Hi everbody, what do you say to the answer below I got from RIPE? Doesn't RIPE already have a mandate for keeping the whois database uptodate with all the vital public data like contact email address for abuse reporting etc? Normally its just a simple database scan to find the records with such missing vital data, ie. one can even automate this job to periodically request from the owners the missing data. BTW, is the RIPE community somehow organized? Any speaker/contact person etc.? U.Mutlu mutluit.com -------- Original Message -------- Subject: Re: NCC#2012010449 Missing contact data for Abuse Reporting for IP 84.240.196.128 and 84.240.197.0 Date: Wed, 04 Jan 2012 14:38:31 +0100 From: RIPE NCC <ncc@ripe.net> Reply-To: RIPE NCC <ncc@ripe.net> To: U.Mutlu <security@mutluit.com> Dear Mr. Mutlu, Thank you for your email. Indeed there is no email contact but there are some phone contact details that you can find on our DB query page. There may be options we could pursue to check the validity of the contact data in the objects in the RIPE Database. Where we have a direct relationship with the owners of these objects we could request that they update this information. But we do not have a mandate from the RIPE community to allocate any resources to this activity. If you feel this should have a higher priority then you may raise the issue on the Database Working Group or Anti Abuse Working Group or Address Policy Working Group mailing lists. You can find information about the mailing lists here http://www.ripe.net/ripe/groups/wg These are open working groups and views are welcomed from anyone who wishes to discuss relevant issues. Best regards, Natasa Mojsilovic ------------------ Customer Services RIPE NCC ============================================================ Visit www.IPv6ActNow.org, the one-stop website that explains everything you need to know about IPv6. ============================================================ On Wed, 04 Jan 2012 12:56:43 +0100, U.Mutlu wrote:
I want to point you to some missing data in the RIPE DB:
Your webpage below says about RIPE queries: 'Please do not use the email address in the âchangedâ line.' ( https://www.ripe.net/data-tools/db/faq/faq-hacking-spamming/what-can-i-do-ab... )
But the following IP's have no other email contact specified except those marked as "changed" and "upd-to" (yes I used the "-B" switch): 84.240.196.128 84.240.197.0
And also the Abuse Finder page at https://apps.db.ripe.net/search/abuse-finder.html doesn't find any abuse contact for these IPs.
Regards,
U.Mutlu SysAdm mutluit.com
There may be options we could pursue to check the validity of the contact data in the objects in the RIPE Database. Where we have a direct relationship with the owners of these objects we could request that they update this information. But we do not have a mandate from the RIPE community to allocate any resources to this activity.
RIPE has a contract with IANA (the RIR MOU) which is where the mandate comes from. IANA, in turn, has a contract with the US Government to ensure the accuracy of the data. When contacting RIPE about this they just keep ignoring this issue just keep saying "mandate from RIPE community" over and over again. RIPE is manipulating the community by not providing complete information or addressing obvious issues. All they do is repeat stuff over and over again without addressing the substantive issues. Thank You
RIPE is now claiming the IP addresses they are collecting on their blacklist are not "personal information." I thought business contacts are considered "personal information" under the EU privacy directives? IP addresses allocated to businesses are in various whois databases. Reverse lookups identify domains which also lead to businesses. It seems to me that the blacklisting done by RIPE falls into this category when it is used to specifically blacklist a business. How is is that the contacts in the RIPE database are "personal information" yet the IP addresses associated with those contacts are not? Aren't they associated by doing a whois lookup that anyone can do? RIPE won't explain or acknowledge my request to have the matter reviewed by the Dutch Data Protection office. All I got was the vague response shown below. Thank You
On 1/16/2012 10:22 AM, RIPE Database Manager wrote: Dear Russ,
Please note that we do not collect any personal informations.
The access block to the RIPE Database is based only on the IP address.
I hope to have informed you sufficiently.
-----Original Message----- From: anti-abuse-wg-bounces@ripe.net [mailto:anti-abuse-wg- bounces@ripe.net] On Behalf Of russ@consumer.net Sent: Monday, January 16, 2012 5:39 PM To: anti-abuse-wg@ripe.net
RIPE is now claiming the IP addresses they are collecting on their blacklist are not "personal information."
RIPE won't explain or acknowledge my request to have the matter reviewed by the Dutch Data Protection office.
Although I am not familiar with Dutch procedural law, the filing of a complaint is often incumbent on the complainant. The contact information of the Dutch Data Protection Authority appears to be available at http://www.dutchdpa.nl/Pages/en_ind_contact.aspx. -- Thor Kottelin http://www.anta.net/
Although I am not familiar with Dutch procedural law, the filing of a complaint is often incumbent on the complainant. The contact information of the Dutch Data Protection Authority appears >to be available at http://www.dutchdpa.nl/Pages/en_ind_contact.aspx.
