[governance] Civil Society (was Re: caucus contribution, consultation and MAG meeting)

Roland Perry roland at internetpolicyagency.com
Mon Feb 18 05:31:40 EST 2013 

In message <E0F19B12-BEC5-42B6-86C3-B35B69556466 at hserus.net>, at 
14:47:28 on Mon, 18 Feb 2013, Suresh Ramasubramanian <suresh at hserus.net> 
writes
>I do this for a living .. so I can say you're correct

That's good to hear, because I have also done this for a living.

>My point is that a bare IP address is no use without accompanying 
>subpoena'd information from the ISP linking it to a customer's name and 
>address

In some cases it is of use without police intervention, because the IP 
address can be correlated with other information (for example emails the 
victim has received, one of whose senders might be the stalker).

>So, all the claims which I see touted by various privacy groups "ip 
>addresses are personal data" - and more so by the EU - just don't pass 
>my criteria for being based on facts.

The fact is that if *some* IP addresses are immediately traceable back 
to an inividual then that means *all* IP addresses must be treated *as 
if* they were personal data (because you can't treat some differently 
from others, and the European view is to take the most conservative 
approach). I'm aware that other jurisdictions lean more towards the idea 
that "if I can find just *one* IP address that doesn't lead back to an 
individual, then *none* of them can possibly be considered personal 
data".

>There are two actions when a cyberstalker situation is involved
>
>1. The ISP can determine that his actions are in violation of their 
>acceptable use policies and then end their relationship with him as a 
>customer - suspend his account from the service, which is a contractual 
>relationship with specific clauses on how such a relationship can be 
>ended.

That's not going to happen unless the ISP receives a complaint, and if 
we are talking about an access ISP then the victim will probably not 
have an IP address, only the social network site will have that, and 
because it's "personal data" they will not release it to the victim.

However, revealing the name (or other identifying details) of the 
perpetrator should be just as useful in pointing the victim in the right 
direction.

>2. The affected person complains to the police, who believe they have a 
>case they can take before a prosecutor with a reasonable chance of 
>getting a conviction - so they subpoena the ISP and get customer data 
>about the stalker, which they use in making an arrest.

In the UK there's no subpoena or prosecutor involved. The police have 
the right to ask for this information without.

>Either case - the customer information is not disclosed to any third 
>party (even law enforcement) without due process being followed, and a 
>stalker's IP address looks just the same as your IP,

Knowing the IP address can be helpful, although once again not 100% 
conclusive it can often reveal what country the perpetrator is from, and 
which ISP they use.

> or the IP of a local church's broadband connection

Or the IP of a business where the perpetrator works. Knowing the Church 
or the Business is often enough to work out who the perpetrator is - 
remember most stalkers are known to their victims (although not all of 
them are).

>- there's every possibility that a dynamic IP could be assigned to the 
>stalker, then to you, and then to the church, so IP + date and time 
>stamp of the incident need to be tied to the ISP's login and billing 
>data - which you're only going to get with a subpoena from law 
>enforcement..

Dynamic IP and carrier-grade NAT (as used by most mobile networks in the 
UK) make things more difficult, but none of this is a reason why IP 
Addresses should not be regarded as personal data (in the European/OECD 
model).

>On 18-Feb-2013, at 13:46, Roland Perry <roland at internetpolicyagency.com> wrote:
>
>> In message 
>><13ce62efbc4.2728.4f968dcf8ecd56c9cb8acab6370fcfe0 at hserus.net>, at 
>>08:55:09 on Sun, 17 Feb 2013, Suresh Ramasubramanian 
>><suresh at hserus.net> writes
>>> The ambiguity starts when you need to tie an IP to an actual 
>>>customers name which you can only do after a subpoena from law 
>>>enforcement
>>
>> That isn't ambiguity, it's a matter of lawful process. Here in the UK 
>>the police can make such enquiries from an ISP without a subpoena from 
>>a court. However, they first have to be investigating a crime, which 
>>is why it was important to clarify what forms of [cyber]stalking are 
>>in fact a crime.
>>

-- 
Roland Perry

-------------- next part --------------
____________________________________________________________
You received this message as a subscriber on the list:
     governance at lists.igcaucus.org
To be removed from the list, visit:
     http://www.igcaucus.org/unsubscribing

For all other list information and functions, see:
     http://lists.igcaucus.org/info/governance
To edit your profile and to find the IGC's charter, see:
     http://www.igcaucus.org/

Translate this email: http://translate.google.com/translate_t

More information about the Governance mailing list