personal data in the NCC

Hello,
I would like to talk about personal data protection. After the audit process, NCC demands that we send them, together with the contract, the ID of person who signs the End User assignment contract (even if the contract is signed by a person on behalf of company).
It seems strange: the CEO of company that wants IP resources signs the contract, probably stamps it and suddenly (!) RIPE NCC asks for the ID of CEO. We (LIR) have no choice on such operations - we should request ID or RIPE NCC will not assign resources for our customers.
Even more, RIPE NCC requires scans of ID, and this action violates local laws in some countries (for example, CZ or RU). In Russia, personal data can be processed only after a special agreement (except some cases mentioned in the law), but we will send the ID images without any special agreements to the NCC.
I tried to find some statements on data protection in the RIPE NCC or on any guarantee of confidentiality, but no such information found in the standard service agreement or any policy documents.
On these grounds, I would like to initiate a change. RIPE NCC should have data protection procedures or RIPE NCC should not request personal IDs of third parties.
-- Sergey

Hello,
Sergey is right. But it seems that the solution is not so simple as proposed and I expect that RIPE NCC will investigate the problem in depth.
Dmitry
On 20.10.2010 13:25, Sergey Myasoedov wrote:
Hello,
I would like to talk about personal data protection. After the audit process, NCC demands that we send them, together with the contract, the ID of person who signs the End User assignment contract (even if the contract is signed by a person on behalf of company).
It seems strange: the CEO of company that wants IP resources signs the contract, probably stamps it and suddenly (!) RIPE NCC asks for the ID of CEO. We (LIR) have no choice on such operations - we should request ID or RIPE NCC will not assign resources for our customers.
Even more, RIPE NCC requires scans of ID, and this action violates local laws in some countries (for example, CZ or RU). In Russia, personal data can be processed only after a special agreement (except some cases mentioned in the law), but we will send the ID images without any special agreements to the NCC.
I tried to find some statements on data protection in the RIPE NCC or on any guarantee of confidentiality, but no such information found in the standard service agreement or any policy documents.
On these grounds, I would like to initiate a change. RIPE NCC should have data protection procedures or RIPE NCC should not request personal IDs of third parties.
-- Sergey

On 20 Oct 2010, at 10:25, Sergey Myasoedov wrote:
RIPE NCC should have data protection procedures
It does. This is compulsory for any organisation in the EU that holds Personal Data. The NCC is legally obliged to follow the EU Directives on Privacy and Data Protection (primarily 95/46/EC but also parts of 97/66/EC and 2002/58/EC) and how these are enacted in Dutch law. Although I'm not a lawyer, I expect that the EU and Dutch legislation in this area will be compatible with Russian data protection law.
I tried to find some statements on data protection in the RIPE NCC or on any guarantee of confidentiality, but no such information found in the standard service agreement or any policy documents.
Strange. It should be public somewhere. BTW, in general it's usually more of a problem exporting Personal Data from the EU than it is to send that Personal Data there

Jim,
the issue is not to comply with EC laws, but Russian law. I am not a lawyer, but know that exactly now the comparable issues were raised by registrars regarding their relationships with registries and ICANN.
Dima
On 20.10.2010 14:30, Jim Reid wrote:
On 20 Oct 2010, at 10:25, Sergey Myasoedov wrote:
RIPE NCC should have data protection procedures
It does. This is compulsory for any organisation in the EU that holds Personal Data. The NCC is legally obliged to follow the EU Directives on Privacy and Data Protection (primarily 95/46/EC but also parts of 97/66/EC and 2002/58/EC) and how these are enacted in Dutch law. Although I'm not a lawyer, I expect that the EU and Dutch legislation in this area will be compatible with Russian data protection law.
I tried to find some statements on data protection in the RIPE NCC or on any guarantee of confidentiality, but no such information found in the standard service agreement or any policy documents.
Strange. It should be public somewhere.
BTW, in general it's usually more of a problem exporting Personal Data from the EU than it is to send that Personal Data there

Dima,
in my opinion providing personal IDs of European citizens (CEOs) violates EC/EU law too. But as a member of EB you can ask the NCC to investigate the problem. As you are informed on Russian specifics of data protection, did you already ask the NCC? When?
Wednesday, October 20, 2010, 1:23:34 PM, you wrote:
DB> Jim,
DB> the issue is not to comply with EC laws, but Russian law.
DB> I am not a lawyer, but know that exactly now the comparable issues were
DB> raised by registrars regarding their relationships with registries and
DB> ICANN.
RIPE NCC should have data protection procedures
It does. This is compulsory for any organisation in the EU that holds Personal Data. The NCC is legally obliged to follow the EU Directives on Privacy and Data Protection (primarily 95/46/EC but also parts of 97/66/EC and 2002/58/EC) and how these are enacted in Dutch law. Although I'm not a lawyer, I expect that the EU and Dutch legislation in this area will be compatible with Russian data protection law.
I tried to find some statements on data protection in the RIPE NCC or on any guarantee of confidentiality, but no such information found in the standard service agreement or any policy documents.
Strange. It should be public somewhere.
BTW, in general it's usually more of a problem exporting Personal Data from the EU than it is to send that Personal Data there
-- Sergey

