You are here: Home > Participate > Join a Discussion > RIPE Forum
RIPE Forum v1.4.1

Database Working Group

Threaded
Collapse

Re: [db-wg] Fwd: proposal: new attribute 'geofeed:

User Image

Hank Nussbacher

2021-01-06 07:01:45 CET

I guess I am not understanding something.
Why do we need a geofeed attribute?  What problem are we trying to solve?

I understand why each block of IPs needs to be associated with a  
country, so that certain language specific auto-customizations will  
work.  But what purpose is there to know that a /24 is in central  
Amsterdam?  Is the purpose to assist marketers in geo-targetted sales?  
  Is the purpose for network engineering (not sure what major problem  
we have that needs this)?

Is the purpose to know where you are so that in the event of an  
emergency (terror, tornado, etc) you can get emergency targeted  
alerts?  If so, then the geofeed has to be at the /32 level and since  
many if not most IPs are mobile, and that is where you will get the  
alert from - from your cellphone provider, I still don't quite  
understand the reason for a geofeed tag.

Can someone clue me in?

Thanks,
Hank

Caveat: The views expressed above are solely my own and do not express  
the views or opinions of my employer


denis walker

2021-01-07 15:59:32 CET

HI Hank, colleagues

Whilst I can't answer your basic question, I could say that if the
IETF approves a change to RPSL, with the RIPE Database data model
based on RPSL, in principle we should implement the RPSL change.

Perhaps another question, to the RIPE NCC legal team, if I have a
fixed IP address or block of addresses, is this geofeed location data
personal data under the terms of GDPR?

cheers
denis
co-chair DB-WG

On Wed, 6 Jan 2021 at 07:01, hank--- via db-wg <db-wg _at_ ripe _dot_ net> wrote:
>
> I guess I am not understanding something.
> Why do we need a geofeed attribute?  What problem are we trying to solve?
>
> I understand why each block of IPs needs to be associated with a
> country, so that certain language specific auto-customizations will
> work.  But what purpose is there to know that a /24 is in central
> Amsterdam?  Is the purpose to assist marketers in geo-targetted sales?
>   Is the purpose for network engineering (not sure what major problem
> we have that needs this)?
>
> Is the purpose to know where you are so that in the event of an
> emergency (terror, tornado, etc) you can get emergency targeted
> alerts?  If so, then the geofeed has to be at the /32 level and since
> many if not most IPs are mobile, and that is where you will get the
> alert from - from your cellphone provider, I still don't quite
> understand the reason for a geofeed tag.
>
> Can someone clue me in?
>
> Thanks,
> Hank
>
> Caveat: The views expressed above are solely my own and do not express
> the views or opinions of my employer
>
>

User Image

Maria Stafyla

2021-01-08 11:27:57 CET

RIPE NCC staff member

Hi Denis, all 

Please allow us some time to look into this and we will get back to you
with our feedback next week.

Kind regards,

Maria Stafyla
Senior Legal Counsel
RIPE NCC


> ---------- Forwarded message ---------
> From: denis walker <ripedenis _at_ gmail _dot_ com>
> Date: Thu, 7 Jan 2021 at 15:59
> Subject: Re: [db-wg] Fwd: proposal: new attribute 'geofeed:
> To: Hank Nussbacher <hank _at_ interall.co _dot_ il>, <legal _at_ ripe _dot_ net>
> Cc: Database WG <db-wg _at_ ripe _dot_ net>
>
>
> HI Hank, colleagues
>
> Whilst I can't answer your basic question, I could say that if the
> IETF approves a change to RPSL, with the RIPE Database data model
> based on RPSL, in principle we should implement the RPSL change.
>
> Perhaps another question, to the RIPE NCC legal team, if I have a
> fixed IP address or block of addresses, is this geofeed location data
> personal data under the terms of GDPR?
>
> cheers
> denis
> co-chair DB-WG
>
> On Wed, 6 Jan 2021 at 07:01, hank--- via db-wg <db-wg _at_ ripe _dot_ net> wrote:
>> I guess I am not understanding something.
>> Why do we need a geofeed attribute?  What problem are we trying to solve?
>>
>> I understand why each block of IPs needs to be associated with a
>> country, so that certain language specific auto-customizations will
>> work.  But what purpose is there to know that a /24 is in central
>> Amsterdam?  Is the purpose to assist marketers in geo-targetted sales?
>>   Is the purpose for network engineering (not sure what major problem
>> we have that needs this)?
>>
>> Is the purpose to know where you are so that in the event of an
>> emergency (terror, tornado, etc) you can get emergency targeted
>> alerts?  If so, then the geofeed has to be at the /32 level and since
>> many if not most IPs are mobile, and that is where you will get the
>> alert from - from your cellphone provider, I still don't quite
>> understand the reason for a geofeed tag.
>>
>> Can someone clue me in?
>>
>> Thanks,
>> Hank
>>
>> Caveat: The views expressed above are solely my own and do not express
>> the views or opinions of my employer
>>
>>

User Image

Michael Kafka

2021-01-08 15:16:55 CET

Dear members,

GDPR is quite specific about personal data:

‘personal data’ means any information relating to an identified or
identifiable natural person (‘data subject’); an identifiable natural
person is one who can be identified, directly or indirectly, in
particular by reference to an identifier such as a name, an
identification number, location data, an online identifier or to one or
more factors specific to the physical, physiological, genetic, mental,
economic, cultural or social identity of that natural person;

If the geofeed doesn't contain the above mentioned means to directly or
indirectly identify a natural person then GDPR don't apply,
especially if the geofeed refers only to a country or province.

