brad@looking.on.ca (Brad Templeton) (05/14/91)
There have been a number of interesting points raised recently in
news.admin and comp.risks that EFF hangers-on might want to look at.
They involve some British laws about databases.

In one case a site has queried the database registry office about what
databases must be registered. (Apparently the law requires that if you
keep a collection of information about people on a computer, you have to
register it, and other laws allow people to look at the data)

They kept asking if X should be registered and always got yes. Examples
of X:
    The uucp maps and alias databases for sites and users
    Hostname databases for the internet

And speculation was that you would also have to register
    The /etc/passwd file and equivalents
    All E-mail mailing lists
and more.

Thus creating a typical net site might involve the registration (presumably
with fees and paperwork) of a significant number of databases.

----------

In comp.risks, comment has been made that some institutions, fearful of the
laws which govern computer databases -- including a possible right-to-see
law -- have been deliberately keeping their databases on paper. That means
processing the information on computer, but in the end printing it and
erasing the electronic records forthwith.

Included were Newspaper obituary databases, and academic record databases.

All I can say is *sigh*. And perhaps "if databases are outlawed, only
outlaws will have databases..."
--
Brad Templeton, ClariNet Communications Corp. -- Waterloo, Ontario 519/884-7473
rick@cstr.ed.ac.uk (Rick Innis) (05/15/91)
In article <1991May14.040427.10453@looking.on.ca> brad@looking.on.ca (Brad Templeton) writes:

   There have been a number of interesting points raised recently in
   news.admin and comp.risks that EFF hangers-on might want to look at.
   They involve some British laws about databases.

The law in question is the Data Protection Act. This was a piece of
legislation enacted to fulfill the requirements of a European Commission
Directive on access to and security of data - in fact all data, not merely
that stored on computer.
EC Directives state a number of requirements which member states of the EEC
are required to enact in law. The exact wording of the law is up to the
individual member states; hence the effect can be different from one state to
another.
Typically, the British Government, obsessed with secrecy, enacted this in
such a way as to make it extremely difficult for individuals to access
information held about them, and left plenty of boltholes for keeping
information protected. (For example, it's very difficult to find out what's
on a police computer, if I recall rightly.)
Perhaps there's someone out there who knows the DPA more thoroughly than I
do, who'd like to comment?
--Rick.
--
JANET: rick@uk.ac.ed.cstr | Rick Innis, CSTR,
Internet: rick@cstr.ed.ac.uk | University of Edinburgh,
UUCP: ..mcsun!ukc!cstr!rick | Edinburgh, Scotland EH1 1HN.
Thought for the day: If you were happy every day of your life, you wouldn't
be a human being - you'd be a game show host.
Jim.Fraas@buscard.FIDONET.ORG (Jim Fraas) (05/15/91)
In a message to All <05-14-91 06:53> Brad Templeton wrote:

BT> Message-ID: <1991May14.040427.10453@looking.on.ca>
BT> Newsgroups: comp.org.eff.talk

BT> There have been a number of interesting points raised
BT> recently in
BT> news.admin and comp.risks that EFF hangers-on might want to
BT> look at.
BT> They involve some British laws about databases.

OK Keep going

BT> In one case a site has queried the database registry office
BT> about what
BT> databases must be registered. (Apparently the law .......

BT> They kept asking if X should be registered and always got
BT> yes. Examples
BT> of X:
BT> The uucp maps and alias databases for sites and
BT> users
BT> Hostname databases for the internet

BT> And speculation was that you would also have to register
BT> The /etc/passwd file and equivalents
BT> All E-mail mailing lists
BT> and more.

Would this mean you would have to make available ALL passwords on a BBS to
anyone who would want them? Like a hacker.....?

Thank goodness I live in the USA!

--- QuickBBS 2.66 - - We REALLY Mean Business!
 * Origin: The Business Card - Lawrence, MA - (508) 682-5329 (1:324/121)
--
Jim Fraas - via FidoNet node 1:324/121 (UUCP/UseNet<->FidoNet gateway)
UUCP: wizvax!buscard!Jim.Fraas
ARPA: Jim.Fraas@buscard.FIDONET.ORG
\wizvax!buscard!Jim.Fraas
john@gna.axis-design.fr (John Hughes) (05/17/91)
In article <1991May14.040427.10453@looking.on.ca> brad@looking.on.ca (Brad Templeton) writes:

   There have been a number of interesting points raised recently in
   news.admin and comp.risks that EFF hangers-on might want to look at.
   They involve some British laws about databases.

