RE: IETF privacy policy - update

2010-07-08 Thread Yoav Nir

On July 08, 2010 12:42 AM joel jaeggli wrote:

> On 2010-07-07 12:53, Ole Jacobsen wrote:
>>
>> Sam,
>>
>> I view this more or less as "standard boilerplate", something you find
>> in a lot of "online places". I think it is reasonable to expect that
>> if you register for a meeting your personal info (e-mail address
>> mostly) won't be sold/used/harvested by someone for purposes other
>> than what you think you signed up for.
>
> the fact that you signed up for the meeting is publicly available so 
> that we don't sell mailing lists to spammers seems sort of irrelevant.

This is the way things are *now*. Discussion of a privacy statement may lead to 
changes, such as keeping the attendee list confidential, and destroying it on 
the Monday following the meeting.

I personally don't care if the whole world knows I've been to an IETF meeting, 
but the decision to publish the list on the website has privacy consequences. 
Without a privacy policy, it's hard to say whether that is acceptable or not.


___
Ietf mailing list
Ietf@ietf.org
https://www.ietf.org/mailman/listinfo/ietf


Re: IETF privacy policy - update

2010-07-08 Thread Arnt Gulbrandsen

On 07/07/2010 06:57 PM, Iljitsch van Beijnum wrote:

> In the meantime, BGP and HTTP, to name just two of the protocols without which 
> the internet and the web wouldn't exist, still don't have standard status.
>
> What do we want to spend our time on? Create more text that people will end up 
> reading that doesn't add anything to their life or the good of the internet, or 
> make some progress on our chartered work?


Didn't you post a message earlier today criticising IETF navel-gazing? 
And now you suggest that changing an adjective in the boilerplate on the 
first page of an RFC would be "progress"?


Arnt


Re: IETF privacy policy - update

2010-07-08 Thread Henk Uijterwaal
(Wearing no hats)

On 08/07/2010 10:59, Yoav Nir wrote:
> 
> On July 08, 2010 12:42 AM joel jaeggli wrote:
>> the fact that you signed up for the meeting is publicly available so that
>> we don't sell mailing lists to spammers seems sort of irrelevant.

The attendee list does not contain email addresses, making it a lot less
useful for spammers than a list of working email addresses.

> This is the way things are *now*. Discussion of a privacy statement may lead
> to changes, such as keeping the attendee list confidential, and destroying it
> on the Monday following the meeting.

I'm not sure what problem we are trying to solve but I don't think that it will
solve it anyway.   The documents related to the meeting (ID's, minutes,
WG pages, WG mail archives) are full with names and, in most cases, detailed
contact information such as email, phone and postal address.  Nobody seems
to have a problem with that, removing those details from the documents is
a lot of work and will make the resulting docs useless.

> I personally don't care if the whole world knows I've been to an IETF
> meeting, 

I think this should be the basic assumption.  The IETF is a public event,
you will have to walk around with a name badge and your name will be in
the meeting materials.  There is an easy solution if you don't like
this.

Henk


-- 
--
Henk Uijterwaal   Email: henk.uijterwaal(at)ripe.net
RIPE Network Coordination Centre  http://www.xs4all.nl/~henku
P.O.Box 10096  Singel 258 Phone: +31.20.5354414
1001 EB Amsterdam  1016 AB Amsterdam  Fax: +31.20.5354445
The Netherlands    The Netherlands    Mobile: +31.6.55861746
--

I confirm today what I denied yesterday.    Anonymous Politician.


Re: IETF privacy policy - update

2010-07-08 Thread Andrew Sullivan
On Thu, Jul 08, 2010 at 11:59:12AM +0300, Yoav Nir wrote:
 
> Without a privacy policy, it's hard to say whether that is
> acceptable or not.

I keep seeing arguments of this sort in the current thread, and it
seems to me to be backwards.  Surely it is not the privacy _policy_
that determines whether something is acceptable.  For instance,
imagine a website privacy policy that says, "We take your personal
information, including your credit card number, expiry date, and CCD
number, and post it on our website."  The existence of that privacy
policy would not make the actions somehow better or defensible: it
would be a bad policy.  I suppose posting somewhere that you're going
to do that would be better than just doing it without any warning, but
the action would be unacceptable regardless.

If the current no-written-policy arrangement is working, it is
presumably because people are making the right choices.  One analysis
of that is that there is an implicit policy, that it is acceptable,
and that the present effort to write down a policy is just a way of
making that implicit policy explicit.  But writing the policy down
does not in itself do anything about whether a given activity with a
given bit of PII is ok.

On the larger topic of whether a privacy policy is actually needed, I
am undecided.  On the one hand, it does seem to me to be a good idea
to have one place where the IETF states what it is going to do with
any PII.  On the other hand, I can easily imagine that such a privacy
policy could end up being used as a mechanism to justify bad ideas in
the event something comes up: it will be more work to change the
policy if it turns out to be inadequate than it will be to accept the
inadequacy.  The present arrangement means that, if a bad idea crops
up, it can be dealt with on its own (de)merits without dragging in a
meta-issue about whether the proposal is consistent with some holy
policy document.  

