not in the U.S. Treaties must be in place, and a good example is the Hague Convention on Foreign Judgments in Civil and Commercial Matters. In the U.S., foreign judgements are enforceable if they comply with the Uniform Foreign Money Judgments Recognition Act. This law specifies that a judgement may not be recognized if the foreign court did not have "personal jurisdiction" on the U.S. entity. If that entity does not have a physical presence in the EU, establishing the foreign court’s personal jurisdiction will be very difficult if not impossible. But, for folks that did not go to law school, here is a simpler explanation: [ https://www.youtube.com/watch?v=CD2FlW79PfU | https://www.youtube.com/watch?v=CD2FlW79PfU ] :-) Thanks, Sabri
Peace, On Tue, May 12, 2020, 10:13 PM Sabri
First of all, there is the requirement for the non-EU company to *intentionally* provide goods or services to the EU. That can be found in article 3(2)a.
Well, virtually that's exactly our case: an employee of an Israeli company promotes their services (in multiple local EU languages such as Czech language) through an intentional mailing. Second, and most important, for a law to protect it must be enforceable.
For a law to be enforceable, a court must be able to issue a judgement, and that judgement must be executable.
Still fine: AFAIK Israeli companies with a remote offering directed to the EU citizens are subject to extraterritorial reaches. At least, I've seen some of those working in GDPR compliance. What do I miss here? -- Töma
----- On May 12, 2020, at 12:32 PM, Töma Gavrichenkov <ximaera@gmail.com> wrote:
On Tue, May 12, 2020, 10:13 PM Sabri
First of all, there is the requirement for the non-EU company to intentionally provide goods or services to the EU. That can be found in article 3(2)a.
Well, virtually that's exactly our case: an employee of an Israeli company promotes their services (in multiple local EU languages such as Czech language) through an intentional mailing.
Yes, you are absolutely correct in that.
Second, and most important, for a law to protect it must be enforceable. For a law to be enforceable, a court must be able to issue a judgement, and that judgement must be executable.
Still fine: AFAIK Israeli companies with a remote offering directed to the EU citizens are subject to extraterritorial reaches. At least, I've seen some of those working in GDPR compliance. What do I miss here?
This is the part where I disagree. According to EU law, they are subject to what's called "universal jurisdiction", but unless there are treaties in place, or the local Israeli courts are willing to recognize foreign judgements, that EU law is nothing but a useless piece of paper. The EU cannot enforce their laws in a different country without the local courts granting jurisdiction. And that, in turn, means that EU laws cannot be applied to those outside of its reach. It would be different if said entity (whether that's a person or business) had any assets in the EU. In that case they could be seized upon a monetary judgement. Which is the case with Google, Facebook etc. In more simpler terms: EU courts can award you 100 million euros, but without a way to collect it you're still poor. Hence my recommendation to just plonk the guy into oblivion instead of pursuing a theoretical and practically impossible avenue (GDPR enforcement). Just procmail the guy's emails, and vote for the other candidates. Saves you a lot of headaches :) Thanks, Sabri
would those helpful folk kindly giving us legal opinions please tell us your legal credentials? it would help us better calibrate your legal assertions. thanks. randy
----- On May 12, 2020, at 12:51 PM, Randy Bush randy@psg.com wrote: Hi Randy,
would those helpful folk kindly giving us legal opinions please tell us your legal credentials?
Fair point. I dropped out of law school in my third year. I liked engineering more. Strongly considering to go back and add "J.D." to my list of credentials tho. Also, my MBA program consisted of 30% law and regulations related courses. However, I'm sure Anne-of-many-titles and any other person that actually did graduate will agree with my analysis. The concept of personal jurisdiction in the U.S. (and its associated challenges) is something that was discussed during the first year. That said, you are totally right in ignoring all of my legal bla-bla. In the end, only a real court case will decide the matter. IANALYET. Thanks, Sabri Berisha, M.Sc, MBA, JNCIE #261
hi sabri,
would those helpful folk kindly giving us legal opinions please tell us your legal credentials?
fwiw, i did not mean to impugn anyone. the engineering advice on these lists has some variance, though less variance on some lists than others. and the lawyers i hear in real life, including one daughter, use nuance and "it depends" a lot more than i hear it here.
