In article <Pine.LNX.4.64.1805301436410.25696@yuri.anime.net> you write:
http://www.circleid.com/posts/20180527_icann_files_legal_action_against_doma...
Elliot said that if he had to choose between fighting ICANN and fighting governments, he'd fight ICANN. I can't blame him. http://www.tucows.com/tucows-statement-on-icann-legal-action/ R's, John
And here is the court decision, https://www.icann.org/en/system/files/files/litigation-icann-v-epag-request-... gotta love the German wisdom: The Application for preliminary injunction of May 25, 2018 is rejected at the expense of the Applicant. "Insofar as the Applicant bases its claim to relief on a parallel of the so-called "WHOIS" system to international agreements on trade mark registers, the Chamber is unable to follow this. The legal basis for the trademark registers on the basis of international agreements is missing in relation to the "WHOIS" service claimed by the Applicant. The fundamental comparability of the respective general need for protection does not change this." ________________________________ From: NANOG <nanog-bounces@nanog.org> on behalf of John Levine <johnl@iecc.com> Sent: Wednesday, May 30, 2018 11:16:08 PM To: nanog@nanog.org Subject: Re: ICANN GDPR lawsuit In article <Pine.LNX.4.64.1805301436410.25696@yuri.anime.net> you write:
http://www.circleid.com/posts/20180527_icann_files_legal_action_against_doma...
Elliot said that if he had to choose between fighting ICANN and fighting governments, he'd fight ICANN. I can't blame him. http://www.tucows.com/tucows-statement-on-icann-legal-action/ R's, John
On 31/05/2018 08:14, Badiei, Farzaneh wrote: Gotta love the EU logic: https://inews.co.uk/news/uk/gdpr-eu-commission-not-compliant/ The European Commission is not GDPR compliant even though it was responsible for the new GDPR law "The European Commission has insisted it is *not subject to the strict new data protection law* that it has imposed across Europe after it was revealed the personal information of hundreds of people had been leaked on its website. " -Hank
And here is the court decision, https://www.icann.org/en/system/files/files/litigation-icann-v-epag-request-...
gotta love the German wisdom:
The Application for preliminary injunction of May 25, 2018 is rejected at the expense of the Applicant.
"Insofar as the Applicant bases its claim to relief on a parallel of the so-called "WHOIS" system to international agreements on trade mark registers, the Chamber is unable to follow this. The legal basis for the trademark registers on the basis of international agreements is missing in relation to the "WHOIS" service claimed by the Applicant. The fundamental comparability of the respective general need for protection does not change this."
On Wed, 6 Jun 2018 08:01:35 +0300, Hank Nussbacher <hank@efes.iucc.ac.il> may have written:
"The European Commission has insisted it is *not subject to the strict new data protection law* that it has imposed across Europe after it was revealed the personal information of hundreds of people had been leaked on its website. "
Neglecting where it goes on to say "it would be subject to a new law that “mirrors” GDPR which will come into effect in the autumn.". -- Mike Meredith, University of Portsmouth Hostmaster, Security, and Chief Systems Engineer
FWIW a German court has just ruled against ICANN's injunction and in favor of Tucows/EPAG. https://www.icann.org/news/announcement-4-2018-05-30-en -- -Barry Shein Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
On Thu, 31 May 2018, bzs@theworld.com wrote:
FWIW a German court has just ruled against ICANN's injunction and in favor of Tucows/EPAG. https://www.icann.org/news/announcement-4-2018-05-30-en
Welcome to contact-free whois? -Dan
On 05/31/2018 02:37 PM, Dan Hollis wrote:
On Thu, 31 May 2018, bzs@theworld.com wrote:
FWIW a German court has just ruled against ICANN's injunction and in favor of Tucows/EPAG. https://www.icann.org/news/announcement-4-2018-05-30-en
Welcome to contact-free whois?
-Dan
Already been bitten by it and trying to get the contact info reinstated. -- John PGP Public Key: 412934AC
On 31/05/2018 21:44, John Peach wrote:
On 05/31/2018 02:37 PM, Dan Hollis wrote:
On Thu, 31 May 2018, bzs@theworld.com wrote:
FWIW a German court has just ruled against ICANN's injunction and in favor of Tucows/EPAG. https://www.icann.org/news/announcement-4-2018-05-30-en
Welcome to contact-free whois?
-Dan
Already been bitten by it and trying to get the contact info reinstated.