On 20 Oct 2010, at 12:31, Sergey Myasoedov wrote:
in my opinion providing personal IDs of european citizens (CEOs) violates EC/EU law too.
I think you may be mistaken. But since I'm not a lawyer, I don't know what I'm talking about either. :-) I seriously doubt that the NCC would have a policy that violated EU or Dutch law. Or that all the NCC's membership, board and management would have failed to spot that if it was the case.
BTW, I complained to the UK authorities when the electricity company's call centre demanded my date of birth before they'd talk to me about a billing problem. They wanted that info for authentication. The Information Commissioner's Office dismissed my complaint that this was an unreasonable and disproportionate use of my Personal Data by the power company. So their behaviour was legal even though in my non-expert opinion they had violated the third principle of the EU directive.
And yes, I clearly have far too much spare time on my hands if I spend it on things like formal complaints to the ICO. :-)

Jim,
I don't know - but as I remember one of the basic principle of this law regarding transborder personal data transfer - such data can be transferred only to countries which comply some requirements (as to have comparable laws and so on). We simply should get legal answer before to discuss.
Dima
On 20.10.2010 15:50, Jim Reid wrote:
On 20 Oct 2010, at 12:31, Sergey Myasoedov wrote:
in my opinion providing personal IDs of european citizens (CEOs) violates EC/EU law too.
I think you may be mistaken. But since I'm not a lawyer, I don't know what I'm talking about either. :-) I seriously doubt that the NCC would have a policy that violated EU or Dutch law. Or that all the NCC's membership, board and management would have failed to spot that if it was the case.
BTW, I complained to the UK authorities when the electricity company's call centre demanded my date of birth before they'd talk to me about a billing problem. They wanted that info for authentication. The Information Commissioner's Office dismissed my complaint that this was an unreasonable and disproportionate use of my Personal Data by the power company. So their behaviour was legal even though in my non-expert opinion they had violated the third principle of the EU directive.
And yes, I clearly have far too much spare time on my hands if I spend it on things like formal complaints to the ICO. :-)

On 20 Oct 2010, at 12:55, Dmitry Burkov wrote:
I don't know - but as I remember one of the basic principle of this law regarding transborder personal data transfer - such data can be transferred only to countries which comply some requirements (as to have comparable laws and so on).
That's right. The problems tend to be sending data from the EU because its Data Protection framework is stronger than most other parts of the world. It would be good to find out why it's hard to send Personal Data to the EU and what needs to be done about that.
We simply should get legal answer before to discuss.
Yes. None of us are lawyers.

Jim Reid wrote, 20.10.2010 16:01:
On 20 Oct 2010, at 12:55, Dmitry Burkov wrote:
I don't know - but as I remember one of the basic principle of this law regarding transborder personal data transfer - such data can be transferred only to countries which comply some requirements (as to have comparable laws and so on).
That's right. The problems tend to be sending data from the EU because its Data Protection framework is stronger than most other parts of the world. It would be good to find out why it's hard to send Personal Data to the EU and what needs to be done about that.
We simply should get legal answer before to discuss.
Yes. None of us are lawyers.
Hi,
I think it's a question of the RIPE NCC procedures rather than Data protection itself. It's not clear why Personal ID was requested. According to ripe-418 RIPE NCC Standard Terms and Conditions 4.1 The Contributor may be a natural person or a legal entity. The same goes to End User contracts. Natural person should provide Personal ID (copy of passport), legal entity should provide Registration certificate to prove legality.
With respect,
--
Larisa Yurkina
RIPN
tel: +7(495)737-0604
fax: +7(499)196-4984

On Wed, Oct 20, 2010 at 04:57:08PM +0400, Larisa Yurkina wrote:
It's not clear why Personal ID was requested. According to ripe-418 RIPE NCC Standard Terms and Conditions 4.1 The Contributor may be a natural person or a legal entity. The same goes to End User contracts. Natural person should provide Personal ID (copy of passport), legal entity should provide Registration certificate to prove legality.
http://www.ripe.net/ripe/docs/ripe-462.html says:
"If your business has not yet been incorporated and has not been registered in the Commercial Trade Register, please include a photocopy of the requester's valid identity card."
(that the requester might just be a natural person or a noncommercial organization is obviously beyond the expectation)
I will definitely NOT send a plain copy of my passport around. Nowhere else is such a drastic measure ever required, except buying ammunition and firearms via mailorder. Asking for that to get a few numbers assigned is plain over the top.
[and RIPE NCC wouldn't be able to verify the validity of that ID copy anyway, so this is bogus in the first place]
Best regards,
Daniel
--
CLUE-RIPE -- Jabber: dr@cluenet.de -- dr@IRCnet -- PGP: 0xA85C8AA0

