@Niall : i understand your point and clearly this is not an easy topic when it comes to define what is personal data. But here is my question : If, to you, the legal adress is a personal data, are you also thinking the same way about the telephone number which is so far kept for registrar abuse contact phone ? Speaking about sole trader, if i understand well your point and go beyond, the name by itself might also be considerated as a personal data as it is also a way to identify the person. To me, legal adress is just a way to be assured that the official request are sent to the correct place Pour une administration exemplaire, préservons l'environnement. N'imprimons que si nécessaire. -------- Message original -------- *Sujet: *[INTERNET] ncc-services-wg Digest, Vol 79, Issue 5 *De : *ncc-services-wg-request@ripe.net *Pour : *ncc-services-wg@ripe.net *Date : *10/10/2018 09:20
Send ncc-services-wg mailing list submissions to ncc-services-wg@ripe.net
To subscribe or unsubscribe via the World Wide Web, visit https://lists.ripe.net/mailman/listinfo/ncc-services-wg or, via email, send a message with subject or body 'help' to ncc-services-wg-request@ripe.net
You can reach the person managing the list at ncc-services-wg-owner@ripe.net
When replying, please edit your Subject line so it is more specific than "Re: Contents of ncc-services-wg digest..."
Today's Topics:
1. Re: sara proposal and question to Randy (Niall O'Reilly) 2. Re: sara proposal and question to Randy (Carlos Fria?as) 3. Re: sara proposal and question to Randy (Randy Bush) 4. Re: sara proposal and question to Randy (Randy Bush) 5. back to randy (ROBINOT Stephane DCPJ SDLC)
----------------------------------------------------------------------
Message: 1 Date: Tue, 09 Oct 2018 15:16:58 +0100 From: "Niall O'Reilly" <niall.oreilly@ucd.ie> To: ncc-services-wg@ripe.net Subject: Re: [ncc-services-wg] sara proposal and question to Randy Message-ID: <D607D348-09D8-456C-B412-BB48896A2345@ucd.ie> Content-Type: text/plain; charset="us-ascii"
On 9 Oct 2018, at 14:43, ROBINOT Stephane DCPJ SDLC wrote:
If we all agree that personnal ie individual data has to be removed from direct access and that the legal address has to be published, It is difficult to agree in general to both of these points, as they may, in specific cases, contradict each other.
The crux of the matter appears to be that the legal address of a sole trader is precisely and inevitably personal data.
Best regards, Niall O'Reilly
On 2018 Oct 10 (Wed) at 11:23:54 +0200 (+0200), ROBINOT Stephane DCPJ SDLC wrote: :@Niall : i understand your point and clearly this is not an easy topic :when it comes to define what is personal data. :But here is my question : If, to you, the legal adress is a personal :data, are you also thinking the same way about the telephone number :which is so far kept for registrar abuse contact phone ? : phone number is an optional attribute in role objects (which is what an abuse-c points to). :To me, legal adress is just a way to be assured that the official :request are sent to the correct place : get a warrant.
ROBINOT Stephane DCPJ SDLC wrote on 10/10/2018 10:23:
To me, legal adress is just a way to be assured that the official request are sent to the correct place
At least in some jurisdictions, there would be issues about whether the legal address is the correct place. E.g. it might be a PO box which cannot receive certified delivery post for a summons, or the home address of a director. Or it might be that there is no "legal address" at all because the entity is an informally constituted organisation, or if it is legally constituted, it might not be on the local company registration facility for various reasons (e.g. instituted by act of parliament, etc). Or it could be a natural person. These are all situations which crop up regularly in the UK and Ireland. No doubt in the other 70+ countries in the RIPE NCC service region, there will be many other variations and complications. This is not an argument for or against the policy; merely an observation that this is a more subtle issue than the proposal admits. Nick
On Wed, 10 Oct 2018, Nick Hilliard wrote:
ROBINOT Stephane DCPJ SDLC wrote on 10/10/2018 10:23:
To me, legal adress is just a way to be assured that the official request are sent to the correct place
At least in some jurisdictions, there would be issues about whether the legal address is the correct place. E.g. it might be a PO box which cannot receive certified delivery post for a summons, or the home address of a director. Or it might be that there is no "legal address" at all because the entity is an informally constituted organisation, or if it is legally constituted, it might not be on the local company registration facility for various reasons (e.g. instituted by act of parliament, etc). Or it could be a natural person. These are all situations which crop up regularly in the UK and Ireland. No doubt in the other 70+ countries in the RIPE NCC service region, there will be many other variations and complications.
