2022-01 V2 Resource Holders Address
Colleagues

I have listened to your comments in recent discussions and had some preliminary talks with the RIPE NCC about what could be implemented. So now we have a second version of my proposal on personal data.

I was getting comments from people that LEAs need addresses for their investigations, but also people had serious privacy concerns about publishing their home address in the database. I was considering the idea of publishing addresses with restricted access. However it seems that it is almost impossible to confirm the identity of LEAs (even from within our own region, never mind globally) and perhaps other NGOs that could be eligible to access this restricted data. So that idea is not viable.

Then there was an issue over data quality of the addresses currently published in the database. In the ORGANISATION object the address is assumed to be a postal address. This mandatory address is entered and managed by the resource holders. No verification is done on this address. In the database documentation it says: "This is a full postal address for the business contact represented by this organisation object." That could be anyone. They don't even need to be located in the country where the organisation operates its business. Being so loosely defined, any kind of verification would be impossible. That makes this address almost meaningless. It is on the same level as the "country:" attribute in resource objects. It only has meaning to whoever manages the data. Also by having this unverifiable address mandatory, we are almost inviting those who don't want to be easily located to enter false data. Especially as it is almost impossible to identify any of this postal address data as being true or false.

I am therefore suggesting we make this postal address an optional attribute. If any resource holder wishes to enter this optional postal address they can do so. But if it is a personal address they must not enter more than region and country. The full personal address of a natural person must not be entered into the database in any object type. Optional data, when provided, is more likely to be accurate. Making this address optional is in line with a recommendation of the RIPE Database Task Force.

Some will still argue that false data is useful if 'bad actors' enter the same false data in different places. That offers investigators an opportunity to cross reference this (false) data over different objects using the free text search facility of the database. In some cases this may be the only way to make these data links. Doing this has many problems. We cannot justify preserving false data in the database to allow some people to use an 'accidental feature'. There is no guarantee the same false data will be used in multiple places. There is a defined purpose of the database that allows LEAs to use public information from the database as part of their investigations. This purpose is actually about granting permission to LEAs to use available data. It does not define any data to be published in the database for the sole benefit of LEAs. So there is no purpose requiring this postal address to be published in the database. Optional is therefore a convenience for anyone who wishes to enter it.

cheers
denis
policy proposer
In message <CAKvLzuFYcfarXvGLesYTNU1S8dviL=ke4Khv0pLy=hXg9P4cRQ@mail.gmail.com> denis walker <ripedenis@gmail.com> wrote:
I was getting comments from people that LEAs need addresses for their investigations, but also people had serious privacy concerns about publishing their home address in the database...
Who, exactly? Just because you found one small-fry member who has elected to endorse this abject silliness, that hardly constitutes any kind of great outpouring of support, nor does it constitute a persuasive mandate to change the way things have been done for 20+ years worth of precedent, or the way that things are still being done in every other region.

You folks in Europe often express amazement that we here in the U.S. are nowadays having daily mass shooting incidents. You wonder how our politics ever got to be so insane. The reason is that a relatively small but noisy minority consistently drive the public debate about guns in this country. I hope that the same political dynamic will not also drive discussions regarding the historical openness of the RIPE data base, a data base that is supposed to be an open public resource. The fact that a single member insists on their supposed "rights" to BOTH (a) have IP addresses AND also (b) timidly hide out in a virtual cave should not be the sole basis for guiding policy choices that affect an entire planet's worth of Internet users.

Regards,
rfg

P.S. This is NOT much ado about nothing. I sense the beginning of a slippery slope. Today it's mailing addresses, "just" of natural persons, or so we are told. Tomorrow it's phone numbers and names and email addresses. Once one adopts the position that privacy is everything and transparency is nothing, then you might as well just put the whole RIPE WHOIS data base behind a paywall and only allow law enforcement access to it, and even then, only if they get a warrant first. I'm sure that such an outcome would suit certain people just fine. I am not one of them.
Hi Ronald On Fri, 17 Jun 2022 at 11:45, Ronald F. Guilmette via db-wg <db-wg@ripe.net> wrote:
In message <CAKvLzuFYcfarXvGLesYTNU1S8dviL=ke4Khv0pLy=hXg9P4cRQ@mail.gmail.com> denis walker <ripedenis@gmail.com> wrote:
I was getting comments from people that LEAs need addresses for their investigations, but also people had serious privacy concerns about publishing their home address in the database...
Who, exactly?
Just because you found one small-fry member who has elected to endorse this abject silliness, that hardly constitutes any kind of great outpouring of support,
So natural persons who are "silly small-fry members" should not have a voice against the big-fry global industries?
nor does it constitute a persuasive mandate to change the way things have been done for 20+ years worth of precedent, or the way that things are still being done in every other region.
Money laundering has been commonplace throughout Europe for 20+ years. That is why the EU brought in anti money laundering regulations. That was one of the main driving forces behind Brexit. The wealthy elite who run the UK wanted to continue their criminal activities unchecked. Long standing precedents need to be reviewed sometimes...and yes, changed.
You folks in Europe often express amazement that we here in the U.S. are nowadays having daily mass shooting incidents. You wonder how our politics ever got to be so insane. The reason is that a relatively small but noisy minority consistently drive the public debate about guns in this country.
I hope that the same political dynamic will not also drive discussions regarding the historical openness of the RIPE data base, a data base that is supposed to be an open public resource.
an open, public resource of accurate, verifiable, meaningful data.
The fact that a single member insists on their supposed "rights" to BOTH (a) have IP addresses AND also (b) timidly hide out in a virtual cave should not be the sole basis for guiding policy choices that affect an entire planet's worth of Internet users.
On the other hand a VERY large number of natural persons (think telecom customers) who may have signed a connectivity agreement that mentioned in the small print their name and address will be published in some database they have never heard of, do need to be protected. These are the "rights" the GDPR was introduced to protect.
Regards, rfg
P.S. This is NOT much ado about nothing. I sense the beginning of a slippery slope. Today it's mailing addresses, "just" of natural persons, or so we are told. Tomorrow it's phone numbers and names and email addresses. Once one adopts the position that privacy is everything and transparency is nothing, then you might as well just put the whole RIPE WHOIS data base behind a paywall and only allow law enforcement access to it, and even then, only if they get a warrant first.
The 'slippery slope' argument is usually an attempt to add emotive elements to a discussion when you don't have any constructive arguments...

cheers
denis
proposal author
I'm sure that such an outcome would suit certain people just fine. I am not one of them.
denis walker via db-wg wrote on 16/06/2022 16:05:
I have listened to your comments in recent discussions and had some preliminary talks with the RIPE NCC about what could be implemented. So now we have a second version of my proposal on personal data.
There are some fairly serious structural issues with the justification in this proposal, for example:
- that there's something new with GDPR that wasn't there before
- that the RIPE database is not GDPR compliant
- repeated claims that "In almost all cases, personal data is not needed".
- etc

GDPR, and previously the 1995 Data Protection Directive, has been addressed continuously by the RIPE NCC over the years. There are some blog posts on the RIPE NCC web site which provide an overview of the current lawful basis for holding and publishing the information:
https://www.ripe.net/about-us/legal/corporate-governance/gdpr-and-the-ripe-n...
So in the absence of firm reasoning to the contrary, this policy needs to step back quite far from claiming or hinting at GDPR non-compliance.

There are numerous other cases where the current justification presents opinions without providing an adequate factual basis.

Incidentally, I'm not arguing that there shouldn't be changes to the scope and style of information contained in the ripe database, but as it stands, the scope of this policy proposal isn't justified by the rationale provided.

Nick
Hi Nick

I am preparing a reply to your comments. I need to do some research to give you a full response. This week I'm in a rural French village with virtually no Internet connectivity. So a quick response is unlikely.

cheers
denis
Proposal author

On Sun, 19 Jun 2022, 16:06 Nick Hilliard, <nick@foobar.org> wrote:
denis walker via db-wg wrote on 16/06/2022 16:05:
I have listened to your comments in recent discussions and had some preliminary talks with the RIPE NCC about what could be implemented. So now we have a second version of my proposal on personal data.
There are some fairly serious structural issues with the justification in this proposal, for example:
- that there's something new with GDPR that wasn't there before
- that the RIPE database is not GDPR compliant
- repeated claims that "In almost all cases, personal data is not needed".
- etc
GDPR, and previously the 1995 Data Protection Directive, has been addressed continuously by the RIPE NCC over the years. There are some blog posts on the RIPE NCC web site which provide an overview of the current lawful basis for holding and publishing the information:
https://www.ripe.net/about-us/legal/corporate-governance/gdpr-and-the-ripe-n...
So in the absence of firm reasoning to the contrary, this policy needs to step back quite far from claiming or hinting at GDPR non-compliance.
There are numerous other cases where the current justification presents opinions without providing an adequate factual basis.
Incidentally, I'm not arguing that there shouldn't be changes to the scope and style of information contained in the ripe database, but as it stands, the scope of this policy proposal isn't justified by the rationale provided.
Nick
Hi Nick

I'll give you the short answers first, then the detailed reply. So people who don't like to read long emails can skip the detail.

