Objection: RE: [admin] Re: EU Official: IP Is Personal

2008-01-28 Thread michael.dillon

> Folks, we'd like to ask that this thread die a quick and 
> painful death. It's gone off topic and it seems to have run 
> whatever short course that it tried. 

I agree.

> While what Europe does 
> is interesting to us as network operators, this is European 
> policy and off topic for NANOG.

Whoa there! You need to re-read the first line of the NANOG
mission statement

  The purpose of NANOG is to provide forums in the North American
  region for education and the sharing of knowledge for the
  Internet operations community. 

In other words, the NA part of NANOG refers to the location of
the forums, *NOT* the scope of the discussions. The Internet
operations community is global in scope and it is natural for
our discussions to also be global in scope. 

Since many North American network operators have infrastructure
in Europe (PoPs, colocated servers) they have to be aware of
uniquely European Internet issues.

And when it comes to solving a domestic problem, nothing puts
things in perspective more than comparing how others approach
the problem.

--Michael Dillon



Is 7bits enough? (was: Re: [admin] Re: EU Official: IP Is Personal)

2008-01-26 Thread Eric Brunner-Williams


My note of yesterday didn't make it to the list, which happens from time 
to time,
but as I'm not asking about automobile licenses or number portability, 
this might

make it past the rather broad kill-this-thread administrative dicta.

Hi,

We (the P3P Spec WG circa pre-9/11) didn't specify what would reasonably 
render
a v6 addr non-PII, and we didn't provide guidance on v4 addrs, other 
than the 7bit

mask.

Since I'm the only former contributor to that activity who gets NANOG mail,
if any of you who have ideas on either of those two forms of endpoint 
identifiers
and PII, if you send them to me, I'll summarize for the purpose of 
offering a specific

update to our final work product, P3P 1.1 [1].

I'll extract the MAC-to-v4 comments for PII in a LAN environment,
which we ignored in the P3P Spec WG.

Eric

[1]  http://www.w3.org/TR/P3P11/



[admin] Re: EU Official: IP Is Personal

2008-01-25 Thread Martin Hannigan

Folks, we'd like to ask that this thread die a quick and painful
death. It's gone off topic and it seems to have run whatever short
course that it tried. While what Europe does is interesting to us as
network operators, this is European policy and off topic for NANOG.

Best Regards,

Martin Hannigan
NANOG Mailing List Comittee




On Jan 25, 2008 3:22 PM, Joseph S D Yao <[EMAIL PROTECTED]> wrote:
>
> On Fri, Jan 25, 2008 at 10:49:48AM +0200, Hank Nussbacher wrote:
> ...
> > I wouldn't be suprised if in a few years some EU/US law mandates IP number
> > portability, just like people have with their cellphones.  Imagine what
> > that will do to the routing tables.  How many /32s can we get into the
> > RIBs these days?  :-)
>
>
> And yet that is said to be one of the advantages of IPv6.
>
>
>
> --
> Joe Yao
> Qinetiq NA / Analex Contractor
>


Re: EU Official: IP Is Personal

2008-01-25 Thread Joseph S D Yao

On Fri, Jan 25, 2008 at 10:49:48AM +0200, Hank Nussbacher wrote:
...
> I wouldn't be suprised if in a few years some EU/US law mandates IP number 
> portability, just like people have with their cellphones.  Imagine what 
> that will do to the routing tables.  How many /32s can we get into the 
> RIBs these days?  :-)


And yet that is said to be one of the advantages of IPv6.


-- 
Joe Yao
Qinetiq NA / Analex Contractor


Re: EU Official: IP Is Personal

2008-01-25 Thread Roland Perry


In article <[EMAIL PROTECTED]>, Stephane Bortzmeyer 
<[EMAIL PROTECTED]> writes



in the UK it [phone number portability] 's done with something
similar to DNS. The telephone system looks up the first N digits of
the number to determine the operator it was first issued to. And
places a query to them. That either causes the call to be accepted
and routed, or they get an answer back saying "sorry, that number
has been ported to operator FOO-TEL, go ask them instead".


What happens when a phone number is ported twice, from BAR-TEL to
FOO-TEL and then to WAZ-TEL? Does the call follows the list? What if
there is a loop?


In the UK, for landlines there are generally only two operators 
available: BT and Virgin (the now sole brand for cable phones). So WAZ 
doesn't exist, all you can do is go back to BAR.


For mobiles, I've never heard of a restriction so it's probably the case 
that the donor network stays the same, but the recipient records are 
updated to point to WAZ instead of FOO.



The solution you describe does not look like the DNS to me. A solution
more DNS-like would be to have a root (which is not an operator)
somewhere and every call triggers a call to the root which then
replies, "send to WAS-TEL".


That's the scheme which was proposed in 2002, and which I'm a bit 
surprised isn't yet deployed (watch the space called ukporting.com [1], 
apparently). However, the current mobile scheme isn't very far off that.


[1] Why not ukporting.org.uk ??
--
Roland Perry


Re: EU Official: IP Is Personal

2008-01-25 Thread Owen DeLong


I don't know about your IP addresses, but, people can use my IP  
addresses

from a number of locations which are nowhere near the jurisdiction in
which my network operates, so, I don't really see the correlation  
here

with license plates or phone numbers.


I'm not clear if you mean legitimately here, or not.  If you've  
authorised
people to relay traffic through you in some way, you'd be the right  
first
contact.  If you're talking about unauthorised spoofing, it's a lot  
like
the first two cases (I'd say a fair bit easier / cheaper than the  
second,

not substantially more so than the first).


In my case, yes, 100% legitimately.

I can be contacted, but, the reality is that I don't track it.  I am  
no longer

in direct contact with a number of people who have legitimate use of
my IP addresses.  If I find them doing something I consider abuse, then,
I'll turn off the access.  However, I don't maintain contact  
information or

the ability to personally identify the correlation between the person
and the access.  So far, abuse has been rare enough that this has
not been an issue.  I've had to turn off two services I used to provide
as a result of abuse in approximately 20 years of operating a network
here.

Owen



Re: EU Official: IP Is Personal

2008-01-25 Thread Owen DeLong



On Jan 25, 2008, at 6:05 AM, Stephane Bortzmeyer wrote:



On Fri, Jan 25, 2008 at 10:42:44AM +,
Roland Perry <[EMAIL PROTECTED]> wrote
a message of 15 lines which said:


in the UK it [phone number portability] 's done with something
similar to DNS. The telephone system looks up the first N digits of
the number to determine the operator it was first issued to. And
places a query to them. That either causes the call to be accepted
and routed, or they get an answer back saying "sorry, that number
has been ported to operator FOO-TEL, go ask them instead".


What happens when a phone number is ported twice, from BAR-TEL to
FOO-TEL and then to WAZ-TEL? Does the call follows the list? What if
there is a loop?

The solution you describe does not look like the DNS to me. A solution
more DNS-like would be to have a root (which is not an operator)
somewhere and every call triggers a call to the root which then
replies, "send to WAS-TEL".


There is a shared root in the US SS7 system.

The security of said root follows a rather interesting model.  At  
least until
fairly recently, any "trusted" carrier (LEC, ILEC, RBOC, or IEC) could  
put

pretty much whatever they wanted into the database.

Of course, the consequence of getting caught with your hand in the  
cookie
jar there was sufficient that it tended to prevent invalid entries  
other than
by accident, but, still, it was a remarkable trust model for such an  
industry.


Owen



Re: EU Official: IP Is Personal

2008-01-25 Thread Stephane Bortzmeyer

On Fri, Jan 25, 2008 at 10:42:44AM +,
 Roland Perry <[EMAIL PROTECTED]> wrote 
 a message of 15 lines which said:

> in the UK it [phone number portability] 's done with something
> similar to DNS. The telephone system looks up the first N digits of
> the number to determine the operator it was first issued to. And
> places a query to them. That either causes the call to be accepted
> and routed, or they get an answer back saying "sorry, that number
> has been ported to operator FOO-TEL, go ask them instead".

What happens when a phone number is ported twice, from BAR-TEL to
FOO-TEL and then to WAZ-TEL? Does the call follows the list? What if
there is a loop?