The entire whois debacle will only get resolved when some hackers attack www.eugdpr.org, ec.europa.eu and some other key .eu sites. When the response they get will be "sorry, we can't determine who is attacking you since that contravenes GDPR", will the EU light bulb go on that something in GDPR needs to be tweaked. -Hank
* hank@efes.iucc.ac.il (Hank Nussbacher) [Fri 01 Jun 2018, 06:56 CEST]:
The entire whois debacle will only get resolved when some hackers attack www.eugdpr.org, ec.europa.eu and some other key .eu sites. When the response they get will be "sorry, we can't determine who is attacking you since that contravenes GDPR", will the EU light bulb go on that something in GDPR needs to be tweaked.
Please stop inciting lawbreaking, and stop spreading long debunked talking points. Both are really inappropriate for this list. -- Niels.
On 01/06/2018 15:24, niels=nanog@bakker.net wrote:
* hank@efes.iucc.ac.il (Hank Nussbacher) [Fri 01 Jun 2018, 06:56 CEST]:
The entire whois debacle will only get resolved when some hackers attack www.eugdpr.org, ec.europa.eu and some other key .eu sites. When the response they get will be "sorry, we can't determine who is attacking you since that contravenes GDPR", will the EU light bulb go on that something in GDPR needs to be tweaked.
Please stop inciting lawbreaking, and stop spreading long debunked talking points. Both are really inappropriate for this list.
-- Niels.
The point was not to encourage law breaking. Sorry if that what was perceived. The point is that the people who designed GDPR did not take whois into consideration in the least. And we all will suffer because of that. -Hank
On 06/01/2018 05:24 AM, niels=nanog@bakker.net wrote:
* hank@efes.iucc.ac.il (Hank Nussbacher) [Fri 01 Jun 2018, 06:56 CEST]:
The entire whois debacle will only get resolved when some hackers attack www.eugdpr.org, ec.europa.eu and some other key .eu sites. When the response they get will be "sorry, we can't determine who is attacking you since that contravenes GDPR", will the EU light bulb go on that something in GDPR needs to be tweaked.
Please stop inciting lawbreaking, and stop spreading long debunked talking points. Both are really inappropriate for this list.
OK, then let's talk about something that IS appropriate for this list. How does your shop, Niels, go about making contact with an operator that is hijacking one of your netblocks, or is doing something weird with routing that is causing your customers problems, or has broken BGP? I will say right now that in large shops, the owner is NOT the right contact. In fact, if things are broken enough you may not be able to send email to the owner -- he could be isolated. The registration authorities want the owner contact for legal reasons. We poor sods in the trenches need tech contacts, preferably contacts with clue. In other words, how do you do your job in light of the GDPR restrictions on accessing contact information for other network operators? Please be specific. A lot of NOC policies and procedures will need to be updated. Right now my policies and procedures book says to use WHOIS. What needs to change?
On 06/01/2018 08:47 AM, Stephen Satchell wrote:
On 06/01/2018 05:24 AM, niels=nanog@bakker.net wrote:
* hank@efes.iucc.ac.il (Hank Nussbacher) [Fri 01 Jun 2018, 06:56 CEST]:
The entire whois debacle will only get resolved when some hackers attack www.eugdpr.org, ec.europa.eu and some other key .eu sites. When the response they get will be "sorry, we can't determine who is attacking you since that contravenes GDPR", will the EU light bulb go on that something in GDPR needs to be tweaked.
Please stop inciting lawbreaking, and stop spreading long debunked talking points. Both are really inappropriate for this list.
OK, then let's talk about something that IS appropriate for this list. How does your shop, Niels, go about making contact with an operator that is hijacking one of your netblocks, or is doing something weird with routing that is causing your customers problems, or has broken BGP?
I will say right now that in large shops, the owner is NOT the right contact. In fact, if things are broken enough you may not be able to send email to the owner -- he could be isolated. The registration authorities want the owner contact for legal reasons. We poor sods in the trenches need tech contacts, preferably contacts with clue.
In other words, how do you do your job in light of the GDPR restrictions on accessing contact information for other network operators?
Please be specific. A lot of NOC policies and procedures will need to be updated.
Right now my policies and procedures book says to use WHOIS. What needs to change?
