From malcolm at linx.net Mon May 2 12:25:59 2011
From: malcolm at linx.net (Malcolm Hutty)
Date: Mon, 02 May 2011 11:25:59 +0100
Subject: [cooperation-wg] Re: cooperation-wg digest, Vol 1 #25 - 1 msg
In-Reply-To: <20110224110004.31123.58693.Mailman@postboy.ripe.net>
References: <20110224110004.31123.58693.Mailman@postboy.ripe.net>
Message-ID: <4DBE86B7.2030500@linx.net>

On 24/02/2011 11:00, cooperation-wg-request at ripe.net wrote:
>> EU Directive 2006/24/EC on Data Retention was a very poor document.
>> I hear that the EU is working on such things again.
>
> Yes, and no. There is a review going on, and a meeting was held in late
> November in Brussels.
>
> Rumours say that COM will not open up the directive, but instead clarify
> what is intended. Which to me is another reason for the coop wg to bring
> this up.
[...]
> Patrik

This has now moved on, with the publication of the Evaluation Report on the Data Retention Directive.

A copy of the report, and a little commentary I wrote are at the URLs that follow

http://ec.europa.eu/commission_2010-2014/malmstrom/archive/20110418_data_retention_evaluation_en.pdf

https://publicaffairs.linx.net/news/?p=3930

--
Malcolm Hutty | tel: +44 20 7645 3523
Head of Public Affairs | Read the LINX Public Affairs blog
London Internet Exchange | http://publicaffairs.linx.net/

London Internet Exchange Ltd
Maya House, 134-138 Borough High Street, London SE1 1LB

Company Registered in England No. 3137929
Trinity Court, Trinity Street, Peterborough PE1 1DA

From malcolm at linx.net Tue May 3 13:39:27 2011
From: malcolm at linx.net (Malcolm Hutty)
Date: Tue, 03 May 2011 12:39:27 +0100
Subject: [cooperation-wg] Re: cooperation-wg digest, Vol 1 #28 - 1 msg
In-Reply-To: <20110503100005.13396.10099.Mailman@postboy.ripe.net>
References: <20110503100005.13396.10099.Mailman@postboy.ripe.net>
Message-ID: <4DBFE96F.8010902@linx.net>

On 03/05/2011 11:00, Malcolm Hutty wrote:
> This has now moved on, with the publication of the Evaluation Report on
> the Data Retention Directive.
>
> A copy of the report, and a little commentary I wrote are at the URLs
> that follow

No sooner do I report that relatively happy news, than I receive news of the response from the Council of Ministers.

The Presidency has circulated to Member States a questionnaire that reads rather like a rebuttal. In particular the questionnaire invites Member States to say

* that even though Data Retention is said to be justified for the purpose of dealing with "serious crime", once data has been retained it can be used for other purposes; and

* that when assessing the Directive Member States can ignore the evidence and proceed simply on the basis of the expressed wishes of law enforcement.

Statewatch obtained a leaked copy, which you can find here:

http://www.statewatch.org/news/2011/apr/eu-council-mand-ret-discussion-paper-9439-11.pdf

--
Malcolm Hutty | tel: +44 20 7645 3523
Head of Public Affairs | Read the LINX Public Affairs blog
London Internet Exchange | http://publicaffairs.linx.net/

London Internet Exchange Ltd
Maya House, 134-138 Borough High Street, London SE1 1LB

Company Registered in England No. 3137929
Trinity Court, Trinity Street, Peterborough PE1 1DA

From vesely at tana.it Thu May 5 17:15:23 2011
From: vesely at tana.it (Alessandro Vesely)
Date: Thu, 05 May 2011 17:15:23 +0200
Subject: [cooperation-wg] What governments don't get (feedback on data retention)
Message-ID: <4DC2BF0B.1070305@tana.it>

Hi all!

After applauding Malcolm yesterday, I've recognized a parallel between VAT and wiretapping: They both don't work well with layers.

Traditionally, telephony is conceived as the service of a single operator. Suppose that the telecom splits among various intermediaries. Actually, several large industries define such kind of split internally, for administrative purposes. However, if the split is real each provider of a service layer has to pay VAT, while departments don't.

By a similar logic, if cryptography is deployed at some layers, then wiretapping has to be coordinated with those layers as well --possibly not the network provider or cable operator roles that the directive targets.

Can someone suggest a solution that would solve both issues :-)

From vesely at tana.it Wed May 18 20:56:20 2011
From: vesely at tana.it (Alessandro Vesely)
Date: Wed, 18 May 2011 20:56:20 +0200
Subject: [cooperation-wg] SMTP forwarding in the face of Data Protection Directive
Message-ID: <4DD41654.70706@tana.it>

Hi all,
can a tool for lawfully acquiring a user's consent via the Internet motivate SMTP operators to modify their procedures in such a way that spam can be countered more effectively? Let me please expand slightly on this question, I'll try and be concise.

It is well known that the Simple Mail Transfer Protocol provides for replacing the envelope recipient with one or more other email addresses.
This server forwarding is not to be confused with manually forwarding a message from a client. Mailing lists and newsletters are operated that way, as well as redirection configured by means of "dot forward" static files. Since email addresses are personal data, their processing is covered by Directive 95/46/EC.

How is the data subject's consent acquired? In response to the Data Protection Directive, operators should have defined a protocol for obtaining and keeping proof of the consent. It never happened. In fact, it is very difficult to introduce new protocols for email --new protocols for web operations come about much more frequently.

Evidence that consent has been granted can be provided by the data subject's mail exchanger (MX, a.k.a. the user's incoming mail server). It can digitally sign a notification from the data processor. That way, the user's server becomes aware of a new wanted stream of messages, and can whitelist it. That is, it can skip anti-spam checking for those messages. As bulk messages account for a significant part of legitimate mail, anti-spam measures could then be significantly strengthened.

The users' advantage is to have an automatically maintained list of subscriptions, and a uniform interface to manage them. Currently, users have to interact with what can be called a "time-distributed database", in the sense that monthly or yearly they may receive subscription reminders...

The obvious shortcoming of this idea is that mail server operators simply won't install any new software if their systems can work acceptably well without it. However, acquiring written consent is such a pain to many businesses that, perhaps, they will install that software if it helps complying with privacy issues. What do you think?
TIA for any comment

From patrik at frobbit.se Wed May 18 22:25:49 2011
From: patrik at frobbit.se (Patrik Fältström)
Date: Wed, 18 May 2011 22:25:49 +0200
Subject: [cooperation-wg] SMTP forwarding in the face of Data Protection Directive
In-Reply-To: <4DD41654.70706@tana.it>
References: <4DD41654.70706@tana.it>
Message-ID: <1AE49CBD-DF5D-439C-A972-B7834BA63D52@frobbit.se>

Just a clarifying question...you talk about consent acquired regarding the fact the email address will be processed (i.e. personal data will be processed)?

Patrik

On 18 May 2011, at 20.56, Alessandro Vesely wrote:

> Hi all,
> can a tool for lawfully acquiring a user's consent via the Internet
> motivate SMTP operators to modify their procedures in such a way that
> spam can be countered more effectively? Let me please expand slightly
> on this question, I'll try and be concise.
>
> It is well known that the Simple Mail Transfer Protocol provides for
> replacing the envelope recipient with one or more other email
> addresses. This server forwarding is not to be confused with manually
> forwarding a message from a client. Mailing lists and newsletters are
> operated that way, as well as redirection configured by means of "dot
> forward" static files. Since email addresses are personal data, their
> processing is covered by Directive 95/46/EC.
>
> How is the data subject's consent acquired? In response to the Data
> Protection Directive, operators should have defined a protocol for
> obtaining and keeping proof of the consent. It never happened. In
> fact, it is very difficult to introduce new protocols for email --new
> protocols for web operations come about much more frequently.
>
> Evidence that consent has been granted can be provided by the data
> subject's mail exchanger (MX, a.k.a. the user's incoming mail server).
> It can digitally sign a notification from the data processor. That
> way, the user's server becomes aware of a new wanted stream of
> messages, and can whitelist it. That is, it can skip anti-spam
> checking for those messages. As bulk messages account for a
> significant part of legitimate mail, anti-spam measures could then be
> significantly strengthened.
>
> The users' advantage is to have an automatically maintained list of
> subscriptions, and a uniform interface to manage them. Currently,
> users have to interact with what can be called a "time-distributed
> database", in the sense that monthly or yearly they may receive
> subscription reminders...
>
> The obvious shortcoming of this idea is that mail server operators
> simply won't install any new software if their systems can work
> acceptably well without it. However, acquiring written consent is
> such a pain to many businesses that, perhaps, they will install that
> software if it helps complying with privacy issues. What do you think?
>
> TIA for any comment

From jim at rfc1035.com Wed May 18 23:37:35 2011
From: jim at rfc1035.com (Jim Reid)
Date: Wed, 18 May 2011 22:37:35 +0100
Subject: [cooperation-wg] SMTP forwarding in the face of Data Protection Directive
In-Reply-To: <4DD41654.70706@tana.it>
References: <4DD41654.70706@tana.it>
Message-ID:

On 18 May 2011, at 19:56, Alessandro Vesely wrote:

> How is the data subject's consent acquired?

Consent for what? Joining the list? Receiving and posting messages? Being moderated or cross-posted to a newsgroup?

> In response to the Data Protection Directive, operators should have
> defined a protocol for obtaining and keeping proof of the consent.
> It never happened. In
> fact, it is very difficult to introduce new protocols for email.

I think we need to be careful to avoid confusing each other. For the purposes of this discussion, "protocol" should mean an IETF specification. Let's use "process" to mean "protocol for obtaining and keeping proof of the consent" ie not an IETF protocol.
A dictionary definition of protocol would include this "process" definition, but let's not use the same word for different things. List managers may need a process to show they have user consent. This might but probably won't need a protocol such as yet another tweak to SMTP. At least I hope it won't need that.

With that clarification out of the way, the consent you ask about is probably implicit: eg your employer puts you on company mailing lists as a condition of employment or it's your job to join certain (public) lists. In other cases, the act of joining a mailing list implies consent. If you don't want the list to process your Personal Data (email address), don't join it. In other cases, consent may be inherited from other terms and conditions: eg your ISP or registrar puts you on some mailing list for management of your account or whatever and you agree to that as a part of doing business together.

I am not a lawyer and don't play one on TV. However I have dealt with Data Protection issues and had too many non-trivial discussions with a DPA, the UK Information Commissioner's Office. [ICANN gTLD registry contracts and whois, if anyone cares... The scars have nearly healed in case any of you are asking.] The short answer to how your SMTP concern plays out will depend on the view of your DPA. So ask them. Or ask your lawyer first and then ask the national DPA.

I would be surprised if there was unanimity or even consensus amongst the EU DPAs on this topic, assuming they have considered this issue in WP29. And yes, I realise this is underpinned by a couple of EU Directives. But how these get enacted and enforced in national law differs from country to country. Then there's the question of how the national DPA sees its responsibilities and priorities. I would expect most will either not care about electronic mailing lists or take the pragmatic view that since list membership is under the user's control, that in itself provides the required consent.
However I would not bet money on this.

Another rat-hole to explore is what the list manager does with the Personal Data and if consent is needed for adding list members to other lists. Or lists of lists. What constitutes proportionate and fair usage of Personal Data then? My head is now starting to hurt...

Perhaps we could invite someone from WP29 to speak about this at the next WG meeting?

From staffan.jonson at iis.se Thu May 19 09:10:35 2011
From: staffan.jonson at iis.se (Staffan Jonson)
Date: Thu, 19 May 2011 09:10:35 +0200
Subject: SV: [cooperation-wg] SMTP forwarding in the face of Data Protection Directive
In-Reply-To: <4DD41654.70706@tana.it>
References: <4DD41654.70706@tana.it>
Message-ID: <983F17705339E24699AA251B458249B57EDCBBCF41@EXCHANGE2K7.office.nic.se>

Hi

Yes, agree with you. The idea is a shortcoming.

My experience tells me that law seldom originates from (the need of) individual users or a protocol, but by legal tradition in the legislation, i.e. eventually, interpretation by 27 member state (MS) legislations will go before directive intentions.

This means - if understood correctly - that the data consent procedure is decided upon in each and every MS. In other words, rule may actually vary a bit, which from a protocol view just will make the situation worse.

Therefore, I agree with Jim Reid on this:
"But how these get enacted and enforced in national law differs from country to country."

When interpreting this directive into Swedish law, lawyers currently discuss the criteria for what makes an 'active consent' just active. Can the automation of consents by protocols be a way to meet legislators' demands on active consent? In the end, it's an interpretation if automation is enough, and we'll probably have a ruling in this by national court, eventually.
/Staffan
Cell phone: + 46/0 73 317 39 67
Mail: staffan.jonson at iis.se

-----Original message-----
From: cooperation-wg-admin at ripe.net [mailto:cooperation-wg-admin at ripe.net] On Behalf Of Alessandro Vesely
Sent: 18 May 2011 20:56
To: cooperation-wg at ripe.net
Subject: [cooperation-wg] SMTP forwarding in the face of Data Protection Directive

Hi all,
can a tool for lawfully acquiring a user's consent via the Internet motivate SMTP operators to modify their procedures in such a way that spam can be countered more effectively? Let me please expand slightly on this question, I'll try and be concise.

It is well known that the Simple Mail Transfer Protocol provides for replacing the envelope recipient with one or more other email addresses. This server forwarding is not to be confused with manually forwarding a message from a client. Mailing lists and newsletters are operated that way, as well as redirection configured by means of "dot forward" static files. Since email addresses are personal data, their processing is covered by Directive 95/46/EC.

How is the data subject's consent acquired? In response to the Data Protection Directive, operators should have defined a protocol for obtaining and keeping proof of the consent. It never happened. In fact, it is very difficult to introduce new protocols for email --new protocols for web operations come about much more frequently.

Evidence that consent has been granted can be provided by the data subject's mail exchanger (MX, a.k.a. the user's incoming mail server). It can digitally sign a notification from the data processor. That way, the user's server becomes aware of a new wanted stream of messages, and can whitelist it. That is, it can skip anti-spam checking for those messages. As bulk messages account for a significant part of legitimate mail, anti-spam measures could then be significantly strengthened.

The users' advantage is to have an automatically maintained list of subscriptions, and a uniform interface to manage them. Currently, users have to interact with what can be called a "time-distributed database", in the sense that monthly or yearly they may receive subscription reminders...

The obvious shortcoming of this idea is that mail server operators simply won't install any new software if their systems can work acceptably well without it. However, acquiring written consent is such a pain to many businesses that, perhaps, they will install that software if it helps complying with privacy issues. What do you think?

TIA for any comment

From noreply at ripe.net Thu May 19 17:31:02 2011
From: noreply at ripe.net (Axel Pawlik)
Date: Thu, 19 May 2011 17:31:02 +0200
Subject: [cooperation-wg] Participate Now: RIPE NCC Membership and Stakeholder Survey
Message-ID: <4DD537B6.7020702@ripe.net>

[Apologies for duplicate emails]

Dear colleagues,

You still have time to take part in the RIPE NCC Membership and Stakeholder Survey 2011. The survey can be taken at:
https://www.ripe.net/survey2011

==================
Important Feedback
==================

This survey comes at a critical point as it will influence the strategy of the RIPE NCC following the depletion of the IPv4 address pool.
The analysis of the survey results will be conducted by the Oxford Internet Institute, and all identifying information will be removed before the data is given to the RIPE NCC.

For the first time, the survey is open to all stakeholders in the RIPE community in addition to RIPE NCC members. So far, over 300 people have responded to the survey. We aim to receive 1,000 responses by the survey closing date of 10 June. The survey should take only 10-15 minutes to complete.

===========
Win an iPad
===========

To encourage participation in the survey, the RIPE NCC is giving away five iPads to respondents chosen at random by the OII. Next week, we will announce the "early bird" winner of the first iPad, who will be drawn from those who responded to the survey by 16 May. The other four iPads will be drawn at random from all respondents.

We look forward to receiving your input.

Best regards,

Axel Pawlik
Managing Director
RIPE NCC

From vesely at tana.it Thu May 19 20:35:50 2011
From: vesely at tana.it (Alessandro Vesely)
Date: Thu, 19 May 2011 20:35:50 +0200
Subject: [cooperation-wg] SMTP forwarding in the face of Data Protection Directive
In-Reply-To:
References: <4DD41654.70706@tana.it>
Message-ID: <4DD56306.90206@tana.it>

Hi,
thank you all for your interest. I am touched and happier. I reply to comments by Patrik, Jim, and Staffan in this message.

On 18/May/11 22:25, Patrik Fältström wrote:
> Just a clarifying question...you talk about consent acquired
> regarding the fact the email address will be processed (i.e.
> personal data will be processed)?

Yes.

On 18/May/11 23:37, Jim Reid wrote:
> On 18 May 2011, at 19:56, Alessandro Vesely wrote:
>
>> How is the data subject's consent acquired?
>
> Consent for what? Joining the list? Receiving and posting messages?
> Being moderated or cross-posted to a newsgroup?

Consent for keeping the email address, any accompanying data, and any related processing, such as receiving posts, moderation, archiving, copyright, et cetera.

>> In response to the Data Protection Directive, operators should have
>> defined a protocol for obtaining and keeping proof of the consent.
>> It never happened. In fact, it is very difficult to introduce new
>> protocols for email.
>
> I think we need to be careful to avoid confusing each other. For the
> purposes of this discussion, "protocol" should mean an IETF
> specification. Let's use "process" to mean "protocol for obtaining and
> keeping proof of the consent" ie not an IETF protocol. A dictionary
> definition of protocol would include this "process" definition, but
> let's not use the same word for different things. List managers may
> need a process to show they have user consent. This might but probably
> won't need a protocol such as yet another tweak to SMTP. At least I
> hope it won't need that.

It's ok for these terms, for the sake of this discussion. In case we want to expand it, we'll have to give it a name and a specification. Further steps would be implementing it, testing, and find how to publish it as an RFC.

The process core had probably better be separate from SMTP. However, mail filters may help. For example, an SMTP extension may allow a receiving server to tell a sending Mailing List Manager (MLM) that it supports the process, in case the MLM is interested.

> With that clarification out of the way, the consent you ask about is
> probably implicit: eg your employer puts you on company mailing lists
> as a condition of employment or it's your job to join certain (public)
> lists. In other cases, the act of joining a mailing list implies
> consent. If you don't want the list to process your Personal Data
> (email address), don't join it. In other cases, consent may be
> inherited from other terms and conditions: eg your ISP or registrar
> puts you on some mailing list for management of your account or
> whatever and you agree to that as a part of doing business together.

Yes, consent is implicit, but difficult to prove.
And we are talking about MLMs, the most privacy-compliant example of mail forwarding. Let me note that MLMs, by design, used to protect their subscribers much before 1995. IOW, the only change they made in response to privacy laws was the wording in their footers and/or web sites.

For newsletters and dot-forward files, the improvements brought in by the "process" are much more noticeable. For example, dot-forward files can be reworked in order to obtain an effect similar, in practice, to email address portability.

> I am not a lawyer and don't play one on TV. However I have dealt with
> Data Protection issues and had too many non-trivial discussions with a
> DPA, the UK Information Commissioner's Office. [ICANN gTLD registry
> contracts and whois, if anyone cares... The scars have nearly healed
> in case any of you are asking.] The short answer to how your SMTP
> concern plays out will depend on the view of your DPA. So ask them. Or
> ask your lawyer first and then ask the national DPA.
>
> I would be surprised if there was unanimity or even consensus amongst
> the EU DPAs on this topic, assuming they have considered this issue in
> WP29. And yes, I realise this is underpinned by a couple of EU
> Directives. But how these get enacted and enforced in national law
> differs from country to country. Then there's the question of how the
> national DPA sees its responsibilities and priorities. I would expect
> most will either not care about electronic mailing lists or take the
> pragmatic view that since list membership is under the user's control,
> that in itself provides the required consent. However I would not bet
> money on this.

Yes, you are perfectly right on this. IANAL too, and have serious difficulties following such kind of discussions. I'm a programmer and would rather implement something. For such task, the wording on the web page is about as important as its background color.
However, yes, lawyers should talk about what the process would do, and check that member states can agree uniformly. I think they did an egregious theoretical work with Directive 95/46/EC. Further directives on the same subject seem to me to be somewhat weaker (and they never mention actual IETF protocols.)

Staffan also expresses some concerns on this point. I reply to him below.

> Another rat-hole to explore is what the list manager does with the
> Personal Data and if consent is needed for adding list members to
> other lists. Or lists of lists. What constitutes proportionate and
> fair usage of Personal Data then? My head is now starting to hurt...
>
> Perhaps we could invite someone from WP29 to speak about this at the
> next WG meeting?

MLMs' conceptual model is fine as it is. Software would only need minor changes, possibly none. There are still lists that have no web interface, so one could just add the "process" on top of them. Those who implement a confirmation page, may want to change it. For example, user's confirmation (the consent) could even be done by the user's server, and transmitted to the MLM thereafter.

On 19/May/11 09:10, Staffan Jonson wrote:
> Yes, agree with you. The idea is a shortcoming.

Yeah, possibly :-)

> My experience tells me that law seldom originates from (the need of)
> individual users or a protocol, but by legal tradition in the
> legislation, i.e. eventually, interpretation by 27 member state
> (MS) legislations will go before directive intentions.

Apparently, this is indeed the best we (Europeans) have been able to do. IMHO, testing if it works for the Internet era is an interesting exercise in its own respect. EDI has undergone similar issues, and more will come.

> This means -if understood correctly - that the data consent
> procedure is decided upon in each and every MS. In other words,
> rule may actually vary a bit, which from a protocol view just will
> make the situation worse.
>
> Therefore, I agree with Jim Reid on this:
> "But how these get enacted and enforced in national law differs
> from country to country."

Fragmentation should be avoided. On the opposite, if the process works correctly and proves to be useful, then it will likely be adopted beyond Europe.

From my point of view, the fact that the process can save paperwork is a side effect that helps its initial diffusion. The main aim is understanding mail streams so as to dominate spam. OTOH, that paperwork is a waste of resources and, personally, I won't do it anyway. I wonder for how long the people who do it will want to continue doing so...

> When interpreting this directive into Swedish law, lawyers
> currently discuss the criteria for what makes an 'active consent'
> just active. Can the automation of consents by protocols be a way
> to meet legislators' demands on active consent? In the end, it's an
> interpretation if automation is enough, and we'll probably have a
> ruling in this by national court, eventually.

Yes, that is not much different from companies deciding to use a given software tool, but on national scale.

From a governmental point of view, I think they should also wonder how long citizens will want to obey laws that require obsolete manual procedures. Lawyers should understand the difference between processes that work in practice versus paperwork that can be considered "theoretical" inasmuch as those papers are seldom read. Given an opportunity to ease and enhance citizens' work, they should take it --but who knows?

From jim at rfc1035.com Fri May 20 13:46:20 2011
From: jim at rfc1035.com (Jim Reid)
Date: Fri, 20 May 2011 12:46:20 +0100
Subject: [cooperation-wg] SMTP forwarding in the face of Data Protection Directive
In-Reply-To: <4DD56306.90206@tana.it>
References: <4DD41654.70706@tana.it> <4DD56306.90206@tana.it>
Message-ID:

On 19 May 2011, at 19:35, Alessandro Vesely wrote:

> It's ok for these terms, for the sake of this discussion.
> In case we want to expand it, we'll have to give it a name and a specification.
> Further steps would be implementing it, testing, and find how to
> publish it as an RFC.

I think you may be too far ahead of everyone Alessandro. It's not clear to me that there is a problem here that needs fixing. So far, no DPA appears to be demanding action about this issue or even saying that more formal consent processes are needed for mailing lists. I'd be inclined to wait until WP29 comes forward with a clear problem statement and set of requirements. Doing protocol development without these foundations is unlikely to produce anything useful: ie the IETF comes up with a solution to a different problem from the one that the DPAs care about.

It would be nice if a DPA could come to this WG to talk about this issue. After all the WG exists to facilitate this sort of industry-government dialogue.

From vesely at tana.it Fri May 20 18:06:55 2011
From: vesely at tana.it (Alessandro Vesely)
Date: Fri, 20 May 2011 18:06:55 +0200
Subject: [cooperation-wg] SMTP forwarding in the face of Data Protection Directive
In-Reply-To:
References: <4DD41654.70706@tana.it> <4DD56306.90206@tana.it>
Message-ID: <4DD6919F.4010509@tana.it>

Jim,
you've pinned the crux of the matter.

On 20/May/11 13:46, Jim Reid wrote:
> So far, no DPA appears to be demanding action about this issue or
> even saying that more formal consent processes are needed for
> mailing lists. I'd be inclined to wait until WP29 comes forward
> with a clear problem statement and set of requirements. Doing
> protocol development without these foundations is unlikely to
> produce anything useful: ie the IETF comes up with a solution to a
> different problem from the one that the DPAs care about.

More likely, there will be no "IETF solution" at all, because of lack of traction. On the one hand, the IETF consider they cannot compel protocols deployment. On the other hand, WP29 assume they cannot get down to protocol level details.
How can we use both hands together?

> It would be nice if a DPA could come to this WG to talk about this
> issue. After all the WG exists to facilitate this sort of
> industry-government dialogue.

Honestly, I didn't know about the Article 29 Working Party until you wrote about it. I've also been told about an International Working Group on Data Protection in Telecommunications (IWGDPT). I have no idea who exactly they are, and guess I'd just catch many headaches if I try to contact them directly.

It would be nice to find law-oriented participants in this WG, who feel like liaising the dialogue.

BTW, "industry-government" is not exact if this will result in a legally endorsed IETF solution implemented with free software.

From patrik at frobbit.se Sat May 21 09:05:44 2011
From: patrik at frobbit.se (Patrik Fältström)
Date: Sat, 21 May 2011 09:05:44 +0200
Subject: [cooperation-wg] SMTP forwarding in the face of Data Protection Directive
In-Reply-To: <4DD6919F.4010509@tana.it>
References: <4DD41654.70706@tana.it> <4DD56306.90206@tana.it> <4DD6919F.4010509@tana.it>
Message-ID: <736B7ED0-C0BC-4235-82F6-7980B827A3A9@frobbit.se>

I still do not see what you are after, given the various rules regarding "temporary storage" that exist.

Patrik

On 20 May 2011, at 18.06, Alessandro Vesely wrote:

> Jim,
> you've pinned the crux of the matter.
>
> On 20/May/11 13:46, Jim Reid wrote:
>> So far, no DPA appears to be demanding action about this issue or
>> even saying that more formal consent processes are needed for
>> mailing lists. I'd be inclined to wait until WP29 comes forward
>> with a clear problem statement and set of requirements. Doing
>> protocol development without these foundations is unlikely to
>> produce anything useful: ie the IETF comes up with a solution to a
>> different problem from the one that the DPAs care about.
>
> More likely, there will be no "IETF solution" at all, because of lack
> of traction.
On the one hand, the IETF consider they cannot compel
> protocols deployment. On the other hand, WP29 assume they cannot get
> down to protocol level details. How can we use both hands together?
>
>> It would be nice if a DPA could come to this WG to talk about this
>> issue. After all the WG exists to facilitate this sort of
>> industry-government dialogue.
>
> Honestly, I didn't know about the Article 29 Working Party until you
> wrote about it. I've also been told about an International Working
> Group on Data Protection in Telecommunications (IWGDPT). I have no
> idea who exactly they are, and guess I'd just catch many headaches if
> I try to contact them directly.
>
> It would be nice to find law-oriented participants in this WG, who
> feel like liaising the dialogue.
>
> BTW, "industry-government" is not exact if this will result in a
> legally endorsed IETF solution implemented with free software.
>
>

From vesely at tana.it Sat May 21 12:18:18 2011
From: vesely at tana.it (Alessandro Vesely)
Date: Sat, 21 May 2011 12:18:18 +0200
Subject: [cooperation-wg] SMTP forwarding in the face of Data Protection Directive
In-Reply-To: <736B7ED0-C0BC-4235-82F6-7980B827A3A9@frobbit.se>
References: <4DD41654.70706@tana.it> <4DD56306.90206@tana.it> <4DD6919F.4010509@tana.it> <736B7ED0-C0BC-4235-82F6-7980B827A3A9@frobbit.se>
Message-ID: <4DD7916A.6040309@tana.it>

On 21/May/11 09:05, Patrik Fältström wrote:
> I still do not see what you are after, given the various rules
> regarding "temporary storage" that exist.

I'm not sure what rules you mean. Let's assume, for example, that I
have the addresses of all cooperation-wg subscribers on my personal
address-book. Then, if I send a message to all of us, my outgoing
mail server will temporarily store the corresponding personal data for
the sake of running my post through its queue. I think Data
Protection Directive imposes no duty in such case. Is this what you mean?

Let me note again how transparent a MLM is in doing its job.
It lets
recipients know which specific (non-temporary) list their address was
extracted from. Not all list exploders work this way.

From patrik at frobbit.se Sat May 21 14:29:06 2011
From: patrik at frobbit.se (Patrik Fältström)
Date: Sat, 21 May 2011 14:29:06 +0200
Subject: [cooperation-wg] SMTP forwarding in the face of Data Protection Directive
In-Reply-To: <4DD7916A.6040309@tana.it>
References: <4DD41654.70706@tana.it> <4DD56306.90206@tana.it> <4DD6919F.4010509@tana.it> <736B7ED0-C0BC-4235-82F6-7980B827A3A9@frobbit.se> <4DD7916A.6040309@tana.it>
Message-ID: <98139D1F-A13B-4B16-A20B-9DF5A614441B@frobbit.se>

On 21 maj 2011, at 12.18, Alessandro Vesely wrote:

> On 21/May/11 09:05, Patrik Fältström wrote:
>> I still do not see what you are after, given the various rules
>> regarding "temporary storage" that exist.
>
> I'm not sure what rules you mean. Let's assume, for example, that I
> have the addresses of all cooperation-wg subscribers on my personal
> address-book. Then, if I send a message to all of us, my outgoing
> mail server will temporarily store the corresponding personal data for
> the sake of running my post through its queue. I think Data
> Protection Directive imposes no duty in such case. Is this what you mean?

Yes, as it is a temporary thing. And, it is absolutely not clear at all
if email addresses by themselves impose privacy information if they for
example are not even connected to the name of a person. Etc.

> Let me note again how transparent a MLM is in doing its job. It lets
> recipients know which specific (non-temporary) list their address was
> extracted from. Not all list exploders work this way.

Correct. But also, it depends on what information was sent to people
when they subscribed, if they subscribed themselves, or if they were
subscribed. Etc.

I think we should be careful of not making a rooster out of a feather.
We are still a few sandwiches short of a picnic.
   Patrik

From fweimer at bfk.de Mon May 23 09:09:59 2011
From: fweimer at bfk.de (Florian Weimer)
Date: Mon, 23 May 2011 07:09:59 +0000
Subject: [cooperation-wg] SMTP forwarding in the face of Data Protection Directive
In-Reply-To: <4DD41654.70706@tana.it> (Alessandro Vesely's message of "Wed, 18 May 2011 20:56:20 +0200")
References: <4DD41654.70706@tana.it>
Message-ID: <824o4lj3js.fsf@mid.bfk.de>

* Alessandro Vesely:

> How is the data subject's consent acquired? In response to the Data
> Protection Directive, operators should have defined a protocol for
> obtaining and keeping proof of the consent. It never happened.

It seems to me that the industry has come up with a pretty widely
adopted protocol: send a probe message to the mailbox, and if that is
confirmed, include the address in the distribution list. At this point,
the potential subscriber can also be told about list policies, including
archival of messages submitted.

> The users' advantage is to have an automatically maintained list of
> subscriptions, and a uniform interface to manage them. Currently,
> users have to interact with what can be called a "time-distributed
> database", in the sense that monthly or yearly they may receive
> subscription reminders...

There are standardized mail headers which help to manage mailing list
subscriptions. They are rarely used in commercial environments, though.

-- 
Florian Weimer
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99

From vesely at tana.it Mon May 23 11:15:28 2011
From: vesely at tana.it (Alessandro Vesely)
Date: Mon, 23 May 2011 11:15:28 +0200
Subject: [cooperation-wg] SMTP forwarding in the face of Data Protection Directive
In-Reply-To: <824o4lj3js.fsf@mid.bfk.de>
References: <4DD41654.70706@tana.it> <824o4lj3js.fsf@mid.bfk.de>
Message-ID: <4DDA25B0.7@tana.it>

On 23/May/11 09:09, Florian Weimer wrote:
> * Alessandro Vesely:
>
>> How is the data subject's consent acquired?
In response to the Data
>> Protection Directive, operators should have defined a protocol for
>> obtaining and keeping proof of the consent. It never happened.
>
> It seems to me that the industry has come up with a pretty widely
> adopted protocol: send a probe message to the mailbox, and if that is
> confirmed, include the address in the distribution list. At this point,
> the potential subscriber can also be told about list policies, including
> archival of messages submitted.

Mailing lists have been doing so for 40 years, they just miss proofs
of consent. OTOH, commercial newsletters collect consent once, in
writing, e.g. as a checkbox on a manually signed printed form, and
then skip confirming the email address. The latter behavior is
compliant with Directive 95/46/EC, but the relevant data cannot be
used for whitelisting because it is not machine-readable. Thus, we
(Europeans) suffer the downside of privacy laws without enjoying the
advantages.

In some cases, users may consent that their personal data be shared
with other newsletters. Such subscriptions are not going to be
notified to users: they'll receive messages without knowing how
senders got their addresses.

Finally, some brain damaged senders seek users' consent via email :-O

>> The users' advantage is to have an automatically maintained list of
>> subscriptions, and a uniform interface to manage them. Currently,
>> users have to interact with what can be called a "time-distributed
>> database", in the sense that monthly or yearly they may receive
>> subscription reminders...
>
> There are standardized mail headers which help to manage mailing list
> subscriptions. They are rarely used in commercial environments, though.

Yeah, if List-Id and List-Unsubscribe were used consistently, with SPF
or DKIM authentication, it would be possible to gather subscriptions
and unsubscriptions unilaterally at recipients'. But such bulk mailer
behavior is not currently specified by an official standard, AFAIK.
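
The recipient-side bookkeeping described in the message above (List-Id and List-Unsubscribe believed only when SPF or DKIM backs them), as an added example that is not part of the thread or of any list software. The authserv-id mx.recipient.example, the sample domains, the function names and the suffix-based alignment rule are assumptions made for illustration; it also assumes the border MTA strips incoming Authentication-Results headers that carry its own authserv-id.

```python
import re
from email import message_from_string

TRUSTED_AUTHSERV = "mx.recipient.example"  # assumption: authserv-id of our own border MTA

def authenticated_domains(msg):
    """Domains with an SPF or DKIM pass, per Authentication-Results added by our MTA."""
    domains = set()
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, results = value.partition(";")
        if authserv.strip().lower() != TRUSTED_AUTHSERV:
            continue  # written by another host, so not evidence
        for part in results.split(";"):
            passed = re.search(r"\b(dkim|spf)=pass\b", part)
            dom = re.search(r"\b(?:header\.d|smtp\.mailfrom)=(?:[^\s@;]*@)?([\w.-]+)", part)
            if passed and dom:
                domains.add(dom.group(1).lower())
    return domains

def record(registry, raw):
    """Add the list named in one received message to registry; return its id or None."""
    msg = message_from_string(raw)
    found = re.search(r"<([^<>\s]+)>", msg.get("List-Id", ""))
    if not found:
        return None
    list_id = found.group(1).lower()
    # Simplified alignment: the list id must sit under an authenticated domain.
    if not any(list_id == d or list_id.endswith("." + d) for d in authenticated_domains(msg)):
        return None  # List-Id claim not backed by SPF/DKIM
    registry[list_id] = re.findall(r"<([^<>\s]+)>", msg.get("List-Unsubscribe", ""))
    return list_id

# Constructed sample messages (not taken from the thread).
GENUINE = (
    "Authentication-Results: mx.recipient.example; dkim=pass header.d=lists.example\n"
    "List-Id: Demo list <demo.lists.example>\n"
    "List-Unsubscribe: <mailto:demo-leave@lists.example>, <https://lists.example/leave>\n"
    "\nhello\n")
MISALIGNED = GENUINE.replace("header.d=lists.example", "header.d=bulk.example")
FOREIGN_AR = GENUINE.replace("mx.recipient.example;", "mx.elsewhere.example;")

def demo():
    registry = {}
    results = [record(registry, m) for m in (GENUINE, MISALIGNED, FOREIGN_AR)]
    return results, registry

if __name__ == "__main__":
    print(demo())
```

Only the first sample is recorded: the second carries a DKIM pass for a domain unrelated to the claimed list, and the third relies on an Authentication-Results header that the recipient's own MTA did not write.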

From chrisb at ripe.net Mon May 30 10:45:48 2011
From: chrisb at ripe.net (chrisb at ripe.net)
Date: Mon, 30 May 2011 10:45:48 +0200 (CEST)
Subject: [cooperation-wg] IPv6 at EuroDIG
Message-ID: <64224.194.247.204.225.1306745148.squirrel@webmail.ripe.net>

Dear colleagues,

The EuroDIG conference (European Dialogue on Internet Governance) is
taking place today and tomorrow (30-31 May) in Belgrade, Serbia.

While the Critical Internet Resources section of the conference is being
devoted to new gTLD issues, the RIPE NCC is working with a number of other
groups to hold a side event on IPv6 adoption and the issues it raises for
Internet governance.

If you are attending the event, the discussion will take place at 11:30
(CET) on Tuesday morning. More information is available here:
http://www.eurodig.org/eurodig-2011/programme/plenary/side-events

Unfortunately, as a side event, remote participation will not be provided.
However, other plenary and workshop sessions at the conference feature
remote participation, including webcast, live stenography and Webex
participation. You can access these services from:
http://www.eurodig.org/webcast

Best regards,
Chris Buckridge
External Relations Officer, RIPE NCC

From chrisb at ripe.net Tue May 31 10:15:50 2011
From: chrisb at ripe.net (chrisb at ripe.net)
Date: Tue, 31 May 2011 10:15:50 +0200 (CEST)
Subject: [cooperation-wg] IPv6 at EuroDIG
In-Reply-To: <64224.194.247.204.225.1306745148.squirrel@webmail.ripe.net>
References: <64224.194.247.204.225.1306745148.squirrel@webmail.ripe.net>
Message-ID: <2572.194.247.204.225.1306829750.squirrel@webmail.ripe.net>

Dear colleagues,

A quick update - this session has now been moved to 14:00 (CET) today,
and will feature remote participation. The session will include input
from the RIPE NCC, ISOC UK and the European Commission, amongst others.
If you are interested in joining the discussion or simply listening in,
you can access the remote participation tools from:
http://www.eurodig.org/webcast

Chris

> Dear colleagues,
>
> The EuroDIG conference (European Dialogue on Internet Governance) is
> taking place today and tomorrow (30-31 May) in Belgrade, Serbia.
>
> While the Critical Internet Resources section of the conference is being
> devoted to new gTLD issues, the RIPE NCC is working with a number of other
> groups to hold a side event on IPv6 adoption and the issues it raises for
> Internet governance.
>
> If you are attending the event, the discussion will take place at 11:30
> (CET) on Tuesday morning. More information is available here:
> http://www.eurodig.org/eurodig-2011/programme/plenary/side-events
>
> Unfortunately, as a side event, remote participation will not be provided.
> However, other plenary and workshop sessions at the conference feature
> remote participation, including webcast, live stenography and Webex
> participation. You can access these services from:
> http://www.eurodig.org/webcast
>
>
> Best regards,
> Chris Buckridge
> External Relations Officer, RIPE NCC
>
>

From ford at isoc.org Tue May 31 10:59:05 2011
From: ford at isoc.org (Matthew Ford)
Date: Tue, 31 May 2011 09:59:05 +0100
Subject: [cooperation-wg] IPv6 at EuroDIG
In-Reply-To: <2572.194.247.204.225.1306829750.squirrel@webmail.ripe.net>
References: <64224.194.247.204.225.1306745148.squirrel@webmail.ripe.net> <2572.194.247.204.225.1306829750.squirrel@webmail.ripe.net>
Message-ID:

On 31 May 2011, at 09:15, chrisb at ripe.net wrote:

> ISOC UK

England, please.

Mat