[anti-abuse-wg] Analysis of the Legal Framework and Procedures Proposed by the Data Protection Task Force

lists at help.org wrote:

>>After reading that page, I still cannot see a direct relevance to the
> NCC's services or procedures.
> 
> I believe

Well, so this may - or may not - be true.

> DomainTools.com also downloads  the RIR's

There are 5 of them, so which one(s)?

> whois database and
> repackages and sells the data along with historical whois data from the
> domain registrars.

>From an RIR's point of view, I presume the domain registry stuff is not
relevant. Maybe the combining and re-packaging can be used as another
argument for violating the AUP(s).

> Isn't that related to the Data Protection Task
> Force legal framework?

I think so, but the linked page didn't include any reference to an IP
Resource Registry. I may have missed that though.

>  The report says certain procedures and policies
> were put in place to prevent downloads because it supposedly violates
> some type of data protection laws.

Indeed, both on the administrative side (AUPs), as well as on the technical
plane (query limits, anonymizing data before allowing bulk access,...) But
I am pretty sure that you als do know, that almost each and every technical
measure can be subverted, given a strong (and/or financial) interest :-)

>  Yet there is a company doing that
> and they don't seem to be concerned about the law and they seem to be
> freely selling the data.

Again, a pretty week term: "seem", together with "believe", there isn't too
much flesh on the bones to get the legal folks involved, isn't it? They would
certainly ask for proof or credible leads, before getting their fingers wet
and putting their organisation at (at least a financial) risk.

>  Do these Data Protection laws actually apply
> to this situation

They probably do in one way or another, details to be worked out on a case by
case basis.

> or are these laws being broken and not enforced?

The (legal) enforcement is potentially an entirely different story again, in an
international environment, depending on where the breach happened (which part?=,
and where the offender can (potentially) be prosecuted or taken to court.

> Or maybe some other explanation?  It is all unclear to me.

Now, moving a away some distance from "mere" AUP or (C) violations...

If you are really interested in getting a handle on "bad stuff" on the Internet,
you could try to get involved in the security and incident handling ballpark. (I
am to some degeree). Personally, I am convinced that the IP Resource Registry
environment is the wrong tree to bark at, in general.

There's a whole infrastructure out there (law enforcement, voluntary, commercial,
incident response teams, national CERTs,...) that is active with this respect. The
RIRs are at the far out periphery of that, at best, although they try to support
the "pros" where they can...

Hth.
Wilfried.

Note: I am not representing the NCC with my comments here. But I was a member of
      the DPTF. And I sometimes get a glance at or information about "funny stuff".