On Sun, 19 Jun 2022, 16:06 Nick Hilliard, <nick@foobar.org> wrote:
denis walker via db-wg wrote on 16/06/2022 16:05:
I have listened to your comments in recent discussions and had some preliminary talks with the RIPE NCC about what could be implemented. So now we have a second version of my proposal on personal data.
There are some fairly serious structural issues with the justification in this proposal, for example:
- that there's something new with GDPR that wasn't there before
These issues have always been there. GDPR focused our minds on them in recent years.

- that the RIPE database is not GDPR compliant

It isn't.

- repeated claims that "In almost all cases, personal data is not needed".

It isn't.

- etc
Please expand if you want me to reply.
GDPR, and previously the 1995 Data Protection Directive, has been addressed continuously by the RIPE NCC over the years.
No it hasn't. The first time it was considered was by the task force in 2006. They concluded in 2009. Nothing much was then discussed until GDPR came into effect in 2018.

There are some blog posts on the RIPE NCC web site which provide an overview of the current lawful basis for holding and publishing the information:
https://www.ripe.net/about-us/legal/corporate-governance/gdpr-and-the-ripe-n...
These blogs were written over 4 years ago and have quite a number of open issues outstanding.

So in the absence of firm reasoning to the contrary, this policy needs to step back quite far from claiming or hinting at GDPR non-compliance.
Read the detail below for the firm reasoning...
There are numerous other cases where the current justification presents opinions without providing an adequate factual basis.
Please highlight these opinions and I'll offer the factual basis.
Incidentally, I'm not arguing that there shouldn't be changes to the scope and style of information contained in the ripe database, but as it stands, the scope of this policy proposal isn't justified by the rationale provided.
Again, please elaborate and I'll expand on the rationale.
Nick
Now the detailed answers.

Let me firstly disclose my interest here. I was a RIPE NCC staff member of the Data Protection Task Force (DPTF) from start to finish. Unlike with the recent Database TF, I wasn't just an advisor. Jochem and I were full and active members of the TF. At the start of the DPTF work, the RIPE NCC had no legal team. We worked with the NCC's external lawyers, who had limited knowledge of the RIPE Database. I drafted the early versions of the RIPE Database Terms & Conditions, Acceptable Use Policy, NRTM and Bulk Access Agreements and much of the Database content of the DPTF report. Towards the end of this work the NCC had a legal council and I worked with Jochem and Athina on final drafts of these documents before community and EB approval. So I have a good knowledge of what is in these documents, the context in which they were created and the mistakes (that still exist) in them.

You referenced a series of RIPE Labs articles on GDPR. These articles referenced the DPTF Report. These contain some interesting points, and some errors, partly as a result of the errors in the DPTF report. Bear in mind also that these labs articles were all written over 4 years ago and the DPTF report over 10 years ago. Knowledge and understanding of the issues has increased in this time.

1st labs article
----------------

"In 2005, the RIPE Database Working Group identified a need to comply with data protection legislation by updating the processes and services relating to the RIPE Database. At RIPE 52 in April 2006, the community established the RIPE Data Protection Task Force (DPTF). The DPTF was mandated by the RIPE Database Working Group to recommend steps that the RIPE NCC should take to comply with the legislation."

This was the first time the RIPE NCC and community considered privacy and personal data issues. It was a good starting point, but we were a bit naive and the external lawyers had little knowledge of the database. That is why some errors were made and these errors have been duplicated ever since.

"According to the Dutch Personal Data Protection Act (prior to the GDPR), personal data may be collected for specific, explicitly defined and legitimate purposes. Once collected, this data must:
- Be adequate, relevant and not excessive in relation to the purposes for which it is collected and further processed
- Be accurate and, if necessary, kept up-to-date"

The big mistake we made was to consider 'registration information' and 'personal data' as single entities. So when looking at the purposes of the database and asking the question "do the purposes allow for the processing of personal data" as a single entity, the answer was yes. But when you break down that personal data, single entity into components the answer is yes and no. The primary purpose of the database is as a public registry of 'who' holds or uses blocks of address space. The key is in the alternative name, 'whois database'. So yes the purposes do justify publishing names. Even for natural persons, there is justification for publishing the names. As a contact database to resolve network issues the purposes also justify processing phone numbers and/or email addresses. BUT none of these need to be personal. In fact in the second labs article it even stresses the business nature of this information.

Now when it comes to (postal) address, this is where it is crucial to break down this personal data into components. By definition the postal address of resource holders is "a full postal address for the business contact related to the organisation holding the resource". By this definition this contact can be anyone located anywhere in the world. It has no 'relevance in relation to the purposes'. It also cannot be verified as accurate or up-to-date. Therefore it cannot be justified to be processed according to the purposes, where it is a personal address, under either the Dutch Personal Data Protection Act or the GDPR.
2nd labs article
----------------

"The contact details of a resource holder and their appointed contact persons consist of names, (business) email addresses, (business) phone and fax numbers, and (business) postal addresses."

Although broken down here into components and the business nature of the data is stressed, the individual components were not compared with the purposes.

"The purpose must be specified, explicit, and legitimate. Personal data may only be collected and processed to fulfil this purpose and must not be further processed in a way that is incompatible with this purpose."

Again when personal postal address is compared to the purpose, it cannot be justified.

"The purpose described in the third bullet point of Article 3 of the Terms & Conditions "Facilitating coordination between network operators (network problem resolution, outage notification etc.)" is the one that justifies the publication of personal data in the RIPE Database. For this reason, the RIPE Database includes the contact details of resource holders and persons that are responsible for the administration and the technical maintenance of a particular network."

These statements are not correct. This need to coordinate between operators does not require any personal data. Contact details of persons is not needed. Contact details can all be business related information.

3rd labs article
----------------

[I am going to disagree with most of this...I have added my comments inside [...] ]

Legal grounds for lawful personal data processing

In order for the processing of personal data to be lawful, it must be done on a legitimate basis, as defined in Article 6.1 of the GDPR: Processing shall be lawful only if and to the extent that at least one of the following applies:

[So which of these apply to the personal data in the RIPE Database?]

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
[Consent is difficult to verify in a database with such a widely distributed data entry. Better not to enter data that is not needed for the purposes, even if consent is given.]

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
[This covers some components of personal data, such as name of resource holder or end user.]

(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
[Does not apply.]

(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
[Does not apply.]

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
[This covers some components of personal data, such as name of resource holder or end user.]

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
[This one is interesting as the exception recognises that, if publishing the home address of resource holders or end users is against the interests of the data subject, that overrides the database purposes.]

Personal data of a resource holder

As our previous article mentioned, the RIPE NCC has a mandate from the RIPE community to register and distribute Internet number resources and maintain an Internet number resource registry. While the RIPE community defined the purposes of the RIPE Database, the RIPE NCC is responsible for operating it.
[The RIPE community is not a legal authority. It cannot mandate the RIPE NCC to force natural persons to publish their full home postal address in the database, especially as this address is not relevant to the defined purposes.]

The RIPE Database contains registration information about Internet number resources and, in particular, information about the natural or legal persons that hold these resources. The contact details consist of (legal) name, (business) email address, (business) phone and fax numbers, and (business) legal and postal address(es).
[This mixes registration information with contact details. They are not the same. Legal address is not held in the RIPE Database. The definition of the postal address makes it not relevant to the defined purposes.]

Contact details of the parties responsible for specific Internet number resources are essential for the smooth and uninterrupted operation of Internet and connectivity. The RIPE Database facilitates communication between the people responsible for networks to address technical issues, allowing for quick coordination between operators that do not have a direct relationship.
[This paragraph mixes 3 terms, parties, people and operators. Bottom line is, personal data is not needed for contacts.]