The solution you describe does not look like the DNS to me. A solution
more DNS-like would be to have a root (which is not an operator)
somewhere and every call triggers a call to the root which then
replies, "send to WAS-TEL".



Re: EU Official: IP Is Personal

2008-01-25 Thread Roland Perry


In article <[EMAIL PROTECTED]>, Andy 
Davidson <[EMAIL PROTECTED]> writes


Tunnels all over the place seems like the only way it'd even be 
halfway practical. It's more-or-less how phone number portability 
works anyway, from what (little) I know.
I don't know about the USA, but in the UK it's done with something 
similar to DNS. The telephone system looks up the first N digits of 
the number to determine the operator it was first issued to. And 
places a query to them. That either causes the call to be accepted and 
routed, or they get an answer back saying "sorry, that number has been 
ported to operator FOO-TEL, go ask them instead".


Not quite, the simplistic overview is that operators have an obligation 
to offer porting wherever practical, so operate ports on a 
accept-then-forward principal.  If I port my number from CarrierA to 
CarrierB, then my calls still pass through A's switch, who transits the 
call to B without charging the end user.


For the benefit of completeness, the regulator has mandated that this 
situation must change, as CarrierB's inward-port customers are not 
protected from the technical or commercial failure of CarrierA.  The 
industry [www.ukporting.com] has responded and is building a framework 
to support all-call-query style lookups to handle number ports.


Apologies, I should have made it clear that I was following up the 
remark about cellphone number portability. Described in 2002 (at the 
beginning of the discussion about migrating to the new system that's 
currently still being built):


"To deliver a call a routing enquiry is made to a Home Location Register 
(HLR) to determine where the subscriber is located and to obtain a 
routing number. The solution for mobile number portability, known as the 
Signalling Relay Function (SRF), is that the donor network sends the 
routing enquiry signal addressed to a ported number to the appropriate 
recipient network for treatment. In this way the recipient network can 
provide the routing number to complete the call."


Although that is also apparently known as "onward routing", even though 
the subsequent call traffic isn't routed onwards.

--
Roland Perry


Re: EU Official: IP Is Personal

2008-01-25 Thread Andy Davidson



On 25 Jan 2008, at 10:42, Roland Perry wrote:

In article <[EMAIL PROTECTED]>, Matt Palmer <[EMAIL PROTECTED] 
> writes
Tunnels all over the place seems like the only way it'd even be  
halfway practical. It's more-or-less how phone number portability  
works anyway, from what (little) I know.
I don't know about the USA, but in the UK it's done with something  
similar to DNS. The telephone system looks up the first N digits of  
the number to determine the operator it was first issued to. And  
places a query to them. That either causes the call to be accepted  
and routed, or they get an answer back saying "sorry, that number  
has been ported to operator FOO-TEL, go ask them instead".


Not quite, the simplistic overview is that operators have an  
obligation to offer porting wherever practical, so operate ports on a  
accept-then-forward principal.  If I port my number from CarrierA to  
CarrierB, then my calls still pass through A's switch, who transits  
the call to B without charging the end user.



For the benefit of completeness, the regulator has mandated that this  
situation must change, as CarrierB's inward-port customers are not  
protected from the technical or commercial failure of CarrierA.  The  
industry [www.ukporting.com] has responded and is building a framework  
to support all-call-query style lookups to handle number ports.


Best wishes,
Andy


Re: EU Official: IP Is Personal

2008-01-25 Thread Roland Perry


In article <[EMAIL PROTECTED]>, Matt Palmer 
<[EMAIL PROTECTED]> writes
Tunnels all over the place seems like the only way it'd even be halfway 
practical. It's more-or-less how phone number portability works anyway, 
from what (little) I know.


I don't know about the USA, but in the UK it's done with something 
similar to DNS. The telephone system looks up the first N digits of the 
number to determine the operator it was first issued to. And places a 
query to them. That either causes the call to be accepted and routed, or 
they get an answer back saying "sorry, that number has been ported to 
operator FOO-TEL, go ask them instead".

--
Roland Perry


Re: EU Official: IP Is Personal

2008-01-25 Thread Tim Franklin

On Fri, January 25, 2008 6:33 am, Owen DeLong wrote:

> In order to be using the license plate, you had to be physically present
> in the car.

Or in any car displaying the same identifier.

> In order to be on the telephone number, you (almost always) need to be
> present at the site where that phone number is terminated.

Or calling from any line that presents the same identifier.  It's
generally true that if you're calling from a POTS line (or BRI, for the
most part), you'll either present correct CLI, or some flavour of
'unavailable' or 'witheld'.

Start buying PRI service, however, and there's not a shortage of telcos
where you can inject whatever CLI you like.  BCP38 is no more universal in
the phone network than it is in the IP one.

> I don't know about your IP addresses, but, people can use my IP addresses
>  from a number of locations which are nowhere near the jurisdiction in
> which my network operates, so, I don't really see the correlation here
> with license plates or phone numbers.

I'm not clear if you mean legitimately here, or not.  If you've authorised
people to relay traffic through you in some way, you'd be the right first
contact.  If you're talking about unauthorised spoofing, it's a lot like
the first two cases (I'd say a fair bit easier / cheaper than the second,
not substantially more so than the first).

Those looking to reach a person should be aware of the possibility that
any of these presented identifiers could be forged.  That doesn't mean
that the owner of the identifier isn't a useful person to talk to in the
first instance - and hence they all, to a first approximation, function as
personal identifiers.

Regards,
Tim.




Re: EU Official: IP Is Personal

2008-01-25 Thread Roland Perry


In article <[EMAIL PROTECTED]>, Hank 
Nussbacher <[EMAIL PROTECTED]> writes
I wouldn't be suprised if in a few years some EU/US law mandates IP 
number portability, just like people have with their cellphones.


I doubt it. The portability of Internet Addressing arises from the use 
of DNS.


You wouldn't expect anyone to mandate that IMEI, rather than cellphone 
number, was made portable between handsets, would you?


Making analogies between phone numbers and IP addresses has its limits.
--
Roland Perry


Re: EU Official: IP Is Personal

2008-01-25 Thread Roland Perry


In article <[EMAIL PROTECTED]>, 
[EMAIL PROTECTED] writes

So - if you can work backwards from license plate info, telephone numbers,
and IP addresses, and get a good idea of who the person is, and there's
general agreement that the first two are "personal information" that allows
(at least speculative) identification of the person, why are people having
trouble with the concept that the third is personally identifying information
as well?


Because they are IP engineers and they have lots of anecdotes about how 
an IP Address *might* be misleading when identifying an individual.


If they worked in a car maintenance shop, they'd be able to tell you how 
licence plates *might* be misleading when identifying an individual.


But in both cases they are missing the point: which is that EU Data 
Protection law looks at things from the opposite point of view.


ie If an IP address might *sometimes* reliably identify an individual, 
then everyone has to err on the side of caution and treat *all* IP 
addresses as personal data.

--
Roland Perry


Re: EU Official: IP Is Personal

2008-01-25 Thread Johnny Eriksson

Hank Nussbacher <[EMAIL PROTECTED]> wrote:

> I wouldn't be suprised if in a few years some EU/US law mandates IP number 
> portability, just like people have with their cellphones.  Imagine what 
> that will do to the routing tables.  How many /32s can we get into the 
> RIBs these days?  :-)

The next obvious step would be complete street address portability, for
all kinds of usage, like telling the cab driver where to go to get you
home.  Once you have lived on 1234 Main Street, it should be yours!

