Limited access to personal data in bulk
Dear colleagues,

Following recent discussions on this mailing list regarding personal data, the RIPE NCC would like to clarify a few points.

The main issue is the limited access to what is considered personal data. One of the consequences of this limit is our access control system. That system automatically bans IP addresses that hit the daily limit of queries with personal data several times.

There are some important points to bear in mind here:

- The EU Directive sets minimum requirements for protecting personal data
- The RIPE NCC is the secretariat for the RIPE community and as such implements the policies and wishes of the RIPE community
- The RIPE NCC does not make any policies
- The RIPE NCC itself is neutral regarding the choice of allowing either full or restricted public access to that information in bulk
- As part of the RIPE Policy Development Process, the RIPE NCC may recommend a legal review of a policy proposal

A few years ago, the RIPE Data Protection Task Force was formed to consider the whole issue of data protection for the data contained within the RIPE Database. After discussing different scenarios and analysing their impacts, the Task Force reported back to the RIPE Database Working Group.

It was recognised by the Task Force that all the personal data contained within the RIPE Database must remain publicly available. Each individual personal data set can be queried by using the interfaces made available to the RIPE Database.

The RIPE Database Working Group placed a number of action points on the RIPE NCC to implement some features, including restricting access to *bulk* personal data.

The current policies impose restrictions on accessing *bulk* personal data to prevent possible abuse of the personal data contained within the database. Imposing any restrictions will have consequences. One of the consequences is restricted access to abuse contacts as currently stored in the RIPE Database. RIPE Policy Proposal 2011-06 is being discussed by the Anti-Abuse Working Group to address this specific issue. This policy will require an abuse contact related to Internet resources. This contact can be clearly marked and documented as a public field that, from the beginning, will not be regarded as personal data and will not be subject to any access restrictions, even bulk access.

I would like to emphasise that the RIPE NCC executes the wishes of the RIPE community. When the community reaches consensus for a certain functionality or process, the RIPE NCC will implement and/or execute the functionality or process. In case of legal limitations, the RIPE NCC will strive for a solution that is as close as possible to the original community wishes. The RIPE NCC always reports back on this implementation and its details.

There has been a suggestion that what is considered personal data should be publicly available in bulk, without any restrictions. If the community has any concerns about this restriction, perhaps this can be discussed as a specific issue on the Anti-Abuse or RIPE Database Working Group mailing list to determine if there is any consensus within the community to amend this restriction. As always, the RIPE NCC will follow all discussions and will do its best to implement the wishes of the community.

The RIPE NCC always welcomes direct feedback from its members and the community. However for issues such as this, addressing concerns directly to the RIPE NCC has little effect because the RIPE NCC does not have the authority to make such a decision on behalf of the community.

I hope this has helped explain some background to the concerns and ways to move forward if the issues are not resolved. Please let me know if there are any further questions, or put them to the community using the mailing lists.

Kind Regards,
Kaveh.

---
Kaveh Ranjbar
RIPE NCC Database Group Manager
Following recent discussions on this mailing list regarding personal data, the RIPE NCC would like to clarify a few points.
I have a few questions to RIPE and the RIPE community:

-The issue of whois access is not specific to an RIR so why isn't the issue elevated to the ASO so the policies are consistent across RIR's?

-What requirements does the EU set for personal information where the owner has agreed to place the information in a publicly available database? Each discussion I have seen merely says personal information must be protected without any discussion as to whether permission was given to make the information available.

-Why is the abuse contact fundamentally different than the other types of contacts as it relates to the protection of personal information?

-Once RIPE reviewed the report from the task force was apparently a legal review completed. Is that review available to the public?

-Why does task force report have little or no useful information about how the conclusions were reached?

-Since these mailing lists and meetings are only a tiny fraction of Internet users what initiatives are there to solicit opinions of those being affected by the decisions? In this case spam, abuse, and access to the whois data is a universal issue and not limited within a region.

-There is a large gap between the task force report and the implementation of the AUP. Isn't this policy setting by the RIPE NCC? (such as setting a limit of a certain number of queries per day, disregarding the fact that some requests are "pass-through" and the IP they detect is not the actual IP address, definition of "bulk" access, etc.)

-Since the current restriction do little or nothing to stop "harvesters" from collecting the information (since they use a distributed system of IP's) what is the purpose of IP address restrictions (other than cases of DOS attacks which is obvious)?

-What exactly is "abuse of the information"? Is this defined anywhere? It seems to me that each person will have a different idea of what is "abuse" depending on their personal view of the world.

