This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/anti-abuse-wg@ripe.net/
[anti-abuse-wg] EU Data Protection
Ronald F. Guilmette
rfg at tristatelogic.com
Wed Nov 5 10:31:04 CET 2014
In message <20141105063836.GB58573 at cilantro.c4inet.net>,
Sascha Luck <lists-ripe at c4inet.net> wrote:

>>So there is no trace... no chain of documentation on how an AS got to
>>be an AS. Is that correct? Is that really what you are telling me?
>
>It is not. There is a contract for every independent resource assigned
>after -525 came into force and when Phase 3 is completed, there will be
>contracts for legacy ASN/PI resources also.
>These contracts are confidential and not public information. On this
>side of the pond, we call it "data protection" and it is the law.

I admit to being eager to be further educated, by you and/or others, about the law of which you speak, and especially how it may relate to the disbursement, or lack thereof, of various bits of information held by RIPE NCC.

As a result of your response, I've already tried to educate myself, at least a little bit, about the subject of "data protection" regulation within the EU. I began here, and started reading:

    http://en.wikipedia.org/wiki/Data_Protection_Directive

Of course, I don't take anything appearing in Wikipedia as being the absolute correct and final word on any subject, so perhaps, since you know about the law you have referred to... at least presumably a bit better than this ignorant American, who has never had to deal with it or live under it... perhaps you can explain one or two small points which are still eluding me.

To begin with, I noticed this within the above Wikipedia page:

    Scope

    Personal data are defined as "any information relating to an identified or identifiable natural person ("data subject");...

I am assuming that, in this context, "natural person" has the same meaning on both your side of the pond and mine, i.e. a carbon-based life form, and an entity composed of flesh and blood. Does that term have that meaning also within the EU?

Assuming, just for the sake of argument, that it does, I am wondering how the EU data protection law applies to the particular sorts of entities that typically register ASNs within the EU. I'll just pick one at random, for the purposes of example... let's say the AS from which you sent the e-mail message to which I am now responding, AS47720.

It appears from the RIPE data base record for AS47720... a record which I believe is generally available, without restriction, to the public at large on all parts of planet earth, and in some cases perhaps even beyond... that the entity that registered AS47720 is known as, or wishes to be known as "Chip Electronic Services Limited".

So, um, using that as just an arbitrary, but perhaps representative example of the kinds of entities that might typically register ASNs with RIPE NCC, and assuming that this entity is not in fact a "natural person", per se... at least as I understand that term... I am left rather befuddled, because Wikipedia seems to say that EU data protection only applies to "natural persons" and yet it seems that you just asserted the opposite, i.e. that the registrant of AS47720... or of any arbitrary AS for that matter... is entitled to have its name and, perhaps more importantly, any and all other identifying details protected under EU data protection regulations.

So, um, which view is correct? Do EU data protection regulations apply to all European entities, natural or otherwise, as it seems you have said? Or do they in fact only apply to natural persons, as Wikipedia says?

If the latter, then it remains unclear why... as you seem to have asserted... "{all} contracts {with RIPE} are confidential and not public information". Do EU data protection regulations prevent RIPE from being open and transparent with respect to the contracts which it has entered into with things which are not "natural persons", e.g. Chip Electronic Services Limited?

Well, leaving that aside for the moment, even if, as I believe you have correctly stated, RIPE, which is resident within the EU and which deals with EU data, is obligated to obey EU data protection directives... either for all entities it has data on or only the natural ones... I do confess that I am still terrifically puzzled by your assertion that RIPE is somehow obligated to keep *everything* secret. I am puzzled by that assertion for the simple reason that it seems self evident that in fact RIPE does not do so.

Even though RIPE is clearly subject to EU data protection regulations, I, here in the United States, just now had no trouble at all fetching from the RIPE data base the following record, which, I believe, contains some very specific types of "protected" information relating to _both_ a legal (business) entity _and_ also to a protected "natural person":

=========================================================================
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Information related to 'JS6689-RIPE'

person: Jerry Sweeney
address: Cork Internet Exchange Hollyhill Ind. Estate Cork, Ireland
e-mail: js at cix.ie
phone: +353 21 4854300
nic-hdl: JS6689-RIPE
mnt-by: MNT-CIX
changed: sascha at cix.ie 20100622
source: RIPE

% This query was served by the RIPE Database Query Service version 1.75 (DB-1)
=========================================================================

So, as I say, I am perplexed. You tell me that RIPE has a legal obligation to protect secrecy/privacy, and I _do_ believe you. The several online articles I've read on the subject this evening are all quite clear that this is indeed correct.

Nonetheless, the clear evidence which is right before my eyes (and which is reproduced just above) would seem to indicate that it, RIPE NCC, has found some legally tenable way around these draconian EU privacy regulations. If it had not, then how was it able to send me the above data base record without some humorless unforgiving EU data protection commissar coming down on them like the proverbial ton of bricks?

And if, as would seem to be the case, RIPE *has* indeed found a legally viable way to be transparent about certain things... e.g. the entries in its data base... even while still remaining within bounds of EU data protection regulations... then why can it not do so also with respect to all those contracts that it signs with things which are not natural persons?

I do look forward to being enlightened on both of the above points.

Regards,
rfg

P.S. I learned something relevant today. The web-based WHOIS service for the .EU TLD _will_ show the user full contact details for any domain which is registered by something other than a natural person. Those details are however suppressed, selectively, in the WHOIS output, but only in cases where the registrant is a natural person.

Anyway, the point is that the operators of the .EU registry seem to have mastered this dichotomy... between "natural" and other-than-natural registrants... and to have done so within the EU data protection legal framework, even while being as transparent as possible. Is there some specific reason that I am not aware of why RIPE cannot do likewise?