Hi,
How does this affect Blacklist- and Whitelist vendors or organisations like dnswl.org or our swinog blacklists ?
-- Martin
Hello!
Thanks for the pointer!
Quoting mbr@freebsd.org (08.09.10 14:14):
How does this affect Blacklist- and Whitelist vendors or organisations like dnswl.org or our swinog blacklists ?
From my point of view they are "anonymized". No chance to get a relation
between the entry in the RBL and a person (natuerliche oder juristische). But of course, lawyers have usually different ideas.
The fact that my access.log is now a collection of personal data scares me a bit. I have to check my webalizer if there are IPs popping up :-)
Beat
On Wed, 2010-09-08 at 14:24 +0200, Beat Rubischon wrote:
Hello!
Thanks for the pointer!
Quoting mbr@freebsd.org (08.09.10 14:14):
How does this affect Blacklist- and Whitelist vendors or organisations like dnswl.org or our swinog blacklists ?
From my point of view they are "anonymized". No chance to get a relation
between the entry in the RBL and a person (natuerliche oder juristische). But of course, lawyers have usually different ideas.
The fact that my access.log is now a collection of personal data scares me a bit. I have to check my webalizer if there are IPs popping up :-)
Beat
hello,
i think there will be some Common sense in this point, as it is quite different to collect and sell this kind of datas, and to use them as stats tools (have a look at the numerous fidelity cards we can find anywhere).
also maybe a publicly available stat... i dont know, but sounds like yes we would have to plan the writing of the accesslogs on a 9 pin printer inside a safe ;)
pschlumpf
i think there will be some Common sense in this point, as it is quite different to collect and sell this kind of datas, and to use them as stats tools (have a look at the numerous fidelity cards we can find anywhere).
also maybe a publicly available stat... i dont know, but sounds like yes we would have to plan the writing of the accesslogs on a 9 pin printer inside a safe ;)
Absolutely not. You mix two things here.
Stats are just stats, as long as they don't have personal data in them, it is fine. (but the IP is personal data, so you can't publish that).
As for fidelity cards, this is completely different, those people are your customers and have signed an agreement with you. People surfing your page did not sign an agreement to allow you to publish their IP.
Pascal
On Wed, 2010-09-08 at 16:15 +0200, Pascal Gloor wrote:
i think there will be some Common sense in this point, as it is quite different to collect and sell this kind of datas, and to use them as stats tools (have a look at the numerous fidelity cards we can find anywhere).
also maybe a publicly available stat... i dont know, but sounds like yes we would have to plan the writing of the accesslogs on a 9 pin printer inside a safe ;)
Absolutely not. You mix two things here.
Stats are just stats, as long as they don't have personal data in them, it is fine. (but the IP is personal data, so you can't publish that).
As for fidelity cards, this is completely different, those people are your customers and have signed an agreement with you. People surfing your page did not sign an agreement to allow you to publish their IP.
Pascal
agree,
i forgot the agreement, was bad on that point.
anyway i was not talking about publishing ips, but just using it internally as stats datas.is it also concerned ?
naz
I'm trying to make a list of all possible implications/problems that this ruling can make. Please send me a direct mail with your questions and I will forward them to a good lawyer (actually, the one involved in that case).
So far, questions/implications I've seen or came to me are:
---
Any statistics tool those results are public and contains IP addresses (webalizer for example).
This case if clear to me, no need to argue. You can't publish the IPs. Ensure that you set the correct option to avoid that part of the stats or maybe there's an anonymizer flag, or maybe, don't make them public.
---
Wikipedia, if hosted in Switzerland, cannot publish anymore the IP of anonymous editors.
This is also a very clear case, you link the IP with an activity and are therefor protected by the law.
---
Whatever Blacklists without consent of the admin of the IP..
That's an open question, these blacklists are often listing services IP (not personal computers with humans behind). I'm thinking about anti-spam blacklist, like that SwiNOG one!! I will clear that point with the lawyer.