Daniel,
thanks for the feedback. Unfortunately, registration services department don't give me a chance: my customers should provide the IDs or they will not receive the IP resources.
Of course, most of my customers are registered in the Trade Register, but RIPE NCC requires the photocopy of CEO's ID who is signing the contract.
Great, CEOs of small companies will provide the IDs. But what will happen when I'll sign the contract with the government's IT department? Should I ask for the ID of prime-minister or deputy prime-minister? OK, not government, but the province. Should I ask for the personal ID of the deputy governor? (this is a public person and the province has a website)
I understand that the problem is complicated, but I would like to raise up both (local and global) problems together.
Wednesday, October 20, 2010, 9:29:18 PM, you wrote:
It's not clear why Personal ID was requested. According to ripe-418 RIPE NCC Standard Terms and Conditions 4.1 The Contributor may be a natural person or a legal entity. The same goes to End User contracts. Natural person should provide Personal ID (copy of passport), legal entity should provide Registration certificate to prove legality.
DR> http://www.ripe.net/ripe/docs/ripe-462.html says:
DR> "If your business has not yet been incorporated and has not been
DR> registered in the Commercial Trade Register, please include a photocopy
DR> of the requester's valid identity card."
DR> (that the requester might just be a natural person or a noncommercial
DR> organization is obviously beyond the expectation)
DR> I will definitely NOT send a plain copy of my passport around. Nowhere
DR> else is such a drastic measure ever required, except buying ammunition
DR> and firearms via mailorder. Asking for that to get a few numbers
DR> assigned is plain over the top.
DR> [and RIPE NCC wouldn't be able to verify the validity of that ID copy
DR> anyway, so this is bogus in the first place]
-- Sergey

On 20 Oct 2010, at 20:29, Daniel Roesen wrote:
I will definitely NOT send a plain copy of my passport around.
+1.
Nowhere else is such a drastic measure ever required, except buying ammunition and firearms via mailorder.
Clearly you've never tried buying beer at a US stadium.... Or opened a bank account recently. :-(
Asking for that to get a few numbers assigned is plain over the top.
I sort of agree. But there are trade-offs here. If you don't like the current policy, you are welcome to suggest changes. The policy making machinery is open to everyone.
[and RIPE NCC wouldn't be able to verify the validity of that ID copy anyway, so this is bogus in the first place]
Not quite. Demanding passports may well be unreasonable. [I wonder how this policy can be applied to people who don't have passports or driving licences and live in enlightened countries that don't have ID cards?] However, the NCC does need to have some way of verifying the identity of the other party to the agreement. A government-issued identity document is the easiest way to do that. Perhaps there could be (electronic?) alternatives: eg PGP signatures signed by someone already known to the NCC.

On Thu, Oct 21, 2010 at 01:49:46PM +0100, Jim Reid wrote:
Nowhere else is such a drastic measure ever required, except buying ammunition and firearms via mailorder.
Clearly you've never tried buying beer at a US stadium....
They keep copies of passports?
If you don't like the current policy, you are welcome to suggest changes.
The policy does not require personal ID copies kept by the NCC.
http://www.ripe.net/ripe/policies/proposals/2007-01.html
In fact, it doesn't even require NCC to establish the identity of requestors via specific means. That's all NCC operational decision:
"This proposal does not discuss any particular details of the contract that may be set up between the End User and the RIPE NCC. The RIPE NCC Executive Board will decide on the details of this contract."
I'm not sure we're able to do something about it via the policy process if NCC's lawyers say "ask for and keep a copy of IDs" to "be safe".
However, the NCC does need to have some way of verifying the identity of the other party to the agreement.
What level of certainty is required? There are other, less intrusive methods, e.g. snail mail token exchange or a dummy credit card charge (1 EUR). Did you ever have to provide passport copy to online shops where you buy goods?
A government-issued identity document is the easiest way to do that.
Only if NCC would have any way of verifying the authenticity (people trying to game the system are able to use photoshop!), and still there is no need to keep a copy, unless Dutch Law requires to keep such copies for normal contracts businesses engage in - which I doubt.
Best regards,
Daniel
--
CLUE-RIPE -- Jabber: dr@cluenet.de -- dr@IRCnet -- PGP: 0xA85C8AA0

On 21 Oct 2010, at 14:28, Daniel Roesen wrote:
If you don't like the current policy, you are welcome to suggest changes.
The policy does not require personal ID copies kept by the NCC.
OK, so you want to pick nits. If you don't like the *implementation* of the current policy, you are welcome to suggest changes. Or propose a policy that forbids the NCC to store copies of passports and similar documents. Rather than whine or explore rat-holes, please come forward with some constructive proposals.
I'm not sure we're able to do something about it via the policy process if NCC's lawyers say "ask for and keep a copy of IDs" to "be safe".
Now you're making assumptions and possibly jumping to wrong conclusions.
First, it's *your* NCC and it exists to serve its members. If it's not doing so, you absolutely can and should do something about that. The policy machinery and the organisation's bye-laws are the tools for those changes: changing/making policies, voting for the board, calling a General Meeting, etc.
I don't know why the NCC is copying passports. It will be for a good reason. [Well, it had better be for a good reason...] Perhaps if this was further explained, we would all have a better understanding of the issue and what options are feasible for making changes?
Did you ever have to provide passport copy to online shops where you buy goods?
No. I don't go shopping. And I generally don't buy stuff on-line. The web is full of marketing scumbags who think they are entitled to send me spam if I'm stupid enough to buy from them. I refuse to pay the entrance fee.

