Re: Monitoring, Flow Stats (Re: spam whore, norcal-systems)
Here is something germane to this thread.
Date: Tue, 02 Feb 1999 19:42:43 -0500
From: "vinton g. cerf" <vcerf@MCI.NET>
Subject: EC Directive on IP Addresses and Privacy
X-Sender: vcerf@shoe.reston.mci.net
To: "ISOC Members Discussion" <isoc-members-discuss@lyris.isoc.org>
Reply-To: ISOC Members Discussion <isoc-members-discuss@lyris.isoc.org>
List-Owner: <mailto:ISOC-members-discuss-owner@lyris.isoc.org>
X-Message-To: [rmeyer@mhsc.com]
I thought this would interest you - these are NOT my words but the words of the source of the message to me:
"Yesterday, I learned from a very well-placed U.S. Government source that European law enforcement officials have told their American counterparts that they interpret the E.C. Data Protection Directive as prohibiting Internet service providers from maintaining records of users' IP addresses unless necessary for service or billing. This position indicates that E.C. officials consider both dynamic and static IP addresses to be subject to the Directive as "personal data'...relating to an...identifiable natural person" under Article 2(a) of the Directive. Therefore, it is being interpreted that the European Directive prohibits the retention of dynamic IP addresses even by an ISP unless it is used for billing purposes (which is rarely the case).
If shared by others in the E.C., the position could have significant implications for Internet business models."
=================================================================
See you at INET'99, San Jose, CA, June 22-25, 1999
http://www.isoc.org/inet99/

___________________________________________________
Roeland M.J. Meyer -
e-mail: mailto:rmeyer@mhsc.com
Internet phone: hawk.lvrmr.mhsc.com
Personal web pages: http://staff.mhsc.com/~rmeyer
Company web-site: http://www.mhsc.com
___________________________________________________
KISS ... gotta love it!

On Wed, 3 Feb 1999, Roeland M.J. Meyer wrote:
> Here is something germane to this thread.
>
> Date: Tue, 02 Feb 1999 19:42:43 -0500
> From: "vinton g. cerf" <vcerf@MCI.NET>
> Subject: EC Directive on IP Addresses and Privacy
> ...

[Cerf quoting someone not named:]

> "Yesterday, I learned from a very well-placed U.S. Government source that European law enforcement officials have told their American counterparts that they interpret the E.C. Data Protection Directive as prohibiting Internet service providers from maintaining records of users' IP addresses unless necessary for service or billing. This position indicates that E.C. officials consider both dynamic and static IP addresses to be subject to the Directive as "personal data'...relating to an...identifiable natural person" under Article 2(a) of the Directive. Therefore, it is being interpreted that the European Directive prohibits the retention of dynamic IP addresses even by an ISP unless it is used for billing purposes (which is rarely the case).
>
> If shared by others in the E.C., the position could have significant implications for Internet business models."

While it isn't clear exactly what a "European law enforcement official" is or why they would be concerned with the Data Protection Directive, I can assure you that not only do European ISPs maintain Radius logs that tie dynamic IP addresses to user accounts but they are also strongly encouraged to do this by their national governments in most or all member states of the European Union.

In the UK, for example, the London Internet Exchange (the LINX) and ISPA UK, the trade association, have formally endorsed a Traceability BCP that includes as a recommended practice the archiving of Radius logs to allow spam and illegal content to be traced back to the responsible individual. I understand that in France ISPs are *required* to archive their Radius logs.

EuroISPA, the European ISP trade association, checked with officials at DG XV, the relevant directorate of the European Commission, for their opinion regarding the statements quoted above. So far their opinion appears to be that maintenance of such logs is OK so long as customers are aware that logs are being kept and the logs are not kept for too long.

We talked to DG XV this morning. We will continue to pursue this matter both with the European Commission and with the UK government until we have a good understanding of what our position is.

Incidentally, to the best of my knowledge non-compliance with the Data Protection Act is not a criminal matter. If you don't comply, you get sued.

--
Jim Dixon
VBCnet GB Ltd
http://www.vbc.net
tel +44 117 929 1316
fax +44 117 927 2015

participants (2)
- Jim Dixon
- Roeland M.J. Meyer