A

-- 
Andrew Sullivan
a...@shinkuro.com
Shinkuro, Inc.


Re: IETF privacy policy - update

2010-07-08 Thread joel jaeggli

On 2010-07-08 01:59, Yoav Nir wrote:
> I personally don't care if the whole world knows I've been to an IETF
> meeting, but the decision to publish the list on the website has
> privacy consequences. Without a privacy policy, it's hard to say
> whether that is acceptable or not.


Or you could just refer to the RFC series since the contents of the 
proceedings are described in the tao.


e.g. 4677 4.12 1718 2.13 etc.










RE: [dispatch] VIPR - proposed charter version 3

2010-07-08 Thread Richard Shockey

> 
> Paul of course I've read them, though the PVP document is uniquely
> dense and gave me a headache. Security by ID Obscurity.
> 
> My assertion still stands. In the absence of any linkage in the PVP to
> the E164 numbering authorities and or databases any assertion about
> verification and validation of a E.164 is in essence self validation. 
> The charter does NOT state that. My point is the proposed charter is badly
> written and implies a trust model that does not exist.

I guess your "no-SS7" hat doesn't fit anymore?

RS> Well I have to swap it from time to time with my NO PRI hat.  I'm still
trying to kill it off SS7 if someone will let me put metadata in ENUM
databases. :-) 

That trust model which "does not exist" is exactly the trust model
that we all use, daily, whenever we dial the pizza joint across
the street, the paint contractor with the spiffy one-page advertisement
in the yellow pages, pay FedEx or the postal service to deliver
a package, or pay a shipper to send a crate full of Champagne
from France to some other country, or call the Sears & Roebuck 
catalog number give them our credit card and expect them to use
a shipper (FedEx/postal service/UPS/DHL) to send us the product.


RS> There is a reasonable trust model in the PSTN that relies on several
factors ..first the regulatory structure that says "you will route e164
transactions by law if you are a licenced carrier" and access to the root
numbering structures and databases which in North America are the LERG and
the NPAC GTT etc. You can determine who is the responsible carrier of record
for nearly any E.164 number out there. You just have real trouble
determining who was issued that number.  

I agree that trust model is imperfect.

But that trust model is what delivers almost all of the commerce
and business in the world.  To assert that this trust model "does 
not exist" is a false assertion.

RS> You cannot authoritatively determine a binding between a phone number
and a consumer (domain) without access to the databases.


> You make a phone call if it answers and you hopefully get a caller ID that
> hasn't been spoofed then maybe you are OK and maybe you hope the TTL is set
> to some interval that doesn't cause number hijacking. But gee what
> happens when the number is disconnected from the PSTN? Hu

Similar disconnections (and resales) of telephone numbers happen,
today, on the PSTN.  I dial a restaurant (now out of business) 
which has taken over the same physical location (oh my gosh, 
Identity Thieves!) and paid to acquire the previous restaurant's
phone number.  Other, non-restaurant businesses do similar 
things.  SBC bought the assets of AT&T including its brand name, 
doing something similar with the att.com domain itself and,
I'm sure, with its 800 services.

But the routing data aka the DPC's were updated to reflect those
transactions.


So, it's not as if querying SS7 would provide some magic sauce
to prevent the problem.  The problem is different, to be sure,
just as IP addresses, domain names, physical (street) addresses,
email addresses, telephone numbers, are not all quite exactly
"the same".  But each is considered an "identity" to a varying 
degree.

> The use of the term validation and or verification here implies
> authentication and my assertion is that any authentication of the
> responsible domain for a E.164 number outside of the PSTN service provider
> or national numbering authority is not possible under the current
> regulatory circumstances.  Consequently the charter implies an 
> ability to develop a solution which we all know is impossible.

I disagree.

> Solution rewrite the charter to note that fact that this is, in fact,
> "best efforts" only, "full disclosure" or "caveat emptor" to be 
> precise.

Once I know someone owned an E.164 and I can, afterwards,
do crypto to ensure I know I'm talking to the same entity -- that
is *far* more reliable than what occurs, today, on the PSTN.  The PSTN
where phone numbers are bought and sold willy-nilly.


RS> for the 352nd time you don't own E.164 numbers. They are not property by
treaty. 


RS> Well this could go on forever.  My point is still that the charter as
written implies a service level and trust binding that is unrealistic and what
is proposed is essentially a "best efforts" service. Ok there is nothing
wrong with that. TCP?   The underlying DHT technology here has been
demonstrated to work in the past but to imply that ViPR is some way cool new
thing I'm going to rely on just because it made a successful PSTN call
with an ill-determined TTL binding  .. please. 