> -Hank

--Johnny


Re: EU Official: IP Is Personal

2008-01-25 Thread Matt Palmer

On Fri, Jan 25, 2008 at 10:49:48AM +0200, Hank Nussbacher wrote:
> On Fri, 25 Jan 2008, [EMAIL PROTECTED] wrote:
> >On Thu, 24 Jan 2008 22:33:20 PST, Owen DeLong said:
> >>>And oddly enough, license plates on cars act *exactly the same way* - but
> >>>nobody seems at all surprised when police can work backwards from a plate
> >>>and come up with a suspect (who, admittedly, may not have been
> >>>involved if
> >>>the car was borrowed/stolen/etc).
> >>>
> >>In order to be using the license plate, you had to be physically
> >>present in the car.
> >
> >"It wasn't me at the hit-and-run, my car was stolen last night"
> >
> >"It wasn't me, my PC got zombied"
> >
> >Like I said, they work *exactly the same way*.
> >
> >But I'm giving up.  We've got people here who work for companies that have
> >business models that boil down to "given an IP address, figure out who to
> >bill" - but although it identifies a person well enough to send them an
> >invoice, they think it isn't enough to identify them.
> 
> I wouldn't be suprised if in a few years some EU/US law mandates IP number 
> portability, just like people have with their cellphones.  Imagine what 
> that will do to the routing tables.  How many /32s can we get into the 
> RIBs these days?  :-)

That'd be a fun law to try and enforce, especially against the people who
refuse to accept such long routes (which is, after all, the only thing
that's stopping such long announcements from appearing already).  Tunnels
all over the place seems like the only way it'd even be halfway practical. 
It's more-or-less how phone number portability works anyway, from what
(little) I know.

- Matt


Re: EU Official: IP Is Personal

2008-01-25 Thread Hank Nussbacher


On Fri, 25 Jan 2008, [EMAIL PROTECTED] wrote:


On Thu, 24 Jan 2008 22:33:20 PST, Owen DeLong said:


And oddly enough, license plates on cars act *exactly the same way* - but
nobody seems at all surprised when police can work backwards from a plate
and come up with a suspect (who, admittedly, may not have been
involved if
the car was borrowed/stolen/etc).


In order to be using the license plate, you had to be physically
present in the car.


"It wasn't me at the hit-and-run, my car was stolen last night"

"It wasn't me, my PC got zombied"

Like I said, they work *exactly the same way*.

But I'm giving up.  We've got people here who work for companies that have
business models that boil down to "given an IP address, figure out who to
bill" - but although it identifies a person well enough to send them an
invoice, they think it isn't enough to identify them.


I wouldn't be suprised if in a few years some EU/US law mandates IP number 
portability, just like people have with their cellphones.  Imagine what 
that will do to the routing tables.  How many /32s can we get into the 
RIBs these days?  :-)


-Hank


The EU's and Google's official positions (was: EU Official: IP Is Personal)

2008-01-25 Thread michael.dillon


> In the case the german regulator is dealing with the ip 
> address is not be considered exclusive of the rest of a data 
> set. The question is given  a commercially valuable dataset 
> which contains ip addresses what is sufficient to anonymize 
> the users while maintaining the value of the data. The 
> regulator has one view, which is probably wrong and search 
> engine company (google is the one that is quoted) has another 
> which is also probably wrong.

First of all, this is not about the German data protection agency
but about the EU Committee on Civil Liberties, Justice and Home Affairs.

Secondly, there is no need to flail around wondering what is the
meaning of this one choice quote that an Associated Press reporter
built their story around. The EU publishes its position on its
website:
 
Peter Schaar is the Chairman of the group which produced this document.
Note that this came out in April of last year. The meeting that the
reporter attended was a public seminar discussing various case studies.

There is no transcript of the meeting and no formal submission from 
Peter Schaar or the German data protection agency so I assume that
the reported comments came during some discussion of Google's 
submission which is here:


If you want to see the program for the meeting, it is here:


It would be interesting to see some INFORMED discussion on the
EU's position or Google's position, because the EU and Google
are powerful organizations which matter. But there is really
no point in prolonged discussion of some reporter's choice
quote which may or may not have been taken out of context.

--Michael Dillon


Re: EU Official: IP Is Personal

2008-01-24 Thread Matt Palmer

On Thu, Jan 24, 2008 at 10:33:20PM -0800, Owen DeLong wrote:
> On Jan 24, 2008, at 8:55 PM, [EMAIL PROTECTED] wrote:
> >On Thu, 24 Jan 2008 20:39:53 PST, [EMAIL PROTECTED] said:
> >>What we can do with IP addresses is conclude that the user of the
> >>machine with an address is likely to be one of its usual users. We
> >>can't say that with 100% certainty, because there are any number of
> >>ways people can get "unusual" access. But even so, if one can show a
> >>pattern of usage, the usual suspects can probably figure out which of
> >>them, or what other "unusual" user, might have done this or that.
> >
> >And oddly enough, license plates on cars act *exactly the same way*  
> >- but
> >nobody seems at all surprised when police can work backwards from a  
> >plate
> >and come up with a suspect (who, admittedly, may not have been  
> >involved if
> >the car was borrowed/stolen/etc).
>
> In order to be using the license plate, you had to be physically  
> present in the car.
> 
> >You can work backwards from a phone number to a person, without a  
> >*guarantee*
> >that you have the right person - but I don't see anybody claiming that
> >phone numbers don't qualify as "personal information" under the EU  
> >definition.
>
> In order to be on the telephone number, you (almost always) need to be  
> present
> at the site where that phone number is terminated.
> 
> I don't know about your IP addresses, but, people can use my IP  
> addresses
> from a number of locations which are nowhere near the jurisdiction in  
> which
> my network operates, so, I don't really see the correlation here with  
> license
> plates or phone numbers.

In order to be using the IP address, your packets (almost always) have to
pass through the device allocated that address.

- Matt


Re: EU Official: IP Is Personal

2008-01-24 Thread Valdis . Kletnieks
On Thu, 24 Jan 2008 22:33:20 PST, Owen DeLong said:

> > And oddly enough, license plates on cars act *exactly the same way* - but
> > nobody seems at all surprised when police can work backwards from a plate
> > and come up with a suspect (who, admittedly, may not have been  
> > involved if
> > the car was borrowed/stolen/etc).
> >
> In order to be using the license plate, you had to be physically  
> present in the car.

"It wasn't me at the hit-and-run, my car was stolen last night"

"It wasn't me, my PC got zombied"

Like I said, they work *exactly the same way*.

But I'm giving up.  We've got people here who work for companies that have
business models that boil down to "given an IP address, figure out who to
bill" - but although it identifies a person well enough to send them an
invoice, they think it isn't enough to identify them.


pgpvks6ragu5h.pgp
Description: PGP signature


Re: EU Official: IP Is Personal

2008-01-24 Thread Owen DeLong



On Jan 24, 2008, at 8:55 PM, [EMAIL PROTECTED] wrote:


On Thu, 24 Jan 2008 20:39:53 PST, [EMAIL PROTECTED] said:


What we can do with IP addresses is conclude that the user of the
machine with an address is likely to be one of its usual users. We
can't say that with 100% certainty, because there are any number of
ways people can get "unusual" access. But even so, if one can show a
pattern of usage, the usual suspects can probably figure out which of
them, or what other "unusual" user, might have done this or that.


And oddly enough, license plates on cars act *exactly the same way*  
- but
nobody seems at all surprised when police can work backwards from a  
plate
and come up with a suspect (who, admittedly, may not have been  
involved if

the car was borrowed/stolen/etc).

In order to be using the license plate, you had to be physically  
present in the car.


You can work backwards from a phone number to a person, without a  
*guarantee*

that you have the right person - but I don't see anybody claiming that
phone numbers don't qualify as "personal information" under the EU  
definition.


In order to be on the telephone number, you (almost always) need to be  
present

at the site where that phone number is terminated.

I don't know about your IP addresses, but, people can use my IP  
addresses
from a number of locations which are nowhere near the jurisdiction in  
which
my network operates, so, I don't really see the correlation here with  
license

plates or phone numbers.

Owen



Re: EU Official: IP Is Personal

2008-01-24 Thread Valdis . Kletnieks
On Thu, 24 Jan 2008 20:39:53 PST, [EMAIL PROTECTED] said:

> What we can do with IP addresses is conclude that the user of the
> machine with an address is likely to be one of its usual users. We
> can't say that with 100% certainty, because there are any number of
> ways people can get "unusual" access. But even so, if one can show a
> pattern of usage, the usual suspects can probably figure out which of
> them, or what other "unusual" user, might have done this or that.

And oddly enough, license plates on cars act *exactly the same way* - but
nobody seems at all surprised when police can work backwards from a plate
and come up with a suspect (who, admittedly, may not have been involved if
the car was borrowed/stolen/etc).

