Database SIG
APNIC Database Privacy Issues
1 March 2001 APRICOT, Malaysia
Fabrina Hossain
ASIA PACIFIC NETWORK
INFORMATION CENTRE
Background
• JPNIC raised privacy concerns in Brisbane DB SIG
• Many residential users connecting to internet through cable and ADSL services
• Such assignments need to be registered in a public whois database
• Thus information of private residents being disclosed
  - Address, phone, fax etc
Background
• Current JPNIC registration policy
  - Details collected and registered in database by ISP for all residential user assignment blocks
  - Postal addresses, ph and fax numbers of admin contacts are not disclosed
• Proposal for APNIC to adopt similar policy
Contact Persons
• Technical contact (tech-c)
  - Responsible for technical operation of network
  - Should be reachable by any means in case of emergency, security incidents etc
• Administrative contact (admin-c)
  - Responsible for financial, legal and content matters (etc)
APNIC Current Practice
• Home LAN/SOHO end user assignment
  - If assignment to end user is more than /30
    - Update APNIC database inetnum object
      - Outlining user details in netname: and descr: fields
    - Include admin-c as end user contact if possible
      - Onsite admin-c not mandatory, but recommended
    - Tech-c can be ISP contact
    - ISP should inform customer of whois registration
    - /30 assignment considered infrastructure
APNIC Current Practice
• Static assignment
  - For verification purposes only
  - If LIR assigns single static IP addresses to residential users
    - Must update inetnum in database for each end user assignment
    - Admin-c and tech-c can be ISP contacts
    Or
    - When submitting address request APNIC will request sample customer list with IP addresses
Other RIR Policies
• ARIN
  - ISP contacts permitted in Point Of Contacts field (“Coordinator”)
    - Residential end users assumed to be contactable via ISP
  - IP assignment object records netname of end user, town and state of residence
  - Records “private residence” in street address field
Other RIR Policy
• RIPE NCC
  - Similar to APNIC policy
  - Update RIPE database
    - Onsite admin-c not mandatory, but recommended
    - Tech-c can be ISP contact
  - Had recent discussions in db-wg mailing list
    - http://www.ripe.net/ripe/mail-archives/db-wg/2000100120010101/threads.html
Implications
• Possible concerns for ISP
  - ISP willing to be responsible for customer’s network?
    - Implications of being an admin contact
    - Principle not different to dial-up users
Privacy Laws – Overview (1)
• International law
  - UN and OECD have defined a set of privacy principles to guide national lawmakers
  - Most privacy laws require that personal information is:
    - Obtained fairly and lawfully
    - Used only for the original specified purpose
    - Adequate, relevant and not excessive to purpose
    - Accurate and up to date
    - Destroyed after its purpose is completed
Privacy Laws – Overview (2)
• APNIC position
  - Australian laws to come into effect at end of 2001
  - Federal privacy law applies a “light-touch” legislative framework
    - Encourages business self-regulation
    - Businesses/industries may develop their own privacy codes
    - Codes must be at least as strong as the 10 National Privacy Principles (based on OECD principles)
Privacy Principles – Key Points
• Collection
  - Collect only what is necessary
  - Ensure person is advised how the data is to be used
• Disclosure
  - Only disclose data in ways consistent with reasonable expectation
• Security
  - Data must be securely protected
• Onward transfers
  - Must take reasonable steps to ensure that information is only transferred to those who will act in accordance with same general principles
Privacy Practices
• Practices should remain consistent with general principles
• A cautious approach to personal information in international law:
  - Only collect what data is necessary
  - Make full disclosure of how data is to be used
  - Limit the use of, and access to, the data to what is necessary
  - Protect the data
Questions?