Re: [db-wg] Fwd: proposal: new attribute 'geofeed:
I guess I am not understanding something. Why do we need a geofeed attribute? What problem are we trying to solve? I understand why each block of IPs needs to be associated with a country, so that certain language specific auto-customizations will work. But what purpose is there to know that a /24 is in central Amsterdam? Is the purpose to assist marketers in geo-targetted sales? Is the purpose for network engineering (not sure what major problem we have that needs this)? Is the purpose to know where you are so that in the event of an emergency (terror, tornado, etc) you can get emergency targeted alerts? If so, then the geofeed has to be at the /32 level and since many if not most IPs are mobile, and that is where you will get the alert from - from your cellphone provider, I still don't quite understand the reason for a geofeed tag. Can someone clue me in? Thanks, Hank Caveat: The views expressed above are solely my own and do not express the views or opinions of my employer
HI Hank, colleagues Whilst I can't answer your basic question, I could say that if the IETF approves a change to RPSL, with the RIPE Database data model based on RPSL, in principle we should implement the RPSL change. Perhaps another question, to the RIPE NCC legal team, if I have a fixed IP address or block of addresses, is this geofeed location data personal data under the terms of GDPR? cheers denis co-chair DB-WG On Wed, 6 Jan 2021 at 07:01, hank--- via db-wg <db-wg@ripe.net> wrote:
I guess I am not understanding something. Why do we need a geofeed attribute? What problem are we trying to solve?
I understand why each block of IPs needs to be associated with a country, so that certain language specific auto-customizations will work. But what purpose is there to know that a /24 is in central Amsterdam? Is the purpose to assist marketers in geo-targetted sales? Is the purpose for network engineering (not sure what major problem we have that needs this)?
Is the purpose to know where you are so that in the event of an emergency (terror, tornado, etc) you can get emergency targeted alerts? If so, then the geofeed has to be at the /32 level and since many if not most IPs are mobile, and that is where you will get the alert from - from your cellphone provider, I still don't quite understand the reason for a geofeed tag.
Can someone clue me in?
Thanks, Hank
Caveat: The views expressed above are solely my own and do not express the views or opinions of my employer
Dear members, GDPR is quite specific about personal data: ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; If the geofeed doesn't contain the above mentioned means to directly or indirectly identify a natural person then GDPR don't apply, especially if the geofeed refers only to a country or province. In general anonymization is assumed with K > 5, e.g. geographic information covering more than 5 natural persons. RIPE should be on the safe side if such geographic information refers to a province, region or country. (This is a brief summary of a discussion with Dr. Jur. Christoph Tschohl about this topic) Much more critical are the 100k or maybe even millions of RIPE-db entries, containing name and street address of natural persons which are under the sole control of RIPE. Best regards, MiKa On 2021-01-07 15:59, denis walker via db-wg wrote:
HI Hank, colleagues
[... ...]
Perhaps another question, to the RIPE NCC legal team, if I have a fixed IP address or block of addresses, is this geofeed location data personal data under the terms of GDPR?
cheers denis co-chair DB-WG
If the geofeed doesn't contain the above mentioned means to directly or indirectly identify a natural person then GDPR don't apply, especially if the geofeed refers only to a country or province.
note that the geofeed spec, RFC8805, is separate from the rpsl-based means to find the geofeed files, draft-ietf-opsawg-finding-geofeeds. i was not involved in the geofeed spec, but it was done by friends of the family who gossip :) i was told that the reason there is no postal code in the geofeed file spec is because, in some cases, it resolves with sufficient precision to identify individuals. randy
On 2021-01-08 18:15, Randy Bush via db-wg wrote:
If the geofeed doesn't contain the above mentioned means to directly or indirectly identify a natural person then GDPR don't apply, especially if the geofeed refers only to a country or province.
note that the geofeed spec, RFC8805, is separate from the rpsl-based means to find the geofeed files, draft-ietf-opsawg-finding-geofeeds.
that wouldn't make a difference here. if the RIPE database points immediately to personal information GDPR applies.
i was not involved in the geofeed spec, but it was done by friends of the family who gossip :)
i was told that the reason there is no postal code in the geofeed file spec is because, in some cases, it resolves with sufficient precision to identify individuals.
randy
the precision of postal codes (e.g. in great britain) is a good point! MiKa
As far as I'm aware, since IP addresses _can_ uniquely identify a person (think of static IPs offered by some ISPs), it is considered personal data by authorities. GDPR leaves a huge grey area that is up to interpretation, which in practice boils down to companies trying to avoid even said grey area and keeping a very strict GDPR policy. Been there, done that (doing that, in fact). Painful as it is, that's the law. Agoston On Sun, Jan 10, 2021 at 7:36 AM Michael Kafka via db-wg <db-wg@ripe.net> wrote:
On 2021-01-08 18:15, Randy Bush via db-wg wrote:
If the geofeed doesn't contain the above mentioned means to directly or indirectly identify a natural person then GDPR don't apply, especially if the geofeed refers only to a country or province.
note that the geofeed spec, RFC8805, is separate from the rpsl-based means to find the geofeed files, draft-ietf-opsawg-finding-geofeeds.
that wouldn't make a difference here. if the RIPE database points immediately to personal information GDPR applies.
i was not involved in the geofeed spec, but it was done by friends of the family who gossip :)
i was told that the reason there is no postal code in the geofeed file spec is because, in some cases, it resolves with sufficient precision to identify individuals.
randy
the precision of postal codes (e.g. in great britain) is a good point!
