[ripe-list] possible abuse case with our emails / spam from euromoney/capacitymedia

Hi Daniel,

Responding below in-line.

Regards,
Jordi
 
 

-----Mensaje original-----
De: ripe-list <ripe-list-bounces at ripe.net> en nombre de Daniel Karrenberg <dfk at ripe.net>
Fecha: lunes, 25 de febrero de 2019, 19:24
Para: RIPE Community <ripe-list at ripe.net>
Asunto: Re: [ripe-list] possible abuse case with our emails / spam from euromoney/capacitymedia

    
    
    On 23/02/2019 12:09, JORDI PALET MARTINEZ via ripe-list wrote:
    > ... I'm starting to wonder if it makes sense that the RIRs (IETF, ICANN, etc.), keeps publishing the list of attendees. There is any reason for that from the RIPE community or the RIPE NCC perspective? (please keep reading before responding)
    > 
    > I agree that this is very useful for the event participants itself, but it could be made available only for the participants, once they have checked-in (so they are on-site) and once they log-in only. This way we avoid people registering and actually not coming just to get the data.
    > 
    > This way also, if a participant is the one that is capturing the data, in addition to the consequences with the DPA, if identified, he/she can be banned for attending further RIR meetings. ...
    
    
    Jordi,
    
    I get more than 10 spams for each message I might want to actually read.
    I survive with automation and by paying the absolute minimum of effort
    on unwanted messages. I agree that SPAM is annoying. Therefore I
    normally stop doing business with those that 'loose' my mail addresses.
    Personally I am also a privacy advocate since the early 1970s, that's
    before the Internet became a threat. ;-)

I've the same problem and with a similar ratio approximately. However, for many reasons, I've around 20 live different emails accounts, so most of the time, those numbers are x10-x12 or close to that (fortunately not all the account receive all the spam copies). Fortunately, also, spamassassin is doing a good job and 90% of the spam is already pre-classified in the spam in-box, but I still need to take a "quick" lock into that every day, as to avoid that "fine-tuning" filters wanted emails as spam ones.

I don't think the people realize how damaging is the spam and the personal data collection. I know a lawyer who the court claimed 40.000 Euros because his case was lost because the email with the order for the audience was filtered as spam ... and that's without considering how much time per day we use in filtering emails ... millions of people.

For me they are criminals, and they deserve several years of jail, in addition to compensating people (automatically without courts, just claiming to the DPAs, in addition to the DPAs imposed fines). Unfortunately, in European-Roman law to get this compensation you need to invest in a case and demonstrate the judge for every cent (which is impossible), of damages they caused you ... British/American law looks better in the sense of allowing you to just claim an amount with compensates your time/damages.

I also decided several years ago to claim in the DPA those cases of persistent spam. Typically, about 1.000 claims per year. One day I should write an article about the email-marketing companies mafia around this ... and how they try to jump over the law ... but that's another topic and probably will require some journalist to get involved to complete a good research work.
    
    However we should not overreact to these practices and threats like you
    are suggesting!

I don't think I'm overreacting. I think that by default when registering into the events the publication of our names must be blocked (and you opt-in to allow it), except for other on-site participants. May be is already the case but didn't realized it before, because never got a suspicious that this is happening in our events. Now I've a different view, clearly.    

    I fully agree that the RIRs should spend reasonable efforts to prosecute
    abuse of the data we publish. However, publishing less as a reaction to
    this abuse needs very very careful consideration.

Ok, then let's make sure that we sent a clear signal that we are going to do that, and let's take legal actions against this criminal company that is at least saying the RIPE and LACNIC provide the data.
    
    Publishing the attendance lists is very useful for research and also for
    projecting openness and transparency. For instance Shane Kerr has worked
    on diversity from these published lists:
    https://labs.ripe.net/Members/shane/measuring-diversity-at-ripe-meetings.
    I personally am working on these lists right now in order to in support

I've not said that this must be banned for researchers. I think this is great, but we must have the control of at least know "this guy or group is using our data".

    developing the RIPE Chair selection procedure. We also publish mailing
    list archives that are a treasure trove for research and a means of
    storing our history and again being open and transparent.
    Working from published data is key here, because others can re-produce
    and check their research without needing any permission.

And it is extremely useful as well ! and now I'm wondering if GDPR allows that to be disclosed to anyone willing to consult the archive and not part of the list, if the subscriber express his willingness to not be disclosed, but that's another topic. It is just curiosity, I'm fine with that because don't think that is the source of the spam right now.
    
    Personally I strongly believe that the negative sides of publishing this
    data are negligible compared to the benefits. I just deal with the spam
    and other consequences and enjoy the benefits.

I think the way I suggested, and authorizing the access to researchers don't have any negative consequences, and probably GDPR, already mandate that our names are only published with explicit consent. We will need to look into that, if it has not been done already. From now on, I'm clear that I don't want my name in the public list.
   
    Banning people from RIPE meetings is so far out that I hope you will
    re-consider and withdraw that suggestion. Think it through a few steps
    please: OHow can we maintain openness, transparency and low threshold to
    participate once we do that? nce we start banning people where do we stop?

No, I don't think so. This is community decision. If somebody is abusing the community this way, we have the right the restrict their participation. May be they aren't coming to the meetings and they just got the info in the web site ... May be is just my opinion, maybe not, and others think the same way (they express it or not), may be this can't be done even if the community decides it and requires a court order, I don't know, but I have thought it several times before writing my previous email.

I've seen frequently surprising court orders, for example, banning people from using public transport when they use it to do robberies. This doesn't mean that the public transport is not open to all. I think it is very similar to our case for banning people abusing the system.

We may disagree, but everybody has different views of everything and that's perfectly fine.
    
    Best
    
    Daniel
    
    



**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.