Hannes Tschofenig wrote: > > Yes, I understand what the document is trying to say. The insight > that the presence of NAT also requires you to log the port number > is certainly not a new insight. > > My worry with the document is that if you have to give someone who > deploys services such trivial information (as it is done with the > draft) then it is quite likely that they also need to be told > something about privacy. As the discussion around Web tracking > shows there is little understanding of meet the privacy > expectations of regulators. What this document describes will often be illegal in Germany, and you risk a fine up to 300000 Euro for doing it on an "Internet-Facing server". 3.5 years ago there was an illegal data privacy violation of a technically different kind that made the german news: http://content.stuttgarter-zeitung.de/stz/page/1629475_0_9223_-reinigungsrechnung-an-kundin-volksbank-macht-rueckzieher.html It was about some smelly mess (allegedly dog shit) on the floor near a bank's ATM, and the bank examined their video surveillance tapes to find who caused the mess and found out that it was from a 3 year old girl whose mother had withdrawn money at the ATM (and they got the mother's name from the ATMs log). They sent this mother a cleaning bill of 50 Euros. Besides the fact that childs below the age of 7 can not be legally held responsible for their actions in Germany--and their parents (or whoever was in charge of supervision) can only be held responsible in case of gross negligence, it was a violation of german privacy laws for the bank to examine the video and ATM logs to determine the mother's name. And although the bank back-pedaled the day _after_ this story made the news, their privacy violation resulted in a formal investigation by the public authorities against the bank. -Martin _______________________________________________ Ietf mailing list Ietf@xxxxxxxx https://www.ietf.org/mailman/listinfo/ietf