I probably don't standing to file a complaint since I am outside the EU. I had contacted them for more information but i have not yet received an acknowledgement.
russ@consumer.net wrote, On 2012-01-16 16:38:
RIPE is now claiming the IP addresses they are collecting on their blacklist are not "personal information." I thought business contacts are considered "personal information" under the EU privacy directives? IP addresses allocated to businesses are in various whois databases. Reverse lookups identify domains which also lead to businesses. It seems to me that the blacklisting done by RIPE falls into this category when it is used to specifically blacklist a business. How is is that the contacts in the RIPE database are "personal information" yet the IP addresses associated with those contacts are not? Aren't they associated by doing a whois lookup that anyone can do?
RIPE won't explain or acknowledge my request to have the matter reviewed by the Dutch Data Protection office. All I got was the vague response shown below.
Thank You
On 1/16/2012 10:22 AM, RIPE Database Manager wrote: Dear Russ,
Please note that we do not collect any personal informations. The access block to the RIPE Database is based only on the IP address. I hope to have informed you sufficiently.
The RIPE AUP has some more info on this issue: http://www.ripe.net/db/support/db-aup.pdf I think RIPE just wants to prevent abuse done by some egoistic people who endlessly query the database and/or misuse the service for commercial purpose. Ie. that's similar to protecting against "Denial of Service" attacks. IMHO it's legitimate to protect the system, I personally wouldn't do any different. But I would unblock the culprits automatically after a predefined period (x hours or days). And: not sure it there exists any ready-to-use caching whois servers (like it is the case with DNS servers), but if you are a programmer then you could also add a local whois lookup cache into your application, or to one of your systems, and do all queries via that cache... to reduce the number of physical connections to RIPE... Makes sense of course only if the same records are queried over and over again...
I think RIPE just wants to prevent abuse done by some egoistic people who endlessly query the database and/or misuse the service for commercial purpose.
I have already explained that RIPE says this is not the issue and there is no problem with the queries if the "-r" is used. The issue is the "personal information" in the database and the WU and Dutch privacy laws.
Under Dutch (and European) privacy directives, any information that can uniquely distinguish a natural person (ie. NOT 'a business'...) is to be considered 'personal information'. So, an IP address CAN be personal information, if the data collector can link it to a person without too much hassle. Think webshops who log your IP at logon, they can connect that to your account data, so in *that* case an IP address is logged by the shop is indeed considered 'personal information' and must be protected by the shop accordingly. In your case with RIPE, your IP address is probably not considered 'personal information'. IANAL. Check out http://en.wikipedia.org/wiki/Data_Protection_Directive.
-----Oorspronkelijk bericht----- Van: anti-abuse-wg-bounces@ripe.net [mailto:anti-abuse-wg-bounces@ripe.net] Namens russ@consumer.net Verzonden: maandag 16 januari 2012 18:30 Aan: anti-abuse-wg@ripe.net Onderwerp: Re: [anti-abuse-wg] What is Personal information?
I think RIPE just wants to prevent abuse done by some egoistic people >who endlessly query the database and/or misuse the service for commercial purpose.
I have already explained that RIPE says this is not the issue and there is no problem with the queries if the "-r" is used. The issue is the "personal information" in the database and the WU and Dutch privacy laws.
+++++++++++++++++++++++++++++++++++++++++++++ Disclaimer Dit e-mailbericht kan vertrouwelijke informatie bevatten of informatie die is beschermd door een beroepsgeheim. Indien dit bericht niet voor u is bestemd, wijzen wij u erop dat elke vorm van verspreiding, vermenigvuldiging of ander gebruik ervan niet is toegestaan. Indien dit bericht blijkbaar bij vergissing bij u terecht is gekomen, verzoeken wij u ons daarvan direct op de hoogte te stellen via tel.nr 070 315 3500 of e-mail mailto:mail@opta.nl en het bericht te vernietigen. Dit e-mailbericht is uitsluitend gecontroleerd op virussen. OPTA aanvaardt geen enkele aansprakelijkheid voor de feitelijke inhoud en juistheid van dit bericht en er kunnen geen rechten aan worden ontleend. This e-mail message may contain confidential information or information protected by professional privilege. If it is not intended for you, you should be aware that any distribution, copying or other form of use of this message is not permitted. If it has apparently reached you by mistake, we urge you to notify us by phone +31 70 315 3500 or e-mail mailto:mail@opta.nl and destroy the message immediately. This e-mail message has only been checked for viruses. The accuracy, relevance, timeliness or completeness of the information provided cannot be guaranteed. OPTA expressly disclaims any responsibility in relation to the information in this e-mail message. No rights can be derived from this message.