---
Complete this list please, I want to be sure we can answer all questions at one. Maybe I'll setup a page to help people to understand the implications.
Pascal
I think it's far too early to jump into conclusions right now. The court didn't even state it's reasons in detail. As far as I understand it right now, this does only mean one has to take care about data that contains ip addresses - but not, that such data processing would be a legal problem at all...
Juerg
-----Original Message----- From: swinog-bounces@lists.swinog.ch
[mailto:swinog-bounces@lists.swinog.ch]
On Behalf Of Pascal Gloor Sent: Wednesday, September 08, 2010 4:17 PM To: swinog@lists.swinog.ch Subject: Re: [swinog] IP address are now personal data
I'm trying to make a list of all possible implications/problems that this ruling can make. Please send me a direct mail with your questions and I
will
forward them to a good lawyer (actually, the one involved in that case).
So far, questions/implications I've seen or came to me are:
Any statistics tool those results are public and contains IP addresses (webalizer for example).
This case if clear to me, no need to argue. You can't publish the IPs.
Ensure
that you set the correct option to avoid that part of the stats or maybe there's an anonymizer flag, or maybe, don't make them public.
Wikipedia, if hosted in Switzerland, cannot publish anymore the IP of anonymous editors.
This is also a very clear case, you link the IP with an activity and are therefor protected by the law.
Whatever Blacklists without consent of the admin of the IP..
That's an open question, these blacklists are often listing services IP
(not
personal computers with humans behind). I'm thinking about anti-spam blacklist, like that SwiNOG one!! I will clear that point with the lawyer.
Complete this list please, I want to be sure we can answer all questions
at
one. Maybe I'll setup a page to help people to understand the
implications.
Pascal
swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
I think it's far too early to jump into conclusions right now. The court didn't even state it's reasons in detail. As far as I understand it right now, this does only mean one has to take care about data that contains ip addresses - but not, that such data processing would be a legal problem at all...
Well, the court doesn't state anything in detail in a press release. It's in the court decision document. But we're off-topic I think. Lets just aggregate all open questions and I'll get answers from a qualified person, a lawyer, not techies like us ;-)
Pascal
Well, the court doesn't state anything in detail in a press release. It's
in
the court decision document. But we're off-topic I think. Lets just
aggregate
all open questions and I'll get answers from a qualified person, a lawyer, not techies like us ;-)
What I ment is, why not wait until the court makes it's decision public where they explain in detail how they mean it, what probably will answer a lot of questions by itself... A lawyer would imho have to wait for this as well. But chances are of course, that I'm totally wrong ;-).
Juerg
Well actually it does - the processing of protected data requires a legal foundation or agreement of the person identified by that data. See DSG Art. 4 Abs. 1 and 4 http://www.admin.ch/ch/d/sr/235_1/a4.html Since IP addresses are now "schützenswerte Daten", processing these is subject to the laws of the DSG - you do not only have to "take care". There are even penalties mentioned in the DSG! But I think this will be explained in more detail when the verdict arrives in writing.
BTW: Todays verdict halts Logisteps business immediately. They are not even allowed to sell information collected up to today anymore.
Florian (twittered live from Lausanne today as @floheinstein)
On Wed, Sep 8, 2010 at 16:32, Juerg Reimann jr@jworld.ch wrote:
I think it's far too early to jump into conclusions right now. The court didn't even state it's reasons in detail. As far as I understand it right now, this does only mean one has to take care about data that contains ip addresses - but not, that such data processing would be a legal problem at all...
Juerg
-----Original Message----- From: swinog-bounces@lists.swinog.ch
[mailto:swinog-bounces@lists.swinog.ch]
On Behalf Of Pascal Gloor Sent: Wednesday, September 08, 2010 4:17 PM To: swinog@lists.swinog.ch Subject: Re: [swinog] IP address are now personal data
I'm trying to make a list of all possible implications/problems that this ruling can make. Please send me a direct mail with your questions and I
will
forward them to a good lawyer (actually, the one involved in that case).