You can work backwards from a phone number to a person, without a *guarantee*
that you have the right person - but I don't see anybody claiming that
phone numbers don't qualify as "personal information" under the EU definition.

So - if you can work backwards from license plate info, telephone numbers,
and IP addresses, and get a good idea of who the person is, and there's
general agreement that the first two are "personal information" that allows
(at least speculative) identification of the person, why are people having
trouble with the concept that the third is personally identifying information
as well?


pgpvnIiK2fiyy.pgp
Description: PGP signature


Re: EU Official: IP Is Personal

2008-01-24 Thread fred

>I dunno. I think I have a pretty good guess of who 192.159.10.227 is, or
>at least who it was as of 14:35 -0800 today.

Well, let me ask you you think 171.70.120.60 is. I'll give you a hint;
at this instant, there are 72 of us.

Here's another question. Whom would you suspect 171.71.241.89 is?  At
this point in time, I am in Barcelona; if I were home, that would be my
address as you would see it, but my address as I would see it would be
in 10.32.244.216/29. There might be several hundred people you would
see using 171.71.241.89;

One of the big issues with the Tsinghua SAVA proposal in the IETF is
specifically the confusion of the application layer with the IP layer.
They propose to embed personal identity into the IP address, and in
that there are a number of issues. Internet Address != application
layer identification.

What we can do with IP addresses is conclude that the user of the
machine with an address is likely to be one of its usual users. We
can't say that with 100% certainty, because there are any number of
ways people can get "unusual" access. But even so, if one can show a
pattern of usage, the usual suspects can probably figure out which of
them, or what other "unusual" user, might have done this or that.

That is the model forensic analysts follow. And the address is personal
information to the extent that it limits the set of usual suspects to a
set that includes you or I.


Re: EU Official: IP Is Personal

2008-01-24 Thread Scott Francis

On Jan 24, 2008 6:10 AM, Scott McGrath <[EMAIL PROTECTED]> wrote:
>
> We have a similar system based around Cisco's CNR which is a popular
> DHCP/DNS system used by large ISP's and other large organization and it
> is the IP+Timestamp coupled with the owner to MAC relationship which
> allows unique  identification of a user
[snip]

Let's not confuse identifying a person with identifying a particular
network interface. The disparity between the two may vary widely with
NAT, wifi, shared machines, etc.
-- 
[EMAIL PROTECTED],darkuncle.net} || 0x5537F527
  http://darkuncle.net/pubkey.asc for public key


Re: EU Official: IP Is Personal

2008-01-24 Thread Valdis . Kletnieks
On Thu, 24 Jan 2008 14:35:41 PST, Owen DeLong said:
> I'm sorry, but, I have a great deal of difficulty seeing how an IP can  
> be considered personally identifying.

I dunno. I think I have a pretty good guess of who 192.159.10.227 is, or
at least who it was as of 14:35 -0800 today.




pgpjmGn60dMUV.pgp
Description: PGP signature


Re: EU Official: IP Is Personal

2008-01-24 Thread Joel Jaeggli

Owen DeLong wrote:
> 
> I'm sorry, but, I have a great deal of difficulty seeing how an IP can
> be considered
> personally identifying.

In the case the german regulator is dealing with the ip address is not
be considered exclusive of the rest of a data set. The question is given
 a commercially valuable dataset which contains ip addresses what is
sufficient to anonymize the users while maintaining the value of the
data. The regulator has one view, which is probably wrong and search
engine company (google is the one that is quoted) has another which is
also probably wrong.

Can someone able to mine search engine log data pick out individual
users? Yes it's been demonstrated several times. Can you pick
individuals out of "anonymized" datasets? Yes to that too. Can an IP
address in exclusion to anything else be used to pick out an individual?
possibly under some circumstances, but definitely not with a high degree
of certainty.

> For example, in my home, I have static addresses.  However, the number of
> different people using those addresses would, to me, imply that you cannot
> personally identify anyone based solely on the IP address they are using
> within my network.  Certainly, you cannot say that I initiated all of
> the packets
> which came from my addresses.
> 
> Another example would be a retail store that I work with as a SCUBA
> Instructor.
> They also have static IP addresses, but, I would not say that any of the
> traffic
> coming from the store is necessarily personally identifiable.  Our entire
> staff (half a dozen instructors, a dozen or so divemasters and AIs, the
> owner, and at least one other retail assistant) source traffic from within
> that network.
> 
> The larger the business, the less identifiable the addresses become,
> generally.
> However, even in these ultra-small examples, I don't feel that the
> addresses
> are, in themselves, personally identifying.
> 
> Owen
> 



Re: EU Official: IP Is Personal

2008-01-24 Thread Owen DeLong


I'm sorry, but, I have a great deal of difficulty seeing how an IP can  
be considered

personally identifying.

For example, in my home, I have static addresses.  However, the number  
of
different people using those addresses would, to me, imply that you  
cannot

personally identify anyone based solely on the IP address they are using
within my network.  Certainly, you cannot say that I initiated all of  
the packets

which came from my addresses.

Another example would be a retail store that I work with as a SCUBA  
Instructor.
They also have static IP addresses, but, I would not say that any of  
the traffic
coming from the store is necessarily personally identifiable.  Our  
entire

staff (half a dozen instructors, a dozen or so divemasters and AIs, the
owner, and at least one other retail assistant) source traffic from  
within

that network.

The larger the business, the less identifiable the addresses become,  
generally.
However, even in these ultra-small examples, I don't feel that the  
addresses

are, in themselves, personally identifying.

Owen



Re: EU Official: IP Is Personal

2008-01-24 Thread J. Oquendo

Robin Stevens wrote:


Can IP addresses always identify a unique individual?  Definitely not,
not even to those of us with access to the logs.  NAT, MAC-spoofing,
shared/multi-user systems and so forth still get in the way from time to
time.  Newer technologies such as 802.11x will stop some means of
evasion in the future, and also make it easier for us to track directly 
by username rather than network interface.


Robin


Framing Private Ryan (a look at the dangers behind technology)
http://www.infiltrated.net/?p=77

--

J. Oquendo

SGFA #579 (FW+VPN v4.1)
SGFE #574 (FW+VPN v4.1)

wget -qO - www.infiltrated.net/sig|perl

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xF684C42E



smime.p7s
Description: S/MIME Cryptographic Signature


Re: EU Official: IP Is Personal

2008-01-24 Thread Robin Stevens

On Wed, Jan 23, 2008 at 04:44:55PM -0800, Lou Katz wrote:
> On Wed, Jan 23, 2008 at 05:52:41PM -0500, Sean Donelan wrote:
> > In the US, folks are fighting the RIAA claiming that an IP address isn't
> > enough to identify a person.
> > 
> > In Europe, folks are fighting the Google claiming that an IP address is
> > enough to identify a person.
> > 
> > I guess it depends on which side of the pond you are on.
> 
> They are both right. If you have a dynamic IP such as most college
> students have, it is here-today-gone-tomorrow.

In our environment it's common for the same system to retain the same
dynamic address for months or even years.  Our DHCP servers will try to
assign the same address to the same client for as long as possible.

For data protection purposes, we've long considered IP addresses to be
personal information.  They're often sufficient to track the same
user, and not infrequently identify a particular user without the need
for information other than a DNS lookup (people still seem fond of
unimaginative hostnames like fred-pc.dept.ox.ac.uk).  

Can IP addresses always identify a unique individual?  Definitely not,
not even to those of us with access to the logs.  NAT, MAC-spoofing,
shared/multi-user systems and so forth still get in the way from time to
time.  Newer technologies such as 802.11x will stop some means of
evasion in the future, and also make it easier for us to track directly 
by username rather than network interface.

Robin

-- 
Robin Stevens <[EMAIL PROTECTED]>Work (+44)(0)1865 273212
Networks & Telecommunications Group Fax (+44)(0)1865 273275
Oxford University Computing Services   http://www.cynic.org.uk/


RE: EU Official: IP Is Personal

2008-01-24 Thread Rod Beck
Hi Jeff, 

I agree. But gives a lot more information that most people will be comfortable 
disclosing. 

It may not guarantee identity, but it can help narrow it down to a household or 
billing account. 

I think it is time that privacy trump business interests. 