Why the "70+ countries in the RIPE NCC service region" reference...? There are also LIRs (i.e. RIPE NCC members) registered outside the service region, in case you haven't noticed :-)) Best Regards, Carlos
This is not an argument for or against the policy; merely an observation that this is a more subtle issue than the proposal admits.
Nick
On 10/10/2018 11:23 AM, ROBINOT Stephane DCPJ SDLC wrote:
But here is my question : If, to you, the legal address is a personal data, are you also thinking the same way about the telephone number which is so far kept for registrar abuse contact phone ?
If phone number is registered in company name/RegID. Definitely not.
Speaking about sole trader, if I understand well your point and go beyond, the name by itself might also be considered as a personal data as it is also a way to identify the person.
Hard to argue for or against. In its core essence. I will say Yes.
To me, legal address is just a way to be assured that the official request are sent to the correct place
Idea: Publish link to local business registry instead. Alternative: as Hessler wrote. 'get a warrant' Duplicate data results: If data is re-entered into the RIPE NCC Database. When they are often accessible from local business registry. It does not _really_ make sense. As previously mentioned. Down-going rate in data quality is definitely unavoidable over time.
First of all, I want to say that I like the way discussions take place within this group. We all have an opinion based on our experience and day to day job which really help adressing the issue thru its various ways. regarding warrant, that I hear a lot, you have to bear in mind that there is nothing such an international warrant. We are working within UE in order to somehow get one, meaning a way for LEA to adress a request to a company or someone living in another european country than the one the investigator is working. Question remains about how to deal with a no answer. Anyway, today, the only way for an investigator to get answers to its question is by asking his judge to send a Mutual Legal Assistance Request or European Investigative Order to his fellow magistrate in the other country so the police forces will open a case just to get the information back. It may take some months til the request is sent and answered. unfortunatly, it doesn't fit with the need of speed while working cybercrime such as CP where data is moved one month to another. So one question might also be : would you agree answering an official request coming directly from a foreign LEA ? It will help for sure if the answer is yes but it won't change the issue that is global cartography of a network as we speak. Who should I turn to in order to be assured that John Doe, renting this server I am asking you about, isn't renting another server providing exactly the same thing in another country? You might answer RIPE NCC /(that might have to hire people to deal with more legal request, and maybe raise the contract fees, who knows)/. Sure but we are now facing registrants that are not providing the data at all to the registries. I know my writing is going way beyond sara's question (sorry about that) but I'm just trying to explain what our issues are. We just need help from all stakeholders in order to find the best and proper way to work. stephane Pour une administration exemplaire, préservons l'environnement. N'imprimons que si nécessaire. -------- Message original -------- *Sujet: *[INTERNET] Re: [ncc-services-wg] legal adress *De : *netravnen+lists@gmail.com *Pour : *stephane.robinot@interieur.gouv.fr, ncc-services-wg@ripe.net *Date : *10/10/2018 12:20
On 10/10/2018 11:23 AM, ROBINOT Stephane DCPJ SDLC wrote:
But here is my question : If, to you, the legal address is a personal data, are you also thinking the same way about the telephone number which is so far kept for registrar abuse contact phone ? If phone number is registered in company name/RegID. Definitely not.
Speaking about sole trader, if I understand well your point and go beyond, the name by itself might also be considered as a personal data as it is also a way to identify the person. Hard to argue for or against.
In its core essence. I will say Yes.
To me, legal address is just a way to be assured that the official request are sent to the correct place Idea: Publish link to local business registry instead.
Alternative: as Hessler wrote. 'get a warrant'
Duplicate data results: If data is re-entered into the RIPE NCC Database. When they are often accessible from local business registry. It does not _really_ make sense. As previously mentioned. Down-going rate in data quality is definitely unavoidable over time.
