[anti-abuse-wg] What is Personal information?
U.Mutlu security at mutluit.com
Mon Jan 16 17:54:03 CET 2012
russ at consumer.net wrote, On 2012-01-16 16:38:
> RIPE is now claiming the IP addresses they are collecting on their blacklist are not "personal information." I thought business contacts are considered "personal information" under the EU privacy directives? IP addresses allocated to businesses are in various whois databases. Reverse lookups identify domains which also lead to businesses. It seems to me that the blacklisting done by RIPE falls into this category when it is used to specifically blacklist a business. How is it that the contacts in the RIPE database are "personal information" yet the IP addresses associated with those contacts are not? Aren't they associated by doing a whois lookup that anyone can do?
>
> RIPE won't explain or acknowledge my request to have the matter reviewed by the Dutch Data Protection office. All I got was the vague response shown below.
>
> Thank You
>
> >On 1/16/2012 10:22 AM, RIPE Database Manager wrote:
> >Dear Russ,
> >
> >Please note that we do not collect any personal information.
> >The access block to the RIPE Database is based only on the IP address.
> >I hope to have informed you sufficiently.

The RIPE AUP has some more info on this issue:
http://www.ripe.net/db/support/db-aup.pdf

I think RIPE just wants to prevent abuse done by some egoistic people who endlessly query the database and/or misuse the service for commercial purposes. I.e. that's similar to protecting against "Denial of Service" attacks.

IMHO it's legitimate to protect the system, I personally wouldn't do any different. But I would unblock the culprits automatically after a predefined period (x hours or days).

And: not sure if there exist any ready-to-use caching whois servers (like it is the case with DNS servers), but if you are a programmer then you could also add a local whois lookup cache into your application, or to one of your systems, and do all queries via that cache... to reduce the number of physical connections to RIPE...
Makes sense of course only if the same records are queried over and over again...
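
The local lookup cache suggested in the message above, sketched as an added example that is not part of the original post. The names `whois_query` and `WhoisCache`, the one-hour TTL and the case-folded cache key are assumptions made for illustration; the demo uses a constructed fetcher and clock, so it runs without contacting any server.

```python
import socket
import time


def whois_query(query, server="whois.ripe.net", port=43, timeout=10):
    """One real WHOIS lookup (RFC 3912): send the query line, read until close."""
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


class WhoisCache:
    """TTL cache in front of a WHOIS fetcher (hypothetical helper)."""

    def __init__(self, fetch=whois_query, ttl=3600, clock=time.monotonic):
        self.fetch, self.ttl, self.clock = fetch, ttl, clock
        self.entries = {}          # cache key -> (expiry time, response text)
        self.upstream_queries = 0  # connections actually made to the server

    def lookup(self, query):
        query = query.strip()
        key = query.lower()        # assumption: lookups are case-insensitive
        now = self.clock()
        hit = self.entries.get(key)
        if hit and hit[0] > now:
            return hit[1]          # served locally, no connection made
        self.upstream_queries += 1
        response = self.fetch(query)
        self.entries[key] = (now + self.ttl, response)
        return response


def demo():
    """Constructed run: fake fetcher and fake clock, no network access."""
    now = [0.0]
    cache = WhoisCache(fetch=lambda q: f"% constructed record for {q}",
                       ttl=60, clock=lambda: now[0])
    for q in ["193.0.0.1", "193.0.0.1 ", "193.0.0.1", "RIPE-NCC-HM-MNT"]:
        cache.lookup(q)
    first_window = cache.upstream_queries  # only the two distinct keys went out
    now[0] = 61.0                          # past the TTL: entry is refreshed
    cache.lookup("193.0.0.1")
    return first_window, cache.upstream_queries
```

As the message notes, the saving only appears when the same records are requested repeatedly: four lookups in the demo cost two upstream queries, and a fifth after expiry costs one more.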