Roderick S. Beck
Director of European Sales
Hibernia Atlantic
1, Passage du Chantier, 75012 Paris
http://www.hiberniaatlantic.com
Wireless: 1-212-444-8829. 
Landline: 33-1-4346-3209.
French Wireless: 33-6-14-33-48-97.
AOL Messenger: GlobalBandwidth
[EMAIL PROTECTED]
[EMAIL PROTECTED]
``Unthinking respect for authority is the greatest enemy of truth.'' Albert 
Einstein. 



Re: EU Official: IP Is Personal

2008-01-24 Thread Scott McGrath


We have a similar system based around Cisco's CNR which is a popular 
DHCP/DNS system used by large ISP's and other large organization and it 
is the IP+Timestamp coupled with the owner to MAC relationship which 
allows unique  identification of a user and we have strict data 
retention policies so that after the data has been maintained for the 
interval specified by the Provost it is permanently removed from the 
database.


We treat IP/Mac information as personally identifiable information  and 
as such  limit access to this information to authorized users  only.


But there seems to be  a misapprehension  that  a  dynamically assigned 
address cannot be associated with a individual.


Eric Gauthier wrote:

Heya,

  

In the US, folks are fighting the RIAA claiming that an IP address isn't
enough to identify a person.

In Europe, folks are fighting the Google claiming that an IP address is
enough to identify a person.

I guess it depends on which side of the pond you are on.

  

They are both right. If you have a dynamic IP such as most college students
have, it is here-today-gone-tomorrow.




Our University uses dynamic addressing but we are able to identify likely users
in response to the RIAA stuff.  There is a hidden step in here, at least for our 
University, in the IP-to-Person mapping.  Our network essentially tracks the 
IP-to-MAC relationship and the MAC-to-Owner relationship.  For us, its not the 
IP that identifies a person, but the combination of IP plus Timestamp, which can 
be used to walk our database and produce a system owner.


I'm guessing that Google et. al. have a similar multi-factor token set (IP, 
time,
cookie, etc) which allows them to map back to a "person".

Eric :)
  


Re: EU Official: IP Is Personal

2008-01-24 Thread Roland Perry


In article <[EMAIL PROTECTED]>, Fred Baker 
<[EMAIL PROTECTED]> writes
no fundamental contradiction in the proposition that private sector 
information can be mandated to be kept for minimum periods, is 
confidential, but nevertheless can be acquired by lawful subpoena.


they are if the records are kept for no private sector purpose, which 
is the case here. The corollary that is being built on is telco call 
detail records, which were once used in billing. But the ISPs have no 
use for the data and storing it costs power, cooling, disk-or-other- 
storage, and so on. Get an ISP or other data center to give you an idea 
how many megawatts they go through and what that costs...


You make the assumption that the banks have some business purpose to 
keep data for more than 6 months? My online bank makes it hard for me to 
go back further than that, but I'm sure the regulator insists they do.


Your other objections are just "whose dollars" issue (ignoring the 
public policy debate, but this is a technical list).

--
Roland Perry


Re: EU Official: IP Is Personal

2008-01-24 Thread J. Oquendo

Rod Beck wrote:
With all due respect, it is easy back into a person's identity or a 
household's identity using the IP address together with other information.


It's done all the time by ISPs for law enforcement and it's fruitless 
for you to deny it.




No one said it wasn't easy all I'm saying is it's not definitive. Look 
at the case of the RIAA.


RIAA Sues the Dead
February 4, 2005
Thomas Mennecke

The RIAA's campaign against alleged music pirates has been 
well-criticized for being overly ruthless. In their plight to eradicate 
file-sharing, the RIAA has pursued children, grandmothers and the 
destitute. In a move that many consider to only add insult to injury, 
the RIAA has sued 83 year old Gertrude Walton. The only problem is, 
Gertrude has been dead since December of 2004.


...

Not only has the RIAA's legal tactics been criticized for its 
ruthlessness, but also the obvious inaccuracies that inevitably surface. 
While sharing information over a P2P network, there is no direct way for 
the RIAA to obtain your personal information. Under the guidelines of a 
"John Doe" lawsuit, the RIAA sues your IP address. The RIAA then goes to 
your ISP and matches the IP address with the date and time in question.


http://www.slyck.com/news.php?story=653
--

J. Oquendo

SGFA #579 (FW+VPN v4.1)
SGFE #574 (FW+VPN v4.1)

wget -qO - www.infiltrated.net/sig|perl

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xF684C42E



smime.p7s
Description: S/MIME Cryptographic Signature


Re: EU Official: IP Is Personal

2008-01-24 Thread Roland Perry


In article <[EMAIL PROTECTED]>, J. Oquendo 
<[EMAIL PROTECTED]> writes
Putting aside for a moment the issue of "whose dollars pay for it" 
there  is no fundamental contradiction in the proposition that private 
sector  information can be mandated to be kept for minimum periods, is 
confidential, but nevertheless can be acquired by lawful subpoena.
 Think about banking records, for example, which are confidential, 
routinely examined in criminal enquiries, and which have to be kept 
for  various minimum periods by accountancy law. Operationally, the 
banks  have had to invest in special departments to do just that, it's 
simply  part of the cost of doing business.


The difference with banking records and computer generated records is, 
you can literally track down whether by PIN on an ATM along with for 
the majority of times an image taken from a camera. Try doing this with 
IP generated information. While law enforcement subpoenas away 
information, there is no guarantee person X is definitively behind even 
a static IP address. Its hearsay no matter how you want to look at 
this. Outside of the fact that lawyers still up to this day and age 
can't seem to grasp an all-in-one argument to get IP address 
information thrown out, what's next? Perhaps law enforcement agencies 
forcing vendors to include enough memory on wireless devices to track 
who logged in on a hotspot?


Everyone sees the need for all sorts of accounting on the networking 
side of things but how legitimate is the information when anyone can 
share MAC addresses, jump into hotspots anonymously, quickly break into 
wireless networks, venture into an Internet cafe paying cash, throw on 
a bootable (throwaway) distribution of BSD/Linux/Solaris, do some dirty 
deed and leave it up to someone else to take the blame.


It's a bit like licence plates on a car. Seeing a bank robber jump into 
a car and then using the licence plate as a "best guess" where to find 
the perpetrator has a lot of reasons why it's not 100% accurate. Maybe 
the licence plate was entirely false, or perhaps cloned from another 
vehicle the model colour and age. But there are enough dumb crooks out 
there driving cars with real licence plates, that as a first 
approximation it's still worth insisting everyone *has* a licence plate, 
and some semblance of responsibility to keep real owner details on file.

--
Roland Perry


Re: EU Official: IP Is Personal

2008-01-24 Thread Jeff McAdams
Eric Gauthier wrote:
> Heya,
> 
>>> In the US, folks are fighting the RIAA claiming that an IP address isn't
>>> enough to identify a person.
>>>
>>> In Europe, folks are fighting the Google claiming that an IP address is
>>> enough to identify a person.
>>>
>>> I guess it depends on which side of the pond you are on.
>>>
>> They are both right. If you have a dynamic IP such as most college students
>> have, it is here-today-gone-tomorrow.

> Our University uses dynamic addressing but we are able to identify likely 
> users
> in response to the RIAA stuff.  There is a hidden step in here, at least for 
> our 
> University, in the IP-to-Person mapping.  Our network essentially tracks the 
> IP-to-MAC relationship and the MAC-to-Owner relationship.  For us, its not 
> the 
> IP that identifies a person, but the combination of IP plus Timestamp, which 
> can 
> be used to walk our database and produce a system owner.

There are a couple of ways that can break down.  "Hey, dude, lemme
borrow your laptop for a minute."  Or
"ifconfig eth0 ether aa:bb:cc:dd:ee:ff"

> I'm guessing that Google et. al. have a similar multi-factor token set (IP, 
> time,
> cookie, etc) which allows them to map back to a "person".

Which, for similar reasons, does not, in any absolutely reliable way,
identify a *person* at the keyboard.
-- 
Jeff McAdams
"They that can give up essential liberty to obtain a
little temporary safety deserve neither liberty nor safety."
   -- Benjamin Franklin



signature.asc
Description: OpenPGP digital signature


Re: EU Official: IP Is Personal

2008-01-24 Thread J. Oquendo

Rod Beck wrote:

I refer you to the following posting:



It is easy to back into people's identity.