MiKa
If the geofeed doesn't contain the above mentioned means to directly or indirectly identify a natural person then GDPR don't apply, especially if the geofeed refers only to a country or province.
note that the geofeed spec, RFC8805, is separate from the rpsl-based means to find the geofeed files, draft-ietf-opsawg-finding-geofeeds.
that wouldn't make a difference here. if the RIPE database points immediately to personal information GDPR applies.
cool! i was in need of an authoritative legal opinion. when are we removing the key-cert: and person: objects?
the precision of postal codes (e.g. in great britain) is a good point!
as today's legal authority, can you tell me if gdpr applies to all parts of the british isles? asking for a friend. randy
Randy Bush via db-wg wrote on 10/01/2021 23:36:
as today's legal authority, can you tell me if gdpr applies to all parts of the british isles? asking for a friend.
If you're referring to the UK, the EU GDPR no longer applies there, at least not since our close colleagues left the EU. They still use the UK Data Protection Act 2018, which is based on the EU GDPR though, and which provides full equivalence. The EU GDPR does apply to the Republic of Ireland (which remains part of the EU), but not Northern Ireland, which is part of the UK. UK post codes only identify the area where someone lives, so cannot be used to identify individuals, and therefore would be unlikely to be covered by the UK Data Protection Act 2018. OTOH, each RoI postcode identifies an exact building, so there would be a case that there were GDPR implications there. Nick
Hi guys GDPR applies to the entire RIPE Database because the RIPE NCC, who operate the database, is based in the EU. It does not matter where the data subject or data maintainer is based. cheers denis co-chair DB-WG On Mon, 11 Jan 2021 at 13:43, Nick Hilliard via db-wg <db-wg@ripe.net> wrote:
Randy Bush via db-wg wrote on 10/01/2021 23:36:
as today's legal authority, can you tell me if gdpr applies to all parts of the british isles? asking for a friend.
If you're referring to the UK, the EU GDPR no longer applies there, at least not since our close colleagues left the EU. They still use the UK Data Protection Act 2018, which is based on the EU GDPR though, and which provides full equivalence.
The EU GDPR does apply to the Republic of Ireland (which remains part of the EU), but not Northern Ireland, which is part of the UK.
UK post codes only identify the area where someone lives, so cannot be used to identify individuals, and therefore would be unlikely to be covered by the UK Data Protection Act 2018. OTOH, each RoI postcode identifies an exact building, so there would be a case that there were GDPR implications there.
Nick
Hi Randy On Mon, 11 Jan 2021 at 19:07, Randy Bush <randy@psg.com> wrote:
Hi guys
ahem
GDPR applies to the entire RIPE Database because the RIPE NCC, who operate the database, is based in the EU.
appreciate the legal opinion. how come person: objects are allowed?
I asked this very specific question about coverage of GDPR over the data set quite recently to the NCC's legal team and that is the answer they gave me. PERSON objects are not allowed in the way they are currently used...we need to do something about that...(I am working on it :) ) cheers denis co-chair DB-WG
randy
Greetings, I still see "purpose" on having person: objects in the database. Contact information for networks and abuse contacts need to be available to anyone. I consider these contacts to be professional, not personal. If anyone has the same personal and professional details, they don't stop to be professional by that fact. A new postal address is not something which is "free", but it is a service that can be subscribed in most places, right? A new EU NIS2 directive is also upcoming. I hope the need for whois/rdap/whatever accurate data could be clarified in some of its articles. Regards, Carlos On Mon, 11 Jan 2021, Randy Bush via db-wg wrote:
Hi guys
ahem
GDPR applies to the entire RIPE Database because the RIPE NCC, who operate the database, is based in the EU.
appreciate the legal opinion. how come person: objects are allowed?
randy
I still see "purpose" on having person: objects in the database.
the network manager handbook used to sit on my desk. i used it a lot. whois has become less and less useful. randy
Hi Michael,
On 8 Jan 2021, at 15:16, Michael Kafka via db-wg <db-wg@ripe.net> wrote:
Dear members,
...
Much more critical are the 100k or maybe even millions of RIPE-db entries, containing name and street address of natural persons which are under the sole control of RIPE.
Best regards,
MiKa
If you are referring to PERSON objects, then out of 2 million PERSON objects in the RIPE database, only 14,841 are maintained by the RIPE NCC. 13,277 of these are (previously unmaintained) locked person objects, which we are in the process of cleaning up. The vast majority of PERSON objects are referenced from inet(6)num allocations and assignments (i.e. maintained by LIRs and End Users). Regards Ed Shryane RIPE NCC
participants (8)
-
Carlos Friaças
-
denis walker
-
Edward Shryane
-
hank@interall.co.il
-
Horváth Ágoston János
-
Michael Kafka
-
Nick Hilliard
-
Randy Bush