For the purpose described above, it is clear that the processing of personal data referring to a resource holder is necessary for the performance of the registry function, which is carried out in the legitimate interest of the RIPE community and the smooth operation of the Internet globally (and is therefore in accordance with Article 6.1.f of the GDPR).
[The postal address of resource holders, as defined, is not relevant to the purposes and therefore not in accordance with the GDPR. It also comes under the exception stated in Article 6.1.f above]

Personal data of a resource holder's contact person

When resource holders are legal persons, they must provide contact details for the individuals responsible for the networks the Internet number resources correspond to, and/or responsible for maintaining information in the RIPE Database. This is also the case for resource holders that are individuals but do not want to have this role themselves.
[Not correct. These contacts do not need to be identifiable persons for the purposes of the database.]

The contact details usually refer to the technical and administrative employees of a resource holder and consist of names along with a (business) email address, phone, fax number and postal address.
[Only business details are needed and no address is needed for a contact.]

The purpose for which personal data is requested and made publicly available in the RIPE Database is always the same: 'Facilitating coordination between network operators (network problem resolution, outage notification etc.).
[Absolutely not correct. This purpose does not require any personal data.]

In order for consent to serve as the legal ground of a processing activity, the resource holder must be able to demonstrate that the individual has consented to the processing of their personal data...
[Consent is a murky area in a database with such a widely distributed data entry responsibility. It is possible to have multiple levels of sub-allocations. Each level introduces another layer of data entry, further removed from the RIPE NCC and resource holders. The data quality and responsibilities may be diminished with each level. Where personal data is not necessary for the purposes, it is better to avoid it rather than allow sporadic consensual data.]

DPTF Report
-----------

The Dutch Data Protection Act includes the definition: "Personal data is any information relating to an identified or identifiable natural person."
So the term 'Personal Data' is an umbrella term for all pieces of personal information. It makes sense to use this umbrella term in some situations. But when considering if the database purposes cover the processing of 'personal data', this must be broken down into its component pieces of information and each piece needs to be assessed against the purposes.

"The data subject has the right to request that the responsible party correct or delete their personal data."

In order for the data subject to be able to exercise this right, they must be given details of what personal data is processed and where to find it. It is not sufficient to sign a contract that mentions that personal details will be published in 'the RIPE Database' or 'some database'.

cheers
denis
Proposal author
Before discussing the current proposal any further, I am eager to have denis clarify two rather remarkable comments that he's already/previously made here. Each of these comments remain altogether troubling. I've already asked denis to either clarify or amend these comments, but so far he hasn't.

https://www.ripe.net/ripe/mail/archives/db-wg/2022-June/007473.html

Comment #1:

denis> Some telecom companies enter hundreds of thousands of customer details
denis> into the RIPE Database including personal names and addresses.

rfg> Really? Name two.

This alleged "fact" (regarding certain as yet unnamed telecoms) is one basis that denis has used as a justification for the present proposal. Thus, I do believe that it is reasonable to inquire if it is actually true or not. So far, denis has offered no evidence that it actually is.

Comment #2:

rfg> So now, why don't you re-submit this proposal and instead propose
rfg> that *all* mailing address information, including even the country
rfg> name, be redacted from the data base for *all* members?

denis> It will be optional.

I have already and repeatedly expressed my deep and earnest concern that the present proposal will by no means be the end of these efforts to render the WHOIS data base less complete and thus less useful. For his part, denis has suggested that I am being unduly pessimistic or unduly alarmist. The above comment would seem to put the lie to that assertion. The real and true goal, as denis himself is accurately quoted (above) as saying is that *all* location information for *all* categories of members, both natural persons and others, will henceforth become "optional" right down to even the identification of the home country.

I feel quite certain that cybercriminals throughout the RIPE region will be dancing in the streets (and making champagne toasts to denis) if in fact it becomes a matter of RIPE policy that even the identification of the countries where their shell companies are incorporated become "optional" disclosures vis a vis the public WHOIS. More to the point, it would seem that this fetish for secrecy and non-transparency has already metastasized beyond what was originally being sold to us as just a way to help the handful of natural persons in the RIPE region who are too dumb to help themselves, e.g. by renting a P.O. box.

So I believe that I am right to ask: What's next? What else is going to be quietly disappeared from the data base, and from public view, before this obsession runs its full course?

Regards,
rfg
Colleagues

Let me try to summarise a few points before we move on.

Some numbers I have previously quoted have been questioned. Occasionally the RIPE NCC publish some anonymous statistics on the number of person objects related to member organisations. From these authoritative statistics it can be seen that the top entries on the list are member organisations who maintain hundreds of thousands of person objects. It is quite obvious these organisations do not have this many admin, tech and abuse contacts. These person objects relate to their customers. We have about 2m person objects in the database. It is clear that many of these person objects relate to customers and publish names and addresses. We simply do not have 2m contacts in the RIPE region. Perhaps the RIPE NCC can publish the top entries from a new set of these stats. If anyone then wishes to contest the numbers they can take it up directly with the RIPE NCC.

After all the discussions in recent years on data quality, I find it hard to believe that anyone can seriously promote the deliberate entering of false data into the database. If that is being presented as a serious solution to an issue, there is clearly a problem that needs to be solved. The problem is the privacy concerns of entering a full postal address of a member or end user's home. This address is not required to fulfil the purposes of the RIPE Database. Even if it was, the exception in Article 6.1.f of the GDPR allows a data subject's rights to override the legitimate interests of the data controller.

It's also been questioned about breaking down the 'personal data' into its components. This is a mistake we have made over the last 15 years of discussing privacy issues. Personal data is an umbrella term. Taken as a block you can argue that the database purposes justify the processing of personal data. When you look at the components of personal data, it is clear that the purposes do justify processing the name, phone and email data. They don't justify publishing the full home address of members and end users. Each element of personal data must therefore be validated against the purposes.

It has also been questioned if we should allow all the elements of a postal address to be optional for resource holders in the organisation object, including the country they are based in. Let's be clear on the facts here. The legal country that the member is based in is documented by the country attribute which is maintained and verified by the RIPE NCC. This unverified postal address is maintained by the member and by definition relates to any business contact who can be based anywhere in the world. It has little, if any, value to anyone outside of the organisation.

Cheers
denis
denis walker via db-wg wrote on 22/06/2022 23:54:
Perhaps the RIPE NCC can publish the top entries from a new set of these stats. If anyone then wishes to contest the numbers they can take it up directly with the RIPE NCC.
fwiw, the ripe ncc has consistently been clear that there is a handful of organisations who export very large quantities of registration information to the ripedb, so this issue is not particularly in question.

Nick
On Thu, 23 Jun 2022, 12:27 Nick Hilliard, <nick@foobar.org> wrote:
denis walker via db-wg wrote on 22/06/2022 23:54:
Perhaps the RIPE NCC can publish the top entries from a new set of these stats. If anyone then wishes to contest the numbers they can take it up directly with the RIPE NCC.
fwiw, the ripe ncc has consistently been clear that there is a handful of organisations who export very large quantities of registration information to the ripedb, so this issue is not particularly in question.
Yes you are right Nick. Probably the top ten member organisations are responsible for half the 2m person objects. But that still leaves another 1m person objects entered by everyone else. Cheers denis Proposal author
Nick
In message <e7ddcc2c-3d1a-2fbc-8d3e-5472679ad842@foobar.org>, Nick Hilliard <nick@foobar.org> wrote:
denis walker via db-wg wrote on 22/06/2022 23:54:
Perhaps the RIPE NCC can publish the top entries from a new set of these stats. If anyone then wishes to contest the numbers they can take it up directly with the RIPE NCC.
fwiw, the ripe ncc has consistently been clear that there is a handful of organisations who export very large quantities of registration information to the ripedb, so this issue is not particularly in question.
There are multiple obvious problems with this line of argument/reasoning/logic. First and foremost, if in fact there exist such telecom companies, then -somebody- should be able to give us their names. I'm still waiting. I haven't seen -any- names of any such supposed telecom companies yet. Second, as was previously discussed, responsibility, both legal and otherwise, for any unnecessary "leakage" of PII under GDPR belongs to the party that first leaked the data. So if some telecom company is carelessly shoveling their customer PII into the RIPE data base in a way that is not consistent with GDPR then the entire legal responsibility for that belongs to the telecom companies involved... *not* to RIPE. It is therefore quite obviously false to continue to insist that RIPE needs to take some action because of these specific companies or these specific WHOIS records. It doesn't. Third and lastly, underlying these arguments is a sort-of implicit and unspoken assumption that simply is not true and that can quite easily be disproven, i.e. the obviously flawed assumption that the RIPE region is synonymous with the EU and/or the EEA and that thus, GDPR applies throughout the RIPE region. It doesn't. In addition to such notable and significant countries as Russia, Ukraine, and Turkey, it appears that there exist a whole raft of other countries also that are -in- RIPE but -outside- of EU/EEA, for example Aland Islands, Albania, Andorra, Armenia, Azerbaijan... and that's just the As! I'm sure that there are plenty more also. Companies and natural persons in these countries are not bound by GDPR, despite the fact that some would wish it to be so. Thus companies and persons outside of EU/EEA remain free to put whatever they like into the RIPE WHOIS data base, and RIPE is free to publish whatever they do put in there, as has already been discussed and agreed here.

