[anti-abuse-wg] Analysis of the Legal Framework and Procedures Proposed by the Data Protection Task Force
Wilfried Woeber, UniVie/ACOnet Woeber at CC.UniVie.ac.at
Thu Apr 12 23:11:43 CEST 2012
lists at help.org wrote: >>After reading that page, I still cannot see a direct relevance to the > NCC's services or procedures. > > I believe Well, so this may - or may not - be true. > DomainTools.com also downloads the RIR's There are 5 of them, so which one(s)? > whois database and > repackages and sells the data along with historical whois data from the > domain registrars. >From an RIR's point of view, I presume the domain registry stuff is not relevant. Maybe the combining and re-packaging can be used as another argument for violating the AUP(s). > Isn't that related to the Data Protection Task > Force legal framework? I think so, but the linked page didn't include any reference to an IP Resource Registry. I may have missed that though. > The report says certain procedures and policies > were put in place to prevent downloads because it supposedly violates > some type of data protection laws. Indeed, both on the administrative side (AUPs), as well as on the technical plane (query limits, anonymizing data before allowing bulk access,...) But I am pretty sure that you als do know, that almost each and every technical measure can be subverted, given a strong (and/or financial) interest :-) > Yet there is a company doing that > and they don't seem to be concerned about the law and they seem to be > freely selling the data. Again, a pretty week term: "seem", together with "believe", there isn't too much flesh on the bones to get the legal folks involved, isn't it? They would certainly ask for proof or credible leads, before getting their fingers wet and putting their organisation at (at least a financial) risk. > Do these Data Protection laws actually apply > to this situation They probably do in one way or another, details to be worked out on a case by case basis. > or are these laws being broken and not enforced? The (legal) enforcement is potentially an entirely different story again, in an international environment, depending on where the breach happened (which part?=, and where the offender can (potentially) be prosecuted or taken to court. > Or maybe some other explanation? It is all unclear to me. Now, moving a away some distance from "mere" AUP or (C) violations... If you are really interested in getting a handle on "bad stuff" on the Internet, you could try to get involved in the security and incident handling ballpark. (I am to some degeree). Personally, I am convinced that the IP Resource Registry environment is the wrong tree to bark at, in general. There's a whole infrastructure out there (law enforcement, voluntary, commercial, incident response teams, national CERTs,...) that is active with this respect. The RIRs are at the far out periphery of that, at best, although they try to support the "pros" where they can... Hth. Wilfried. Note: I am not representing the NCC with my comments here. But I was a member of the DPTF. And I sometimes get a glance at or information about "funny stuff".