Re: IETF privacy policy - update

2010-07-08 Thread Marshall Eubanks


On Jul 8, 2010, at 11:15 AM, Andrew Sullivan wrote:

> On Thu, Jul 08, 2010 at 11:59:12AM +0300, Yoav Nir wrote:
>
>> Without a privacy policy, it's hard to say whether that is
>> acceptable or not.
>
> I keep seeing arguments of this sort in the current thread, and it
> seems to me to be backwards.  Surely it is not the privacy _policy_
> that determines whether something is acceptable.  For instance,
> imagine a website privacy policy that says, "We take your personal
> information, including your credit card number, expiry date, and CCD
> number, and post it on our website."  The existence of that privacy
> policy would not make the actions somehow better or defensible: it
> would be a bad policy.  I suppose posting somewhere that you're going
> to do that would be better than just doing it without any warning, but
> the action would be unacceptable regardless.
>
> If the current no-written-policy arrangement is working, it is
> presumably because people are making the right choices.  One analysis
> of that is that there is an implicit policy, that it is acceptable,
> and that the present effort to write down a policy is just a way of
> making that implicit policy explicit.  But writing the policy down
> does not in itself do anything about whether a given activity with a
> given bit of PII is ok.


I see this as a normal part of an organization growing up. Small,
young, organizations don't typically need much structure, as everyone
knows everybody, people trust each other, and everything tends to be in
people's heads. That doesn't scale. Putting implicit policies down in
writing is an attempt to make sure that the organization doesn't
change in adverse ways as it grows and matures.

Regards
Marshall




> On the larger topic of whether a privacy policy is actually needed, I
> am undecided.  On the one hand, it does seem to me to be a good idea
> to have one place where the IETF states what it is going to do with
> any PII.  On the other hand, I can easily imagine that such a privacy
> policy could end up being used as a mechanism to justify bad ideas in
> the event something comes up: it will be more work to change the
> policy if it turns out to be inadequate than it will be to accept the
> inadequacy.  The present arrangement means that, if a bad idea crops
> up, it can be dealt with on its own (de)merits without dragging in a
> meta-issue about whether the proposal is consistent with some holy
> policy document.
>
> A
>
> --
> Andrew Sullivan
> a...@shinkuro.com
> Shinkuro, Inc.


Re: IETF privacy policy - update

2010-07-08 Thread jean-michel bernier de portzamparc
I tend to agree with Andrew and Marshall.

However, from our own JEDI's (so-labelled "Jefsey's disciples") experience I
would suggest some kind of "ietf privacy netiquette". It could be equivalent
to architectural quotes like "dumb network", "end to end", "protocol on the
wire", "rough consensus", etc. It could be added to the Tao.

This way everyone would know-where he/she comes and can behave equally. This
could concern the so-called "puppets", negative privacy (ad hominem have a
perpetual impact on private reputation), disclosed/non-disclosed
affiliations, who paid for the travel tickets and attendance fees,
architectural perspective, mailing list participations, etc. I think this
could be proactive if the information is not "protected" but "personally and
optionally disclosed". There could be a database where every IETF
participant could document what he/she wants on him/herself. I am sure that
what would not be disclosed would eventually inform more than what is
disclosed and help better debates, avoiding misunderstandings, and focusing
on concepts rather than on percepts.

Portzamparc

2010/7/8 Marshall Eubanks 

>
> On Jul 8, 2010, at 11:15 AM, Andrew Sullivan wrote:
>
>  On Thu, Jul 08, 2010 at 11:59:12AM +0300, Yoav Nir wrote:
>>
>>  Without a privacy policy, it's hard to say whether that is
>>> acceptable or not.
>>>
>>
>> I keep seeing arguments of this sort in the current thread, and it
>> seems to me to be backwards.  Surely it is not the privacy _policy_
>> that determines whether something is acceptable.  For instance,
>> imagine a website privacy policy that says, "We take your personal
>> information, including your credit card number, expiry date, and CCD
>> number, and post it on our website."  The existence of that privacy
>> policy would not make the actions somehow better or defensible: it
>> would be a bad policy.  I suppose posting somewhere that you're going
>> to do that would be better than just doing it without any warning, but
>> the action would be unacceptable regardless.
>>
>> If the current no-written-policy arrangement is working, it is
>> presumably because people are making the right choices.  One analysis
>> of that is that there is an implicit policy, that it is acceptable,
>> and that the present effort to write down a policy is just a way of
>> making that implicit policy explicit.  But writing the policy down
>> does not in itself do anything about whether a given activity with a
>> given bit of PII is ok.
>>
>
> I see this as a normal part of an organization growing up. Small, young,
> organizations don't
> typically need much structure, as everyone knows everybody, people trust
> each other,
> and everything tends to be in people's heads. That doesn't scale. Putting
> implicit policies down in writing is an attempt to make sure that the
> organization doesn't
> change in adverse ways as it grows and matures.
>
> Regards
> Marshall
>
>
>
>
>> On the larger topic of whether a privacy policy is actually needed, I
>> am undecided.  On the one hand, it does seem to me to be a good idea
>> to have one place where the IETF states what it is going to do with
>> any PII.  On the other hand, I can easily imagine that such a privacy
>> policy could end up being used as a mechanism to justify bad ideas in
>> the event something comes up: it will be more work to change the
>> policy if it turns out to be inadequate than it will be to accept the
>> inadequacy.  The present arrangement means that, if a bad idea crops
>> up, it can be dealt with on its own (de)merits without dragging in a
>> meta-issue about whether the proposal is consistent with some holy
>> policy document.
>>
>> A
>>
>> --
>> Andrew Sullivan
>> a...@shinkuro.com
>> Shinkuro, Inc.