So simple even a caveman can do it
http://www.klcconsulting.net/smac/

--

J. Oquendo

SGFA #579 (FW+VPN v4.1)
SGFE #574 (FW+VPN v4.1)

wget -qO - www.infiltrated.net/sig|perl

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xF684C42E



smime.p7s
Description: S/MIME Cryptographic Signature


RE: EU Official: IP Is Personal

2008-01-24 Thread Rod Beck
I refer you to the following posting:

"Our University uses dynamic addressing but we are able to identify likely users
in response to the RIAA stuff.  There is a hidden step in here, at least for our
University, in the IP-to-Person mapping.  Our network essentially tracks the
IP-to-MAC relationship and the MAC-to-Owner relationship.  For us, its not the
IP that identifies a person, but the combination of IP plus Timestamp, which can
be used to walk our database and produce a system owner.

I'm guessing that Google et. al. have a similar multi-factor token set (IP, 
time,
cookie, etc) which allows them to map back to a "person"."

It is easy to back into people's identity. 

Regards, 

Roderick S. Beck
Director of European Sales
Hibernia Atlantic
1, Passage du Chantier, 75012 Paris
http://www.hiberniaatlantic.com
Wireless: 1-212-444-8829. 
Landline: 33-1-4346-3209.
French Wireless: 33-6-14-33-48-97.
AOL Messenger: GlobalBandwidth
[EMAIL PROTECTED]
[EMAIL PROTECTED]
``Unthinking respect for authority is the greatest enemy of truth.'' Albert 
Einstein. 



Re: EU Official: IP Is Personal

2008-01-24 Thread J. Oquendo

Rod Beck wrote:

I am frankly shocked that some people claim that you cannot identify 
people by the IP address. There was a scandal in the States where a well 
known ISP released search records and the New York Times was able to 
identify individuals using the IP address together with the search records.


And here is a shocker... Supposing I despised you enough to do something 
horrendous to your reputation. I despised you enough to perhaps surf 
around your neighborhood for an open wifi connection, if I connect to 
what I believe is yours even the better.


Since I despise you so much, I begin say, spreading viruses, spreading 
malware, attempting to break into banks, maybe chatting with minors. 
Remember now, I am in close proximity to your home, who knows maybe I 
was lucky enough to stumble upon your wireless connection. Should I go 
on with this?


I see no difference between a static IP address and a credit card 
number. Neither are the individual's property, but that doesn't mean 
there should not be legal or ethical obligations surrounding them. 


There is a humongous difference. There is nothing more then a broad 
assumption that you are the individual sitting behind your IP address. 
There can only be proof if its shown that it was impossible for someone 
to have connected via your home address. Wireless router throws 
everything out the door unless you're using WPA, WEP which even then 
there is the possibility of someone still breaking into your connection.


RADIUS accounting for say PPP? Oh... You'd like to verify my identity 
via caller ID? Caller ID spoofing defeats this too. So what's next? I'll 
respond offline, lest I get flamed, banned, shown the AUP again and have 
my fingers hit with a ruler... (sorry Alex, Martin)



--

J. Oquendo

SGFA #579 (FW+VPN v4.1)
SGFE #574 (FW+VPN v4.1)

wget -qO - www.infiltrated.net/sig|perl

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xF684C42E



smime.p7s
Description: S/MIME Cryptographic Signature


Re: EU Official: IP Is Personal

2008-01-24 Thread Fred Baker


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


On Jan 24, 2008, at 12:50 PM, Roland Perry wrote:

no fundamental contradiction in the proposition that private sector  
information can be mandated to be kept for minimum periods, is  
confidential, but nevertheless can be acquired by lawful subpoena.


they are if the records are kept for no private sector purpose, which  
is the case here. The corollary that is being built on is telco call  
detail records, which were once used in billing. But the ISPs have no  
use for the data and storing it costs power, cooling, disk-or-other- 
storage, and so on. Get an ISP or other data center to give you an  
idea how many megawatts they go through and what that costs...

-BEGIN PGP SIGNATURE-

iD8DBQFHmJTTbjEdbHIsm0MRAkawAKDnhoWSoMvmSkvYrGMKyjcOg479fACfY5IC
XPNxwAA1fsU6j5Z/r5REBLw=
=2fCn
-END PGP SIGNATURE-


RE: EU Official: IP Is Personal

2008-01-24 Thread Rod Beck
I am frankly shocked that some people claim that you cannot identify people by 
the IP address. There was a scandal in the States where a well known ISP 
released search records and the New York Times was able to identify individuals 
using the IP address together with the search records. 

If a daily newspaper can, I suspect just about any body can ...

I see no difference between a static IP address and a credit card number. 
Neither are the individual's property, but that doesn't mean there should not 
be legal or ethical obligations surrounding them.  

As always my opinions are my opinions and not official corporate policy 

Roderick S. Beck
Director of European Sales
Hibernia Atlantic
1, Passage du Chantier, 75012 Paris
http://www.hiberniaatlantic.com
Wireless: 1-212-444-8829. 
Landline: 33-1-4346-3209.
French Wireless: 33-6-14-33-48-97.
AOL Messenger: GlobalBandwidth
[EMAIL PROTECTED]
[EMAIL PROTECTED]
``Unthinking respect for authority is the greatest enemy of truth.'' Albert 
Einstein. 



-Original Message-
From: [EMAIL PROTECTED] on behalf of J. Oquendo
Sent: Thu 1/24/2008 12:57 PM
To: Roland Perry
Cc: nanog@merit.edu
Subject: Re: EU Official: IP Is Personal
 
Roland Perry wrote:

> Putting aside for a moment the issue of "whose dollars pay for it" there 
> is no fundamental contradiction in the proposition that private sector 
> information can be mandated to be kept for minimum periods, is 
> confidential, but nevertheless can be acquired by lawful subpoena.
> 
> Think about banking records, for example, which are confidential, 
> routinely examined in criminal enquiries, and which have to be kept for 
> various minimum periods by accountancy law. Operationally, the banks 
> have had to invest in special departments to do just that, it's simply 
> part of the cost of doing business.

The difference with banking records and computer generated records is, 
you can literally track down whether by PIN on an ATM along with for the 
majority of times an image taken from a camera. Try doing this with IP 
generated information. While law enforcement subpoenas away information, 
there is no guarantee person X is definitively behind even a static IP 
address. Its hearsay no matter how you want to look at this. Outside of 
the fact that lawyers still up to this day and age can't seem to grasp 
an all-in-one argument to get IP address information thrown out, what's 
next? Perhaps law enforcement agencies forcing vendors to include enough 
memory on wireless devices to track who logged in on a hotspot?

Everyone sees the need for all sorts of accounting on the networking 
side of things but how legitimate is the information when anyone can 
share MAC addresses, jump into hotspots anonymously, quickly break into 
wireless networks, venture into an Internet cafe paying cash, throw on a 
bootable (throwaway) distribution of BSD/Linux/Solaris, do some dirty 
deed and leave it up to someone else to take the blame.



-- 

J. Oquendo

SGFA #579 (FW+VPN v4.1)
SGFE #574 (FW+VPN v4.1)

wget -qO - www.infiltrated.net/sig|perl

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xF684C42E




Re: EU Official: IP Is Personal

2008-01-24 Thread Eric Gauthier

Heya,

> > In the US, folks are fighting the RIAA claiming that an IP address isn't
> > enough to identify a person.
> > 
> > In Europe, folks are fighting the Google claiming that an IP address is
> > enough to identify a person.
> > 
> > I guess it depends on which side of the pond you are on.
> > 
> 
> They are both right. If you have a dynamic IP such as most college students
> have, it is here-today-gone-tomorrow.


Our University uses dynamic addressing but we are able to identify likely users
in response to the RIAA stuff.  There is a hidden step in here, at least for 
our 
University, in the IP-to-Person mapping.  Our network essentially tracks the 
IP-to-MAC relationship and the MAC-to-Owner relationship.  For us, its not the 
IP that identifies a person, but the combination of IP plus Timestamp, which 
can 
be used to walk our database and produce a system owner.