$dayjob has approaching 800 domains registered, of which a handful are set up for email and the hostmaster address was on only one of those. We only discovered the problem when a certificate authority attempted to contact us for one of the other domains. At that point I found that Network Solutions had removed all our contact information and trying to find someone with a clue at NetSol is nigh on impossible. -- John PGP Public Key: 412934AC
* list@satchell.net (Stephen Satchell) [Fri 01 Jun 2018, 14:51 CEST]:
How does your shop, Niels, go about making contact with an operator that is hijacking one of your netblocks, or is doing something weird with routing that is causing your customers problems, or has broken BGP?
The same as we do now, by posting on NANOG "Can someone from ASx / largetelco.com contact me offlist?" -- Niels.
On Jun 1, 2018, at 10:21 AM, niels=nanog@bakker.net wrote:
* list@satchell.net (Stephen Satchell) [Fri 01 Jun 2018, 14:51 CEST]:
How does your shop, Niels, go about making contact with an operator that is hijacking one of your netblocks, or is doing something weird with routing that is causing your customers problems, or has broken BGP?
The same as we do now, by posting on NANOG "Can someone from ASx / largetelco.com contact me offlist?”
Seriously? You’ve been around long enough to know thats a bull$&^% answer. Feel free to look through the archives of *this* list and look at how many times some $random handle at some $random privacy protected or generic domain asks for someone from $bignetwork to contact them about a network problem. Take you for example. You’ve been around for at least 15-20 years that I recall. But I bet you that 80% of the people on NANOG have *no* idea who you are or who you work for, and given the “useful" information on your website, an op would have to take the time to google you - which is way above the threshold of effort most people would take. And that preassumes that the ops from the tiny little network leaking your routes is actually a) subscribed here, and b) monitoring or filtering appropriately. And before you talk about the fact you stated “ largetelco(dot)com” I would bet that there are large telco’s who don’t have op’s like us who waste their time on NANOG. So, instead of the suggestion you provided, do you have any other suggestions that are useful? I’m asking seriously, because I really do see this as a problem we all have to be able to solve as operators. I believe this is absolutely on-topic for one of the NANOG lists because this is a 100% operational problem, that has appears to have as its only GDPR acceptable solution alternative, following a manual/email thread from *your* next hop network, requesting contacts/intros all the way down to the dumba$$ BGP speaking edge network with a part-time routing guy/antenna installer. /rlj
On Jun 3, 2018, at 14:17 , Rodney Joffe <rjoffe@centergate.com> wrote:
On Jun 1, 2018, at 10:21 AM, niels=nanog@bakker.net wrote:
* list@satchell.net (Stephen Satchell) [Fri 01 Jun 2018, 14:51 CEST]:
How does your shop, Niels, go about making contact with an operator that is hijacking one of your netblocks, or is doing something weird with routing that is causing your customers problems, or has broken BGP?
The same as we do now, by posting on NANOG "Can someone from ASx / largetelco.com contact me offlist?”
Seriously? You’ve been around long enough to know thats a bull$&^% answer.
Feel free to look through the archives of *this* list and look at how many times some $random handle at some $random privacy protected or generic domain asks for someone from $bignetwork to contact them about a network problem.
Take you for example. You’ve been around for at least 15-20 years that I recall. But I bet you that 80% of the people on NANOG have *no* idea who you are or who you work for, and given the “useful" information on your website, an op would have to take the time to google you - which is way above the threshold of effort most people would take.
And that preassumes that the ops from the tiny little network leaking your routes is actually a) subscribed here, and b) monitoring or filtering appropriately. And before you talk about the fact you stated “ largetelco(dot)com” I would bet that there are large telco’s who don’t have op’s like us who waste their time on NANOG.
So, instead of the suggestion you provided, do you have any other suggestions that are useful? I’m asking seriously, because I really do see this as a problem we all have to be able to solve as operators. I believe this is absolutely on-topic for one of the NANOG lists because this is a 100% operational problem, that has appears to have as its only GDPR acceptable solution alternative, following a manual/email thread from *your* next hop network, requesting contacts/intros all the way down to the dumba$$ BGP speaking edge network with a part-time routing guy/antenna installer.
/rlj
Yeah, what Niels is really leaving out here is the open question of whether or not GDPR will eventually lead to the destruction of Peering DB. Owen
Yeah, what Niels is really leaving out here is the open question of whether or not GDPR will eventually lead to the destruction of Peering DB.