(Note that the Personally Identifiable Information involved in many of these cases will pertain to natural persons who themselves reside -outside- of the EU/EEA area, and GDPR is simply not applicable to the PII of any such persons.) I understand the desire of some in Europe to impose GDPR upon the entire rest of the world, and onto all persons and companies from Alaska to Zanzibar, but wishing does not make it so. RIPE is free, morally, ethically, and legally to publish *my* phone number any time it wishes, as I am an American, and thus not a subject of the GDPR regime, and also not least because I myself have, in the first instance, made my own phone number public in my own domain WHOIS records, thus relieving any and all parties of any legal responsibility, under GDPR, for any mere re-publication of this Personally Identifiable Information.

Regards,
rfg
On Fri, 24 Jun 2022, 01:40 Ronald F. Guilmette via db-wg, <db-wg@ripe.net> wrote:
In message <e7ddcc2c-3d1a-2fbc-8d3e-5472679ad842@foobar.org>, Nick Hilliard <nick@foobar.org> wrote:
denis walker via db-wg wrote on 22/06/2022 23:54:
Perhaps the RIPE NCC can publish the top entries from a new set of these stats. If anyone then wishes to contest the numbers they can take it up directly with the RIPE NCC.
fwiw, the ripe ncc has consistently been clear that there is a handful of organisations who export very large quantities of registration information to the ripedb, so this issue is not particularly in question.
There are multiple obvious problems with this line of argument/reasoning/logic.
First and foremost, if in fact there exist such telecom companies, then -somebody- should be able to give us their names. I'm still waiting. I haven't seen -any- names of any such supposed telecom companies yet.
AFAIK the names of these organisations are not public information, only anonymous statistics have been published. If you have an issue with this I suggest you discuss it directly with the RIPE NCC legal team.
Second, as was previously discussed, responsibility, both legal and otherwise, for any unnecessary "leakage" of PII under GDPR belongs to the party that first leaked the data. So if some telecom company is carelessly shoveling their customer PII into the RIPE data base in a way that is not consistent with GDPR then the entire legal responsibility for that belongs to the telecom companies involved... *not* to RIPE. It is therefore quite obviously false to continue to insist that RIPE needs to take some action because of these specific companies or these specific WHOIS records. It doesn't.
This policy proposal is not about managing the legal responsibilities or liabilities of the RIPE NCC. It is about establishing a set of principles by which those who enter data into this database will manage personal data.
Third and lastly, underlying these arguments is a sort-of implicit and unspoken assumption that simply is not true and that can quite easily be disproven, i.e. the obviously flawed assumption that the RIPE region is synonymous with the EU and/or the EEA and that thus, GDPR applies throughout the RIPE region. It doesn't.
The RIPE NCC is the data controller and is a Dutch organisation based in the EU. The RIPE Database is operated from servers within the EU. GDPR therefore applies to all data subjects within this database regardless of where they are located. Article 3.1 of the GDPR states: "This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not."
In addition to such notable and significant countries as Russia, Ukraine, and Turkey, it appears that there exist a whole raft of other countries also that are -in- RIPE but -outside- of EU/EEA, for example Aland Islands, Albania, Andorra, Armenia, Azerbaijan... and that's just the As! I'm sure that there are plenty more also. Companies and natural persons in these countries are not bound by GDPR, despite the fact that some would wish it to be so. Thus companies and persons outside of EU/EEA remain free to put whatever they like into the RIPE WHOIS data base, and RIPE is free to publish whatever they do put in there, as has already been discussed and agreed here. (Note that the Personally Identifiable Information involved in many of these cases will pertain to natural persons who themselves reside -outside- of the EU/EEA area, and GDPR is simply not applicable to the PII of any such persons.)
There are Russian LIRs who provide address space and services to end users based in the Netherlands. Internet operations and business are not bound by geographical, political or legal jurisdictions.

Cheers
denis
Proposal author
I understand the desire of some in Europe to impose GDPR upon the entire rest of the world, and onto all persons and companies from Alaska to Zanzibar, but wishing does not make it so. RIPE is free, morally, ethically, and legally to publish *my* phone number any time it wishes, as I am an American, and thus not a subject of the GDPR regime, and also not least because I myself have, in the first instance, made my own phone number public in my own domain WHOIS records, thus relieving any and all parties of any legal responsibility, under GDPR, for any mere re-publication of this Personally Identifiable Information.
Regards, rfg
--
To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: https://lists.ripe.net/mailman/listinfo/db-wg
In message <CAKvLzuEE8494HY3OS6Byy1SQ+BJ=c576sgTW=r9fm7dQK5mbDw@mail.gmail.com> denis walker <ripedenis@gmail.com> wrote:
First and foremost, if in fact there exist such telecom companies, then -somebody- should be able to give us their names. I'm still waiting. I haven't seen -any- names of any such supposed telecom companies yet.
AFAIK the names of these organisations are not public information, only anonymous statistics have been published. If you have an issue with this I suggest you discuss it directly with the RIPE NCC legal team.
Thank you for that helpful suggestion. I feel certain that RIPE legal will be instantly forthcoming with the names, just as RIPE legal has always been with regards to all other such particular inquiries. :-) Unfortunately, I cannot engage RIPE legal on this matter at the present time because I am stuck in a non-interruptable wait loop, waiting for Donald Trump's legal team to get back to me and to provide me with the evidence that they assure me really and truly does exist, and that proves that massive election fraud took place in the 2020 U.S. Presidential election.
Second, as was previously discussed, responsibility, both legal and otherwise, for any unnecessary "leakage" of PII under GDPR belongs to the party that first leaked the data. So if some telecom company is carelessly shoveling their customer PII into the RIPE data base in a way that is not consistent with GDPR then the entire legal responsibility for that belongs to the telecom companies involved... *not* to RIPE. It is therefore quite obviously false to continue to insist that RIPE needs to take some action because of these specific companies or these specific WHOIS records. It doesn't.
This policy proposal is not about managing the legal responsibilities or liabilities of the RIPE NCC.
Well, you could have fooled me! If this proposal has nothing to do with legal responsibilities or liabilities, then why do you keep on mentioning GDPR as a justification for this? And why does the proposal itself contain the following telling verbiage? "Now the EU General Data Protection Regulation (GDPR) adds legal constraints on personal data and the justification for its use."
Third and lastly, underlying these arguments is a sort-of implicit and unspoken assumption that simply is not true and that can quite easily be disproven, i.e. the obviously flawed assumption that the RIPE region is synonymous with the EU and/or the EEA and that thus, GDPR applies throughout the RIPE region. It doesn't.
The RIPE NCC is the data controller...
No, it isn't. You are simply misinterpreting the definition of "controller" in the actual GDPR legislation. RIPE is *not* the entity that receives the PII in the first instance, and it is thus *not* the "controller" as per GDPR. You need to go back and re-read the definition of "controller" in the actual legislation.
In addition to such notable and significant countries as Russia, Ukraine, and Turkey, it appears that there exist a whole raft of other countries also that are -in- RIPE but -outside- of EU/EEA, for example Aland Islands, Albania, Andorra, Armenia, Azerbaijan... and that's just the As! I'm sure that there are plenty more also. Companies and natural persons in these countries are not bound by GDPR, despite the fact that some would wish it to be so. Thus companies and persons outside of EU/EEA remain free to put whatever they like into the RIPE WHOIS data base, and RIPE is free to publish whatever they do put in there, as has already been discussed and agreed here. (Note that the Personally Identifiable Information involved in many of these cases will pertain to natural persons who themselves reside -outside- of the EU/EEA area, and GDPR is simply not applicable to the PII of any such persons.)
There are Russian lirs who provide address space and services to end users based in the Netherlands.
Irrelevant and immaterial. RIPE is *still* neither the data "controller" nor the data "processor" as per the definitions of these terms in the GDPR legislation, regardless of the location of the legal entity that gives the data to RIPE. (That entity, whoever it is and wherever it is, is the data "controller"... *not* RIPE.)