On Thu, Oct 21, 2010 at 02:49:56PM +0100, Jim Reid wrote:
If you don't like the current policy, you are welcome to suggest changes.
The policy does not require personal ID copies kept by the NCC.
OK, so you want to pick nits.
That's not nit picking. I just pointed out that there is a distinction between policy (what "we" decided) and implementation (what NCC made out of the policy framework 2007-01). You certainly have a point that the policy probably gives too much a carte blanche about implementation to NCC, allowing NCC to be overly heavy-handed about certain aspects. Did I interpret you correctly?
I'm not a lawyer, and not into Dutch contract law, so I'm not really qualified what the minimum certainty level is required for NCC (but I'm sure that no gov ID is required). So my suggestion would be for NCC to explain reasoning for such drastic measures and come forward with alternatives which they deem legally sufficient.
Approaches (sole and/or in combination) I can immediately think of:
- use LIR as authentication proxy
- dummy financial transaction (e.g. credit card charge)
- challenge-response via snail mail
Regards,
Daniel
--
CLUE-RIPE -- Jabber: dr@cluenet.de -- dr@IRCnet -- PGP: 0xA85C8AA0

Hi, On Thu, Oct 21, 2010 at 05:24:51PM +0200, Daniel Roesen wrote: [..]
that the policy probably gives too much a carte blanche about implementation to NCC, allowing NCC to be overly heavy-handed about certain aspects. [..]
It's interesting to note that at the same time, the RIPE NCC is getting flak from the anti-abuse folks about being too *liberal* in giving out resources to "fake" LIRs in certain countries.
Between the lines I hear "this will be hard to get right" and "maybe we can have this on the agenda in the AGM"...
Gert Doering
        -- LIR contact
--
did you enable IPv6 on something today...?
SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444            USt-IdNr.: DE813185279

21.10.10 18:30, Gert Doering wrote:
It's interesting to note that at the same time, the RIPE NCC is getting flak from the anti-abuse folks about being too *liberal* in giving out resources to "fake" LIRs in certain countries.
Maybe that's because there is a big difference between the bureaucracy demands and the real checking? ;)
--
WBR, Max Tulyev (MT6561-RIPE, 2:463/253@FIDO)

Hi, On Thu, Oct 21, 2010 at 06:50:48PM +0300, Max Tulyev wrote:
21.10.10 18:30, Gert Doering wrote:
It's interesting to note that at the same time, the RIPE NCC is getting flak from the anti-abuse folks about being too *liberal* in giving out resources to "fake" LIRs in certain countries.
Maybe that's because there is a big difference between the bureaucracy demands and the real checking? ;)
So what would you suggest? (Sincere question, I have no experience with "validating the existence of an organization" outside my country).
Gert Doering
--
did you enable IPv6 on something today...?
SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444            USt-IdNr.: DE813185279

Gert,
for most of service region countries it is possible to perform an online check of legal entity existence.
Within the EU, VAT payers can be checked.
Thursday, October 21, 2010, 6:04:39 PM, you wrote:
Maybe that's because there is a big difference between the bureaucracy demands and the real checking? ;)
GD> So what would you suggest? (Sincere question, I have no experience
GD> with "validating the existence of an organization" outside my country).
-- Sergey

And what about the 95% of the service region which is not part of the EU?
On Oct 21, 2010, at 7:10 PM, Sergey Myasoedov wrote:
Gert,
for most of service region countries it is possible to perform an online check of legal entity existence.
Within the EU, VAT payers can be checked.
Thursday, October 21, 2010, 6:04:39 PM, you wrote:
Maybe that's because there is a big difference between the bureaucracy demands and the real checking? ;)
GD> So what would you suggest? (Sincere question, I have no experience
GD> with "validating the existence of an organization" outside my country).
-- Sergey

On Thu, Oct 21, 2010 at 06:10:39PM +0200, Sergey Myasoedov wrote:
for most of service region countries it is possible to perform an online check of legal entity existence.
And what about natural persons? End Users aren't necessarily businesses.
Best regards,
Daniel
--
CLUE-RIPE -- Jabber: dr@cluenet.de -- dr@IRCnet -- PGP: 0xA85C8AA0

On 21 Oct 2010, at 16:24, Daniel Roesen wrote:
You certainly have a point that the policy probably gives too much a carte blanche about implementation to NCC, allowing NCC to be overly heavy-handed about certain aspects. Did I interpret you correctly?
Not quite. I didn't say the NCC was being overly heavy-handed. The policy did leave the NCC to work out the implementation detail. Which is usually fine. Nobody else really wants to get involved in that and sometimes implementation depends on internal procedures and operations at the NCC itself. So RIPE as a general rule would leave the NCC to get on with this and trust them to do the Right Thing. This is how it should be. And if things are not going right, there are feedback controls to deal with that.
Now if the implementation of this policy is causing problems, then there are existing mechanisms which can be used to address them. A quiet word with the CEO or a Board Member can usually help. [Axel, I don't want the NCC to have a copy of my passport: what's the story here?] If the difficulties are more complex and not easily rectified, then there are more formal mechanisms. Like proposing a new policy or changing an existing one.
I think we've thrashed this issue to death by now. So the next stage is finding out what the underlying problem is and what other implementation details can be used to deal with them. Over to you...