Re: IETF privacy policy - update

2010-07-08 Thread Fred Baker
+1 for a privacy policy. As to the question of this particular one, I'm going 
to profess some level of ignorance. I suggested starting from Google, Cisco, 
and/or ISOC's privacy policies and editing from there, and someone said I 
should pick a more appropriate starting point. What would be appropriate 
privacy policies to compare/contrast?

Personally, apart from references to ISOC-specific things, I thought ISOC's 
privacy policy was relatively simple and covered the major points. The draft is 
more detailed and more complete. The differences may be a matter of taste: look 
at http://www.isoc.org/help/privacy/ and ask yourself whether the provisions in 
"what do we collect" and "what do we do with it" are reflected in the draft, 
and I think you might agree that they are, with the draft being more explicit 
in different areas. But I think that the ISOC rules, when considered in an IETF 
light, are actually the same. We collect things that are standardly collected, 
but we don't share them, and we do use them to make our internal processes work 
better.

If there are others to compare/contrast, to see if we have missed a point or 
are stating for something not usually said, I'd be interested to know.

I would agree that this statement should be made by someone in I* leadership, 
either the IESG, IAOC, or perhaps IAB, and that it belongs on a web page as 
opposed to being in an RFC. 

I would suggest that a consensus be called for via a hum over VoIPv6. But the 
web page should be in flat ASCII with no graphics other than ASCII-art.


On Jul 7, 2010, at 11:00 PM, Cullen Jennings wrote:

> 
> On Jul 5, 2010, at 10:05 AM, Alissa Cooper wrote:
> 
>> A few months ago I drew up a strawman proposal for a public-facing IETF 
>> privacy policy (http://www.ietf.org/id/draft-cooper-privacy-policy-00.txt). 
>> I've submitted an update based on feedback received: 
>> http://www.ietf.org/id/draft-cooper-privacy-policy-01.txt
>> 
>> In discussing the policy with the IAOC and others, it seems clear that the 
>> RFC model is probably not the best model for maintaining and updating a 
>> document like this. It is more likely to fall within the scope of the IAOC 
>> and/or the Trust. In order for the IAOC to consider taking this on and 
>> devoting resources to figuring out what its format should be, they need to 
>> hear from the community that a public-facing privacy policy is something 
>> that the community wants. So I have two requests for those with any interest 
>> in this:
>> 
>> 1) Respond on this list if you support the idea of the IETF having a privacy 
>> policy (a simple "+1" will do).
> 
> +1 
> 
>> 
>> 2) If you have comments and suggestions about the policy itself, send them 
>> to this list.
> 
> I would be very happy if the IETF adopted the privacy policy proposed in your 
> draft.
> 
> It seems to me the work of writing an acceptable policy is 90% done and the 
> arguments that creating a privacy policy will detract from other work are 
> pretty weak. It's a volunteer organization, people vote with their feet with 
> what they want to work on. Just because Alissa spent time writing a policy 
> document does not mean that time would be directed to other things if we did 
> not want to do a privacy policy document. I don't think that having a privacy 
> policy is going to bring a bunch of new contributors to the IETF, but I can 
> imagine a case where the lack of a privacy policy caused some administrative 
> group to do something really unfortunate which resulted in some good people 
> leaving the IETF. 
> 
> A privacy policy is not something the IETF typically has a lot of people that 
> are really experienced and qualified to draft. But we are very lucky here - 
> we have multiple people that understand IETF culture and values, understand 
> internet privacy policies and laws, and are willing to write a proposal. 
> Unless this proposal is deeply flawed in some way I can't see, why wouldn't 
> we just do it.
> 
> 

http://www.ipinc.net/IPv4.GIF



Re: IETF privacy policy - update

2010-07-08 Thread Peter Saint-Andre
+1 on all counts.