   In one case a site has queried the database registry office about what
   databases must be registered. (Apparently the law requires that if you
   keep a collection of information about people on a computer, you have to
   register it, and other laws allow people to look at the data)

   They kept asking if X should be registered and always got yes. Examples
   of X:
       The uucp maps and alias databases for sites and users
       Hostname databases for the internet

   And speculation was that you would also have to register
       The /etc/passwd file and equivalents
       All E-mail mailing lists
   and more.

   Thus creating a typical net site might involve the registration (presumably
   with fees and paperwork) of a significant number of databases.

Yup, you (and that means ANY OF YOU, no exceptions for size) MUST
register any database that contains "personal information" about
living people. Of course we all know that the law is an ass, so real
people (as opposed to companies, organisations, etc) just ignore it.
However, the law has no exceptions for real people, so just 'cos you
DO ignore it doesn't mean you CAN, or SHOULD.
John Hughes
brad@looking.on.ca (Brad Templeton) (05/17/91)
Actually, the real trick would be not to ignore it, but to organize full
compliance -- swamping them. Problem is this probably costs money.

For example, I have hundreds of mail folders collecting mail I have
received and mail I have sent. Megabytes of stuff which includes people
who have corresponded with me on certain topics. This is a database of
people and their opinions. My /etc/passwd is a database of people and
their full names and addresses and shells etc. My filing cabinet is a
paper version.

If people complied fully, you might get dozens or hundreds of databases per
person. What would they do?
--
Brad Templeton, ClariNet Communications Corp. -- Waterloo, Ontario 519/884-7473
simona@panix.uucp (Simona Nass) (05/18/91)
In article <RICK.91May15101241@watt.cstr.ed.ac.uk> rick@cstr.ed.ac.uk (Rick Innis) writes:
>In article <1991May14.040427.10453@looking.on.ca> brad@looking.on.ca (Brad Templeton) writes:
>
>   There have been a number of interesting points raised recently in
>   news.admin and comp.risks that EFF hangers-on might want to look at.
>   They involve some British laws about databases.
>
>The law in question is the Data Protection Act. This was a piece of
>legislation enacted to fulfill the requirements of a European Commission
>Directive on access to and security of data - in fact all data, not merely
>that stored on computer.
>
>EC Directives state a number of requirements which member states of the EEC
>are required to enact in law. [REST DELETED]

I also understand that if a non-member state, such as the U.S.A., is doing
business within the territory of a member state, the non-member state must
comply with the Directives of the member state to an "adequate" extent.

Anyone have more info? I think the Economist recently had an article about
this aspect, but I haven't tracked it down.

-S.
--
( rutgers!cmcl2!panix!simona, uunet!jyacc!david, simona@panix.uucp )
gordon@sneaky.lonestar.org (Gordon Burditt) (05/18/91)
>In one case a site has queried the database registry office about what
>databases must be registered. (Apparently the law requires that if you
>keep a collection of information about people on a computer, you have to
>register it, and other laws allow people to look at the data)
>
>They kept asking if X should be registered and always got yes. Examples
>of X:
>    The uucp maps and alias databases for sites and users
>    Hostname databases for the internet

Does the registration for a database have to be registered, if it is
prepared on a computer? To how many levels of recursion? Or can a
registration of a database include registration of the registration?

I got in a discussion about a year ago about certain proposals to regulate
databases, complaining that these proposals (mostly anti-credit-bureau and
anti-mailing-list-vendor proposals for use in the USA) outlawed the
Personal Address Book. Nobody took the complaint seriously. It seems the
UK has implemented it.

The only way we are going to get sane laws on the subject, which balance
privacy rights against government intrusion into everything, is to write
the law in such a way that it does not in any way refer to computers. If
it's illegal to do with computers, you can't do it with paper or stone
tablets either. Computerized versions of the personal address book
shouldn't be any more illegal than the paper kind. You should be able to
use either as a mailing list for Christmas cards, but perhaps not as a
mailing list for selling insurance. Also, it has to apply to the
government as much or more so than to corporations and individuals.

What are the consequences of a registration under the UK Data Protection
Act that goes something like this:

Data collected: everything we can get our hands on, up to and including
name, address, credit information, sexual history and videotapes thereof,
telephone calling records and recordings of telephone conversations, urine
tests based on samples flushed down the toilet, anything good for
blackmail, all financial transactions, copies of all mail received and
sent, and anything else.

Distribution of data: Intergalactic, to all known adult sentient beings,
except for people who pay us NOT to send it to them, and so far nobody has
that much money.

Gordon L. Burditt
sneaky.lonestar.org!gordon