Thank You
Russ,
-The issue of whois access is not specific to an RIR so why isn't the issue elevated to the ASO so the policies are consistent across RIR's?
Any past attempts to normalize WHOIS access have failed miserably (I was involved with at least one). The RIR system is designed to have different policies in each region, so this is not too surprising. Asking for a global policy seems to mean we would have to take on all of the WHOIS issues for every region, all at once. For example, in APNIC they have issues about languages, character sets, and national sovereignty regarding this kind of information that luckily we don't have too much of in the RIPE region.
-Why is the abuse contact fundamentally different than the other types of contacts as it relates to the protection of personal information?
I think the idea forming in people's heads is that the abuse contact will be only corporate contact information in the future. Apparently companies have no privacy protection in the EU. I guess maybe the USA is the only place where companies have more rights than people instead of fewer rights than actual human beings. ;)
-Since these mailing lists and meetings are only a tiny fraction of Internet users what initiatives are there to solicit opinions of those being affected by the decisions? In this case spam, abuse, and access to the whois data is a universal issue and not limited within a region.
All crime is a universal issue, yet each country has its own laws. Indeed in many countries there are also state, county, and city laws, as well as neighborhood ordinances, and even "house rules" for both businesses and private homes! Probably submitting to a global policy-making body would result in less representation for Internet users rather than more, so I'm not so eager to see this situation change.
-Since the current restriction do little or nothing to stop "harvesters" from collecting the information (since they use a distributed system of IP's) what is the purpose of IP address restrictions (other than cases of DOS attacks which is obvious)?
It's designed to make it more expensive than collecting e-mail addresses from other sources, not to make it impossible. Anyone who can set up a distributed cloud to gather e-mail addresses from the RIPE database could probably save money just by buying a list of spam targets.

Cheers,

--
Shane
Apparently companies have no privacy protection in the EU. I guess maybe the USA is the only place where companies have more rights than people instead of fewer rights than actual human beings. ;)
You pointed out the problem with the whois blocking. Those are corporate contacts meant for public dissemination. There is no privacy protection for such information under the USA or EU. What is being said is that corporate contacts in the whois database deserve protection but similar information collected by RIPE is somehow not worthy of protection. This is what happens when you get involved in trying to use the regulatory laws to deceive people. Companies are made up of actual human beings so I don't see a distinction. Companies (unlike regulatory agencies) create jobs. Thank You
Below is the response from the Dutch DPA to my inquiry. From what I gather from the translation the Dutch DPA has decided to refuse to accept e-mail inquiries! I need to translate so I can't call and I need electronic copies to copy and paste.

This is why people should not put faith into these regulatory bodies. Can you imagine a profit-making company telling their customers that they will no longer accept e-mail communications? This is what happens when you set up all these feel-good regulations with regulatory bodies who answer to no one. This is also why RIPE gives all kinds of evasive, contradictory, and incomplete answers. They know there is no recourse for the average person so they just say "screw you" and let you waste your time with these useless regulatory bodies. Once all the regulatory bodies (like RIPE and the Dutch DPA) destroy all the profit-making businesses that support them then they go crying to the people making money to bail them out.

Thank You

Dutch DPA response:

You asked the College bescherming persoonsgegevens (CBP) for its e-mail address in order to submit a question.

*_New CBP working method_*

As of 1 July 2011, the College bescherming persoonsgegevens (CBP) no longer answers questions by e-mail. You will therefore not receive a substantive answer to your e-mail. We are happy to refer you to our websites or the telephone consultation hour. You can also report a concern to the CBP.

*_Information on the CBP websites_*

On MijnPrivacy.nl and CBPweb.nl you will find a great deal of information about privacy and the protection of your personal data. The answer to your question may already be there. If you still cannot find it, you can always turn to the special consultation hour for privacy questions.

*_Telephone consultation hour for privacy questions_*

During the consultation hour, the CBP's public information officers can be reached directly by telephone. You can call on working days from 9:30 to 12:30 on 0900-2001 201 (five cents per minute). The information officers will then help you further by providing general information that applies to your questions.

*_Reporting a privacy concern_*

Do you doubt whether your personal data is being handled carefully? Do you think a company or organisation is violating privacy legislation? Then report it to the CBP using the report form on MijnPrivacy.nl.

The CBP trusts that this has informed you sufficiently.