Now looking forward to a debate over the ASCII art... ;-)

On 7/8/10 1:07 PM, Fred Baker wrote:
> +1 for a privacy policy. As to the question of this particular one,
> I'm going to profess some level of ignorance. I suggested starting
> from Google, Cisco, and/or ISOC's privacy policies and editing from
> there, and someone said I should pick a more appropriate starting
> point. What would be appropriate privacy policies to
> compare/contrast?
> 
> Personally, apart from references to ISOC-specific things, I thought
> ISOC's privacy policy was relatively simple and covered the major
> points. The draft is more detailed and more complete. The differences
> may be a matter of taste: look at http://www.isoc.org/help/privacy/
> and ask yourself whether the provisions in "what do we collect" and
> "what do we do with it" are reflected in the draft, and I think you
> might agree that they are, with the draft being more explicit in
> different areas. But I think that the ISOC rules, when considered in
> an IETF light, are actually the same. We collect things that are
> standardly collected, but we don't share them, and we do use them to
> make our internal processes work better.
> 
> If there are others to compare/contrast, to see if we have missed a
> point or are stating for something not usually said, I'd be
> interested to know.
> 
> I would agree that this statement should be made by someone in I*
> leadership, either the IESG, IAOC, or perhaps IAB, and that it
> belongs on a web page as opposed to being in an RFC.
> 
> I would suggest that a consensus be called for via a hum over VoIPv6.
> But the web page should be in flat ASCII with no graphics other than
> ASCII-art.



Re: IETF privacy policy - update

2010-07-08 Thread Melinda Shore
On Jul 8, 2010, at 11:05 AM, jean-michel bernier de portzamparc wrote:
> However, from our own JEDI's (so-labelled "Jefsey's disciples") experience I 
> would suggest some kind of "ietf privacy netiquette". It could be equivalent 
> to architectural quotes like "dumb network", "end to end", "protocol on the 
> wire", "rough consensus", etc. 

I'm not sure I'd want to go the good-soundbite-but-low-
compliance route.  Either writing it up and making it
explicit or dropping it completely and never again
speaking of it seem like better options and likely
to lead to fewer problems in the future.

Melinda



Re: IETF privacy policy - update

2010-07-08 Thread Fred Baker

On Jul 7, 2010, at 10:11 PM, joel jaeggli wrote:

> Do some people not come because attendance is a matter of public record?

Frankly, if people are not attending for that reason and that reason alone, I 
have some questions. I would have to assume it is the only forum in the world 
in which they expect that level of anonymity, which raises the question of 
whether it is a rational expectation. 

Walking into an ITU meeting, I have to show a passport and have a permanent 
photographic record taken. If I want to participate in RIPE's general meeting, 
I have to register, and I can expect to find myself in RIPE's attendee list. 
That is true in a wide variety of places.

- ?


Re: IETF privacy policy - update

2010-07-08 Thread Melinda Shore
On Jul 8, 2010, at 11:25 AM, Fred Baker wrote:
> Walking into an ITU meeting, I have to show a passport and have a permanent 
> photographic record taken. If I want to participate in RIPE's general 
> meeting, I have to register, and I can expect to find myself in RIPE's 
> attendee list. That is true in a wide variety of places.

I think there's actually a slightly different question in there.
Those are not open organizations.  The IETF is.  I think that 
there might be a question about what "open participation" means
and whether or not there's an expectation that participants will
identify themselves, and if so, what the expectations are around
the identity being presented.  

Melinda



Re: IETF privacy policy - update

2010-07-08 Thread joel jaeggli

On 2010-07-08 12:25, Fred Baker wrote:

> On Jul 7, 2010, at 10:11 PM, joel jaeggli wrote:
>
>> Do some people not come because attendance is a matter of public
>> record?
>
> Frankly, if people are not attending for that reason and that reason
> alone, I have some questions. I would have to assume it is the only
> forum in the world in which they expect that level of anonymity,
> which raises the question of whether it is a rational expectation.


I meant the question as a rhetorical exercise.

3979 5378 and their explication through note well are collectively 
unequivocal as to the rationale and requirement for the public record.


I've made the note well statement so many times now that I can do it in 
my sleep.



> Walking into an ITU meeting, I have to show a passport and have a
> permanent photographic record taken. If I want to participate in
> RIPE's general meeting, I have to register, and I can expect to find
> myself in RIPE's attendee list. That is true in a wide variety of
> places.
>
> - ?





Re: IETF privacy policy - update

2010-07-08 Thread Fred Baker

On Jul 8, 2010, at 12:32 PM, Melinda Shore wrote:

> On Jul 8, 2010, at 11:25 AM, Fred Baker wrote:
>> Walking into an ITU meeting, I have to show a passport and have a permanent 
>> photographic record taken. If I want to participate in RIPE's general 
>> meeting, I have to register, and I can expect to find myself in RIPE's 
>> attendee list. That is true in a wide variety of places.
> 
> I think there's actually a slightly different question in there. Those are 
> not open organizations. The IETF is.