I dropped out of law school in my third year.
which does lend some authority to your opinion. to be clear, i majored in sex, drugs, and rock and roll, but definitely completed the program. :)
I liked engineering more.
i have a saying that lawyers are really social engineers. of course, we funny monkeys a bit more complex and intransigent than bgp.
That said, you are totally right in ignoring all of my legal bla-bla.
i am not ignoring; just seeking calibration in a field in which i have zero expertise. and i much appreciate an honest and open answer; which lends credibility. randy
A good summary Sabri. One of the points that has not been addressed (fully) is the fact that the mailing went out to 'role accounts' which are normally company accounts (if some used a personal email address for that, than this will have suddenly become a business email address), so GDPR applicability would be remote, if at all. Alex (LL.M)-- IDGARA | Alex de Joode | alex@idgara.nl | +31651108221 | Skype:adejoode On Tue, 12-05-2020 21h 12min, Sabri Berisha <sabri@cluecentral.net> wrote:
----- On May 12, 2020, at 4:51 AM, Töma Gavrichenkov <ximaera@gmail.com> wrote:
Peace,
Peace,
On Tue, May 12, 2020 at 1:29 PM Arash Naderpour <arash.naderpour@gmail.com> wrote:
EU laws are for EU Perhaps sadly for some, but this is not how it works. EU laws protect EU citizens wherever they are, or the EU citizens' personal and sensitive data wherever it is accessed, processed, or stored.
Perhaps sadly for some, but this is not how it works. First of all, there is the requirement for the non-EU company to intentionally provide goods or services to the EU. That can be found in article 3(2)a. This means that, per EU rules, the GDPR will not apply to the mom&pop ice cream shop in San Francisco that takes online orders from a EU citizen that happens to be visiting the U.S. The GDPR only affects companies (in or outside the EU) that market to EU citizens or territories. Second, and most important, for a law to protect it must be enforceable. For a law to be enforceable, a court must be able to issue a judgement, and that judgement must be executable. EU judgements based on the GDPR are not necessarily enforceable outside the EU, at least not in the U.S. Treaties must be in place, and a good example is the Hague Convention on Foreign Judgments in Civil and Commercial Matters. In the U.S., foreign judgements are enforceable if they comply with the Uniform Foreign Money Judgments Recognition Act. This law specifies that a judgement may not be recognized if the foreign court did not have "personal jurisdiction" on the U.S. entity. If that entity does not have a physical presence in the EU, establishing the foreign court’s personal jurisdiction will be very difficult if not impossible. But, for folks that did not go to law school, here is a simpler explanation: https://www.youtube.com/watch?v=CD2FlW79PfU :-) Thanks, Sabri
I’m not sure if this is true in all the cases, because a physical person can also have PI resources and then a personal email in the database. There is one more point, which I’m discussing with the Spanish DPA in the constitutional court, and it is the classification between personal and company emails, when they have your name and family name, you use it for personal matters (even if the domain is from a company – example, you can have separate emails for business and personal, bus using the same domain), and if the collection of data was authorized or not, and if it was just data collection or also spam. Is not easy. In Spain, the spam (even with business emails) is not allowed according to a further law (LSSI). I guess it varies from country to country. Anyway, I think it has been said a few days ago, harvesting the databases for spam is against the AUP. Regards, Jordi @jordipalet El 12/5/20 23:27, "anti-abuse-wg en nombre de Alex de Joode" <anti-abuse-wg-bounces@ripe.net en nombre de alex@idgara.nl> escribió: A good summary Sabri. One of the points that has not been addressed (fully) is the fact that the mailing went out to 'role accounts' which are normally company accounts (if some used a personal email address for that, than this will have suddenly become a business email address), so GDPR applicability would be remote, if at all. Alex (LL.M) -- IDGARA | Alex de Joode | alex@idgara.nl | +31651108221 | Skype:adejoode On Tue, 12-05-2020 21h 12min, Sabri Berisha <sabri@cluecentral.net> wrote: ----- On May 12, 2020, at 4:51 AM, Töma Gavrichenkov <ximaera@gmail.com> wrote: Peace, Peace, On Tue, May 12, 2020 at 1:29 PM Arash Naderpour <arash.naderpour@gmail.com> wrote: EU laws are for EU Perhaps sadly for some, but this is not how it works. EU laws protect EU citizens wherever they are, or the EU citizens' personal and sensitive data wherever it is accessed, processed, or stored. Perhaps sadly for