So far, questions/implications I've seen or came to me are:
Any statistics tool those results are public and contains IP addresses (webalizer for example).
This case if clear to me, no need to argue. You can't publish the IPs.
Ensure
that you set the correct option to avoid that part of the stats or maybe there's an anonymizer flag, or maybe, don't make them public.
Wikipedia, if hosted in Switzerland, cannot publish anymore the IP of anonymous editors.
This is also a very clear case, you link the IP with an activity and are therefor protected by the law.
Whatever Blacklists without consent of the admin of the IP..
That's an open question, these blacklists are often listing services IP
(not
personal computers with humans behind). I'm thinking about anti-spam blacklist, like that SwiNOG one!! I will clear that point with the lawyer.
Complete this list please, I want to be sure we can answer all questions
at
one. Maybe I'll setup a page to help people to understand the
implications.
Pascal
swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
If IPs are protected information, so how is this handled in E-Mails, on mailing-lists like this and alike?
Have messages to be stripped off IPs before they are delivered? Who's legally responsible for protecting the data?
Just an example: Company X could scan all header information from SwiNOG-list. The intention would to check who is using which ISP. Now everybody who's IP comes from company B receives a personalized e-mail with an offer to get a hosting product X cheaper. As I wrote: Just an example.
Now there would clearly be a commercial intention behind processing the IPs. My understanding is, that this would be illegal for a Swiss company.
But if a company abroad would do this, would it still be illegal? If so, the company couldn't be held responsible. The question is: Would, as a subsidiarily liability, the maintainer of the list or even the provider of the IPs, the ISP, be responsible for not protecting the personal data accordingly?
Guido
Am Wed, 8 Sep 2010 16:16:52 +0200 schrieb Pascal Gloor pascal.gloor@spale.com:
I'm trying to make a list of all possible implications/problems that this ruling can make. Please send me a direct mail with your questions and I will forward them to a good lawyer (actually, the one involved in that case).
So far, questions/implications I've seen or came to me are:
Any statistics tool those results are public and contains IP addresses (webalizer for example).
This case if clear to me, no need to argue. You can't publish the IPs. Ensure that you set the correct option to avoid that part of the stats or maybe there's an anonymizer flag, or maybe, don't make them public.
Wikipedia, if hosted in Switzerland, cannot publish anymore the IP of anonymous editors.
This is also a very clear case, you link the IP with an activity and are therefor protected by the law.
Whatever Blacklists without consent of the admin of the IP..
That's an open question, these blacklists are often listing services IP (not personal computers with humans behind). I'm thinking about anti-spam blacklist, like that SwiNOG one!! I will clear that point with the lawyer.
Complete this list please, I want to be sure we can answer all questions at one. Maybe I'll setup a page to help people to understand the implications.
Pascal
swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
----- Original Message ----
From: rudolphi@212.55.212.115 To: swinog@lists.swinog.ch
If IPs are protected information, so how is this handled in E-Mails, on mailing-lists like this and alike?
very simple: all mailing lists are now illegal. As well as all IP routers.
If IPs are protected information, so how is this handled in E-Mails, on mailing-lists like this and alike?
very simple: all mailing lists are now illegal. As well as all IP routers.
Not at all. (Otherwise all telephony operators would also be illegal). As for the mail headers, its an open point I need to clarify.
I think its useless to continue this techie thread. I'll do my best to get an FAQ done asap backed up by one (or maybe two) lawyers so that all ISPs understand what really changed and if they need to adapt something or not.
Pascal
I have forwarded a mix of all open questions to the "Federal data protection and information commissioner". They will reply within a few days and also setup an FAQ on their website. Hope it helps!
;-) Pascal
-
Beat Rubischon -
Florian Mauchle -
Juerg Reimann -
Martin Blapp -
Pascal Gloor -
philippe Schlumpf -
rudolphi@netmon.ch -
Stanislav Sinyagin