In general anonymization is assumed with K > 5, e.g. geographic
information covering more than 5 natural persons. RIPE should be on
the safe side if such geographic information refers to a province,
region or country.

(This is a brief summary of a discussion with
Dr. Jur. Christoph Tschohl about this topic)

Much more critical are the 100k or maybe even millions of RIPE-db
entries, containing name and street address of natural persons which
are under the sole control of RIPE.

Best regards,

MiKa


On 2021-01-07 15:59, denis walker via db-wg wrote:
> HI Hank, colleagues
> 
[... ...]
> 
> Perhaps another question, to the RIPE NCC legal team, if I have a
> fixed IP address or block of addresses, is this geofeed location data
> personal data under the terms of GDPR?
> 
> cheers
> denis
> co-chair DB-WG
> 

User Image

Randy Bush

2021-01-08 18:15:41 CET

> If the geofeed doesn't contain the above mentioned means to directly
> or indirectly identify a natural person then GDPR don't apply,
> especially if the geofeed refers only to a country or province.

note that the geofeed spec, RFC8805, is separate from the rpsl-based
means to find the geofeed files, draft-ietf-opsawg-finding-geofeeds.

i was not involved in the geofeed spec, but it was done by friends of
the family who gossip :)

i was told that the reason there is no postal code in the geofeed file
spec is because, in some cases, it resolves with sufficient precision to
identify individuals.

randy

User Image

Michael Kafka

2021-01-10 07:36:28 CET

On 2021-01-08 18:15, Randy Bush via db-wg wrote:
>> If the geofeed doesn't contain the above mentioned means to directly
>> or indirectly identify a natural person then GDPR don't apply,
>> especially if the geofeed refers only to a country or province.
> 
> note that the geofeed spec, RFC8805, is separate from the rpsl-based
> means to find the geofeed files, draft-ietf-opsawg-finding-geofeeds.

that wouldn't make a difference here. if the RIPE database points
immediately to personal information GDPR applies.

> i was not involved in the geofeed spec, but it was done by friends of
> the family who gossip :)
> 
> i was told that the reason there is no postal code in the geofeed file
> spec is because, in some cases, it resolves with sufficient precision to
> identify individuals.
> 
> randy


the precision of postal codes (e.g. in great britain) is a good point!

MiKa

Horváth Ágoston János

2021-01-10 11:47:12 CET

As far as I'm aware, since IP addresses _can_ uniquely identify a person
(think of static IPs offered by some ISPs), it is considered personal data
by authorities.

GDPR leaves a huge grey area that is up to interpretation, which in
practice boils down to companies trying to avoid even said grey area and
keeping a very strict GDPR policy. Been there, done that (doing that, in
fact). Painful as it is, that's the law.

Agoston


On Sun, Jan 10, 2021 at 7:36 AM Michael Kafka via db-wg <db-wg _at_ ripe _dot_ net>
wrote:

> On 2021-01-08 18:15, Randy Bush via db-wg wrote:
> >> If the geofeed doesn't contain the above mentioned means to directly
> >> or indirectly identify a natural person then GDPR don't apply,
> >> especially if the geofeed refers only to a country or province.
> >
> > note that the geofeed spec, RFC8805, is separate from the rpsl-based
> > means to find the geofeed files, draft-ietf-opsawg-finding-geofeeds.
>
> that wouldn't make a difference here. if the RIPE database points
> immediately to personal information GDPR applies.
>
> > i was not involved in the geofeed spec, but it was done by friends of
> > the family who gossip :)
> >
> > i was told that the reason there is no postal code in the geofeed file
> > spec is because, in some cases, it resolves with sufficient precision to
> > identify individuals.
> >
> > randy
>
>
> the precision of postal codes (e.g. in great britain) is a good point!
>
> MiKa
>
>
User Image

Randy Bush

2021-01-11 00:36:16 CET

>>> If the geofeed doesn't contain the above mentioned means to directly
>>> or indirectly identify a natural person then GDPR don't apply,
>>> especially if the geofeed refers only to a country or province.
>> 
>> note that the geofeed spec, RFC8805, is separate from the rpsl-based
>> means to find the geofeed files, draft-ietf-opsawg-finding-geofeeds.
> 
> that wouldn't make a difference here. if the RIPE database points
> immediately to personal information GDPR applies.

cool!  i was in need of an authoritative legal opinion.  when are we
removing the key-cert: and person: objects?