In other words, Russ could probably approach the Dutch privacy regulator with a query, cc RIPE NCC legal, and then accept whatever ruling applies? I seriously doubt if anybody on this list other than the three parties above is qualified to comment definitely on this issue. So - Russ, please take it offlist, and do come back to let us know what ruling you get. I personally would be interested in what you learn. thanks --srs On Tue, Jan 17, 2012 at 2:11 PM, Vissers, Pepijn <P.Vissers@opta.nl> wrote:
Under Dutch (and European) privacy directives, any information that can uniquely distinguish a natural person (ie. NOT 'a business'...) is to be considered 'personal information'.
So, an IP address CAN be personal information, if the data collector can link it to a person without too much hassle. Think webshops who log your IP at logon, they can connect that to your account data, so in *that* case an IP address is logged by the shop is indeed considered 'personal information' and must be protected by the shop accordingly. In your case with RIPE, your IP address is probably not considered 'personal information'. IANAL.
Check out http://en.wikipedia.org/wiki/Data_Protection_Directive.
-----Oorspronkelijk bericht----- Van: anti-abuse-wg-bounces@ripe.net [mailto:anti-abuse-wg-bounces@ripe.net] Namens russ@consumer.net Verzonden: maandag 16 januari 2012 18:30 Aan: anti-abuse-wg@ripe.net Onderwerp: Re: [anti-abuse-wg] What is Personal information?
>I think RIPE just wants to prevent abuse done by some egoistic people >who endlessly query the database and/or misuse the service for commercial purpose.
I have already explained that RIPE says this is not the issue and there is no problem with the queries if the "-r" is used. The issue is the "personal information" in the database and the WU and Dutch privacy laws.
+++++++++++++++++++++++++++++++++++++++++++++ Disclaimer Dit e-mailbericht kan vertrouwelijke informatie bevatten of informatie die is beschermd door een beroepsgeheim. Indien dit bericht niet voor u is bestemd, wijzen wij u erop dat elke vorm van verspreiding, vermenigvuldiging of ander gebruik ervan niet is toegestaan. Indien dit bericht blijkbaar bij vergissing bij u terecht is gekomen, verzoeken wij u ons daarvan direct op de hoogte te stellen via tel.nr 070 315 3500 of e-mail mailto:mail@opta.nl en het bericht te vernietigen. Dit e-mailbericht is uitsluitend gecontroleerd op virussen. OPTA aanvaardt geen enkele aansprakelijkheid voor de feitelijke inhoud en juistheid van dit bericht en er kunnen geen rechten aan worden ontleend.
This e-mail message may contain confidential information or information protected by professional privilege. If it is not intended for you, you should be aware that any distribution, copying or other form of use of this message is not permitted. If it has apparently reached you by mistake, we urge you to notify us by phone +31 70 315 3500 or e-mail mailto:mail@opta.nl and destroy the message immediately. This e-mail message has only been checked for viruses. The accuracy, relevance, timeliness or completeness of the information provided cannot be guaranteed. OPTA expressly disclaims any responsibility in relation to the information in this e-mail message. No rights can be derived from this message.
-- Suresh Ramasubramanian (ops.lists@gmail.com)
In other words, Russ could probably approach the Dutch privacy regulator with a query, cc RIPE NCC legal, and then accept whatever ruling applies? I seriously doubt if anybody on this list >other than the three parties above is qualified to comment definitely on this issue. So - Russ, please take it offlist, and do come back to let us know what ruling you get. I personally would be >interested in what you learn.
Under Dutch (and European) privacy directives, any information that can uniquely distinguish a natural person (ie. NOT 'a business'...) is to be considered 'personal information'. So, an IP >address CAN be personal information, if the data collector can link it to a person without too much hassle. Think webshops who log your IP at logon, they can connect that to your account >data, so in *that* case an IP address is logged by the shop is indeed considered 'personal information' and must be protected by the shop accordingly. In your case with RIPE, your IP address is >probably not considered 'personal information'. IANAL. Check out http://en.wikipedia.org/wiki/Data_Protection_Directive.