Owen
Of course it will not. We just need to accept that only roles not people are published. Those people will change job anyway and nobody updates whois. GDPR does not apply to companies, so you can still publish the owner of domains and IP prefixes as company names with contact information. Regards Baldur
On Jun 3, 2018, at 22:44 , Baldur Norddahl <baldur.norddahl@gmail.com> wrote:
Yeah, what Niels is really leaving out here is the open question of whether or not GDPR will eventually lead to the destruction of Peering DB.
Owen
Of course it will not. We just need to accept that only roles not people are published. Those people will change job anyway and nobody updates whois.
GDPR does not apply to companies, so you can still publish the owner of domains and IP prefixes as company names with contact information.
Regards
Baldur
Much of the information in Peering DB is people. In fact, IIRC, peering DB doesn’t really have “role” accounts. Peering DB is unrelated to whois. Owen
man. 4. jun. 2018 20.58 skrev Owen DeLong <owen@delong.com>:
Much of the information in Peering DB is people. In fact, IIRC, peering DB doesn’t really have “role” accounts.
Peering DB is unrelated to whois.
Owen
No actually I just checked and peeringdb has none of my personal information. It has the phone number and email address for our NOC. This is just company info and does not go to a specific person. As long that is an option, peeringdb can also allow people to publish their direct contact information. It is true opt in when the alternative works just as well. Do not make more of it than needs to be. Regards Baldur
Peering DB is also a directory service. The only 'service' they provide is to distribute contact information. Therefor maintaining and distributing information is in fact 'essential'. Further, Peering DB make it easy to remove contact information. The difference in legal systems makes Peering DB a very low risk in the EU. Whois is more 'at risk' because it doesn't require individual information to maintain a net block. BUT, most whois can be handled by role accounts and privacy guard services. Best practice is to use role accounts. Privacy guard deals with the now rare condition where a net block is owned by an individual. Most domain name services have provided a privacy guard option for years. Most network providers simply want an email address that works. I don't really care if it is joe or the purple people eater as long as it gets a response from an intelligent entity that can fix a routing issue. For this purpose a level 1 tech capable of escalating an issue counts as an intelligent entity. Mack -----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Owen DeLong Sent: Monday, June 04, 2018 12:58 PM To: Baldur Norddahl <baldur.norddahl@gmail.com> Cc: nanog@nanog.org Subject: Re: ICANN GDPR lawsuit
On Jun 3, 2018, at 22:44 , Baldur Norddahl <baldur.norddahl@gmail.com> wrote:
Yeah, what Niels is really leaving out here is the open question of whether or not GDPR will eventually lead to the destruction of Peering DB.
Owen
Of course it will not. We just need to accept that only roles not people are published. Those people will change job anyway and nobody updates whois.
GDPR does not apply to companies, so you can still publish the owner of domains and IP prefixes as company names with contact information.
Regards
Baldur
Much of the information in Peering DB is people. In fact, IIRC, peering DB doesn’t really have “role” accounts. Peering DB is unrelated to whois. Owen E-MAIL CONFIDENTIALITY NOTICE: The contents of this e-mail message and any attachments are intended solely for the addressee(s) and may contain confidential and/or legally privileged information. If you are not the intended recipient of this message or if this message has been addressed to you in error, please immediately alert the sender by reply e-mail and then delete this message and any attachments. If you are not the intended recipient, you are notified that any use, dissemination, distribution, copying, or storage of this message or any attachment is strictly prohibited.
GDPR doesn't play well with directory listing services. BUT since providing contact information is exactly what a directory listing service does, It is safe to assume that this is 'essential' under GDPR. Ie. Unlike the US, an EU judge would find it silly that you signed up for a directory listing Service and were upset they listed your contact information. Similarly keeping contact Information of entities you have an ongoing peering relationship with would be essential. In physical terms, a milk delivery company has to keep track of its customers addresses and Billing information in order to deliver the milk and bill the customers. GDPR doesn't want individuals information collected or retained that isn't essential to providing services, nor can you share that information without permission unless it is essential. Obviously that is a one run-on sentence over simplification of a regulation that could take many volumes to fully decipher. Unlike the US, EU law is based on fairness and reasonableness so generally their society is not as litigious. Mack -----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Owen DeLong Sent: Sunday, June 03, 2018 10:00 PM To: Rodney Joffe <rjoffe@centergate.com> Cc: NANOG <nanog@nanog.org> Subject: Re: ICANN GDPR lawsuit
On Jun 3, 2018, at 14:17 , Rodney Joffe <rjoffe@centergate.com> wrote:
On Jun 1, 2018, at 10:21 AM, niels=nanog@bakker.net wrote:
* list@satchell.net (Stephen Satchell) [Fri 01 Jun 2018, 14:51 CEST]:
How does your shop, Niels, go about making contact with an operator that is hijacking one of your netblocks, or is doing something weird with routing that is causing your customers problems, or has broken BGP?
