Not being a lawyer, maybe I’m wrong, but I don’t think at least according the Spanish law, that if I anyone, a natural person, or an organization, provides a service to inform “who seems to be a spammer” or “what IP addresses or blocks” are frequently sending spam, if the natural person or the organization just keeps something to probe that there was spam or any other kind of abuse, is fine. Otherwise, all those web pages that have public information about BGP hijacking incidents, will be acting against the law as well. *how* you use that information to create filters for your servers, is *your* decision, not the organization providing that information source. Note that I fully understand your point, I can think on it as “they have a dominant position”. However, this is because they are trusted, not because they have got a government contract or anything like that to have it. If I start building a web page with all the spam, intrusion attempts, and other abuse cases that I receive in any of the networks that I care of, and cite in the web page all those companies that don’t care about those abuse cases, and across the years the community think “this is a valuable” service, let’s use it. AND I can keep the records of why I listed them. Do you think I’m doing anything illegal or wrong? Of course I will be doing something wrong if I list organizations with fake abuse reports, but not otherwise. Regards, Jordi @jordipalet El 8/7/20 16:47, "anti-abuse-wg en nombre de Alex de Joode" <anti-abuse-wg-bounces@ripe.net en nombre de alex@idgara.nl> escribió: Jordi, Transparency and accountability are key for services that act like a combined privatised police, court and penal force. Unfortunately Spamhaus does not deliver in that department. While the service certainly has merit, they sometimes feels warranted to enforce policies that hurt legal and valid business models like unmanaged hosting and cloud services, vpn's or tor-exits just to name a few. Judge, Jury and Executioner are 3 distinct roles in western democraties, this is for a reason. As a lot of organisations use Spamhaus, this means they have a fudiciary obligation to have clearand targetted policies, a speedy and transparant complaints procedure and they need to provide some form of arbitrage, just to ensure personal issues and preferences are not a factor. To describe Spamhaus usage as "It is up to each individual or organization to use them or not." fundamentally mislabels their position in the abuse handling ecosystem. (it is a bit like arguing we have a working abuse@ mail address, but do not handle abuse at all) -- IDGARA | Alex de Joode | alex@idgara.nl | +31651108221 | Skype:adejoode On Wed, 08-07-2020 15h 08min, JORDI PALET MARTINEZ via anti-abuse-wg <anti-abuse-wg@ripe.net> wrote: In a couple of occasions (many years ago), some of the IPs under my responsibility, were listed at spamhaus. I contacted them and got delisted, no problem. Of course, after that I took measures so my IP addresses are never involved even by accident, in any "bad" activity: it is my duty. My conclusion is that it offers a good service, which I can use or not, it is my decision. I think services such as spamhaus are good, and I don't know if legally they need to be "registered". I could, as a natural person, so no need for registration if is not a business (no incomes), make this kind of service, for free, and for privacy reasons, and understanding that I may be damaging high-level criminal activities, seek my personal and family protection by not disclosing my real data. I don't think there is nothing wrong about that, because I'm not "forcing" anyone to trust my service or use it, or anything similar. It is up to each individual or organization to use them or not. If ISP a, b, and c, are abusing my network in any way, and I decide to create a public web page to list them, if I can keep the demonstration of that, there is no court that can tell me "you're doing something illegal". I'm just telling the world "those guys have abused my network, you can use it to filter them to avoid having the same trouble", and I can do that I an anonymous way. That said, I think it is a bad excuse to say that there is no login to protect freedom of speech. You can do login but not provide that data to "bad" governments. Only if your own country LEA ask for it, because there was a criminal activity on that connection you will need to provide the data. This is the same for *any* other service. I can't agree that VPN's are a different thing. Note that I'm not trying to say if this or that service is good or bad, but to say that rules are made for all. Regards, Jordi @jordipalet ********************************************** IPv4 is over Are you ready for the new Internet ? http://www.theipv6company.com The IPv6 Company This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.