[anti-abuse-wg] Privacy requirements, was Spam FAQs
russ at consumer.net russ at consumer.net
Sat Dec 17 17:37:06 CET 2011
> The subject is on topic indeed. It has various facets,

All my posts in the last couple of threads are related to abuse and RIPE, but I am making my points in a roundabout way. My main point is that some of the people involved in abuse issues get so wrapped up in one aspect of the problem that they fail to see the overall picture. When we talk about enforcement of the EU privacy laws for the RIPE database, many are arguing for a very strict application of EU privacy laws. No consideration was given for pass-through sites like mine or the fact that access to the whois lookups is not a regional issue. This is what happens when we talk about something people don't like (namely getting spam from having a contact address in the RIPE database). Yet when I bring up applying these laws to an anti-spam group, suddenly their position changes and they argue for not applying the EU privacy laws strictly. In this case we have an anti-spam mechanism that everybody likes. Some people are applying the laws based on whether they like something or not, not on the actual facts.

As for IP addresses and whether they identify a person, that is a complicated issue. The US courts have been split over whether IP addresses are "Personally Identifiable Information" (PII). There are long, complicated discussions of the context in which the information is collected. The EU definition of "personal information" appears to be broader than the PII definition. In the case of spam blacklists or reputation scores, the information is generally collected to accuse someone of spamming and blacklist their IP address. If you get put on one of these lists by mistake and want to dispute the findings, you suddenly see the importance of the privacy aspect. If you blacklist someone you may have to give them the information you collected about them and allow them to dispute it. In my case my web site IP is on RIPE's blacklist. That IP leads directly to my company and identifies me.

By bringing up these issues I am now being accused of all sorts of things. My web site was set up in 1998 as a tool to track down and complain about spam, not a harvesting system. Not only that, I used to sue companies for breaking US privacy laws, and I even testified at the first "so-called" spam summit at the US Federal Trade Commission. Under the US telemarketing and junk fax laws you can take companies into small claims court. I took many large corporations to court and even sued several companies who harvested my whois info and used it to send illegal junk faxes. To claim I am a "harvester" or that I am promoting violating privacy laws is ridiculous.

What RIPE did when they implemented this IP address blocking was reduce security for the sake of privacy. It is now more difficult to get abuse contacts. Sure, people can go directly to the database, but it makes things more difficult and time consuming. Several users of my web site took the time to write to me to complain about the block. These were mostly system administrators and abuse staff, not people looking to harvest RIPE e-mail addresses. I get contacted all the time by security companies and law enforcement entities who use the site. No consideration was given to them, or to the fact that they are users of RIPE services, when this blocking system was implemented.

The other issue is the fact that the data is being collected under a government contract with IANA. A contractor is not permitted, on its own, to place restrictions on the data because it doesn't belong to them. Forgetting about EU privacy laws for the moment, I noticed ARIN has placed a restriction on their whois data that reads: "You may not use, allow to use, or otherwise facilitate the use of ARIN WHOIS data for advertising, direct marketing, marketing research, or similar purposes." There is no legal basis for this restriction since things like "marketing research" are perfectly legal. The marketing research companies paid their taxes like everyone else, and they have a right to the public data and can legally use it any way they want (as long as they don't break a law like sending an illegal junk fax).

I believe the whois access issue needs to be handled at the level of the Address Council because it is a universal service, and any access restrictions need to be coordinated with IANA who, in turn, should coordinate with the US Government as they are required to do under their contract. Certainly I should not have to join a European mailing list to discuss the services I use from North America.

Thank you.