Regards,
rfg

P.S. Here is the public data from my own domain name WHOIS record for my own domain, tristatelogic.com:

Registrant Name: Ronald F. Guilmette
Registrant Street: 1751 E Roseville Pkwy
Registrant Street: Apt 1828
Registrant City: Roseville
Registrant State/Province: CA
Registrant Postal Code: 95661
Registrant Country: US
Registrant Phone: +1.9167867945
Registrant Email: rfg-dynadot@tristatelogic.com

Ten seconds after I hit send on this email, the above data will be placed into the *public* web-accessible mailing list archive for this Working Group... a public archive which is operated and maintained by RIPE and within the EU region. In short, ten seconds after I hit send on this email, RIPE will be publishing, to the entire world, a great deal of *my* Personally Identifiable Information (PII). By your logic, eleven seconds after I hit the send button, I will have a perfectly valid and viable legal cause of action against RIPE for publishing my private information, which RIPE will be doing in violation of GDPR. This is the demonstrably absurd outcome that arises, inevitably, from your misunderstanding of GDPR's definitions of the key terms "controller" and "processor".
Ron, Ronald F. Guilmette via db-wg wrote on 24/06/2022 00:40:
Second, as was previously discussed, responsibility, both legal and otherwise, for any unnecessary "leakage" of PII under GDPR belongs to the party that first leaked the data. So if some telecom company is carelessly shoveling their customer PII into the RIPE data base in a way that is not consistent with GDPR then the entire legal responsibility for that belongs to the telecom companies involved... *not* to RIPE.
the RIPE NCC is a GDPR joint controller of the PII published in the ripedb. This is acknowledged by the RIPE NCC:
With regards to the RIPE Database, the RIPE NCC fills the role of “Data Controller” - that is, the entity legally responsible for all personal data stored in the RIPE Database.
From: https://labs.ripe.net/author/athina/how-were-implementing-the-gdpr/
Third and lastly, underlying these arguments is a sort-of implicit and unspoken assumption that simply is not true and that can quite easily be disproven, i.e. the obviously flawed assumption that the RIPE region is synonymous with the EU and/or the EEA and that thus, GDPR applies throughout the RIPE region. It doesn't.
there is no assumption, implicit or otherwise, that the RIPE service region is synonymous with the EU. However, as the RIPE NCC is legally constituted and operates in The Netherlands, it is subject to Dutch and EU law. If you explicitly give consent for them to publish your personal information, that's fine. As this information is published in NL, your PII is subject to Dutch and EU law, and is therefore subject to the GDPR. In addition to your right to provide consent to publish your PII, you have lots of other rights, including the rights of access, rectification, restriction, and others. If you're concerned by the fact that your PII is now subject to the GDPR, perhaps you'd like to exercise your right of erasure?