The same as we do now, by posting on NANOG "Can someone from ASx / largetelco.com contact me offlist?”
Seriously? You’ve been around long enough to know thats a bull$&^% answer.
Feel free to look through the archives of *this* list and look at how many times some $random handle at some $random privacy protected or generic domain asks for someone from $bignetwork to contact them about a network problem.
Take you for example. You’ve been around for at least 15-20 years that I recall. But I bet you that 80% of the people on NANOG have *no* idea who you are or who you work for, and given the “useful" information on your website, an op would have to take the time to google you - which is way above the threshold of effort most people would take.
And that preassumes that the ops from the tiny little network leaking your routes is actually a) subscribed here, and b) monitoring or filtering appropriately. And before you talk about the fact you stated “ largetelco(dot)com” I would bet that there are large telco’s who don’t have op’s like us who waste their time on NANOG.
So, instead of the suggestion you provided, do you have any other suggestions that are useful? I’m asking seriously, because I really do see this as a problem we all have to be able to solve as operators. I believe this is absolutely on-topic for one of the NANOG lists because this is a 100% operational problem, that has appears to have as its only GDPR acceptable solution alternative, following a manual/email thread from *your* next hop network, requesting contacts/intros all the way down to the dumba$$ BGP speaking edge network with a part-time routing guy/antenna installer.
/rlj
Yeah, what Niels is really leaving out here is the open question of whether or not GDPR will eventually lead to the destruction of Peering DB. Owen E-MAIL CONFIDENTIALITY NOTICE: The contents of this e-mail message and any attachments are intended solely for the addressee(s) and may contain confidential and/or legally privileged information. If you are not the intended recipient of this message or if this message has been addressed to you in error, please immediately alert the sender by reply e-mail and then delete this message and any attachments. If you are not the intended recipient, you are notified that any use, dissemination, distribution, copying, or storage of this message or any attachment is strictly prohibited.
man. 4. jun. 2018 17.31 skrev McBride, Mack <C-Mack.McBride@charter.com>:
GDPR doesn't play well with directory listing services. BUT since providing contact information is exactly what a directory listing service does, It is safe to assume that this is 'essential' under GDPR.
No it is very clear that publishing private information about individuals is in fact not necessary to assign netblocks and domains to companies. It is a little less clear when the ressource is assigned to an individual. But considering there already exist privacy options for domains, the same solutions could be implemented for other ressource types. Regards Baldur Regards Baldur
at 2:40 PM, Baldur Norddahl <baldur.norddahl@gmail.com> wrote:
man. 4. jun. 2018 17.31 skrev McBride, Mack <C-Mack.McBride@charter.com>:
GDPR doesn't play well with directory listing services. BUT since providing contact information is exactly what a directory listing service does, It is safe to assume that this is 'essential' under GDPR.
No it is very clear that publishing private information about individuals is in fact not necessary to assign netblocks and domains to companies.
It is a little less clear when the ressource is assigned to an individual. But considering there already exist privacy options for domains, the same solutions could be implemented for other ressource types.
It occurs to me that operators might want to opt-in to have their data published through PeeringDB. From a purely pragmatic standpoint, I won’t peer with anyone I can’t reach out to and if you don’t have a 24/7 NOC chances are good that you’re going to get depeered the first time there’s a technical issue and I can’t reach you for help. An academic exercise, for sure. But one that would render this line of thinking rather moot.
man. 4. jun. 2018 20.56 skrev Daniel Corbe <dcorbe@hammerfiber.com>:
It occurs to me that operators might want to opt-in to have their data published through PeeringDB. From a purely pragmatic standpoint, I won’t peer with anyone I can’t reach out to and if you don’t have a 24/7 NOC chances are good that you’re going to get depeered the first time there’s a technical issue and I can’t reach you for help.
An academic exercise, for sure. But one that would render this line of thinking rather moot.