Boy, would they dispute that. ITU has claimed that the IETF is not an open 
organization because a government cannot join it. Most membership 
organizations, RIPE, being an example, have a definition of how someone can 
become a member (members of RIPE are companies and pay a fee), and are 
considered open to that class of membership.

> I think that there might be a question about what "open participation" means 
> and whether or not there's an expectation that participants will identify 
> themselves, and if so, what the expectations are around the identity being 
> presented.  

That is of course true. I think my comment stands. If the IETF is not the only 
organization in the world in which otherwise rational people expect to pay 
money for privileges, make material contributions that might change the world, 
and might have companies off suing each other over IPR, and none-the-less 
expect to remain absolutely anonymous, it is one of a very small number.


Re: IETF privacy policy - update

2010-07-08 Thread Melinda Shore
On Jul 8, 2010, at 12:08 PM, Fred Baker wrote:
> Boy, would they dispute that. ITU has claimed that the IETF is not an open 
> organization because a government cannot join it. Most membership 
> organizations, RIPE, being an example, have a definition of how someone can 
> become a member (members of RIPE are companies and pay a fee), and are 
> considered open to that class of membership.

But the IETF isn't a membership organization - isn't that
at least in part what's meant by "open," and why at least in
part we don't have voting (in theory)?

> That is of course true. I think my comment stands. If the IETF is not the 
> only organization in the world in which otherwise rational people expect to 
> pay money for privileges, make material contributions that might change the 
> world, and might have companies off suing each other over IPR, and 
> none-the-less expect to remain absolutely anonymous, it is one of a very 
> small number.

I'm not a big fan of anonymity here, mostly because I don't 
know how consensus would work - in practice - with anonymous 
participants, as well as several of the issues you've identified.
I don't think that "nobody else does it" is a good argument,
unless what it actually means is "few companies will allow their
employees to contribute to an organization with those kinds of
policies," which is a very compelling argument.

But I don't think privacy are that tightly coupled and I wonder
what a privacy policy should say about that.

Melinda



Re: IETF privacy policy - update

2010-07-08 Thread Fred Baker

On Jul 8, 2010, at 1:18 PM, Melinda Shore wrote:

> On Jul 8, 2010, at 12:08 PM, Fred Baker wrote:
>> Boy, would they dispute that. ITU has claimed that the IETF is not an open 
>> organization because a government cannot join it. Most membership 
>> organizations, RIPE, being an example, have a definition of how someone can 
>> become a member (members of RIPE are companies and pay a fee), and are 
>> considered open to that class of membership.
> 
> But the IETF isn't a membership organization - isn't that
> at least in part what's meant by "open," and why at least in
> part we don't have voting (in theory)?

We don't have voting because we don't have members, yes. Definitions of "open" 
vary, and boil down to a statement of what kind of actor an organization is 
open to. IETF is open to individuals.



Re: IETF privacy policy - update

2010-07-08 Thread Larry Smith
On Thu July 8 2010 15:24, Fred Baker wrote:
> On Jul 8, 2010, at 1:18 PM, Melinda Shore wrote:
> > On Jul 8, 2010, at 12:08 PM, Fred Baker wrote:
> >> Boy, would they dispute that. ITU has claimed that the IETF is not an
> >> open organization because a government cannot join it. Most membership
> >> organizations, RIPE, being an example, have a definition of how someone
> >> can become a member (members of RIPE are companies and pay a fee), and
> >> are considered open to that class of membership.
> >
> > But the IETF isn't a membership organization - isn't that
> > at least in part what's meant by "open," and why at least in
> > part we don't have voting (in theory)?
>
> We don't have voting because we don't have members, yes. Definitions of
> "open" vary, and boil down to a statement of what kind of actor an
> organization is open to. IETF is open to individuals.
>

Appears to me this conversation/thread is leaning toward "open" being
used synonymous to "anonymous"

-- 
Larry Smith
lesm...@ecsis.net


Comments on

2010-07-08 Thread Bob Hinden
Alissa,

No hats on, these are my personal views.

I have now read the draft.  My overall comment is that I am not convinced if 
this is needed and am sympathetic to the views expressed on the mailing list 
that this is solving a problem the IETF doesn't have.

Comments below.

Bob


General comments:

If the IETF is to have a privacy policy, I would prefer it to be much simpler 
and of the form where it first starts with a general statement that the IETF 
does its work in public and almost all information supplied to the 
IETF is made public and will be available on the IETF (and other related) web 
sites.  I would then list the exceptions.  For example, credit card information 
for meeting registration and social tickets, and information for "letters of 
invitation".   Note: As I read the draft, there is very little that actually 
falls into the private category.  This leads me to wonder about the scope of 
the problem this draft is solving.

The IETF goes to great length to tell people about how we do our work and what 
is considered a public contribution, via the Note Well.  I would be surprised 
if anyone thought otherwise.  Doing our work in public is essential to how the 
IETF works.

