Hannes Tschofenig wrote:
Yes, I understand what the document is trying to say. The insight
that the presence of NAT also requires you to log the port number
is certainly not a new insight.
My worry with the document is that if you have to give someone who
deploys services such trivial information (as it is done with the
draft) then it is quite likely that they also need to be told
something about privacy. As the discussion around Web tracking
shows there is little understanding of meet the privacy
expectations of regulators.
What this document describes will often be illegal in Germany,
and you risk a fine up to 300000 Euro for doing it on an
"Internet-Facing server".
3.5 years ago there was an illegal data privacy violation of a technically
different kind that made the german news:
http://content.stuttgarter-zeitung.de/stz/page/1629475_0_9223_-reinigungsrechnung-an-kundin-volksbank-macht-rueckzieher.html
It was about some smelly mess (allegedly dog shit) on the floor near a
bank's ATM, and the bank examined their video surveillance tapes to find
who caused the mess and found out that it was from a 3 year old girl
whose mother had withdrawn money at the ATM (and they got the mother's
name from the ATMs log). They sent this mother a cleaning bill of 50 Euros.
Besides the fact that childs below the age of 7 can not be legally
held responsible for their actions in Germany--and their parents
(or whoever was in charge of supervision) can only be held responsible
in case of gross negligence, it was a violation of german privacy laws
for the bank to examine the video and ATM logs to determine the
mother's name. And although the bank back-pedaled the day _after_
this story made the news, their privacy violation resulted in a formal
investigation by the public authorities against the bank.
-Martin
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf