This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/
[db-wg] 2022-01 New Version Policy Proposal (Personal Data in the RIPE Database)
Ronald F. Guilmette
rfg at tristatelogic.com
Mon Jun 20 07:02:17 CEST 2022
In message <CAKvLzuFA0y8mOzPiiy4tHBCRUNUBbQgJc-DD54E-S+0TW=StiA at mail.gmail.com>
denis walker <ripedenis at gmail.com> wrote:

>The RIPE NCC does not enter or maintain the data in question and will not
>be obscuring anything.

Alright then. Who exactly ARE you proposing to assign the task of redacting the snail-mail address fields to?

>As an armchair lawyer you have totally failed. GDPR does require the
>purposes of the database to justify the processing of personnel data. The
>current defined purposes do not do this for this data.

I see. So I am a rank amateur while you however are licensed to dispense legal opinions. Would it be inappropriate then for me to ask to see a copy of -your- law license?

More to the point, even if you were correct in your assessment of applicable GDPR provisions... and I do not by any means concede that you are... then might it not also and likewise be successfully argued that GDPR requires RIPE to redact all natural person phone numbers, email addresses, and even their names? And if that is true, then why aren't you proposing THAT even more extensive set of (forced) redactions?

>> I am opposed to there being an -official- condoning and/or (even worse) an
>> official -enforcement- of deliberate obfuscation of any fields of the
>> WHOIS data base.
>
>So voluntary obfuscation is ok?

As a practical matter, it hardly matters whether *I* think it is OK or not. As you yourself noted, it is being done, right now, by many parties, whether you or I like it or not, and regardless of whether it is officially condoned or not. People who felt some need for such "privacy" have already implemented their own "self serve" WHOIS privacy without any prompting or encouragement from any of us.

I personally view this as a problem, but as long as RIPE has zero rules and zero procedures which would prevent members from putting whatever they like into their WHOIS records, people are going to do whatever they like.

So really, the only question before us now is: Do we want to "officially" encourage this sort of thing, or do we want to officially discourage this sort of thing. I want the latter, while you want the former.

>Some telecom companies enter hundreds of thousands of customer details into
>the RIPE Database including personal names and addresses.

Really? Name two.

>These people, in
>reality, have probably never heard of the RIPE Database or the RIPE NCC.
>These are the very people GDPR is intended to protect.

Wait! In the scenario you've just described... which I have yet to be persuaded is even something that's actually going on... if the natural persons who had their names, email addresses, phone numbers, and street addresses exposed as a result of the (alleged) actions of these (alleged) telecoms were to actually sue somebody for these blatant affronts to their privacy rights, then who would they sue? RIPE? Or those wayward and careless telecoms that, in the first instance, dispensed all this personal information in clear violation of GDPR?

It seems to me that in the scenario as you've described it, it is the telecoms alone that would be clearly and solely at fault for the egregious spilling of PII in clear contravention to the edicts of GDPR, and that RIPE would bear -zero- liability or responsibility for the unnecessary transmittal or publication of private data.

Consider an analogy: I run a dry cleaning shop in Hamburg. You are my friend. One day I let you into my back office and let you copy down the names and addresses of many, most, or all of my customers. You then go back home to the U.S.A. or to Zimbabwe, or at any rate to some jurisdiction where GDPR does not apply. You then put all those names and addresses on your public web site? Who is liable for this "leak" of PII, under GDPR? Me or you?

I am really looking forward to seeing your list of EU telecoms that are doing bulk transfers, willy nilly, of customer PII, into the RIPE data base.

>> What gives you or anyone the right to take away a member's rights to have
>> their true and actual mailing address in their own public WHOIS records?
>
>Again you simply don't understand the issue. "their true and actual". This
>address is 'defined' in the database documentation as "The postal address
>of a contact related to the organisation". That can be anyone based in any
>location in the world, as Europol have discovered.

Sounds like a definite problem to me! So let's fix that. Let's require *at least* the REAL name and address of each member to be present in that member's public WHOIS record.

Every new member has to submit some identifying documents at the time they first become members, right? If it is a corporation, then a copy of the formal and legal incorporation document(s) must be submitted as part of the application process. If it is a person, then either a copy of that person's passport or some other form of government-issued identification document must be submitted as part of the new/prospective member's application for membership, right?

So we take this "real" member name & address info, copy it off those bona fide documents, and stick the same data into the member's public-facing WHOIS record. Is this just, like, too simple, or what?

As I have said, if there are natural person journalists, or activists, or other folks who have other issues pertaining to lifestyle or whatever, and who can make at least a prima facie case that they need to have both (a) number resources AND also (b) privacy of their PII, then allow NCC to accept their requests to be exempt from publication of their PII on a case by case basis. For everybody else however, what you see (in the public WHOIS) is what you get, i.e. the real names and the real addresses.

Problem solved! And everybody's happy.

The only people who could be against this are people intent on committing fraud or some other kind of nefarious skulduggery on the Internet WHILE USING THEIR ASSIGNED NUMBER RESOURCES.

>> So now, why don't you re-submit this proposal and instead propose that *all*
>> mailing address information, including even the country name, be redacted
>> from the data base for *all* members?
>
>It will be optional.

Wait... WHAT??? Could you please repeat that? I want to make sure that even the people way in the back heard that.

So your -actual- proposal is to make *all* WHOIS information for *all* classes of RIPE members "optional"???

Take your time. If you misspoke, then by all means, please rephrase so as to clarify what you really meant to say.

Regards,
rfg