Nick
In addition to such notable and significant countries as Russia, Ukraine, and Turkey, it appears that there exist a whole raft of other countries also that are -in- RIPE but -outside- of EU/EEA, for example Aland Islands, Albania, Andorra, Armenia, Azerbaijan... and that's just the As! I'm sure that there are plenty more also. Companies and natural persons in these countries are not bound by GDPR, despite the fact that some would wish it to be so. Thus companies and persons outside of EU/EEA remain free to put whatever they like into the RIPE WHOIS data base, and RIPE is free to publish whatever they do put in there, as has already been discussed and agreed here. (Note that the Personally Identifiable Information involved in many of these cases will pertain to natural persons who themselves reside -outside- of the EU/EEA area, and GDPR is simply not applicable to the PII of any such persons.)
Zanzibar, but wishing does not make it so. RIPE is free, morally, ethically, and legally to publish *my* phone number any time it wishes, as I am an American, and thus not a subject of the GDPR regime, and also not least because I myself have, in the first instance, made my own phone number public in my own domain WHOIS records, thus relieving any and all parties of any legal responsibility, under GDPR, for any mere re-publication of this Personally Identifiable Information.
Regards, rfg
Dear DB-WG, <tl;dr> The legal team at RIPE NCC has made it easier for us to get a clear picture [1] of their implementation of the GDPR regulatory framework within the RIPE Database. ...i'm mostly quoting their related publication series to conclude that this Draft Policy Proposal (DPP) is not needed when it comes to helping RIPE NCC in any quest for GDPR regulatory framework compliance regarding PII data insertion w/ the RIPE Database. The legal team has said that their need could be about *query* [6]... </tl;dr> Please find more context below, inline... Thanks. On Friday 24 June 2022, Nick Hilliard via db-wg <db-wg@ripe.net> wrote:
Ron,
Ronald F. Guilmette via db-wg wrote on 24/06/2022 00:40:
Second, as was previously discussed, responsibility, both legal and otherwise, for any unnecessary "leakage" of PII under GDPR belongs to the party that first leaked the data. So if some telecom company is carelessly shoveling their customer PII into the RIPE data base in a way that is not consistent with GDPR then the entire legal responsibility for that belongs to the telecom companies involved... *not* to RIPE.
the RIPE NCC is a GDPR joint controller of the PII published in the ripedb. This is acknowledged by the RIPE NCC:
With regards to the RIPE Database, the RIPE NCC fills the role of “Data Controller” - that is, the entity legally responsible for all personal data stored in the RIPE Database.
From: https://labs.ripe.net/author/athina/how-were-implementing-the-gdpr/
Hi Nick, Thanks for sharing that precious URI, brother! ...fwiw, we should start by questioning whether that [1] *old* publication series is still reflecting the actual understanding of RIPE NCC in how PII data shall be managed within the RIPE Database. __ [1]: < https://www.ripe.net/about-us/legal/corporate-governance/gdpr-and-the-ripe-n...
This first precaution is needed, due to the fact that its very content [2,3,4] seems to prove that RIPE NCC has nearly no problem in regards to its implementation of the GDPR regulatory framework within the RIPE Database. <quote1> "The RIPE NCC considers that it is the responsibility of the one who inserts the data in the RIPE Database (i.e. the maintainer) to ensure that they have obtained valid consent for the processing to take place." </quote1> __ [2]: https://labs.ripe.net/author/athina/how-were-implementing-the-gdpr-legal-grounds-for-lawful-personal-data-processing-and-the-ripe-database/#:~:text=The%20RIPE%20NCC%20considers,the%20processing%20to%20take%20place <quote2> "We’ve heard feedback that there’s a lot of interest in the way personal data is processed in the RIPE Database and how it will be affected by the GDPR implementation. Spoiler alert: our assessment indicates that current operations are in line with the legislation." </quote2> __ [3]: https://labs.ripe.net/author/athina/how-were-implementing-the-gdpr-the-ripe-... . <quote3> "Conclusion The RIPE NCC is confident that the current RIPE Database operations are in line with the requirements of the GDPR. Having said that, we do see some room for improvement in the relevant documentation and we are currently reviewing our procedures accordingly." </quote3> __ [4]: https://labs.ripe.net/author/athina/how-were-implementing-the-gdpr-the-ripe-... . The above adds more doubt about the rationale linking the goal and the problem statement attached to this Draft Policy Proposal (DPP) :-/ <quote4> "Responsible party’s obligations As mentioned above, the responsible parties are identified by the maintainer object (referenced by the “mnt-by:” attribute in any data object), which is mandatory for all objects in the RIPE Database, and indicates who is really responsible for specific personal data recorded in the RIPE Database.
In summary, the maintainer is responsible for:
• The accuracy of the personal data they insert into the RIPE Database, that it is appropriate for the purpose of the RIPE Database and that it is kept up-to-date
• Informing the data subjects that their data is being processed, of the purposes of the RIPE Database, the RIPE NCC's role, and the maintainer’s role as the responsible party
• Receiving the data subject's consent (before their personal data is entered)
• Handling any request from persons whose personal data is inserted regarding correction or deletion of personal data
• Accepting liability for any damage resulting from the data being inaccurate, not relevant or out-of-date, and any damage resulting from not informing the data subjects, or receiving their consent or not handling their requests
These responsibilities are already described in the RIPE Database Terms and Conditions and the resource holders, including the maintainers, are contractually bound to these obligations." </quote4> __ [5]: https://labs.ripe.net/author/athina/how-were-implementing-the-gdpr-legal-gro... . Given that RIPE NCC has no record of fines for having violated the GDPR since 2018, is there any chance to find some valid usecases which could justify such apparent need to change the *purpose* of the RIPE Database?
Third and lastly, underlying these arguments is a sort-of implicit and unspoken assumption that simply is not true and that can quite easily be disproven, i.e. the obviously flawed assumption that the RIPE region is synonymous with the EU and/or the EEA and that thus, GDPR applies throughout the RIPE region. It doesn't.
there is no assumption, implicit or otherwise, that the RIPE service region is synonymous with the EU. However, as the RIPE NCC is legally constituted and operates in The Netherlands, it is subject to dutch and EU law.
If you explicitly give consent for them to publish your personal information, that's fine. As this information is published in NL, your PII is subject to Dutch and EU law, and is therefore subject to the GDPR.
...we do not need to deal with the usecase shared by Ronald, because, imho, the legal team within RIPE NCC has already concluded [2,5], even in the case where PII of data subjects from a country in the EU is inserted into the RIPE Database, without formal consent, by the *responsible* resource holder... Now! the very *who is* question raised by Ronald makes more sense :-/ <quote5> "We have concluded that the processing of personal data is in line with the GDPR and no changes are necessary in this regard. In this article, we’re taking a closer look at the queries the RIPE Database allows; we will conclude that some amendments are necessary to ensure GDPR compliance." </quote5> __ [6]: https://labs.ripe.net/author/maria_stafyla/how-were-implementing-the-gdpr-am... . :-/ so! the problem identified by RIPE NCC was not about inserting PII into the RIPE Database, but its query... ...here's a problem which might need a fix.
In addition to your right to provide consent to publish your PII, you have lots of other rights, including the rights of access, rectification, restriction, and others.
If you're concerned by the fact that your PII is now subject to the GDPR, perhaps you'd like to exercise your right of erasure?
Thanks for noting this, as Athina has also listed [7] the rights of data subjects regarding any request of PII data removal [8]. <quote6> "Removal of Personal Data An individual whose personal data has been inserted into the RIPE Database has the right to ask for their personal data to be corrected or removed. As most of the personal data contained in the RIPE Database is not managed by the RIPE NCC but by the persons indicated in the maintainer object referenced in the "mnt-by:" attribute (mainly the resource holders), it is the responsibility of the maintainer to remove this personal data and replace it with the personal data of another individual. If a maintainer fails to fulfill these responsibilities, the RIPE NCC will intervene and modify or delete personal data in the RIPE Database. However, the resource holder must find another individual who is willing to share their personal data in the RIPE Database." </quote6> __ [7]: https://labs.ripe.net/author/athina/how-were-implementing-the-gdpr-the-ripe-... . [8]: Procedure for the Removal of Personal Contact Details from the RIPE Database < https://www.ripe.net/manage-ips-and-asns/db/support/documentation/removal-of...
Note that all these provisions appear to add more arguments to the fact that RIPE NCC needs almost no help to continue to manage the RIPE Database in compliance with the GDPR regulatory framework. <quote7> "It must be highlighted that this procedure [6] was established by the RIPE community through the Data Protection Task Force as the right balance between maintaining the accountability of resource holders and safeguarding the data protection rights of individuals." </quote7> __ https://labs.ripe.net/author/athina/how-were-implementing-the-gdpr-the-ripe-... . Thanks. Shalom, --sb.
Nick
[...]
NOTE: Some or all of the following may perhaps have been rendered moot by the just-posted response of Sylvain Baya <abscoco@gmail.com> in this thread, but I'd like to get this all on the record anyway, especially since I spent over an hour composing it. :-) In message <d565baed-9c34-0ba5-9f8a-55b8c078d718@foobar.org>, Nick Hilliard <nick@foobar.org> wrote:
the RIPE NCC is a GDPR joint controller of the PII published in the ripedb. This is acknowledged by the RIPE NCC:
With regards to the RIPE Database, the RIPE NCC fills the role of “Data Controller” - that is, the entity legally responsible for all personal data stored in the RIPE Database.
From: https://labs.ripe.net/author/athina/how-were-implementing-the-gdpr/
This assertion, that RIPE is a "controller" under the GDPR, is simply wrong, at least with regards to these alleged millions of personal end-customer records that are alleged to have been stuffed into the RIPE WHOIS data base by these various alleged telecom companies, and/or by any other third-party that sits between the natural person(s) whose PII is at issue and RIPE. Note that Ms. Fragkouli's assertion, as quoted above, is stated without any caveats or qualifications of any kind, and also without any reference to the actual text of GDPR, and lastly also without citation to any other statutory authority or to any existing case law. This is a perfect example of what I have been ranting about. Without any firm basis in either law or precedent it appears that Ms. Fragkouli, and others, have persuaded themselves that secrecy is a Good Thing and that thus, any excuse that may come to hand that may seem to permit even more excessive, arbitrary, and capricious secrecy must be, by definition, a Good Thing. I take issue with this viewpoint, which is arguably extreme, and I challenge both Ms. Fragkouli and any and all other parties to provide here the factual and legal basis they are claiming as support for this clear misinterpretation of the fundamental terms of reference of the actual GDPR legislation, as differentiated from the personal views of Ms. Fragkouli or any other member of the community. (A modest suggestion: It would perhaps be Helpful if some of the membership debating this issue would actually read the GDPR legislation, rather than simply speculating about what it actually says.)