The same reasoning that says RIPE database information is "personal information" can be applied to IP addresses (in some cases). If the IP is registered you would get those contacts by running a whois (or doing a reverse lookup would identify a domain which can bee looked up). It seems to me if the RIPE database entries are "personal information" then so it the IP address associated with that record. Even if is is personal information the issue is then whether they gave permission to have it posted in a public database. If the RIPE NCC legal department had an answer it would have been put on the public reports and/or they would answer the inquiries put forth my me and others. I have sent an inquiry to the Dutch privacy office but, while these offices sound good in theory, they are usually a bureaucratic nightmare. Since I dot live within the region I think it is unlikely I would get an answer. If the process is legitimate I would have thought RIPE would have gone to the office for a ruling before they changed the access policy. the fact is RIPE won't supply their legal department's analysis and they won't respond to my request to have the Dutch privacy office review the matter. There would be a much better chance of getting a ruling if RIPE would ask them ... but they don't seem to want to do that so I can only speculate why they would not want to do the obvious thing. Thank You
Den 1/13/12 6:30 PM, skrev U.Mutlu:
Hi everbody,
what do you say to the answer below I got from RIPE?
Doesn't RIPE already have a mandate for keeping the whois database uptodate with all the vital public data like contact email address for abuse reporting etc?
Generally, everyone could/should help with this. If you find incorrect information, tell the owner of the incorrect information about it and they will update it.
Normally its just a simple database scan to find the records with such missing vital data, ie. one can even automate this job to periodically request from the owners the missing data.
There is no email address requirement, so nothing is missing. You can however use the other contact information listed.
Hi, The RIPE NCC has no mandate from the community to perform regular checks on the contact data provided by a member. This has been much discussed in recent times. Right now there is no proposal formally asking the NCC to do this, nor is the Abuse Contact Management Task Force looking at this, however I suspect it will not be long before the matter is raised here or in another RIPE WG formally again. As to whether the RIPE community is organised, there is substantial information on this matter on this matter here: http://www.ripe.net/ripe The community acts through the working group mailing lists and twice a year it comes together at a full RIPE meeting. There are also regional meetings, but ultimately policy is discussed and decided on the mailing list. If you have any specific questions you can contact the Co-Chairs of this working group at aa-wg-chairs@ripe.net Brian, Co-Chair, Anti-Abuse WG "U.Mutlu" wrote the following on 13/01/2012 17:30:
Hi everbody,
what do you say to the answer below I got from RIPE?
Doesn't RIPE already have a mandate for keeping the whois database uptodate with all the vital public data like contact email address for abuse reporting etc?
Normally its just a simple database scan to find the records with such missing vital data, ie. one can even automate this job to periodically request from the owners the missing data.
BTW, is the RIPE community somehow organized? Any speaker/contact person etc.?
U.Mutlu mutluit.com
-------- Original Message -------- Subject: Re: NCC#2012010449 Missing contact data for Abuse Reporting for IP 84.240.196.128 and 84.240.197.0 Date: Wed, 04 Jan 2012 14:38:31 +0100 From: RIPE NCC <ncc@ripe.net> Reply-To: RIPE NCC <ncc@ripe.net> To: U.Mutlu <security@mutluit.com>
Dear Mr. Mutlu,
Thank you for your email. Indeed there is no email contact but there are some phone contact details that you can find on our DB query page.
There may be options we could pursue to check the validity of the contact data in the objects in the RIPE Database. Where we have a direct relationship with the owners of these objects we could request that they update this information. But we do not have a mandate from the RIPE community to allocate any resources to this activity. If you feel this should have a higher priority then you may raise the issue on the Database Working Group or Anti Abuse Working Group or Address Policy Working Group mailing lists. You can find information about the mailing lists here
http://www.ripe.net/ripe/groups/wg
These are open working groups and views are welcomed from anyone who wishes to discuss relevant issues.
Best regards,
Natasa Mojsilovic ------------------ Customer Services RIPE NCC
============================================================
Visit www.IPv6ActNow.org, the one-stop website that explains everything you need to know about IPv6.
============================================================
On Wed, 04 Jan 2012 12:56:43 +0100, U.Mutlu wrote:
I want to point you to some missing data in the RIPE DB:
Your webpage below says about RIPE queries: 'Please do not use the email address in the âchangedâ line.' ( https://www.ripe.net/data-tools/db/faq/faq-hacking-spamming/what-can-i-do-ab... )
But the following IP's have no other email contact specified except those marked as "changed" and "upd-to" (yes I used the "-B" switch): 84.240.196.128 84.240.197.0
And also the Abuse Finder page at https://apps.db.ripe.net/search/abuse-finder.html doesn't find any abuse contact for these IPs.
Regards,
U.Mutlu SysAdm mutluit.com
participants (7)
-
Brian Nisbet -
Jørgen Hovland -
russ@consumer.net -
Suresh Ramasubramanian -
Thor Kottelin -
U.Mutlu -
Vissers, Pepijn