On Thu, Oct 21, 2010 at 05:09:41PM +0100, Jim Reid wrote:
You certainly have a point that the policy probably gives too much a carte blanche about implementation to NCC, allowing NCC to be overly heavy-handed about certain aspects. Did I interpret you correctly?
Not quite. I didn't say the NCC was being overly heavy-handed.
I didn't state that you did say that. "allowing NCC to..." is a consequence of the carte blanche. "heavy-handed" was my own characterization. I didn't mean to lay that in your mouth. Sorry, English is not my native language. Apologies for not being clear enough.
The policy did leave the NCC to work out the implementation detail. Which is usually fine.
Agreed.
Nobody else really wants to get involved in that and sometimes implementation depends on internal procedures and operations at the NCC itself. So RIPE as a general rule would leave the NCC to get on with this and trust them to do the Right Thing. This is how it should be.
Agreed as well.
Now if the implementation of this policy is causing problems, then there are existing mechanisms which can be used to address them. A quiet word with the CEO or a Board Member can usually help. [Axel, I don't want the NCC to have a copy of my passport: what's the story here?]
Well, the usual party line brought forward is "if you have an issue, bring it up on the mailing lists". Now we're doing that, and are being suggested to go private with execs first. Hrm.
Regards,
Daniel
--
CLUE-RIPE -- Jabber: dr@cluenet.de -- dr@IRCnet -- PGP: 0xA85C8AA0

On 21 Oct 2010, at 20:23, Daniel Roesen wrote:
Well, the usual party line brought forward is "if you have an issue, bring it up on the mailing lists". Now we're doing that, and are being suggested to go private with execs first. Hrm.
I refer you to what I said in an earlier posting: please come forward with some constructive proposals. You didn't do that, at least not yet. The issue is at layer-9 or above, possibly in lawyer-land. Neither of us are lawyers or know why the NCC felt it had to take the action it did. So your mission, if you choose to accept it, is to nicely ask the NCC management to explain why copying passports is necessary. Once you have that info, you can raise this on the list for discussion instead of debating speculation. That info would also help someone submit a proposal to amend the policy which upsets you. Any such policy proposal will also need to be circulated, possibly here and in the AP WG. Clear? So now it's up to you. Please get some hard facts and make a positive contribution. That would greatly improve the signal to noise ratio which we'd all appreciate.

Jim,
in general - you know the situation with Data Protection laws deployment around the world (as minimum, partly). There are still a lot of unresolved issues as even perfect law sometimes tell nothing about how deploy in real life.
Dima
On 20.10.2010 15:50, Jim Reid wrote:
On 20 Oct 2010, at 12:31, Sergey Myasoedov wrote:
in my opinion providing personal IDs of european citizens (CEOs) violates EC/EU law too.
I think you may be mistaken. But since I'm not a lawyer, I don't know what I'm talking about either. :-) I seriously doubt that the NCC would have a policy that violated EU or Dutch law. Or that all the NCC's membership, board and management would have failed to spot that if it was the case.
BTW, I complained to the UK authorities when the electricity company's call centre demanded my date of birth before they'd talk to me about a billing problem. They wanted that info for authentication. The Information Commissioner's Office dismissed my complaint that this was an unreasonable and disproportionate use of my Personal Data by the power company. So their behaviour was legal even though in my non-expert opinion they had violated the third principle of the EU directive.
And yes, I clearly have far too much spare time on my hands if I spend it on things like formal complaints to the ICO. :-)

-----Original Message-----
From: ncc-services-wg-admin@ripe.net [mailto:ncc-services-wg-admin@ripe.net] On Behalf Of Jim Reid
Sent: Wednesday, October 20, 2010 1:31 PM
To: Sergey Myasoedov
Cc: ncc-services-wg@ripe.net
On 20 Oct 2010, at 10:25, Sergey Myasoedov wrote:
I tried to find some statements on data protection in the RIPE NCC or on any guarantee of confidentiality, but no such information found in the standard service agreement or any policy documents.
Strange. It should be public somewhere.
Wouldn't that be <URL:http://www.ripe.net/legal/privacy-statement.html>?
--
Thor Kottelin
http://www.anta.net/

does ncc provide personal data of ncc ceo for their side of the contract?
randy

Randy, no, they didn't provide IDs when I asked. I received the following answer from the NCC (smile!):
Our legal team has informed me that as a transparent and open company all our employees pictures and names are available on our public webpages so it is clear all of our contacts are known to the public.
Next time I'll use such words when visiting the notary.
Wednesday, October 20, 2010, 1:11:55 PM, you wrote:
RB> does ncc provide personal data of ncc ceo for their side of the
RB> contract?
RB> randy
-- Sergey

no, they didn't provide IDs when I asked. I received the following answer from the NCC (smile!):
Our legal team has informed me that as a transparent and open company all our employees pictures and names are available on our public webpages so it is clear all of our contacts are known to the public.
no problem. when ncc asks for your ceo's id, point them to your web site
randy