Again, to be clear, it is possible that RIPE may qualify, under the terms of reference of GDPR, as the data "controller" in those instances where there is no third party sitting between the natural person whose PII is at issue and RIPE, however even in those cases it is my assertion that the actual legal applicability of GDPR may be tempered by the explicit terms of the contractual relationship between the parties. In any and every case where there _is_ some third-party sitting between RIPE and the natural persons whose PII is at issue, I do not believe that there can be any question whatsoever that RIPE is not the data "controller", for purposes of GDPR, and that thus, RIPE bears no legal responsibility of any kind in these instances.
If you explicitly give consent for them to publish your personal information, that's fine.
Now you are just playing with words. I _did not_ "explicitly" give consent to RIPE to publish any of my personal information. I simply included my personal information in an email message which was sent to this mailing list. Nonetheless, subsequent to that RIPE _did_ in fact publish my private information. So now, do I have a legal cause of action against RIPE? Can I now sue RIPE for millions of dollars? Because that is one obvious possible implication of your use of the ever-so-malleable word "explicitly".
As this information is published in NL, your PII is subject to Dutch and EU law, and is therefore subject to the GDPR.
No, it isn't, and you are making the mistake of assuming, without any supporting evidence or any legal basis I might add, that GDPR applies to either natural persons or to data controllers that exist entirely outside of GDPR's legal jurisdiction (i.e. EU+EEA). This is simply false, and GDPR does not have such broad extra-territorial jurisdiction over either natural persons or data controllers that exist entirely outside the GDPR jurisdictional region. (This is also one of my several pet peeves that I have been ranting about. I understand that there is a lot of wishful thinking associated with various bits of public speculation about the actual jurisdictional limits of GDPR, but the legislation just doesn't say either what many think it says or what many would like it to say.) In the example of my prior posting here I included some of my own PII. I am (and was) the "data controller" for purposes of GDPR with respect to that specific instance of "leakage" of my PII... not RIPE. To assert otherwise is to demonstrate a clear misunderstanding of the fundamental terms of reference of GDPR. And that misunderstanding becomes obvious when the legal implications of this misinterpretation of the term "controller" are adequately contemplated and found to lead to patently absurd practical outcomes. I cannot in fact sue RIPE over the fact that it has published my PII for all the world to see because as I have said, RIPE is not the controller in this example. Indeed, under the very explicit and specific terms of GDPR, I cannot even sue myself for having leaked my personal PII for the following TWO reasons: 1) I am a natural person residing outside of GDPR's jurisdiction, and thus, my own PII is not something that GDPR even has anything at all to say about. 2) I am (and was), for purposes of GDPR, the data "controller" when I posted my PII to this list.
As a data controller which itself resides entirely outside of the GDPR jurisdictional area, GDPR does not provide me, as a natural person, with any grounds to sue myself, as a data controller, because the "data controller" is outside of GDPR's physical/territorial jurisdiction. If one of you Europeans gives your PII to some company that has a physical presence only in, say, Russia, or Ukraine, or Turkey, or Azerbaijan, or the United States for that matter, and if that company then splatters our PII all over the Internet, GDPR does not provide you with any basis for legal action. In summary, there has been and continues to be a great deal of mistaken misinformation and misinterpretation of the actual text of the GDPR legislation, much of which would lead to obviously absurd outcomes if taken seriously. These misinterpretations relate not only to the basic terms of reference, e.g. "controller", but also to the actual jurisdictional limitations and constraints of GDPR with respect to persons, places, entities and data. GDPR is not actually quite so boundless with respect to any of these things as some would wish, and mere misinterpretations of GDPR should not and cannot be used as a justification for ill-founded RIPE policies.
Regards, rfg
P.S. In order to forestall the inevitable assertions that I have herein been a sexist pig, or that I have in any way unfairly picked on Ms. Fragkouli or her expertise, I will say now quite plainly that all she has done is to write and publish a single somewhat overbroad sentence (quoted again above) regarding the applicability of GDPR to RIPE, and that one sentence is correct in some contexts, even as it is incorrect or inapplicable in others. For the sake of brevity, I assume, Ms. Fragkouli failed to attach to that one sentence relevant and important caveats which would qualify the sentence. More recently, and since the time Ms. Fragkouli wrote and published that one sentence, it has been others who have postulated what I believe to be incorrectly expansive interpretations of Ms. Fragkouli's single sentence on this topic. She is surely not to blame in any way for these subsequent and arguably aggressive misinterpretations.
Colleagues There were 2 very long emails this weekend, both pretty much along the same lines. These points have been made several times. I believe I have adequately addressed these points in my earlier reply here: https://www.ripe.net/ripe/mail/archives/db-wg/2022-June/007482.html Now let's try to wrap this issue up with a reality check. In the text of the proposed policy, GDPR is not mentioned anywhere. The opening two lines of the proposed policy Abstract basically sum up what this proposed policy is about: "This policy arises from the need for the RIPE Database to avoid the publishing of unnecessary personal data. Personal data must not be entered into the RIPE Database unless this can be justified according to the acknowledged purposes of the RIPE Database." Regardless of what part of the RIPE region any data maintainer or data subject is based in, regardless of legal jurisdiction, regardless of what personal data protection laws apply, regardless of who is considered to be the data controller of the data contained within the RIPE Database, this policy proposal is suggesting that these are the basic principles that the RIPE Database should operate under across the region. I don't think anyone can argue against the RIPE Database not containing unnecessary personal data or personal data that cannot be justified by the agreed purposes of the database. The GDPR is a good guideline and benchmark to assess the database against as it does apply, without question, to a large part of the RIPE region and a large amount of the personal data contained within the database. But it is not the only consideration. To focus so heavily on the GDPR alone is a distraction. The bottom line is that this policy proposal is about establishing reasonable, common sense principles for processing personal data across the RIPE region, supported by the agreed purposes of the RIPE Database. cheers denis Proposal author
Dear RIPE DB-WG, Hope this email finds you in good health! Please find my comments below, inline... Thanks. On Monday 27 June 2022, denis walker via db-wg <db-wg@ripe.net> wrote:
Colleagues
There were 2 very long emails this weekend, both
Hi Denis, Thanks for your email, brother.
pretty much along the same lines. These points have been made several times. I believe I
Sure, you tried...and thanks brother, it helped me to better understand two or three things along...
have adequately addressed these points in my earlier reply here: https://www.ripe.net/ripe/mail/archives/db-wg/2022-June/007482.html
...I went through it again, and it appears not to satisfy me, though :-/ What I understand is that your understanding of the actual state of the RIPE DB's compliance with GDPR diverges from the public statement of RIPE NCC's Legal Team on the same topic... :-/ Given that you have a very insightful point of view on the topic, I ask myself, what could justify that *unexpected* divergence?
Now let's try to wrap this issue up with a reality check. In the text of the proposed policy, GDPR is not mentioned anywhere.
Right! But who said it's part of the draft proposal to be implemented, if it reaches consensus?
The opening two lines of the proposed policy Abstract basically sum up what this proposed policy is about: "This policy arises from the need for the RIPE Database to avoid the publishing of unnecessary personal data. Personal data must not be entered into the RIPE Database unless this can be justified according to the acknowledged purposes of the RIPE Database."
...who first invoked [1] the GDPR regulatory framework?
<quote>
"Summary of Proposal: Since the beginning of the RIPE Database, personal data has been entered extensively in PERSON objects as well as in other objects’ attributes in the database, such as email addresses for notifications and postal addresses for resource holders. In those early days little consideration was given to privacy and personal data processing. In almost all cases, personal data is not needed. Now the EU General Data Protection Regulation (GDPR) adds legal constraints on personal data and the justification for its use. The RIPE NCC is the data controller and facilitator of the RIPE Database. The servers providing access to the RIPE Database are operated by the RIPE NCC. The RIPE NCC is a Dutch registered organisation based within the EU. Therefore, the GDPR applies to all the personal data contained within the RIPE Database, regardless of where the data subject is located. In almost all situations, there is no justification for publishing any personal data in the RIPE Database. This policy proposal outlines data that should be used in areas where personal data has been used in the past. All contacts must be documented as roles. There is no need for documenting personal information about any contacts in the database."
</quote>
__ [1]: https://www.ripe.net/participate/policies/proposals/2022-01#:~:text=Summary%...
Regardless of what part of the RIPE region any data maintainer or data subject is based in, regardless of legal jurisdiction, regardless of what personal data protection laws apply, regardless of who is considered to be the data controller of the data contained within the RIPE Database, this policy proposal is suggesting that these are the basic principles that the RIPE Database should operate under across the region.
Fine! Then, let's just bound on that. Or no? :-/ ...having read and commented on [2] the publication series [3] from the RIPE NCC's Legal Team, I can tell you that: *insertion* of PII into the RIPE DB seems to be actually in line with both the *GDPR* and the rights of data subjects. Then if/when you find *a lot* of PII the only ones to blame are the resource holders. Because they have signed more than one legal document where they agreed not to *pour* PII of their clients into the RIPE DB. __ [2]: <https://www.ripe.net/ripe/mail/archives/db-wg/2022-June/007501.html> [3]: < https://www.ripe.net/about-us/legal/corporate-governance/gdpr-and-the-ripe-n...
The RIPE NCC's Legal Team concluded that:
1| the RIPE DB has no *insertion* problem;
2| the remaining problem with the RIPE DB is in its *query* to retrieve data it contains;
3| the RIPE Community should act accordingly;
4| ...
...I expect that those RIPE NCC Legal Team's publication series [3] would be targeted as obsolete, when the above becomes false or inconsistent with their assessment of the situation. ...I call on anyone from RIPE NCC to, please, bring the clarification needed to understand the current state of the RIPE DB regarding its compliance with GDPR.
I don't think anyone can argue against the RIPE Database not containing unnecessary personal data or personal data that cannot be justified by the agreed purposes of the database.