I'm guessing that Google et. al. have a similar multi-factor token set (IP, 
time,
cookie, etc) which allows them to map back to a "person".

Eric :)



Re: EU Official: IP Is Personal

2008-01-24 Thread J. Oquendo

Roland Perry wrote:

Putting aside for a moment the issue of "whose dollars pay for it" there 
is no fundamental contradiction in the proposition that private sector 
information can be mandated to be kept for minimum periods, is 
confidential, but nevertheless can be acquired by lawful subpoena.


Think about banking records, for example, which are confidential, 
routinely examined in criminal enquiries, and which have to be kept for 
various minimum periods by accountancy law. Operationally, the banks 
have had to invest in special departments to do just that, it's simply 
part of the cost of doing business.


The difference with banking records and computer generated records is, 
you can literally track down whether by PIN on an ATM along with for the 
majority of times an image taken from a camera. Try doing this with IP 
generated information. While law enforcement subpoenas away information, 
there is no guarantee person X is definitively behind even a static IP 
address. Its hearsay no matter how you want to look at this. Outside of 
the fact that lawyers still up to this day and age can't seem to grasp 
an all-in-one argument to get IP address information thrown out, what's 
next? Perhaps law enforcement agencies forcing vendors to include enough 
memory on wireless devices to track who logged in on a hotspot?


Everyone sees the need for all sorts of accounting on the networking 
side of things but how legitimate is the information when anyone can 
share MAC addresses, jump into hotspots anonymously, quickly break into 
wireless networks, venture into an Internet cafe paying cash, throw on a 
bootable (throwaway) distribution of BSD/Linux/Solaris, do some dirty 
deed and leave it up to someone else to take the blame.




--

J. Oquendo

SGFA #579 (FW+VPN v4.1)
SGFE #574 (FW+VPN v4.1)

wget -qO - www.infiltrated.net/sig|perl

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xF684C42E



smime.p7s
Description: S/MIME Cryptographic Signature


Re: EU Official: IP Is Personal

2008-01-24 Thread Roland Perry


In article <[EMAIL PROTECTED]>, Sean 
Donelan <[EMAIL PROTECTED]> writes
In the US, folks are fighting the RIAA claiming that an IP address 
isn't

enough to identify a person.

In Europe, folks are fighting the Google claiming that an IP address is
enough to identify a person.

I guess it depends on which side of the pond you are on.


The European Data Protection perspective (which has been the same since
1999, and expressed quite robustly in 2000, no new ideas have suddenly
appeared) is this:

Many IP addresses *are* enough to identify a person.

Although sometimes you need additional information.

The law talks about "identifying directly or indirectly", the
latter as a result of having some *other* information
available[1]. It's not a case of getting a hit based on IP
address alone (which in any event needs at least a registry
lookup to turn into a person's name).

And therefore because *some* IP addresses indisputably identify
people, you must put in place precautions to handle *all* such
information appropriately (IP addresses don't come with a bit
set to say "I'm an identifiable user" or "I'm not").

That's just the way European Law works.

The American perspective might be (and I'm guessing here) that if only
*some* IP addresses identify people, you should assume that *all* IP
addresses are unreliable identifiers. [Many of the comments in this
thread express somewhat of that view].

That might even be a good idea in a shoot-first ask-questions-later
environment. My advice would be to try *not* to deploy such an
environment :)

[1] In the case of being a dial-up ISP, the RADIUS logs; others have
mentioned the association between commercial wifi connections and their
(roaming) subscribers.
--
Roland Perry


Re: EU Official: IP Is Personal

2008-01-24 Thread Roland Perry


In article <[EMAIL PROTECTED]>, Fred Baker 
<[EMAIL PROTECTED]> writes
What I find interesting here is the Jekyll/Hyde nature of it.  European 
ISPs are required to keep expensive logs of the behavior of subscribers 
for forensic data mining, accessible under subpoena, for extensive 
periods like 6-24 months (last I heard it was 7 years in Italy, but 
that may now be incorrect), but the information is deemed private and 
therefore inappropriate to keep under EU privacy rules. ISPs are 
required to keep inappropriate information at their own expense in case 
forensic authorities decide to pay an occasional pittance to access 
some small quantity of it.


Putting aside for a moment the issue of "whose dollars pay for it" there 
is no fundamental contradiction in the proposition that private sector 
information can be mandated to be kept for minimum periods, is 
confidential, but nevertheless can be acquired by lawful subpoena.


Think about banking records, for example, which are confidential, 
routinely examined in criminal enquiries, and which have to be kept for 
various minimum periods by accountancy law. Operationally, the banks 
have had to invest in special departments to do just that, it's simply 
part of the cost of doing business.

--
Roland Perry
Internet Policy Agency


Re: EU Official: IP Is Personal

2008-01-23 Thread Eric Brunner-Williams


Lou Katz wrote:
They are both right. If you have a dynamic IP such as most college 
students

have, it is here-today-gone-tomorrow.

If you have static IP (business, us slugs in the Swamp, etc) you are 
identifyable.
  


Hi Lou,

Long time.

The thing is this isn't an atemporal question. The association of an 
address and any other information that tends
to identify an individual (say my googling the complete works of the 
co-author of "Survey of Modern Algebra",
along with Saunders MacLaine, in particular reference [1], the 
"original" treatise on shaped charges, and my
groveling for clue in DNS ops, and my ...) tends to unique closure over 
finite time.


So, for a single datagram sourced from a just-allocated at random DHCP 
pool, wicked hard to make PII.
But for many hours or days of stream to a variety of data collectors, 
some of which share raw or correlated data,

the problem is not insoluable.

Eric

[1] Garret Birkhoff, et al. "Explosives With Lined Cavities". Journal of 
Applied Physics. June 1948, p. 563-582.


Re: EU Official: IP Is Personal

2008-01-23 Thread Fred Baker


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


On Jan 24, 2008, at 2:09 AM, Mikael Abrahamsson wrote:

The local antipiracy organization in Sweden needed a permit to  
collect/handle IP+timestamp and save it in their database, as this  
information was regarded as personal information. Since ISPs  
regularily save who has an IP at what time, IP+timestamp can be  
used to discern at least what access port a certain IP was at, or  
in case of PPPoE etc, what account was used to obtain the IP that  
that time.


I still think IP+timestamp doesn't imply what person did something


it doesn't, no any more than the association of your cell phone with  
a cell tower conclusively implies that the owner of a telephone used  
it to do something in particular. However, in forensic data retention  
and wiretap procedures, the assumption is made that the user of a  
telephone or a computer is *probably* a person who normally has  
access to it.


In the EU Data Retention model, I will argue that the only thing that  
makes sense to use as a "Session Detail Record" is an IPFIX/Netflow  
record correlated with with any knowledge the ISP might have of the  
person using the source and/or destination IP address at the time.  
When the address is temporarily or "permanently" assigned to a  
subscriber, such as a wireless address in a T-Mobile Hotspot (which  
one has to identify one's account when logging into, which  
presumptively identifies the subscriber) or the address assigned to a  
Cable Modem subscriber (home/SOHO), this tends to have a high degree  
of utility.


In the wiretap model, one similarly selects the traffic one  
intercepts on the presumption that a surveillance subject is probably  
the person using the computer.


For them, it's all about probability. It doesn't have to be "one" if  
it is reasonable to presume that it is in the neighborhood.


What I find interesting here is the Jekyll/Hyde nature of it.  
European ISPs are required to keep expensive logs of the behavior of  
subscribers for forensic data mining, accessible under subpoena, for  
extensive periods like 6-24 months (last I heard it was 7 years in  
Italy, but that may now be incorrect), but the information is deemed  
private and therefore inappropriate to keep under EU privacy rules.  
ISPs are required to keep inappropriate information at their own  
expense in case forensic authorities decide to pay an occasional  
pittance to access some small quantity of it.

-BEGIN PGP SIGNATURE-

iD8DBQFHmA3hbjEdbHIsm0MRAhsKAJ4+xXkJm/JM/lDL1YpufmUYZdhClACgrvxD
keX0Zsm+QtJG6RcCMrJcVqk=
=DpcR
-END PGP SIGNATURE-


Re: EU Official: IP Is Personal

2008-01-23 Thread Mikael Abrahamsson


On Wed, 23 Jan 2008, Lou Katz wrote:


They are both right. If you have a dynamic IP such as most college students
have, it is here-today-gone-tomorrow.