If it is a true 24/7 NOC you can not possibly expect a specific person to answer the call. It will be whoever is on duty or on call at that time. You do not need a name. Just the number and the email address. And that is exactly what many operators put into peeringdb as is. No changes needed. Regards Baldur
PeeringDB is already 100% opt-in. Mack -----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Daniel Corbe Sent: Monday, June 04, 2018 12:56 PM To: Baldur Norddahl <baldur.norddahl@gmail.com> Cc: nanog@nanog.org Subject: Re: ICANN GDPR lawsuit at 2:40 PM, Baldur Norddahl <baldur.norddahl@gmail.com> wrote:
man. 4. jun. 2018 17.31 skrev McBride, Mack <C-Mack.McBride@charter.com>:
GDPR doesn't play well with directory listing services. BUT since providing contact information is exactly what a directory listing service does, It is safe to assume that this is 'essential' under GDPR.
No it is very clear that publishing private information about individuals is in fact not necessary to assign netblocks and domains to companies.
It is a little less clear when the ressource is assigned to an individual. But considering there already exist privacy options for domains, the same solutions could be implemented for other ressource types.
It occurs to me that operators might want to opt-in to have their data published through PeeringDB. From a purely pragmatic standpoint, I won’t peer with anyone I can’t reach out to and if you don’t have a 24/7 NOC chances are good that you’re going to get depeered the first time there’s a technical issue and I can’t reach you for help. An academic exercise, for sure. But one that would render this line of thinking rather moot. E-MAIL CONFIDENTIALITY NOTICE: The contents of this e-mail message and any attachments are intended solely for the addressee(s) and may contain confidential and/or legally privileged information. If you are not the intended recipient of this message or if this message has been addressed to you in error, please immediately alert the sender by reply e-mail and then delete this message and any attachments. If you are not the intended recipient, you are notified that any use, dissemination, distribution, copying, or storage of this message or any attachment is strictly prohibited.
There is a major difference between a directory listing service where the primary goal is to advertise potentially protected information and a domain registration or net block registration where the information is secondary and its dissemination is not what you are actually requesting. Remember peering DB has a sole purpose of disseminating names, phone numbers and email addresses. Mack From: Rubens Kuhl [mailto:rubensk@gmail.com] Sent: Tuesday, June 05, 2018 1:41 PM To: McBride, Mack <C-Mack.McBride@charter.com> Cc: Daniel Corbe <dcorbe@hammerfiber.com>; Baldur Norddahl <baldur.norddahl@gmail.com>; nanog@nanog.org Subject: Re: ICANN GDPR lawsuit On Tue, Jun 5, 2018 at 4:31 PM, McBride, Mack <C-Mack.McBride@charter.com<mailto:C-Mack.McBride@charter.com>> wrote: PeeringDB is already 100% opt-in. Domain registration is also opt-in, and still registrars, registries and ICANN have to change things to comply with GDPR. Rubens E-MAIL CONFIDENTIALITY NOTICE: The contents of this e-mail message and any attachments are intended solely for the addressee(s) and may contain confidential and/or legally privileged information. If you are not the intended recipient of this message or if this message has been addressed to you in error, please immediately alert the sender by reply e-mail and then delete this message and any attachments. If you are not the intended recipient, you are notified that any use, dissemination, distribution, copying, or storage of this message or any attachment is strictly prohibited.
If they are hijacking a netblock, it is safe to assume they will also hijack an ASN. The best method of dealing with hijacking is still deaggregation and contacting Upstreams providers from a registered whois address which should be a role account. Mack -----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Rodney Joffe Sent: Sunday, June 03, 2018 3:17 PM To: NANOG <nanog@nanog.org> Subject: Re: ICANN GDPR lawsuit
On Jun 1, 2018, at 10:21 AM, niels=nanog@bakker.net wrote:
* list@satchell.net (Stephen Satchell) [Fri 01 Jun 2018, 14:51 CEST]:
How does your shop, Niels, go about making contact with an operator that is hijacking one of your netblocks, or is doing something weird with routing that is causing your customers problems, or has broken BGP?
The same as we do now, by posting on NANOG "Can someone from ASx / largetelco.com contact me offlist?”