You are right, imho! ...I, for myself, am opposed to any attempt to change the *purpose* of the RIPE Database. BTW! Could you find anyone who can argue against the good standing, interest and usefulness of the RIPE DB's *purpose*?
The GDPR is a good guideline and benchmark to assess the database against as it does apply, without question, to a large part of the RIPE region and a large amount of the personal data contained within the database.
But it is not the only consideration.
Any other? Thanks to add it here [1], brother.
To focus so heavily on the GDPR alone is a distraction.
< https://dict.org/bin/Dict?Form=Dict1&Query=distraction&Strategy=*&Database=*> [1]?
The bottom line is that this policy proposal is about establishing reasonable, common sense principles for processing personal data across the RIPE region, supported by the agreed purposes of the RIPE Database.
If that's the goal, then could we, please, start by considering the following:
s0| identify, in all the twenty-one (21) RIPE DB types of objects, attributes which could contain unwilling PII;
s1| filter output in 's0' to catch the more dangerous attributes to be balanced against (i) the purpose of the RIPE DB, and (ii) privacy considerations;
s2| consult the members & community through a survey about the appropriate path to follow;
s3| split the proposal {as suggested by Ronald}:
s4| one separate DPP (Draft Policy Proposal) to address the problem, if any, with the general principles for processing data within the RIPE DB;
s5| one separate DPP to address the problem, if any, with *insertion* of PII within the RIPE DB;
s6| one separate DPP to address the problem with the *query* of the RIPE Database;
s7| one separate DPP to address the problem, if needed, with current PII present in the RIPE DB;
s8| ...
Hope this clarifies my personal PoV :-) Thanks. Shalom, --sb.
cheers denis Proposal author
[...]
-- Best Regards! __ baya.sylvain[AT cmNOG DOT cm]|<https://cmnog.cm/dokuwiki/Structure> Subscribe to Mailing List: <https://lists.cmnog.cm/mailman/listinfo/cmnog/> __ #THEHOLYBIBLE|#Romans15:33 «May the #GOD of #Peace be with you all! #Amen!» #MyPrayer is that you be born again. #Christianly «As a deer pants for streams of water, so my soul pants for YOU, O GOD!» (#Psalms42:2)
On Mon, 27 Jun 2022 at 18:23, Sylvain Baya via db-wg <db-wg@ripe.net> wrote:
have adequately addressed these points in my earlier reply here: https://www.ripe.net/ripe/mail/archives/db-wg/2022-June/007482.html
...I went through it again, and it appears not to satisfy me, though :-
Now let's try to wrap this issue up with a reality check. In the text of the proposed policy, GDPR is not mentioned anywhere.
Right! but, who said it's part of the draft proposal to be implemented; if it reaches consensus?
Two of you seem to be focussing all your attention on GDPR
Regardless of what part of the RIPE region any data maintainer or data subject is based in, regardless of legal jurisdiction, regardless of what personal data protection laws apply, regardless of who is considered to be the data controller of the data contained within the RIPE Database, this policy proposal is suggesting that these are the basic principles that the RIPE Database should operate under across the region.
Fine! Then, let's just bound on that. Or no? :-/
...having read and commented on [2] the publication series [3] from the RIPE NCC's Legal Team, I can tell you that: *insertion* of PII into the RIPE DB seems to be actually in line with both the *GDPR* and the rights of data subjects.
We are going round in circles so I am not going to respond to these same points again. It is not ALL in line with either. Some resource holders and end users 'reluctantly' agree to some elements of their personal details (home address in particular) being entered into this database otherwise they will not get the resources they need for their business. Their home postal address is not needed to fulfill the database purposes. So some of this data is entered without the support of the database purposes and against the wishes of the data subject. That contravenes both GDPR and the rights of the data subject. To get around this some people are forced to enter false data into the database.
Then if/when you find *a lot* of PII the only ones to blame are the resource holders. Because they have signed more than one legal document where they agreed not to *pour* PII of their clients into the RIPE DB.
We are not playing the blame game. It doesn't matter whose fault it is that some PII data ends up in the database that should not be there. We are trying to establish principles that will ensure that only the necessary data is entered into the database.
__ [2]: <https://www.ripe.net/ripe/mail/archives/db-wg/2022-June/007501.html> [3]: <https://www.ripe.net/about-us/legal/corporate-governance/gdpr-and-the-ripe-ncc>
The RIPE NCC's Legal Team concluded that:
1| the RIPE DB has no *insertion* problem;
2| the remaining problem with the RIPE DB is in its *query* to retrieve data it contains;
3| the RIPE Community should act accordingly;
4| ...
...I expect that those RIPE NCC Legal Team's publication series [3] would be targeted as obsolete, when the above becomes false or inconsistent with their assessment of the situation.
...I call on anyone from RIPE NCC to, please, bring the clarification needed to understand the current state of the RIPE DB regarding its compliance with GDPR.
Again you are obsessed with GDPR.
I don't think anyone can argue against the RIPE Database not containing unnecessary personal data or personal data that cannot be justified by the agreed purposes of the database.
You are right, imho!
...I, for myself, am opposed to any attempt to change the *purpose* of the RIPE Database.
BTW! Could you find anyone who can argue against the good standing, interest and usefulness of the RIPE DB's *purpose*?
My proposal does not attempt to change the database purposes.
The GDPR is a good guideline and benchmark to assess the database against as it does apply, without question, to a large part of the RIPE region and a large amount of the personal data contained within the database. But it is not the only consideration.
Any other?
Many other countries in the RIPE region, outside of the EU, have their own legislation on privacy...the UK for example.
The bottom line is that this policy proposal is about establishing reasonable, common sense principles for processing personal data across the RIPE region, supported by the agreed purposes of the RIPE Database.
If that's the goal, then could we, please, start by considering the following:
s0| identify, in all the twenty-one (21) RIPE DB types of objects, attributes which could contain unwilling PII;
s1| filter output in 's0' to catch the more dangerous attributes to be balanced against (i) the purpose of the RIPE DB, and (ii) privacy considerations;
s2| consult the members & community through a survey about the appropriate path to follow;
s3| split the proposal {as suggested by Ronald}:
s4| one separate DPP (Draft Policy Proposal) to address the problem, if any, with the general principles for processing data within the RIPE DB;
s5| one separate DPP to address the problem, if any, with *insertion* of PII within the RIPE DB;
s6| one separate DPP to address the problem with the *query* of the RIPE Database;
s7| one separate DPP to address the problem, if needed, with current PII present in the RIPE DB;
s8| ...
You are asking for 4 policies to do what one can do. That makes no sense at all. It would take about a year to even consider 4 consecutive policies. cheers denis (single) Proposal author
Hope this clarifies my personal PoV :-)
Thanks.
Shalom, --sb.
Colleagues Some people are still questioning the GDPR in relation to the RIPE Database and this policy proposal and a series of articles written by the RIPE NCC a few years ago. Most of us on this list are not lawyers. This is why the RIPE NCC employs a team of expert legal professionals to (re)assess these issues. They will do so as part of the impact analysis after the discussion period ends. I have certainly reached the limit of my legal understanding of the GDPR issues. Therefore I will not address any more questions specifically on GDPR aspects until after we have the legal review of the discussion points raised already. cheers denis Proposal author
In message <CAKvLzuHetmjyvHcZK-5EQSaT=M6s-mx-WMHYE=xp_skTa4_+Sw@mail.gmail.com> denis walker <ripedenis@gmail.com> wrote:
"According to the Dutch Personal Data Protection Act (prior to the GDPR), personal data may be collected for specific, explicitly defined and legitimate purposes. Once collected, this data must:
- Be adequate, relevant and not excessive in relation to the purposes for which it is collected and further processed
- Be accurate and, if necessary, kept up-to-date"
I invite everyone who still doesn't understand why I have gotten so exercised over these issues to perform a simple thought experiment: What would happen if the entire RIPE WHOIS data base was taken permanently and entirely offline tomorrow? Would the entire European Internet immediately cease to function? No. Would even any significant portion of the European Internet cease to function? No. As long as every RIPE member continued to behave themselves and to use only those number resources that had been assigned to them, the entire European Internet would continue to function as normal, and pretty much the same tomorrow as it did today. People and companies would continue to use their assigned IP blocks and their assigned AS numbers, and inter-company peering arrangements would continue in effect. In short, although it would arguably be sub-optimal for the entire RIPE WHOIS data base to disappear from public view tomorrow, it would not be in any sense catastrophic, and indeed, almost no one would even notice that anything at all was amiss. Technical contacts already have the names, phone numbers and email addresses of their immediate peers in their personal rolodexes, and most glitches or problems could be ironed out by simply making use of that (peer) contact info.
This simple thought experiment -proves- that the entire RIPE WHOIS data base is arguably "excessive in relation to the purposes for which it is collected" because even if the entire data base were to disappear tomorrow, mountains would not fall, the seas would not dry up, and no other biblical-scale catastrophes would befall the European Internet. It is thus an obvious corollary to these obvious facts that if RIPE were to go by the letter of the law, AND if "the letter of the law" in this case were construed in its most expansive plausible interpretation... as some folks apparently want it to be... then the whole data base MUST be taken offline, and immediately, because no absolutely compelling case can be easily made that the WHOIS data base is not "excessive in relation to the purposes for which it is collected". What part of this is either un-obvious or difficult to comprehend?
The bottom line is that interpreting either Dutch law or GDPR expansively can lead to only one final and inevitable outcome: The entire elimination of all public access to the entire RIPE WHOIS data base. If that is where this is all going... and I have every reason to believe that it is, for the reasons I've just explained... and if that's actually what the community wants, then so be it. In my opinion, if this is where things end up then it will probably be the worst disaster to have ever hit the European Internet, but the members have the right to vote in favor of taking the whole WHOIS data base offline if that is their wish. That would surely result in a cascade of unfixable technical problems AND an absolute explosion in unchecked cybercrime, but if that's what you all want then who am I to stand in the way? I just wish that as this process unfolds people would be a bit less disingenuous, and that people would stop pretending not to know where this is all inevitably going to end up. Once you start arguing like a lawyer that "this little bit of data doesn't, strictly speaking, need to be public" then you can just as easily make the same argument for -every- bit of data in the WHOIS data base.
Regards, rfg
participants (4): denis walker, Nick Hilliard, Ronald F. Guilmette, Sylvain Baya