Yours sincerely,

On behalf of the College bescherming persoonsgegevens,

Ms Z. Maazouzi-Makhloufi
Front Office staff member

Answers to your privacy questions
Do you have a question about the protection of your personal data? You will find general information on the websites www.mijnprivacy.nl and www.cbpweb.nl. If that does not answer your question, you can call the telephone consultation hour on 0900-2001 201 (five cents per minute). This consultation hour is available on working days from 09.30 to 12.30.
Russ,

I know you'll likely cry foul at this and tell me that I'm part of the problem, but I think this conversation has gone a long way past any usefulness.

The NCC responded to most of the points you have raised and I am willing to bring any remaining points up with them when I meet them next week. However you are now repeating yourself and you are unwilling to actually attempt to change the situation via a proposal or appeal to the RIPE arbiters. There appears to be no back-up on list for your complaints nor consensus that a change is required.

Please do post if you have something constructive or useful to say, but further complaints regarding perceived and unsubstantiated unfairness or conspiracy theories are not welcome.

Brian,
Co-Chair, RIPE AA-WG

On 24/01/2012 17:45, russ@consumer.net wrote:
Below is the response from the Dutch DPA to my inquiry. From what I gather from the translation the Dutch DPA has decided to refuse to accept e-mail inquiries! I need to translate so I can't call and I need electronic copies to copy and paste.
This is why people should not put faith into these regulatory bodies. Can you imagine a profit-making company telling their customers that they will no longer accept e-mail communications? This is what happens when you set up all these feel-good regulations with regulatory bodies who answer to no one. This is also why RIPE gives all kinds of evasive, contradictory, and incomplete answers. They know there is no recourse for the average person so they just say "screw you" and let you waste your time with these useless regulatory bodies. Once all the regulatory bodies (like RIPE and the Dutch DPA) destroy all the profit-making businesses that support them then they go crying to the people making money to bail them out.
Thank You
Dutch DPA response:
You asked the College bescherming persoonsgegevens (CBP) for its e-mail address in order to submit a question.
*_New CBP working method_*
As of 1 July 2011, the College bescherming persoonsgegevens (CBP) no longer answers questions by e-mail. You will therefore not receive a substantive answer to your e-mail. We are happy to refer you to our websites or the telephone consultation hour. You can also report a concern to the CBP.
*_Information on the CBP websites_*
On MijnPrivacy.nl and CBPweb.nl you will find a great deal of information about privacy and the protection of your personal data. The answer to your question may already be there. If you still cannot find it, you can always turn to the special consultation hour for privacy questions.
*_Telephone consultation hour for privacy questions_*
During the consultation hour, the CBP's public information officers can be reached directly by telephone. You can call on working days from 9:30 to 12:30 on 0900-2001 201 (five cents per minute). The information officers will then help you further by providing general information that applies to your questions.
*_Reporting a privacy concern_*
Do you doubt whether your personal data is being handled carefully? Do you think a company or organisation is violating privacy legislation? Then report it to the CBP using the report form on MijnPrivacy.nl.
The CBP trusts that this has informed you sufficiently.
Yours sincerely,
On behalf of the College bescherming persoonsgegevens,
Ms Z. Maazouzi-Makhloufi
Front Office staff member
Answers to your privacy questions
Do you have a question about the protection of your personal data? You will find general information on the websites www.mijnprivacy.nl and www.cbpweb.nl. If that does not answer your question, you can call the telephone consultation hour on 0900-2001 201 (five cents per minute). This consultation hour is available on working days from 09.30 to 12.30.
Please do post if you have something constructive or useful to say, but further complaints regarding perceived and unsubstantiated unfairness or conspiracy theories are not welcome.
All you do is make posts claiming I have no proof so I keep posting the proof over and over. You (and people like you) are a big part of the problem. If you don't like my messages then don't read them ... or are you threatening to throw me off the list because you don't like the facts I am presenting or my opinion? I would not be surprised at that type of threat. If this was a few hundred years ago and I said the world was round I am sure you would be head of the committee to have my head chopped off. Who are you to tell people what opinions are welcome and what is not? I am sorry I don't fit into your little group of insiders who want things a certain way but that is your problem, not mine. I have posted numerous questions that RIPE will not address and I want answers. If you want to cover the monetary loss caused by RIPE NCC then send me some cash. The fact is you just don't want people to bring up all the problems you have caused by not following a legitimate procedure in your little so-called working groups. Anyone who disagrees is "not constructive" and "not welcome." If you have any complaints I suggest you take them up with RIPE NCC as they caused all this by damaging business and not responding in a legitimate way.

Thank You
participants (4)
- Brian Nisbet
- Kaveh Ranjbar
- russ@consumer.net
- Shane Kerr