Tag Archives: Privacy

Post-mortem: SNCB puts the contact details of 1,400,000 customers online

Update: 29 Dec 2012

On Saturday 22 December, an ordinary internet user was using Google to confirm the mailing address for his greeting cards. To his great surprise, Google returned in its search results a file containing 1,460,734 customers of SNCB-Europe, with their names, e-mail address, postal address, telephone number(s), date of birth and login identifier (but not the password). No hacking, just a HUGE blunder by SNCB, which placed on its public website a document that should have been handled in accordance with the legislation in force.

Most surprising is the reaction of SNCB which, instead of apologising and being transparent, retreats into an “it wasn't me, Sir” attitude worthy of a school playground. So let us flush out SNCB's fanciful claims. A superficial technical analysis shows that SNCB is deliberately trying to muddy the waters.

ICANN consultations on the Registrar Accreditation Agreement

ICANN has started a new round of consultations with regard to the Registrar Accreditation Agreement. The consultation is open through 4 August 2008. I submitted the following comment:

3.3 Public Access to Data on Registered Names

This section of the RAA has been left untouched, although it is well known to ICANN and its community that this contravenes several national and international laws.

See http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2003/wp76_en.pdf
and http://www.icann.org/correspondence/schaar-to-cerf-12mar07.pdf

Quoting this last letter: “Privacy issues stemming from the making available of personal data in the context of the operation of the WHOIS services should be solved through amendments to the registrar accreditation agreement that would offer at least to those registrars located in EU member countries to comply with EU data protection legislation in accordance with the basic principles of data protection and privacy.”

How can ICANN justify that it forces, by contract, other parties to break the law?

Of course, one could say that it is customary in most European countries' laws that contract clauses which go against the law are considered void. As an example, both the French and Belgian Civil Codes define in article 1133 that “La cause est illicite, quand elle est prohibée par la loi […]”. Hence, European registrars could invoke the legal requirement not to publish data about individuals in their whois database, and inform ICANN that they are not able to fully comply with article 3.3. Most don’t, but rather have registrants accept terms by which they agree to see their data published. This lack of courage has always amazed me.