Re: [v6ops] [SUSPECTED SPAM] Google Alert

In 2003, I was involved with the EU working party (art. 29) in charge for the decision about considering or not IPs as personal data.

We didn’t succeed, and finally they concluded that IP is personal data.

My arguments, about that included many topics, including the possibility to use privacy addresses, many prefixes, and what Fred mentions, that there is no way you can actually say even if this is your computer, that any specific action is being done by you, a friend, a bot, or somebody that is using remotely your computer/network.

I also was explaining that the most interesting way for any “bad guy” to track someone, is actually not the IP address, but information disclosed by the browsers and many other apps that we commonly use. I recall having seen several web sites that actually dig into your browser and tell you how much you’re disclosing.

At the end, the EU courts accept that you, store IP data, like any other personal data that can be captured automatically, if you have a valid purpose for that (for operational purposes of the network), or it is your customer, but you disclose that data.

For example, to explain it better, I will do it with another type of personal data “emails”. I could capture in my database any email publicly found if I’ve a valid purpose for that (“I’m going to do a research of what are the most common domains or text used in emails”). To do so, you need to inform the data owner that you have registered it and the way he can access, amend, or cancel that data in your database. What I can’t do, for example, is to use that data to send any kind of commercial info which has not previous and explicitly accepted by the owner of the email. Not informing the user for having captured the email is an unlawful act, sending spam is another unlawful act. Both can be fined up to 600.000 euros by data protection agencies, and the owner can request also economical compensation for the use of his/her personal data in the courts.

Of course, if you’re customer of an operator, or customer from a hotspot, etc., you accept a contract, that explicitly should say that they are capturing that data (including IP) as it is required for the network operation, etc.

Regards,
Jordi

-----Mensaje original-----
De: v6ops <v6ops-bounces@ietf.org> en nombre de Fred Baker <fredbaker.ietf@gmail.com>
Responder a: <fredbaker.ietf@gmail.com>
Fecha: lunes, 30 de octubre de 2017, 3:41
Para: Mark Smith <markzzzsmith@gmail.com>
CC: "v6ops@ietf.org" <v6ops@ietf.org>, Tore Anderson <tore@fud.no>, Dave O'Reilly <rfc@daveor.com>
Asunto: Re: [v6ops] [SUSPECTED SPAM] Google Alert - IPv6

    > On Oct 29, 2017, at 11:48 PM, Mark Smith <markzzzsmith@gmail.com> wrote:
    > 
    > Geoff Huston's article on
    > 
    > Metadata Retention and the Internet
    > 
    > https://telsoc.org/ajtde/2015-04-v3-n1/a4
    > 
    > might be of interest.
    > 
    > "The Metadata Retention measures being considered in Australia make some sweeping assumptions about the semantics of IP addresses and their association with individual subscribers to the Internet. But are these assumptions warranted?"

    In that context, the European Data Retention Directive (which has now been struck down by the European Privacy Court) and the activities by the "Five Eyes" in that regard, notably the US NSA, have been very much about metadata. I asked a Dutch agency representative once what their reason for lawful intercept in general and metadata capture specifically was, and he indicated "mapping criminal networks". They wanted to determine who spoke with whom, with a view to identifying members of a community, presumably an evil community.

    I note that the European Privacy Court has (apparently) specified that an IP address is "Individually Identifiable Information", the kind of thing that might be discussed in https://tools.ietf.org/html/rfc7721. I have asked repeatedly what privacy folks think might be an IID below the application layer, and that is the one thing they have come up with. On the point, I would argue that data of that type is not *identification*, but it might be possible to correlate it with other information due to operational practice. To my mind, stomping out correlations is a game of whack-a-mole; someone that desperately wants to find a correlation will probably find something that mostly works for their purposes, even if they have to discard spurious correlations to do so. In my view, that's what we see here: we might be able to correlate an IP address with a computer or subscriber, but we can't stop people in a business or family from using each other's computers. It is at best an investigative tool, not proof of something in particular.
    _______________________________________________
    v6ops mailing list
    v6ops@ietf.org
    https://www.ietf.org/mailman/listinfo/v6ops

**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.consulintel.es
The IPv6 Company

This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.