Seriously? You’ve been around long enough to know thats a bull$&^% answer. Feel free to look through the archives of *this* list and look at how many times some $random handle at some $random privacy protected or generic domain asks for someone from $bignetwork to contact them about a network problem. Take you for example. You’ve been around for at least 15-20 years that I recall. But I bet you that 80% of the people on NANOG have *no* idea who you are or who you work for, and given the “useful" information on your website, an op would have to take the time to google you - which is way above the threshold of effort most people would take. And that preassumes that the ops from the tiny little network leaking your routes is actually a) subscribed here, and b) monitoring or filtering appropriately. And before you talk about the fact you stated “ largetelco(dot)com” I would bet that there are large telco’s who don’t have op’s like us who waste their time on NANOG. So, instead of the suggestion you provided, do you have any other suggestions that are useful? I’m asking seriously, because I really do see this as a problem we all have to be able to solve as operators. I believe this is absolutely on-topic for one of the NANOG lists because this is a 100% operational problem, that has appears to have as its only GDPR acceptable solution alternative, following a manual/email thread from *your* next hop network, requesting contacts/intros all the way down to the dumba$$ BGP speaking edge network with a part-time routing guy/antenna installer. /rlj E-MAIL CONFIDENTIALITY NOTICE: The contents of this e-mail message and any attachments are intended solely for the addressee(s) and may contain confidential and/or legally privileged information. If you are not the intended recipient of this message or if this message has been addressed to you in error, please immediately alert the sender by reply e-mail and then delete this message and any attachments. If you are not the intended recipient, you are notified that any use, dissemination, distribution, copying, or storage of this message or any attachment is strictly prohibited.
On Fri, Jun 1, 2018 at 8:47 AM, Stephen Satchell <list@satchell.net> wrote:
In other words, how do you do your job in light of the GDPR restrictions on accessing contact information for other network operators?
Please be specific. A lot of NOC policies and procedures will need to be updated.
Publish role accounts in whois instead of personal information? Sorry, I don't mean to break up an energetic tirade but a phone number is not PII when it's attached to "hostmaster" instead of "John Doe". You and I like knowing that there's a specific person there and it certainly helps when auditing public policy compliance but as a technical matter contact doesn't have to work that way. I noticed that Namecheap solved their GDPR problem by simply making their "WhoisGuard" product free. Regards, Bill Herrin -- William Herrin ................ herrin@dirtside.com bill@herrin.us Dirtside Systems ......... Web: <http://www.dirtside.com/>
The whois guard solution seems workable where the registrar just forwards information. It would be nice if there were corporate phone numbers as GDPR doesn't apply to corporations. For routing whois information there aren't going to be many individuals and it would seem that the corporations who employee individuals should be the ones protecting those individuals work emails by providing a generic contact email forward. Which is good practice anyway since people leave and go on vacation and problems still happen. And the routing whois information is a lot more relevant to most of us here. Of course anyone posting to a public list should be aware that their email address is part of that information. Which is particularly relevant to this list. Mack -----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of William Herrin Sent: Friday, June 01, 2018 9:24 AM To: list@satchell.net Cc: nanog@nanog.org Subject: Re: ICANN GDPR lawsuit On Fri, Jun 1, 2018 at 8:47 AM, Stephen Satchell <list@satchell.net> wrote:
In other words, how do you do your job in light of the GDPR restrictions on accessing contact information for other network operators?
Please be specific. A lot of NOC policies and procedures will need to be updated.
Publish role accounts in whois instead of personal information? Sorry, I don't mean to break up an energetic tirade but a phone number is not PII when it's attached to "hostmaster" instead of "John Doe". You and I like knowing that there's a specific person there and it certainly helps when auditing public policy compliance but as a technical matter contact doesn't have to work that way. I noticed that Namecheap solved their GDPR problem by simply making their "WhoisGuard" product free. Regards, Bill Herrin -- William Herrin ................ herrin@dirtside.com bill@herrin.us Dirtside Systems ......... Web: <http://www.dirtside.com/> E-MAIL CONFIDENTIALITY NOTICE: The contents of this e-mail message and any attachments are intended solely for the addressee(s) and may contain confidential and/or legally privileged information. If you are not the intended recipient of this message or if this message has been addressed to you in error, please immediately alert the sender by reply e-mail and then delete this message and any attachments. If you are not the intended recipient, you are notified that any use, dissemination, distribution, copying, or storage of this message or any attachment is strictly prohibited.
On 06/01/2018 09:37 AM, McBride, Mack wrote:
For routing whois information there aren't going to be many individuals and it would seem that the corporations who employee individuals should be the ones protecting those individuals work emails by providing a generic contact email forward. Which is good practice anyway since people leave and go on vacation and problems still happen. And the routing whois information is a lot more relevant to most of us here.