some, but this is not how it works. First of all, there is the requirement for the non-EU company to intentionally provide goods or services to the EU. That can be found in article 3(2)a. This means that, per EU rules, the GDPR will not apply to the mom&pop ice cream shop in San Francisco that takes online orders from a EU citizen that happens to be visiting the U.S. The GDPR only affects companies (in or outside the EU) that market to EU citizens or territories. Second, and most important, for a law to protect it must be enforceable. For a law to be enforceable, a court must be able to issue a judgement, and that judgement must be executable. EU judgements based on the GDPR are not necessarily enforceable outside the EU, at least not in the U.S. Treaties must be in place, and a good example is the Hague Convention on Foreign Judgments in Civil and Commercial Matters. In the U.S., foreign judgements are enforceable if they comply with the Uniform Foreign Money Judgments Recognition Act. This law specifies that a judgement may not be recognized if the foreign court did not have "personal jurisdiction" on the U.S. entity. If that entity does not have a physical presence in the EU, establishing the foreign court’s personal jurisdiction will be very difficult if not impossible. But, for folks that did not go to law school, here is a simpler explanation: https://www.youtube.com/watch?v=CD2FlW79PfU :-) Thanks, Sabri ********************************************** IPv4 is over Are you ready for the new Internet ? http://www.theipv6company.com The IPv6 Company This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.
I have been told both things. That company email accounts wouldn't fall on its scope (even if they contained the full name) and that such usage would be improperly treating PII. GDPR seems to mostly leave that part to Directive 2002/58/EC, which isn't completely clear: Article 13 Unsolicited communications 1. The use of automated calling systems without human intervention (automatic calling machines), facsimile machines (fax) or electronic mail for the purposes of direct marketing may only be allowed in respect of subscribers who have given their prior consent. 2. Notwithstanding paragraph 1, where a natural or legal person obtains from its customers their electronic contact details for electronic mail, in the context of the sale of a product or a service, in accordance with Directive 95/46/EC, the same natural or legal person may use these electronic contact details for direct marketing of its own similar products or services provided that customers clearly and distinctly are given the opportunity to object, free of charge and in an easy manner, to such use of electronic contact details when they are collected and on the occasion of each message in case the customer has not initially refused such use. 3. Member States shall take appropriate measures to ensure that, free of charge, unsolicited communications for purposes of direct marketing, in cases other than those referred to in paragraphs 1 and 2, are not allowed either without the consent of the subscribers concerned or in respect of subscribers who do not wish to receive these communications, the choice between these options to be determined by national legislation. 4. In any event, the practice of sending electronic mail for purposes of direct marketing disguising or concealing the identity of the sender on whose behalf the communication is made, or without a valid address to which the recipient may send a request that such communications cease, shall be prohibited. 5. Paragraphs 1 and 3 shall apply to subscribers who are natural persons. Member States shall also ensure, in the framework of Community law and applicable national legislation, that the legitimate interests of subscribers other than natural persons with regard to unsolicited communications are sufficiently protected. It talks mainly about natural persons, but others should as well have adequate, protections. so... ¯\_(ツ)_/¯ https://gdpr-info.eu/issues/email-marketing/ https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32002L0058&from=EN The fact that in RIPE database all those role accounts emails are considered "personal data sets" in the RIPE db may or may not also influence how it should be treated w.r.t its treatments. In any case, not complying with the RIPE Database Terms and Conditions may make such use unlawful even if it would be otherwise acceptable. Best regards Ángel El mar, 12-05-2020 a las 23:41 +0200, JORDI PALET MARTINEZ via anti-abuse-wg escribió: I’m not sure if this is true in all the cases, because a physical person can also have PI resources and then a personal email in the database. There is one more point, which I’m discussing with the Spanish DPA in the constitutional court, and it is the classification between