Hello Stephane, Then you should probably work in improving the speed the Mutual Legal Assistance Request of European Investigative Order is processed. When it comes directly from a foreign LEA we will look to it and decide on a case by case situation (it also depends on the information we have and if given the reason for the request). Kind regards, Mark From: ncc-services-wg [mailto:ncc-services-wg-bounces@ripe.net] On Behalf Of ROBINOT Stephane DCPJ SDLC Sent: Wednesday, October 10, 2018 14:22 To: netravnen+lists@gmail.com Cc: ncc-services-wg@ripe.net Subject: [ncc-services-wg] Get a warrant or direct request ? First of all, I want to say that I like the way discussions take place within this group. We all have an opinion based on our experience and day to day job which really help adressing the issue thru its various ways. regarding warrant, that I hear a lot, you have to bear in mind that there is nothing such an international warrant. We are working within UE in order to somehow get one, meaning a way for LEA to adress a request to a company or someone living in another european country than the one the investigator is working. Question remains about how to deal with a no answer. Anyway, today, the only way for an investigator to get answers to its question is by asking his judge to send a Mutual Legal Assistance Request or European Investigative Order to his fellow magistrate in the other country so the police forces will open a case just to get the information back. It may take some months til the request is sent and answered. unfortunatly, it doesn't fit with the need of speed while working cybercrime such as CP where data is moved one month to another. So one question might also be : would you agree answering an official request coming directly from a foreign LEA ? It will help for sure if the answer is yes but it won't change the issue that is global cartography of a network as we speak. Who should I turn to in order to be assured that John Doe, renting this server I am asking you about, isn't renting another server providing exactly the same thing in another country? You might answer RIPE NCC (that might have to hire people to deal with more legal request, and maybe raise the contract fees, who knows). Sure but we are now facing registrants that are not providing the data at all to the registries. I know my writing is going way beyond sara's question (sorry about that) but I'm just trying to explain what our issues are. We just need help from all stakeholders in order to find the best and proper way to work. stephane Pour une administration exemplaire, préservons l'environnement. N'imprimons que si nécessaire. -------- Message original -------- Sujet: [INTERNET] Re: [ncc-services-wg] legal adress De : netravnen+lists@gmail.com Pour : stephane.robinot@interieur.gouv.fr, ncc-services-wg@ripe.net Date : 10/10/2018 12:20 On 10/10/2018 11:23 AM, ROBINOT Stephane DCPJ SDLC wrote: But here is my question : If, to you, the legal address is a personal data, are you also thinking the same way about the telephone number which is so far kept for registrar abuse contact phone ? If phone number is registered in company name/RegID. Definitely not. Speaking about sole trader, if I understand well your point and go beyond, the name by itself might also be considered as a personal data as it is also a way to identify the person. Hard to argue for or against. In its core essence. I will say Yes. To me, legal address is just a way to be assured that the official request are sent to the correct place Idea: Publish link to local business registry instead. Alternative: as Hessler wrote. 'get a warrant' Duplicate data results: If data is re-entered into the RIPE NCC Database. When they are often accessible from local business registry. It does not _really_ make sense. As previously mentioned. Down-going rate in data quality is definitely unavoidable over time.
On 10 Oct 2018, at 13:21, ROBINOT Stephane DCPJ SDLC <stephane.robinot@interieur.gouv.fr> wrote:
So one question might also be : would you agree answering an official request coming directly from a foreign LEA ?
IIUC it doesn't work that way. Overseas law enforcement is supposed to contact the appropriate national law enforcement body and have them make the request on their behalf. Anyone else who approaches a registry should be told to go through the official (MLAT?) channels.
Well, european initiative on Production Order Regulation is taking us to another path, the one that will allow LEA to contact directly any european company. But we are not there ...yet :-) and MLAR or EIO are the key. Pour une administration exemplaire, préservons l'environnement. N'imprimons que si nécessaire. -------- Message original -------- *Sujet: *[INTERNET] Re: [ncc-services-wg] Get a warrant or direct request ? *De : *Jim Reid <jim@rfc1035.com> *Pour : *ROBINOT Stephane DCPJ SDLC <stephane.robinot@interieur.gouv.fr> *Copie à : *RIPE NCC Services WG <ncc-services-wg@ripe.net> *Date : *10/10/2018 15:16
On 10 Oct 2018, at 13:21, ROBINOT Stephane DCPJ SDLC <stephane.robinot@interieur.gouv.fr> wrote:
So one question might also be : would you agree answering an official request coming directly from a foreign LEA ? IIUC it doesn't work that way.