+1 Perhaps the Right Thing(SM) to do is to update the best practices documents regarding role e-mail accounts for network operators. 1. Add "networkmaster@example.com" to the list of required role accounts. 2. Require that e-mail sent to role "networkmaster@example.com" be accessible in some way by all technical people for the network in question. This can be done using a ticket system, or a simple mail exploder. 3. Require that e-mail sent to role account "abuse@example.com" by accessible in some way by all members of the abuse desk. This can be done using a ticket system, or a simple mail exploder. 4. Require the WHOIS information specify exactly these role accounts for TECH and ABUSE, not a person. This gets around the GDPR requirements while maintaining the usefulness of the WHOIS without having to go through an intermediate party or web site. ICANN may want to consider this idea when adjusting its contracts with registrars to eliminate GDPR exposure.
On Fri, Jun 1, 2018 at 1:56 AM, Hank Nussbacher <hank@efes.iucc.ac.il> wrote:
On 31/05/2018 21:44, John Peach wrote:
On 05/31/2018 02:37 PM, Dan Hollis wrote:
On Thu, 31 May 2018, bzs@theworld.com wrote:
FWIW a German court has just ruled against ICANN's injunction and in favor of Tucows/EPAG. https://www.icann.org/news/announcement-4-2018-05-30-en
Welcome to contact-free whois?
-Dan
Already been bitten by it and trying to get the contact info reinstated.
The entire whois debacle will only get resolved when some hackers attack www.eugdpr.org, ec.europa.eu and some other key .eu sites. When the response they get will be "sorry, we can't determine who is attacking you since that contravenes GDPR", will the EU light bulb go on that something in GDPR needs to be tweaked.
Usually, identifying attackers at other online services is a duty on RIR directories, and even the RIPE one is not suffering that many changes due to GDPR. Also, GDPR doesn't prevent law enforcement access. Rubens
On Mon, 4 Jun 2018, Rubens Kuhl wrote:
On Fri, Jun 1, 2018 at 1:56 AM, Hank Nussbacher <hank@efes.iucc.ac.il> wrote: Usually, identifying attackers at other online services is a duty on RIR directories, and even the RIPE one is not suffering that many changes due to GDPR.
Also, GDPR doesn't prevent law enforcement access.
It might be desirable to provide enough contact information to mitigate issues before it has to end up in the hands of law enforcement. black hats and bullet proof hosting are definitely going to enjoy using gdpr to hide behind though. -Dan
On Mon, Jun 4, 2018 at 9:34 PM, Dan Hollis <goemon@sasami.anime.net> wrote:
On Mon, 4 Jun 2018, Rubens Kuhl wrote:
On Fri, Jun 1, 2018 at 1:56 AM, Hank Nussbacher <hank@efes.iucc.ac.il> wrote: Usually, identifying attackers at other online services is a duty on RIR directories, and even the RIPE one is not suffering that many changes due to GDPR.
Also, GDPR doesn't prevent law enforcement access.
It might be desirable to provide enough contact information to mitigate issues before it has to end up in the hands of law enforcement.
Specifically on gTLD domains GDPR effects, domain contacts will still be reachable thru a web-form or short-term anonymised email. European ccTLDs adopted a myriad of solutions but they usually trend towards maintaining reachability somehow.
black hats and bullet proof hosting are definitely going to enjoy using gdpr to hide behind though.
Like they already do signing up for domain privacy services ? Currently, only the poor criminals or the newbie ones do not elect privacy when registering domains. Rubens
whoisnt On Thu, May 31, 2018 at 2:37 PM, Dan Hollis <goemon@sasami.anime.net> wrote:
On Thu, 31 May 2018, bzs@theworld.com wrote:
FWIW a German court has just ruled against ICANN's injunction and in favor of Tucows/EPAG. https://www.icann.org/news/announcement-4-2018-05-30-en
Welcome to contact-free whois?
-Dan
-- :o@>
participants (17)
-
Badiei, Farzaneh
-
Baldur Norddahl
-
bzs@theworld.com
-
Dan Hollis
-
Daniel Corbe
-
Hank Nussbacher
-
John Levine
-
John Peach
-
McBride, Mack
-
Mike Meredith
-
niels=nanog@bakker.net
-
Oliver O'Boyle
-
Owen DeLong
-
Rodney Joffe
-
Rubens Kuhl
-
Stephen Satchell
-
William Herrin