personal and company emails, when they have your name and family name, you use it for personal matters (even if the domain is from a company – example, you can have separate emails for business and personal, bus using the same domain), and if the collection of data was authorized or not, and if it was just data collection or also spam. Is not easy. In Spain, the spam (even with business emails) is not allowed according to a further law (LSSI). I guess it varies from country to country. Anyway, I think it has been said a few days ago, harvesting the databases for spam is against the AUP. Regards, Jordi @jordipalet El 12/5/20 23:27, "anti-abuse-wg en nombre de Alex de Joode" <anti-abuse-wg-bounces@ripe.net<mailto:anti-abuse-wg-bounces@ripe.net> en nombre de alex@idgara.nl<mailto:alex@idgara.nl>> escribió: A good summary Sabri. One of the points that has not been addressed (fully) is the fact that the mailing went out to 'role accounts' which are normally company accounts (if some used a personal email address for that, than this will have suddenly become a business email address), so GDPR applicability would be remote, if at all. Alex (LL.M) -- IDGARA | Alex de Joode | alex@idgara.nl<mailto:alex@idgara.nl> | +31651108221 | Skype:adejoode On Tue, 12-05-2020 21h 12min, Sabri Berisha <sabri@cluecentral.net<mailto:sabri@cluecentral.net>> wrote: ----- On May 12, 2020, at 4:51 AM, Töma Gavrichenkov <ximaera@gmail.com<mailto:ximaera@gmail.com>> wrote: Peace, Peace, On Tue, May 12, 2020 at 1:29 PM Arash Naderpour <arash.naderpour@gmail.com<mailto:arash.naderpour@gmail.com>> wrote: EU laws are for EU Perhaps sadly for some, but this is not how it works. EU laws protect EU citizens wherever they are, or the EU citizens' personal and sensitive data wherever it is accessed, processed, or stored. Perhaps sadly for some, but this is not how it works. First of all, there is the requirement for the non-EU company to intentionally provide goods or services to the EU. That can be found in article 3(2)a. This means that, per EU rules, the GDPR will not apply to the mom&pop ice cream shop in San Francisco that takes online orders from a EU citizen that happens to be visiting the U.S. The GDPR only affects companies (in or outside the EU) that market to EU citizens or territories. Second, and most important, for a law to protect it must be enforceable. For a law to be enforceable, a court must be able to issue a judgement, and that judgement must be executable. EU judgements based on the GDPR are not necessarily enforceable outside the EU, at least not in the U.S. Treaties must be in place, and a good example is the Hague Convention on Foreign Judgments in Civil and Commercial Matters. In the U.S., foreign judgements are enforceable if they comply with the Uniform Foreign Money Judgments Recognition Act. This law specifies that a judgement may not be recognized if the foreign court did not have "personal jurisdiction" on the U.S. entity. If that entity does not have a physical presence in the EU, establishing the foreign court’s personal jurisdiction will be very difficult if not impossible. But, for folks that did not go to law school, here is a simpler explanation: https://www.youtube.com/watch?v=CD2FlW79PfU9PfU :-) Thanks, Sabri ********************************************** IPv4 is over Are you ready for the new Internet ? http://www.theipv6company.com The IPv6 Company This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it. -- INCIBE-CERT - CERT of the Spanish National Cybersecurity Institute https://www.incibe-cert.es/ PGP Keys: https://www.incibe-cert.es/en/what-is-incibe-cert/pgp-public-keys ======================================================================== INCIBE-CERT is the Spanish National CSIRT designated for citizens, private law entities, other entities not included in the subjective scope of application of the "Ley 40/2015, de 1 de octubre, de Régimen Jurídico del Sector Público", as well as digital service providers, operators of essential services and critical operators under the terms of the "Real Decreto-ley 12/2018, de 7 de septiembre, de seguridad de las redes y sistemas de información" that transposes the Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union. ======================================================================== Disclaimer: This message may contain confidential information, within the framework of the corporate Security Management System.If you are not the intended recipient, please notify the sender and delete this message without forwarding or retaining a copy, since any unauthorized use is strictly prohibited by law. ========================================================================
participants (7)
-
Alex de Joode -
Arash Naderpour -
JORDI PALET MARTINEZ -
Randy Bush -
Sabri Berisha -
Töma Gavrichenkov -
Ángel González Berdasco