Detailed Comments:

I have issues with the Introduction.  The first sentence says: 

   In keeping with the goals and objectives of this standards body, the
   IETF is committed to the highest degree of respect for the privacy of
   IETF participants and site visitors.

This makes it sound like the highest priority of the IETF is Privacy.  I don't 
think this is true as I described above.  The vast majority of what the IETF 
does is in Public.  There is very little that is Private.  The IETF is careful 
about what needs to be kept private and does not disclose it.

The Introduction says:

   This policy explains how the IETF applies the Fair
   Information Practices -- a widely accepted set of privacy principles
   [1] -- to the data we obtain.

I don't know if it is appropriate that the IETF apply these practices.  Or if 
there are other practices that would be more appropriate.  The IETF is 
different from other organizations in that much of our data is public and not 
private.

The rest of the Introduction appears to be a summary of the first reference:

   [1]  Organization for Economic Cooperation and Development, "OECD
        Guidelines on the Protection of Privacy and Transborder Flows of
        Personal Data",
        http://www.oecd.org/document/18/0,3343,en_2649_34255_1815186_1_1_1_1,00.html,
        1980.

I don't know anything about this web page, who produced it, how stable it is, 
etc, etc.  It is fairly long, around 21 pages.  I don't know if this is 
appropriate for the IETF.  I think it would be better to not include this 
information as it is hard to judge how appropriate it is.  Also, some of the 
practices seem to be at odds with normal IETF practices.  For example, it 
implies that individuals have complete control of the data the IETF makes 
public.  This isn't true in most cases.

Section 2 and 3

A lot of these sections is a summary of what is defined in other places (References 
2, 3, 4, 5, 7, 8).  Other parts of the text are fairly generic, such as the 
information that a web server can learn about a web client.  Nothing very 
IETF specific here.  I don't see very much value in repeating this.

Section 4

The first paragraph:

   The IETF does not sell, rent, or exchange any information that we
   collect about our participants or site visitors.  However, we will
   disclose information under the following circumstances:

The first two "sell & rent" are true, but the "exchange" is not true as you 
state later in the section.  Much of the data we collect is exchanged.  

Section 5

I am not really qualified to comment on the specifics here, such as how long 
credit card or letter of invitation information needs to be retained.  I would 
have thought that all financial data needs to be kept for some number of years. 
 

This describes our current operational practices regarding log files.  
Including specific times for retention will make it hard to change this in the 
future.  Also, if log files are going to be covered, what happens to the 
backups?  Are we required to scrub the backups?  This would be difficult and 
expensive.  What about backups of credit card information?


Section 10

In the acknowledgment section you cite the IAOC.  The IAOC has not done any 
formal review of this draft.  It is better if you cite the people in the IAOC 
you have discussed this with and not list the IAOC.

Now that I have written this, you can cite me if you choose :-)


Section 11

I think most of the references are Normative, not Informative.  That is, this 
draft depends on these documents.








Re: IETF privacy policy - update

2010-07-08 Thread David Morris


On Thu, 8 Jul 2010, Larry Smith wrote:

> Appears to me this conversation/thread is leaning toward "open" being
> used synonymous to "anonymous"

Not to me ... open means any can participate ... doesn't mean
that other participants can't know who they are.

People come with experience and resumes which document that
experience. If I don't know who is speaking, their credibility
(to me) is limited.


Re: IETF privacy policy - update

2010-07-08 Thread Randy Bush
> I would have to assume it is the only forum in the world in which they
> expect that level of anonymity

aside from payment possibly uncloaking you, i am not aware of an ops
meeting that checks id or even considers the issue interesting.

randy


Re: WG Review: Call Control UUI for SIP (cuss)

2010-07-08 Thread Cullen Jennings

On Jul 3, 2010, at 7:33 AM, Alan Johnston wrote:

> Many of us have worked hard on this approach over many years, and you have 
> been involved in this at every step of the way, in both SIPPING and DISPATCH. 
>  For you to just try to block even the formation of a working group to 
> address this at this eleventh hour is just not right.


For better or worse, the ADs' voices do strongly impact others' thinking on the 
many subjects at IETF. As an individual contributor, my review in IETF LC is 
pretty much my current thoughts on it. However, if I had sent that same review 
when I was an AD this charter would have been very unlikely to get a fair shake 
at moving forward so I just would not have sent that email while I was AD. The 
ADs often can't express their own opinions because and instead have to just try 
and measure community consensus and go with that even if it does not match what 
they think is best. Really this is the first chance I've had to express an 
opinion on this where I was not one of the RAI ADs.