The local antipiracy organization in Sweden needed a permit to 
collect/handle IP+timestamp and save it in their database, as this 
information was regarded as personal information. Since ISPs regularily 
save who has an IP at what time, IP+timestamp can be used to discern at 
least what access port a certain IP was at, or in case of PPPoE etc, what 
account was used to obtain the IP that that time.


I still think IP+timestamp doesn't imply what person did something, 
license plate information tracking is also considered personal information 
even though it says nothing about who drove the car at that time, and I 
think IP+timestamp is approximately on the same level as a car license 
plate when it comes to level of personal information.


--
Mikael Abrahamssonemail: [EMAIL PROTECTED]


Re: EU Official: IP Is Personal

2008-01-23 Thread Lou Katz

On Wed, Jan 23, 2008 at 05:52:41PM -0500, Sean Donelan wrote:
> 
> On Wed, 23 Jan 2008, Florian Weimer wrote:
> >If IP addresses don't identify anything, why do they collect and keep
> >them?
> 
> In the US, folks are fighting the RIAA claiming that an IP address isn't
> enough to identify a person.
> 
> In Europe, folks are fighting the Google claiming that an IP address is
> enough to identify a person.
> 
> I guess it depends on which side of the pond you are on.
> 

They are both right. If you have a dynamic IP such as most college students
have, it is here-today-gone-tomorrow.

If you have static IP (business, us slugs in the Swamp, etc) you are 
identifyable.
-- 

-=[L]=-
I wouldn't take any advice, if I were you.


Re: EU Official: IP Is Personal

2008-01-23 Thread Joseph S D Yao

On Wed, Jan 23, 2008 at 05:26:09PM +, Paul Vixie wrote:
> 
> [EMAIL PROTECTED] (Hank Nussbacher) writes:
> 
> > http://ap.google.com/article/ALeqM5g08qkYTaNhLlscXKMnS3V8dkc-WwD8UAGH900
> 
> they say it's personally identifiable information, not personal property.
> EU's concern is the privacy implications of data that google and others
> are saving, they are not making a statement related to address ownership.


Perhaps not.  But people will interpret it as they wish to.


-- 
Joe Yao
Qinetiq NA / Analex Contractor


Re: EU Official: IP Is Personal

2008-01-23 Thread Sean Donelan


On Wed, 23 Jan 2008, Florian Weimer wrote:

If IP addresses don't identify anything, why do they collect and keep
them?


In the US, folks are fighting the RIAA claiming that an IP address isn't
enough to identify a person.

In Europe, folks are fighting the Google claiming that an IP address is
enough to identify a person.

I guess it depends on which side of the pond you are on.




Re: EU Official: IP Is Personal

2008-01-23 Thread Joe Greco

> Paul Vixie wrote:
> > [EMAIL PROTECTED] (Hank Nussbacher) writes:
> >> http://ap.google.com/article/ALeqM5g08qkYTaNhLlscXKMnS3V8dkc-WwD8UAGH900
> >
> > they say it's personally identifiable information, not personal property.
> > EU's concern is the privacy implications of data that google and others
> > are saving, they are not making a statement related to address ownership.
> 
> Correct. In the EU DP framework (see: 
> [...]
> P. S. How many bits in the mask are necessary to achieve the non-PII aim?

So, this could be basically a matter of dredging up someone with a /25 
allocated to them personally, in the EU service area.  I think I know 
some people like that.

I know for a fact that I know people with swamp C's here in the US.  That
would seem to set the bar higher than a mere 7 bits.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.


Re: EU Official: IP Is Personal

2008-01-23 Thread Florian Weimer

* Eric Brunner-Williams:

> However, Google/DoubleClick claim they have the right to collect PII
> data and disclose less than their complete data collection policy, and
> in particular, claim that endpoint identifiers do not tend to identify
> individuals. Further, they assert a property claim on such collected
> data.

If IP addresses don't identify anything, why do they collect and keep
them?

Anyway, mandatory data retention seems to change the consensus whose job
it is to retain a certain level of perceived anonymity.  Even if the
retention policies do not actually change that much, it's usually
assumed that the ISPs do no good job at protecting customer identity
anymore.  (You have to see this in a context where most of the consumer
Internet connections change their assigned IP address at least once a
day, which explains the old expectation to some degree.)  Now that ISPs
are out of the loop, the attention turns to folks at higher protocol
levels.  Some folks probably think that by complaining loadly enough,
they might be hosting a Google Privacy Research Center soon, or
something like that. *sigh*


Re: EU Official: IP Is Personal

2008-01-23 Thread Joel Jaeggli

Eric Brunner-Williams wrote:
> Correct. In the EU DP framework (see:
> http://ec.europa.eu/justice_home/fsj/privacy/), personal
> privacy doesn't arise from private law (contract or property), but from
> public law (the human rights
> statements contained in the treaty under which the EU is formed).
> 
> However, Google/DoubleClick claim they have the right to collect PII
> data and disclose less than
> their complete data collection policy, and in particular, claim that
> endpoint identifiers do not tend
> to identify individuals. Further, they assert a property claim on such
> collected data.
> 
> See the partialip definition in the W3C's P3P Spec for an attempt to
> straddle the fence at offset 7:
> 
> "a partialip element represents an IP version 4 address (only - not a
> version 6 address) which has
> had at least the last 7 bits of information removed"
> 
> The theory for partialip was that a full address (v4 or v6) was PII, and
> a partial (for v4 only, at 7bits)
> was not PII.
> 
> Eric
> 
> P. S. How many bits in the mask are necessary to achieve the non-PII aim?

One might observe that the ip address is not used in isolation. Some
other metadata is being collected whether it's the product of a search
query or a referrer url or whatever dataset contains the ips but that an
ip address anonymized by dropping 8 bits from the mask in conjunction
with the other information is probably more than enough to uniquely
identify an individual in the sorts of data sets that are being
discussed here.

this rather timely article has some pointers on the subject.

http://www.schneier.com/crypto-gram-0801.html#1




Re: EU Official: IP Is Personal

2008-01-23 Thread Eric Brunner-Williams


Paul Vixie wrote:

[EMAIL PROTECTED] (Hank Nussbacher) writes:

  

http://ap.google.com/article/ALeqM5g08qkYTaNhLlscXKMnS3V8dkc-WwD8UAGH900



they say it's personally identifiable information, not personal property.
EU's concern is the privacy implications of data that google and others
are saving, they are not making a statement related to address ownership.
  


Correct. In the EU DP framework (see: 
http://ec.europa.eu/justice_home/fsj/privacy/), personal
privacy doesn't arise from private law (contract or property), but from 
public law (the human rights

statements contained in the treaty under which the EU is formed).

However, Google/DoubleClick claim they have the right to collect PII 
data and disclose less than
their complete data collection policy, and in particular, claim that 
endpoint identifiers do not tend
to identify individuals. Further, they assert a property claim on such 
collected data.


See the partialip definition in the W3C's P3P Spec for an attempt to 
straddle the fence at offset 7:


"a partialip element represents an IP version 4 address (only - not a 
version 6 address) which has

had at least the last 7 bits of information removed"

The theory for partialip was that a full address (v4 or v6) was PII, and 
a partial (for v4 only, at 7bits)

was not PII.

Eric

P. S. How many bits in the mask are necessary to achieve the non-PII aim?


Re: EU Official: IP Is Personal

2008-01-23 Thread Paul Vixie

[EMAIL PROTECTED] (Hank Nussbacher) writes:

> http://ap.google.com/article/ALeqM5g08qkYTaNhLlscXKMnS3V8dkc-WwD8UAGH900

they say it's personally identifiable information, not personal property.
EU's concern is the privacy implications of data that google and others
are saving, they are not making a statement related to address ownership.
-- 
Paul Vixie


EU Official: IP Is Personal

2008-01-23 Thread Hank Nussbacher


http://ap.google.com/article/ALeqM5g08qkYTaNhLlscXKMnS3V8dkc-WwD8UAGH900

-Hank