Overseas law enforcement is supposed to contact the appropriate national law enforcement body and have them make the request on their behalf. Anyone else who approaches a registry should be told to go through the official (MLAT?) channels.
Il 10/10/18 11:23, ROBINOT Stephane DCPJ SDLC ha scritto:
Speaking about sole trader, if i understand well your point and go beyond, the name by itself might also be considerated as a personal data as it is also a way to identify the person.
We should be extremely careful about what data is published in the whois database, because whois is easily and fully accessible by anyone in the world. Whois is all-or-nothing, you can't authenticate, you can't choose what to disclose, you can't exert any kind of access control, you can't even identify who queried it. it's PUBLIC! Whois is harvested and abused daily NOT for its intended purpose. That's why you see so many abuse@ noc@ registry@ email addresses! You want a list of addresses for your job? Fine, do it. sell it. keep it secret. We don't care. Whois is not the right place to FORCE someone to publish any kind of information if he doesn't want to. If you really want a legal address, there are more specialized and regulated databases for that. Cross referencing is not so hard. Unless you want to be sketchy and want to go around some restriction, there is no point to make whois worse. Regards, -- Nik Soggia - TELNET S.r.l. Phone: +39-0382-529751 Via Buozzi, 5 - 27100 Pavia, Italy Fax: +39-0382-528074
Hello Nik, and NCC-Services-WG, I fully support your view on this topic. Especially the statements marked in bold. Regards, Kurt Am 10.10.2018 um 12:34 schrieb Nik Soggia:
Il 10/10/18 11:23, ROBINOT Stephane DCPJ SDLC ha scritto:
Speaking about sole trader, if i understand well your point and go beyond, the name by itself might also be considerated as a personal data as it is also a way to identify the person.
We should be extremely careful about what data is published in the whois database, because whois is easily and fully accessible by anyone in the world.
Whois is all-or-nothing, you can't authenticate, you can't choose what to disclose, you can't exert any kind of access control, you can't even identify who queried it. it's PUBLIC!
Whois is harvested and abused daily NOT for its intended purpose. That's why you see so many abuse@ noc@ registry@ email addresses!
You want a list of addresses for your job? Fine, do it. sell it. keep it secret. We don't care. Whois is not the right place to FORCE someone to publish any kind of information if he doesn't want to. If you really want a legal address, there are more specialized and regulated databases for that. Cross referencing is not so hard. Unless you want to be sketchy and want to go around some restriction, there is no point to make whois worse.
Regards,
On 10 Oct 2018, at 10:23, ROBINOT Stephane DCPJ SDLC wrote:
@Niall : i understand your point and clearly this is not an easy topic when it comes to define what is personal data.
It seems to me that the part that is not easy is not the definition itself, since we can look to GDPR/RGPD/DSGVO for that. The difficult part is the burden of care which GDPR (or even common decency) requires. It's difficult for everyone (private or corporate persons and LEAs or other state actors alike) to be meticulous enough. The trouble with special pleading for LEAs is that the distinction between "brave policier" and "salaud de keuf" is not an easy topic either. I think the way forward has to be based, in principle, on respect for due process and, in practice, on streamlining procedures for mutual assistance between LEAs. How the data held by the RIPE NCC is involved in this is not immediately evident to me.
But here is my question : If, to you, the legal adress is a personal data, are you also thinking the same way about the telephone number which is so far kept for registrar abuse contact phone ?
Speaking about sole trader, if i understand well your point and go beyond, the name by itself might also be considerated as a personal data as it is also a way to identify the person.
Depending on the circumstances, almost any identifier can turn out to be a personally identifying item of data, either on careful immediate analysis or following some future change in legislation or jurisprudence.
To me, legal adress is just a way to be assured that the official request are sent to the correct place
I think Nick Hilliard addressed this point already. Best regards, Niall O'Reilly
participants (10)
-
Carlos Friaças -
Jim Reid -
Kurt Kayser -
Mark Scholten -
netravnen+lists@gmail.com -
Niall O'Reilly -
Nick Hilliard -
Nik Soggia -
Peter Hessler -
ROBINOT Stephane DCPJ SDLC