Question of privacy with reassigned resources

William Herrin bill at herrin.us
Wed Aug 4 16:49:42 CDT 2010


On Wed, Aug 4, 2010 at 3:42 PM, Steven Bellovin <smb at cs.columbia.edu> wrote:
> On Aug 4, 2010, at 1:35 17AM, William Herrin wrote:
>> For the latter, you're providing significant amounts of a public
>> resource (IP addresses) to a business whose contact information you're
>> contractually and ethically obligated to reveal. If a particular
>> complex is worried about publishing their location, they can always
>> rent a P.O. box. If you're the only one doing the worrying, don't.
>
> I strongly disagree -- you're revealing the precise address of any
> tenant in those buildings.  Don't do that...

Then discuss it with the apartment complex, Steven, and encourage them
to get a PO box to use in place of their physical address. Or just buy
a box from mail boxes etc. yourself and set up mail forwarding each
time you set up a new apartment complex. The main point of the
exercise is that the address consumer (the apartment management
company, a for-profit business) be identifiable and directly reachable
by phone, email and postal mail, not that they provide accurate
coordinates for targeting the nukes. Plenty of reasonable ways to meet
the spirit of the rules. The letter too.




On Wed, Aug 4, 2010 at 4:08 PM, Eric Brunner-Williams
<brunner at nic-naa.net> wrote:
> During the P3P to-and-fro on what constituted PII I lost the argument that
> masking off the last bits constituted acceptable non-disclosure of PII.

Whole other ball game, Eric. In the platform for privacy preferences
(P3P) one participant in a data flow asserts that he will keep the
other participant's behavior confidential. P3P examines what knowledge
the asserter may glean and publish from that data flow without
violating that confidentiality. You rightly lost the argument because
the subnet, plus other information that doesn't by itself identify a
user, can often be combined to identify a specific user and his
behavior with a relatively high level of confidence. So can
algorithmic one-way hashes of the address and most other variants on
the meme that could reasonably facilitate reconstructing a particular
user's data flow.

No such agreement exists with respect to the public permitting
for-profit businesses the exclusive use of a portion of the public's
IP addresses. Quite the contrary, that public (as it expressed itself
to ARIN repeatedly for a decade and a half and as recently as ARIN's
public meeting earlier this year) insists that for-profit businesses
granted the exclusive use of 8 or more of the public's IP addresses
publicly reveal who they are and how to directly contact them.

Public. Get it?

Regards,
Bill Herrin


-- 
William D. Herrin ................ herrin at dirtside.com  bill at herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
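
The P3P point in the message above (a masked subnet or a one-way hash of an address can still single out a user) is illustrated by this added example, which is not part of the original post. The log records, user-agent labels and function names are constructed for illustration, and unsalted SHA-256 is an assumed stand-in for "algorithmic one-way hashes".

```python
import hashlib
import ipaddress
from collections import defaultdict

def pseudonymize(ip: str) -> str:
    """Unsalted SHA-256 of the dotted-quad address (assumed hashing scheme)."""
    return hashlib.sha256(ip.encode()).hexdigest()

def mask_last_octet(ip: str) -> str:
    """Zero the low 8 bits, keeping only the /24 network address."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False).network_address)

def link_by_token(records):
    """Group requests by pseudonym: an identical token means an identical address,
    so the hash still ties one client's requests together into a data flow."""
    flows = defaultdict(list)
    for token, _user_agent, path in records:
        flows[token].append(path)
    return dict(flows)

def recover_from_subnet(token: str, subnet: str):
    """Hash every address in a candidate subnet; a /24 is only 256 guesses."""
    for addr in ipaddress.ip_network(subnet):
        if pseudonymize(str(addr)) == token:
            return str(addr)
    return None

def quasi_identifier_groups(records):
    """Count distinct addresses behind each (masked /24, user agent) pair.
    A count of 1 means the masked record still points at a single client."""
    groups = defaultdict(set)
    for ip, user_agent in records:
        groups[(mask_last_octet(ip), user_agent)].add(ip)
    return {key: len(ips) for key, ips in groups.items()}

# Constructed sample log using documentation address ranges (RFC 5737).
RAW_LOG = [
    ("192.0.2.17", "UA-A", "/login"),
    ("192.0.2.17", "UA-A", "/account"),
    ("192.0.2.201", "UA-B", "/index"),
    ("198.51.100.5", "UA-A", "/index"),
]
HASHED_LOG = [(pseudonymize(ip), ua, path) for ip, ua, path in RAW_LOG]

if __name__ == "__main__":
    print(link_by_token(HASHED_LOG))
    print(recover_from_subnet(HASHED_LOG[0][0], "192.0.2.0/24"))
    print(quasi_identifier_groups([(ip, ua) for ip, ua, _ in RAW_LOG]))
```

A data-retention review can run the same three checks against its own pseudonymization scheme: any group of size 1, or any token that links or reverses, is still identifying.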