> the precision of postal codes (e.g. in great britain) is a good point!

as today's legal authority, can you tell me if gdpr applies to all parts
of the british isles?  asking for a friend.

randy

Nick Hilliard

2021-01-11 13:43:07 CET

Randy Bush via db-wg wrote on 10/01/2021 23:36:
> as today's legal authority, can you tell me if gdpr applies to all parts
> of the british isles?  asking for a friend.

If you're referring to the UK, the EU GDPR no longer applies there, at 
least not since our close colleagues left the EU. They still use the UK 
Data Protection Act 2018, which is based on the EU GDPR though, and 
which provides full equivalence.

The EU GDPR does apply to the Republic of Ireland (which remains part of 
the EU), but not Northern Ireland, which is part of the UK.

UK post codes only identify the area where someone lives, so cannot be 
used to identify individuals, and therefore would be unlikely to be 
covered by the UK Data Protection Act 2018.  OTOH, each RoI postcode 
identifies an exact building, so there would be a case that there were 
GDPR implications there.

Nick

denis walker

2021-01-11 15:26:36 CET

Hi guys

GDPR applies to the entire RIPE Database because the RIPE NCC, who
operate the database, is based in the EU. It does not matter where the
data subject or data maintainer is based.

cheers
denis
co-chair DB-WG

On Mon, 11 Jan 2021 at 13:43, Nick Hilliard via db-wg <db-wg _at_ ripe _dot_ net> wrote:
>
> Randy Bush via db-wg wrote on 10/01/2021 23:36:
> > as today's legal authority, can you tell me if gdpr applies to all parts
> > of the british isles?  asking for a friend.
>
> If you're referring to the UK, the EU GDPR no longer applies there, at
> least not since our close colleagues left the EU. They still use the UK
> Data Protection Act 2018, which is based on the EU GDPR though, and
> which provides full equivalence.
>
> The EU GDPR does apply to the Republic of Ireland (which remains part of
> the EU), but not Northern Ireland, which is part of the UK.
>
> UK post codes only identify the area where someone lives, so cannot be
> used to identify individuals, and therefore would be unlikely to be
> covered by the UK Data Protection Act 2018.  OTOH, each RoI postcode
> identifies an exact building, so there would be a case that there were
> GDPR implications there.
>
> Nick
>

User Image

Ed Shryane

2021-01-11 15:46:30 CET

RIPE NCC staff member

Hi Michael,

> On 8 Jan 2021, at 15:16, Michael Kafka via db-wg <db-wg _at_ ripe _dot_ net> wrote:
> 
> Dear members,
> 
...
> Much more critical are the 100k or maybe even millions of RIPE-db
> entries, containing name and street address of natural persons which
> are under the sole control of RIPE.
> 
> Best regards,
> 
> MiKa
> 

If you are referring to PERSON objects, then out of 2 million PERSON objects in the RIPE database, only 14,841 are maintained by the RIPE NCC.

13,277 of these are (previously unmaintained) locked person objects, which we are in the process of cleaning up.

The vast majority of PERSON objects are referenced from inet(6)num allocations and assignments (i.e. maintained by LIRs and End Users).

Regards
Ed Shryane
RIPE NCC


User Image

Randy Bush

2021-01-11 19:07:29 CET

> Hi guys

ahem

> GDPR applies to the entire RIPE Database because the RIPE NCC, who
> operate the database, is based in the EU.

appreciate the legal opinion.  how come person: objects are allowed?

randy

denis walker

2021-01-11 19:23:54 CET

Hi Randy

On Mon, 11 Jan 2021 at 19:07, Randy Bush <randy _at_ psg _dot_ com> wrote:
>
> > Hi guys
>
> ahem
>
> > GDPR applies to the entire RIPE Database because the RIPE NCC, who
> > operate the database, is based in the EU.
>
> appreciate the legal opinion.  how come person: objects are allowed?
>

I asked this very specific question about coverage of GDPR over the
data set quite recently to the NCC's legal team and that is the answer
they gave me.

PERSON objects are not allowed in the way they are currently used...we
need to do something about that...(I am working on it :) )

cheers
denis
co-chair DB-WG

> randy

User Image

Carlos Friacas

2021-01-12 10:46:01 CET

Greetings,

I still see "purpose" on having person: objects in the database.

Contact information for networks and abuse contacts need to be available 
to anyone. I consider these contacts to be professional, not personal.

If anyone has the same personal and professional details, they don't stop 
to be professional by that fact. A new postal address is not something 
which is "free", but it is a service that can be subscribed in most 
places, right?

A new EU NIS2 directive is also upcoming. I hope the need for 
whois/rdap/whatever accurate data could be clarified in some of its 
articles.

Regards,
Carlos




On Mon, 11 Jan 2021, Randy Bush via db-wg wrote:

>> Hi guys
>
> ahem
>
>> GDPR applies to the entire RIPE Database because the RIPE NCC, who
>> operate the database, is based in the EU.
>
> appreciate the legal opinion.  how come person: objects are allowed?
>
> randy
>

User Image

Randy Bush

2021-01-12 18:36:25 CET

> I still see "purpose" on having person: objects in the database.

the network manager handbook used to sit on my desk.  i used it a lot.
whois has become less and less useful.

randy