possible abuse case with our emails / spam from euromoney/capacitymedia
Hi all, Since a few days ago, I'm getting spam from Euromoney regarding their Capacity events. Note that I'm not trying to advertise them, but before proceeding with a formal complaint to the Data Protection Agencies, I want to know if it is an isolated case or a massive one in the RIPE community. After several complaints (they didn't respond initially and continued with the spam) and mail exchange, this company is assuring me today (I copy literally): "This particular contact does not have any purchase or online registration, it was loaded as a prospect from Capacity Media as an attendee for a 3rd party event (RIPE)." A few minutes ago, I've already asked the NCC to confirm if they have provided our personal data, which I doubt, of course, but I want to know if others are getting the same spam, which will mean that they are abusing our mail exploders or something similar ... Thanks! Regards, Jordi ********************************************** IPv4 is over Are you ready for the new Internet ? http://www.theipv6company.com The IPv6 Company This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicitly authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.
Hi Jordi, Thanks for bringing this to our attention. You are quite right - we do not share the personal data of attendees at our organised events with third parties unless this is required in order to help attendees participate in those events. This can happen, for example, when we assist attendees with preparing their visa applications. But in all such cases, personal data is shared only at the request of, and in coordination with, the attendee. We can assure you that we have not provided this organisation with any contact details. Please let us know if we can help support your complaint with the relevant authorities. Kind regards, Fergal Cunningham Marketing and Communications Manager RIPE NCC
Hi Fergal, Thanks for your response. Definitely, if you agree, I will quote your text on this email, in the DPA complaint. I guess also you may want to take legal action because they are spreading the message that "RIPE" is providing the data ... Let me know in private email (so we don't disturb the list) if you need anything from my side for that. One more piece of information I can provide is that after sending my email to the list, they responded to another of my complaints indicating that it was LACNIC who provided the data ... Of course, I've asked LACNIC as well. I'm curious if nobody else got this spam in the list. Regards, Jordi
On 2019-02-23 07:32, JORDI PALET MARTINEZ via ripe-list wrote:
> I'm curious if nobody else got this spam in the list.
Not on/in the list but I (we, all three that normally attend RIPE meetings from our company) got one at 2019-01-16 12:36. It was about a Subsea EMEA event in Marseilles. Cheers, -- Bengt Gördén Resilans AB
Thanks Bengt, Yes, the spam was NOT thru the list, sorry if I confused someone on that aspect. I got the first email on 15th February and the 2nd one on 21st. The point is that it looks to me very suspicious that they tell me that the data is provided by RIPE (initially) and then by LACNIC. Now your confirmation makes it clear that somehow, they are "capturing" emails from the RIRs communities ... Or maybe they look for the attendance list, which is public, and they do a search for the emails with Google, and they lie about "how" they have obtained the data. In any case, even if our emails are "searchable" in Internet, GDPR requires explicit consent to 1) register it in a database, 2) send spam. But further to that, informing that the RIRs themselves provided the data, should be legally prosecuted. I'm starting to wonder if it makes sense that the RIRs (IETF, ICANN, etc.), keep publishing the list of attendees. Is there any reason for that from the RIPE community or the RIPE NCC perspective? (please keep reading before responding) I agree that this is very useful for the event participants themselves, but it could be made available only for the participants, once they have checked-in (so they are on-site) and once they log-in only. This way we avoid people registering and actually not coming just to get the data. This way also, if a participant is the one that is capturing the data, in addition to the consequences with the DPA, if identified, he/she can be banned from attending further RIR meetings. Regards, Jordi
On 23/02/2019 12:09, JORDI PALET MARTINEZ via ripe-list wrote:
> ... I'm starting to wonder if it makes sense that the RIRs (IETF, ICANN, etc.), keep publishing the list of attendees. Is there any reason for that from the RIPE community or the RIPE NCC perspective? (please keep reading before responding)
> I agree that this is very useful for the event participants themselves, but it could be made available only for the participants, once they have checked-in (so they are on-site) and once they log-in only. This way we avoid people registering and actually not coming just to get the data.
> This way also, if a participant is the one that is capturing the data, in addition to the consequences with the DPA, if identified, he/she can be banned from attending further RIR meetings. ...
Jordi, I get more than 10 spams for each message I might want to actually read. I survive with automation and by paying the absolute minimum of effort on unwanted messages. I agree that SPAM is annoying. Therefore I normally stop doing business with those that 'loose' my mail addresses. Personally I am also a privacy advocate since the early 1970s, that's before the Internet became a threat. ;-) However we should not overreact to these practices and threats like you are suggesting! I fully agree that the RIRs should spend reasonable efforts to prosecute abuse of the data we publish. However, publishing less as a reaction to this abuse needs very very careful consideration. Publishing the attendance lists is very useful for research and also for projecting openness and transparency. For instance Shane Kerr has worked on diversity from these published lists: https://labs.ripe.net/Members/shane/measuring-diversity-at-ripe-meetings. I personally am working on these lists right now in order to support developing the RIPE Chair selection procedure. We also publish mailing list archives that are a treasure trove for research and a means of storing our history and again being open and transparent. Working from published data is key here, because others can re-produce and check their research without needing any permission. Personally I strongly believe that the negative sides of publishing this data are negligible compared to the benefits. I just deal with the spam and other consequences and enjoy the benefits. Banning people from RIPE meetings is so far out that I hope you will re-consider and withdraw that suggestion. Think it through a few steps please: How can we maintain openness, transparency and low threshold to participate once we do that? Once we start banning people where do we stop? Best Daniel
Forgot to say something important: There is no proof that the published attendee lists, which contain no e-mail addresses, were abused. Daniel
The company sending the spam said that. Once you get the complete name of people from the attendee list, just make a script to google for the emails ... Other people that coincidentally participated in RIPE got the same spam (I'm sure many others, but maybe not in this list or just not responding). As said, at a minimum we should send a clear message by starting a lawsuit against this company. If we don't do that already, we should have a message, in the attendee list of all our events (past, present and future) in the line of "This list is for the benefit of the participants and RIPE doesn't authorize to use it for marketing prospects or any other activities. We remind that GDPR requires explicit consent to use this data". Regards, Jordi
On 26/02/2019 02:30, JORDI PALET MARTINEZ via ripe-list wrote:
> The company sending the spam said that.
I cannot read it from the text you quoted. There is no indication on *how* the information was obtained. I am also not sure to what extent the statement you quote is truthful. So I would not jump to conclusions.
> As said, at a minimum we should send a clear message by starting a lawsuit against this company.
> If we don't do that already, we should have a message, in the attendee list of all our events (past, present and future) in the line of "This list is for the benefit of the participants and RIPE doesn't authorize to use it for marketing prospects or any other activities. We remind that GDPR requires explicit consent to use this data".
Fine with me to do in the future. I doubt it will have any effect nor will it strengthen any legal recourse. Retroactively adding it to all historic meeting records is out of proportion. I do not expect spammers to want ancient data. ;-)
Daniel
> we should have a message, in the attendee list of all our events (past, present and future) in the line of "This list is for the benefit of the participants and RIPE doesn't authorize to use it for marketing prospects or any other activities. We remind that GDPR requires explicit consent to use this data".
Sorry Jordi. I think this is worthless bullshit. There's no way to express this tactfully. These sorts of disclaimers are no different from the stupid legalese that gets appended to far too many corporate emails: "if you are not the intended recipient... blah, blah, blah". Spammers and marketing scum will pay no attention to your suggested disclaimer. And I very much doubt someone could successfully prosecute or sue whenever a breach has occurred on the basis of that disclaimer. If someone's violated GDPR, it'll make no difference whether or not this sort of disclaimer exists. I think we should concentrate on making sure our personal data are protected from mis-use rather than sticking up yet another warning notice on our front door. IMO we've already got too many of them. And, dubious virtue signalling aside, I'm not convinced they do any good. Has anyone got any evidence to show that warnings like the one above have actually reduced the volume of spam or made a marketroid behave properly? Until that evidence emerges, we should stop going down this path - and very probably stop this thread too.
Hi Jim, I don't agree. Sometimes courts/DPAs will not take cases into consideration if there is not an explicit reminder. I've seen that already in real cases. I realized today that this message is already there and I missed it before (or maybe it has been added after this discussion). In any case, thanks a lot for that! A couple of examples: https://www.ripe.net/membership/indices/data/ru.netup.html https://ripe73.ripe.net/attend/attendee-list/ https://ripe77.ripe.net/attend/attendee-list/ Regards, Jordi
On 6 Mar 2019, at 15:23, JORDI PALET MARTINEZ via ripe-list <ripe-list@ripe.net> wrote:
> I don't agree. Sometimes courts/DPAs will not take cases into consideration if there is not an explicit reminder.
Maybe Jordi. But that depended on the pre-GDPR circumstances. We're all in a *very* different environment now that GDPR is in force. Thanks to GDPR there's no need to say "don't misuse personal data" any more or put that on every bloody email and web page. Any misuse of an EU citizen's personal data is a violation now and it doesn't matter if there's a disclaimer or not. This is all beside the point anyway. I repeat what I said before:
> I think we should concentrate on making sure our personal data are protected from mis-use rather than sticking up yet another warning notice on our front door. IMO we've already got too many of them. And, dubious virtue signalling aside, I'm not convinced they do any good.
> Has anyone got any evidence to show that warnings like the one above have actually reduced the volume of spam or made a marketroid behave properly? Until that evidence emerges, we should stop going down this path - and very probably stop this thread too.
And in the specific case of the marketing scum who triggered this thread, I suggest the NCC sends them a cease and desist warning in writing. FWIW I did that ~10 years ago when someone spammed dns-wg-chair@ripe.net. The spam stopped. And I assume the data harvesting that started it. Next, we randomly insert a use-once bogus entry in the attendee list from time to time. If someone spams that list, we can prove where they got the data from and sue or prosecute them. This is what phone companies do/did with paper-based directories. [Remember them?] If someone violates the (compilation copyright?) IPR, these sorts of nonce entries provide the proof that's needed in court.
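The use-once bogus entry described in the message above, sketched as an added example that is not part of the original thread or of any RIPE NCC tooling: each published list snapshot gets one canary attendee whose mailbox carries an HMAC tag, so mail arriving at that mailbox identifies the snapshot it was harvested from. The secret, the domain `canary.example.org`, the name pools and the list identifiers are constructed assumptions.

```python
"""Use-once canary entries for a published attendee list (illustrative sketch)."""
import hashlib
import hmac
from email import message_from_string
from email.utils import getaddresses
from typing import Optional

# Assumptions for this sketch: a secret held only by the list operator and a
# domain whose inbound mail the operator receives. Both values are constructed.
SECRET = b"constructed-demo-secret"
CANARY_DOMAIN = "canary.example.org"
FIRST = ["Alex", "Robin", "Sam", "Kim"]      # constructed name pools
LAST = ["Berg", "Novak", "Silva", "Meyer"]


def tag_for(list_id: str, nonce: str) -> str:
    """Derive the tag that binds a canary to exactly one list snapshot."""
    mac = hmac.new(SECRET, f"{list_id}|{nonce}".encode(), hashlib.sha256)
    return mac.hexdigest()[:12]


def make_canary(list_id: str, nonce: str) -> dict:
    """Build the bogus attendee that is published in one snapshot only."""
    tag = tag_for(list_id, nonce)
    first = FIRST[int(tag[0:2], 16) % len(FIRST)]
    last = LAST[int(tag[2:4], 16) % len(LAST)]
    return {
        "name": f"{first} {last}",
        "organisation": "Example Networks",
        "address": f"{first}.{last}.{tag}@{CANARY_DOMAIN}".lower(),
    }


def attribute(raw_message: str, issued: list) -> Optional[tuple]:
    """Return the (list_id, nonce) whose canary received this message, if any.

    `issued` is the operator's private register of snapshots that carried a
    canary. A recipient at the canary domain with a tag that does not verify
    is ignored, so a guessed address cannot frame a particular snapshot.
    """
    msg = message_from_string(raw_message)
    headers = []
    for name in ("To", "Cc", "Delivered-To"):
        headers.extend(msg.get_all(name, []))
    for _display, addr in getaddresses(headers):
        local, _, domain = addr.lower().rpartition("@")
        if domain != CANARY_DOMAIN:
            continue
        seen = local.rsplit(".", 1)[-1].encode()
        for list_id, nonce in issued:
            if hmac.compare_digest(seen, tag_for(list_id, nonce).encode()):
                return (list_id, nonce)
    return None


if __name__ == "__main__":
    # Constructed register: two events, one of them republished a month later.
    issued = [("meeting-A", "2019-03-01"),
              ("meeting-B", "2019-03-01"),
              ("meeting-B", "2019-04-01")]
    canary = make_canary(*issued[2])
    # Constructed unsolicited message addressed to the canary mailbox.
    sample = (
        "From: Events Team <promo@sender.example>\n"
        f"To: {canary['name']} <{canary['address']}>\n"
        "Subject: Join us at our next conference\n"
        "\n"
        "You are receiving this as a past attendee.\n"
    )
    print("published entry:", canary["name"], "/", canary["organisation"])
    print("harvested from :", attribute(sample, issued))
```

Rotating the nonce each time the list is republished narrows the evidence to the period in which the copy was taken.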
Hi Daniel, Responding below in-line. Regards, Jordi

-----Original message-----
From: ripe-list <ripe-list-bounces@ripe.net> on behalf of Daniel Karrenberg <dfk@ripe.net>
Date: Monday, 25 February 2019, 19:24
To: RIPE Community <ripe-list@ripe.net>
Subject: Re: [ripe-list] possible abuse case with our emails / spam from euromoney/capacitymedia

> On 23/02/2019 12:09, JORDI PALET MARTINEZ via ripe-list wrote:
>> ... I'm starting to wonder if it makes sense that the RIRs (IETF, ICANN, etc.), keep publishing the list of attendees. Is there any reason for that from the RIPE community or the RIPE NCC perspective? (please keep reading before responding)
>>
>> I agree that this is very useful for the event participants themselves, but it could be made available only for the participants, once they have checked-in (so they are on-site) and once they log-in only. This way we avoid people registering and actually not coming just to get the data.
>>
>> This way also, if a participant is the one that is capturing the data, in addition to the consequences with the DPA, if identified, he/she can be banned from attending further RIR meetings. ...
>
> Jordi, I get more than 10 spams for each message I might want to actually read. I survive with automation and by paying the absolute minimum of effort on unwanted messages. I agree that SPAM is annoying. Therefore I normally stop doing business with those that 'loose' my mail addresses. Personally I am also a privacy advocate since the early 1970s, that's before the Internet became a threat. ;-)

I've the same problem and with a similar ratio approximately. However, for many reasons, I've around 20 live different email accounts, so most of the time, those numbers are x10-x12 or close to that (fortunately not all the accounts receive all the spam copies). Fortunately, also, spamassassin is doing a good job and 90% of the spam is already pre-classified in the spam in-box, but I still need to take a "quick" look into that every day, so as to avoid that "fine-tuning" filters wanted emails as spam ones. I don't think people realize how damaging the spam and the personal data collection are. I know a lawyer who the court claimed 40.000 Euros because his case was lost because the email with the order for the audience was filtered as spam ... and that's without considering how much time per day we use in filtering emails ... millions of people. For me they are criminals, and they deserve several years of jail, in addition to compensating people (automatically without courts, just claiming to the DPAs, in addition to the DPAs imposed fines). Unfortunately, in European-Roman law to get this compensation you need to invest in a case and demonstrate to the judge for every cent (which is impossible), of damages they caused you ... British/American law looks better in the sense of allowing you to just claim an amount which compensates your time/damages. I also decided several years ago to claim in the DPA those cases of persistent spam. Typically, about 1.000 claims per year. One day I should write an article about the email-marketing companies mafia around this ... and how they try to jump over the law ... but that's another topic and probably will require some journalist to get involved to complete a good research work.

> However we should not overreact to these practices and threats like you are suggesting!

I don't think I'm overreacting. I think that by default when registering into the events the publication of our names must be blocked (and you opt-in to allow it), except for other on-site participants. Maybe it is already the case but I didn't realize it before, because I never got a suspicion that this is happening in our events. Now I've a different view, clearly.

> I fully agree that the RIRs should spend reasonable efforts to prosecute abuse of the data we publish. However, publishing less as a reaction to this abuse needs very very careful consideration.

Ok, then let's make sure that we send a clear signal that we are going to do that, and let's take legal action against this criminal company that is at least saying that RIPE and LACNIC provide the data.

> Publishing the attendance lists is very useful for research and also for projecting openness and transparency. For instance Shane Kerr has worked on diversity from these published lists: https://labs.ripe.net/Members/shane/measuring-diversity-at-ripe-meetings. I personally am working on these lists right now in order to support

I've not said that this must be banned for researchers. I think this is great, but we must have the control of at least knowing "this guy or group is using our data".

> developing the RIPE Chair selection procedure. We also publish mailing list archives that are a treasure trove for research and a means of storing our history and again being open and transparent. Working from published data is key here, because others can re-produce and check their research without needing any permission.

And it is extremely useful as well! And now I'm wondering if GDPR allows that to be disclosed to anyone willing to consult the archive and not part of the list, if the subscriber expresses his willingness to not be disclosed, but that's another topic. It is just curiosity, I'm fine with that because I don't think that is the source of the spam right now.

> Personally I strongly believe that the negative sides of publishing this data are negligible compared to the benefits. I just deal with the spam and other consequences and enjoy the benefits.

I think the way I suggested, and authorizing the access to researchers, doesn't have any negative consequences, and probably GDPR already mandates that our names are only published with explicit consent. We will need to look into that, if it has not been done already. From now on, I'm clear that I don't want my name in the public list.

> Banning people from RIPE meetings is so far out that I hope you will re-consider and withdraw that suggestion. Think it through a few steps please: How can we maintain openness, transparency and low threshold to participate once we do that? Once we start banning people where do we stop?

No, I don't think so. This is community decision. If somebody is abusing the community this way, we have the right to restrict their participation. Maybe they aren't coming to the meetings and they just got the info in the web site ... Maybe it is just my opinion, maybe not, and others think the same way (they express it or not), maybe this can't be done even if the community decides it and requires a court order, I don't know, but I have thought it several times before writing my previous email. I've seen frequently surprising court orders, for example, banning people from using public transport when they use it to do robberies. This doesn't mean that the public transport is not open to all. I think it is very similar to our case for banning people abusing the system. We may disagree, but everybody has different views of everything and that's perfectly fine.

> Best Daniel
participants (5)
- Bengt Gördén
- Daniel Karrenberg
- Fergal Cunningham
- Jim Reid
- JORDI PALET MARTINEZ