On 20/10/2010 11:25, Sergey Myasoedov wrote:
I would like to talk about personal data protection. After the audit process, NCC demands that we send them, together with the contract, the ID of person who signs the End User assignment contract (even if the contract is signed by a person on behalf of company).
It seems strange: the CEO of company that wants IP resources signs the contract, probably stamps it and suddenly (!) RIPE NCC asks for the ID of CEO. We (LIR) have no choice on such operations - we should request ID or RIPE NCC will not assign resources for our customers.
Even more, RIPE NCC requires scans of ID, and this action violates local laws in some countries (for example, CZ or RU). In Russia, personal data can be processed only after a special agreement (except some cases mentioned in the law), but we will send the ID images without any special agreements to the NCC.
I tried to find some statements on data protection in the RIPE NCC or on any guarantee of confidentiality, but no such information found in the standard service agreement or any policy documents.
You're probably looking for http://www.ripe.net/legal/privacy-statement.html
Regards,
James

Dear Sergey,
Thank you for your email.
All personal data obtained by the RIPE NCC is handled in accordance with Dutch law and European Union data protection legislation, as required for an organisation operating in the Netherlands.
The RIPE NCC Privacy Statement is publicly available on the RIPE website, and describes the situations in which personal data may be requested and the RIPE NCC's responsibilities when handling such data:
http://www.ripe.net/legal/privacy-statement.html
Please note the following sections:
- "Except as described herein or when under a statutory duty to do so, the RIPE NCC does not share or transfer any personal data." [Section 2.1]
- "The RIPE NCC maintains a high level of physical security and protection for all its computer and network facilities, and, in particular, for those in which personal information may be stored." [Section 3]
As a registry, the RIPE NCC has a mandate to ensure the accuracy of our registration data. Verifying the identity of LIR representatives is directly relevant to this mandate.
I hope this clarifies the RIPE NCC's position in relation to this matter.
Best regards,
Andrew de la Haye
Chief Operations Officer, RIPE NCC
On Oct 20, 2010, at 11:25 AM, Sergey Myasoedov wrote:
Hello,
I would like to talk about personal data protection. After the audit process, NCC demands that we send them, together with the contract, the ID of person who signs the End User assignment contract (even if the contract is signed by a person on behalf of company).
It seems strange: the CEO of company that wants IP resources signs the contract, probably stamps it and suddenly (!) RIPE NCC asks for the ID of CEO. We (LIR) have no choice on such operations - we should request ID or RIPE NCC will not assign resources for our customers.
Even more, RIPE NCC requires scans of ID, and this action violates local laws in some countries (for example, CZ or RU). In Russia, personal data can be processed only after a special agreement (except some cases mentioned in the law), but we will send the ID images without any special agreements to the NCC.
I tried to find some statements on data protection in the RIPE NCC or on any guarantee of confidentiality, but no such information found in the standard service agreement or any policy documents.
On these grounds, I would like to initiate a change. RIPE NCC should have data protection procedures or RIPE NCC should not request personal IDs of third parties.
-- Sergey

Dear Andrew,
In your e-mail, you state:
As a registry, the RIPE NCC has a mandate to ensure the accuracy of our registration data. Verifying the identity of LIR representatives is directly relevant to this mandate.
It is however my understanding that the question of Mr. Myasoedov relates to PI resources assigned to end users through the LIR in which he is a representative, where the end user is an organization, and the requested personal identification documents were required for the representatives of the end user organization, rather than the LIR itself.
The intention of the RIPE NCC to not only collect personal identification documents from representatives of organizational end users, but to externalize this burden to individual LIRs which process PI requests on behalf of end users was not apparent from proposal 2007-01, nor from subsequent operational discussions on its implementation.
Instead, it was understood, and has previously been the operational reality, that organizational users will submit a certificate of incorporation or similar document attesting the organization's existence under the laws of their country of origin, and a contract which meets the requirements outlined in policy proposal 2007-01.
Could you please elaborate on the circumstances which required this deviation from the standard operational procedure and the situations in which this new condition will be invoked?
Such unannounced changes can be very disruptive to an established administrative workflow between a LIR and its end users if imposed suddenly, and while I am certain that the RIPE NCC is acting with the goal of improving accountability in resource assignment, a balance must be maintained between the mandate the community has granted the RIPE NCC with the introduction of policy 2007-01, and its ability to spontaneously introduce new administrative conditions to resource assignment.
-- Respectfully yours,
David Monosov
On 10/20/2010 03:11 PM, Andrew de la Haye wrote:
Dear Sergey,
Thank you for your email. All personal data obtained by the RIPE NCC is handled in accordance with Dutch law and European Union data protection legislation, as required for an organisation operating in the Netherlands.
The RIPE NCC Privacy Statement is publicly available on the RIPE website, and describes the situations in which personal data may be requested and the RIPE NCC's responsibilities when handling such data: http://www.ripe.net/legal/privacy-statement.html
Please note the following sections: - "Except as described herein or when under a statutory duty to do so, the RIPE NCC does not share or transfer any personal data." [Section 2.1] - "The RIPE NCC maintains a high level of physical security and protection for all its computer and network facilities, and, in particular, for those in which personal information may be stored." [Section 3]
As a registry, the RIPE NCC has a mandate to ensure the accuracy of our registration data. Verifying the identity of LIR representatives is directly relevant to this mandate.
I hope this clarifies the RIPE NCC's position in relation to this matter.
Best regards,
Andrew de la Haye Chief Operations Officer, RIPE NCC
On Oct 20, 2010, at 11:25 AM, Sergey Myasoedov wrote:
Hello,
I would like to talk about personal data protection. After the audit process, NCC demands that we send them, together with the contract, the ID of person who signs the End User assignment contract (even if the contract is signed by a person on behalf of company).
It seems strange: the CEO of company that wants IP resources signs the contract, probably stamps it and suddenly (!) RIPE NCC asks for the ID of CEO. We (LIR) have no choice on such operations - we should request ID or RIPE NCC will not assign resources for our customers.
Even more, RIPE NCC requires scans of ID, and this action violates local laws in some countries (for example, CZ or RU). In Russia, personal data can be processed only after a special agreement (except some cases mentioned in the law), but we will send the ID images without any special agreements to the NCC.
I tried to find some statements on data protection in the RIPE NCC or on any guarantee of confidentiality, but no such information found in the standard service agreement or any policy documents.
On these grounds, I would like to initiate a change. RIPE NCC should have data protection procedures or RIPE NCC should not request personal IDs of third parties.
-- Sergey

Dear David,
The RIPE Policy ripe-452, "Contractual Requirements for Provider Independent Resource Holders in the RIPE NCC Service Region", requires that End Users who receive independent resources from a sponsoring LIR have a contractual agreement with that LIR.
Specifically, it states, "The intention of this policy document is to ensure that the RIPE NCC, as the intermediate manager of provider independent resource assignments to End Users, can confirm that the End User exists, continues to exist and that they continue to fulfil their obligations to comply with the original assignment conditions."
The policy concludes, "without contractual links in place between the End User and the RIPE NCC, it is impossible for the RIPE NCC to fulfil its obligations of responsible stewardship of Internet resources."
The full policy is available at: http://ripe.net/ripe/docs/ripe-452.html
The RIPE NCC needs to have evidence of the contractual agreement, so we ask for a copy of the signed contract between the End User and the LIR, and the registration papers of the company requesting the resources. If the End User is not a registered company, we ask for identification. This is to ensure that the RIPE NCC has complete and correct data about the holder of the resources.
The only other occasion when the RIPE NCC requests identification papers is if there are doubts about the validity of a contract. If this is the case, the RIPE NCC asks for the identification to ensure that the contracts are valid and that the person signing the contracts is a real person. However, this only happens on rare occasions and when the RIPE NCC believes it is absolutely necessary to confirm the validity of contracts. This is standard procedure for diligent verification of contracts.
All personal data received by the RIPE NCC is handled in an appropriate manner and in accordance with our Privacy Statement.
The RIPE NCC will only discuss individual cases with the LIR concerned, and this is something we are always happy to do.
I hope this clarifies matters and answers your question. If you have any further questions, please feel free to contact me.
Best regards,
Andrea Cima
Registration Services Manager
RIPE NCC
David Monosov wrote:
Dear Andrew,
In your e-mail, you state:
As a registry, the RIPE NCC has a mandate to ensure the accuracy of our registration data. Verifying the identity of LIR representatives is directly relevant to this mandate.
It is however my understanding that the question of Mr. Myasoedov relates to PI resources assigned to end users through the LIR in which he is a representative, where the end user is an organization, and the requested personal identification documents were required for the representatives of the end user organization, rather than the LIR itself.
The intention of the RIPE NCC to not only collect personal identification documents from representatives of organizational end users, but to externalize this burden to individual LIRs which process PI requests on behalf of end users was not apparent from proposal 2007-01, nor from subsequent operational discussions on its implementation.
Instead, it was understood, and has previously been the operational reality, that organizational users will submit a certificate of incorporation or similar document attesting the organization's existence under the laws of their country of origin, and a contract which meets the requirements outlined in policy proposal 2007-01.
Could you please elaborate on the circumstances which required this deviation from the standard operational procedure and the situations in which this new condition will be invoked?
Such unannounced changes can be very disruptive to an established administrative workflow between a LIR and its end users if imposed suddenly, and while I am certain that the RIPE NCC is acting with the goal of improving accountability in resource assignment, a balance must be maintained between the mandate the community has granted the RIPE NCC with the introduction of policy 2007-01, and its ability to spontaneously introduce new administrative conditions to resource assignment.
-- Respectfully yours,
David Monosov
On 10/20/2010 03:11 PM, Andrew de la Haye wrote:
Dear Sergey,
Thank you for your email. All personal data obtained by the RIPE NCC is handled in accordance with Dutch law and European Union data protection legislation, as required for an organisation operating in the Netherlands.
The RIPE NCC Privacy Statement is publicly available on the RIPE website, and describes the situations in which personal data may be requested and the RIPE NCC's responsibilities when handling such data: http://www.ripe.net/legal/privacy-statement.html
Please note the following sections: - "Except as described herein or when under a statutory duty to do so, the RIPE NCC does not share or transfer any personal data." [Section 2.1] - "The RIPE NCC maintains a high level of physical security and protection for all its computer and network facilities, and, in particular, for those in which personal information may be stored." [Section 3]
As a registry, the RIPE NCC has a mandate to ensure the accuracy of our registration data. Verifying the identity of LIR representatives is directly relevant to this mandate.
I hope this clarifies the RIPE NCC's position in relation to this matter.
Best regards,
Andrew de la Haye Chief Operations Officer, RIPE NCC
On Oct 20, 2010, at 11:25 AM, Sergey Myasoedov wrote:
Hello,
I would like to talk about personal data protection. After the audit process, NCC demands that we send them, together with the contract, the ID of person who signs the End User assignment contract (even if the contract is signed by a person on behalf of company).
It seems strange: the CEO of company that wants IP resources signs the contract, probably stamps it and suddenly (!) RIPE NCC asks for the ID of CEO. We (LIR) have no choice on such operations - we should request ID or RIPE NCC will not assign resources for our customers.
Even more, RIPE NCC requires scans of ID, and this action violates local laws in some countries (for example, CZ or RU). In Russia, personal data can be processed only after a special agreement (except some cases mentioned in the law), but we will send the ID images without any special agreements to the NCC.
I tried to find some statements on data protection in the RIPE NCC or on any guarantee of confidentiality, but no such information found in the standard service agreement or any policy documents.
On these grounds, I would like to initiate a change. RIPE NCC should have data protection procedures or RIPE NCC should not request personal IDs of third parties.
-- Sergey

