Monitoring, Flow Stats (Re: spam whore, norcal-systems)

Jim Dixon jdd at
Wed Feb 3 17:25:21 UTC 1999

On Wed, 3 Feb 1999, Roeland M.J. Meyer wrote:

> Here is something germane to this thread.
> >Date: Tue, 02 Feb 1999 19:42:43 -0500
> >From: "vinton g. cerf" <vcerf at MCI.NET>
> >Subject: EC Directive on IP Addresses and Privacy

[Cerf quoting someone not named:]
> >"Yesterday, I learned from a very well-placed U.S. Government source that
> >European law enforcement officials have told their American counterparts
> >that they interpret the E.C. Data Protection Directive as prohibiting
> >Internet service providers from maintaining records of users' IP
> >addresses unless necessary for service or billing.  This position indicates
> >that E.C. officials consider both dynamic and static IP addresses to be
> >subject to the Directive as "'personal data'...relating to an...identifiable
> >natural person" under Article 2(a) of the Directive.  Therefore, it is
> >being interpreted that the European Directive prohibits the retention of
> >dynamic IP addresses even by an ISP unless it is used for billing purposes
> >(which is rarely the case).
> >
> >If shared by others in the E.C., the position could have significant
> >implications for Internet business models." 

While it isn't clear exactly what a "European law enforcement
official" is or why they would be concerned with the Data Protection
Directive, I can assure you that not only do European ISPs maintain
RADIUS logs that tie dynamic IP addresses to user accounts but they
are also strongly encouraged to do this by their national governments
in most or all member states of the European Union.

In the UK, for example, the London Internet Exchange (the LINX) and 
ISPA UK, the trade association, have formally endorsed a Traceability 
BCP that includes as a recommended practice the archiving of RADIUS logs
to allow spam and illegal content to be traced back to the responsible 
individual.  I understand that in France ISPs are *required* to archive
their RADIUS logs.

EuroISPA, the European ISP trade association, checked with 
officials at DG XV, the relevant directorate of the European 
Commission, for their opinion regarding the statements quoted above.  
So far their opinion appears to be that maintenance of such logs is 
OK so long as customers are aware that logs are being kept and the 
logs are not kept for too long.

We talked to DG XV this morning.  We will continue to pursue this
matter both with the European Commission and with the UK government
until we have a good understanding of what our position is.

Incidentally, to the best of my knowledge non-compliance with the Data
Protection Act is not a criminal matter.  If you don't comply, you get