Hi All,
I read the thread about it, and there is something to dig out for me.
As for my experience in working with RIPE NCC hostmasters, they often request a lot of information they never can check. It is the MAC address lists, some kind of graphs, some papers issued by companies they never can reach, etc. All these data can be relatively easily obtained and processed.
The other way is the personal data, and so important data like photo ID or passport. Requesting and handling that data is difficult and is subject to a number of laws, such as The Law about Personal Data in Russia. By that law, the legal obtaining of that data is almost impossible for RIPE NCC, so it means RIPE can NEVER check the Russian passport you send them.
The question is: what EXACTLY do RIPE NCC staff do with the photo IDs we are sending them? Is it really important, or is it just for extra bureaucracy?
Also, let's imagine bad and good guys. The bad guy will make the "photo ID" in Photoshop in a few minutes (and look up this message - RIPE NCC can't check it), but the good guy will experience a lot of problems. So why?
20.10.10 12:25, Sergey Myasoedov wrote:
Hello,
I would like to talk about personal data protection. After the audit process, NCC demands that we send them, together with the contract, the ID of person who signs the End User assignment contract (even if the contract is signed by a person on behalf of company).
It seems strange: the CEO of company that wants IP resources signs the contract, probably stamps it and suddenly (!) RIPE NCC asks for the ID of CEO. We (LIR) have no choice on such operations - we should request ID or RIPE NCC will not assign resources for our customers.
Even more, RIPE NCC requires scans of ID, and this action violates local laws in some countries (for example, CZ or RU). In Russia, personal data can be processed only after a special agreement (except some cases mentioned in the law), but we will send the ID images without any special agreements to the NCC.
I tried to find some statements on data protection in the RIPE NCC or on any guarantee of confidentiality, but no such information found in the standard service agreement or any policy documents.
On these grounds, I would like to initiate a change. RIPE NCC should have data protection procedures or RIPE NCC should not request personal IDs of third parties.
-- Sergey
-- WBR, Max Tulyev (MT6561-RIPE, 2:463/253@FIDO)
participants (14)
- Andrea Cima
- Andrew de la Haye
- Daniel Roesen
- David Monosov
- Dmitry Burkov
- Gert Doering
- James Aldridge
- Jim Reid
- Larisa Yurkina
- Marco Hogewoning
- Max Tulyev
- Randy Bush
- Sergey Myasoedov
- Thor Kottelin