The discussion that has happened since my initial review has made me wish I 
had said a bit more about SIP-T in my first email. I'm not really proposing 
that someone should have to implement all of ISUP processing and SIP-T just to 
pass around the UUI field but from a thought experiment point of view, this 
does not sound like it is going to provide anything that we would not get if we 
did implement SIP-T to pass this data. It seems this will have all the 
limitations of SIP-T combined with the interoperability limitations of UUI in 
ISDN. I want to be clear, I'm not trying to stop us from doing some work that 
helps support use cases such as the one Laura sent to the list. I just don't 
see this charter as leading to any improvement in interoperability. If we agree 
that in theory we could more or less do this with SIP-T though that is not a 
practical path from an implementation point of view, then I can see a path of 
some middle ground. If we don't agree on that then we probably need to think 
about what we need to add to the charter regardless of if I agree with or not 
that highlights the additional part of this problem that makes it so SIP-T 
can't solve it.

The other thing that has happened in this discussion is that I was assuming 
that the proponents of this felt that proxies needed to modify the data. From 
the email that came out it became clear that not everyone believed that. If 
there was consensus on changing this such that UUI information is not meant for 
proxies, then I can start to see ways to rewrite the charter to have it reflect 
what I think people want to do. If the consensus is proxies need to look at 
this, I have a hard time seeing how it is not involved in call control. 



Re: IETF privacy policy - update

2010-07-08 Thread Martin Rex
jean-michel bernier de portzamparc wrote:
> 
> However, from our own JEDI's (so-labelled "Jefsey's disciples") experience I
> would suggest some kind of "ietf privacy netiquette". It could be equivalent
> to architectural quotes like "dumb network", "end to end", "protocol on the
> wire", "rough consensus", etc. It could be added to the Tao.

+1

The IETF used to be an organization running on respect for the
guidance provided by their leaders.

Policies and their enforcement are means of control for rulers/government
in the absence of respect.


A written down privacy policy does not define what is acceptable,
it can only define what is compliant (with that policy).

"Acceptable" means different things to different people.

Someone suggested we could start with the privacy policy from
Google and work from there, but forgot the Sarcasm tags.

On my scale, Google is a serious and probably the largest privacy
offender world-wide.  example: "Google Street View"


I'm also a little confused about seeing a solution
(a privacy policy draft) being proposed before there is consent
on what exactly is the problem that should be solved and whether
it is really worth solving.

I might have missed it, but all I remember about the problem
being stated was "we don't have such a document, but almost everybody
else has one".

But for solving the "lack of paper" problem, a document with a neat title
"IETF Privacy Policy", and a crisp content "We care."
might be equally sufficient.


-Martin


Weekly posting summary for ietf@ietf.org

2010-07-08 Thread Thomas Narten
Total of 138 messages in the last 7 days.
 
script run at: Fri Jul  9 00:53:03 EDT 2010
 


Re: IETF privacy policy - update

2010-07-08 Thread GTW
my experience suggests that IETF WG mailing lists and participation lists in 
meetings will be used as evidence in litigation related to whether an 
individual or the organization which sponsored that individual met the 
obligation of the relevant IETF patent policy now 
http://www.ietf.org/rfc/rfc3979.txt


my concept of an SDO that is not "open" is one that limits membership and 
disallows membership for some party with a potential material interest to 
benefit the interests of the existing members.


What is the specific reference that ITU has made w/r to IETF not being open? 
I would like to see it.


Best Regards,

George T. Willingmyre, P.E.
President, GTW Associates
1012 Parrs Ridge Drive
Spencerville, MD 20868 USA
1.301.421.4138
- Original Message - 
From: "Fred Baker" 

To: "Melinda Shore" 
Cc: "Sam Hartman" ; "Paul Hoffman" 
; "IETF-Discussion list" 

Sent: Thursday, July 08, 2010 4:24 PM
Subject: Re: IETF privacy policy - update




On Jul 8, 2010, at 1:18 PM, Melinda Shore wrote:


On Jul 8, 2010, at 12:08 PM, Fred Baker wrote:
Boy, would they dispute that. ITU has claimed that the IETF is not an 
open organization because a government cannot join it. Most membership 
organizations, RIPE, being an example, have a definition of how someone 
can become a member (members of RIPE are companies and pay a fee), and 
are considered open to that class of membership.


But the IETF isn't a membership organization - isn't that
at least in part what's meant by "open," and why at least in
part we don't have voting (in theory)?


We don't have voting because we don't have members, yes. Definitions of 
"open" vary, and boil down to a statement of what kind of actor an 
organization is open to. IETF is open to individuals.




Re: IETF privacy policy - update

2010-07-08 Thread Henk Uijterwaal
On 08/07/2010 22:24, Fred Baker wrote:
> 
> On Jul 8, 2010, at 1:18 PM, Melinda Shore wrote:
> 
>> On Jul 8, 2010, at 12:08 PM, Fred Baker wrote:
>>> Boy, would they dispute that. ITU has claimed that the IETF is not an
>>> open organization because a government cannot join it. Most membership
>>> organizations, RIPE, being an example, have a definition of how someone
>>> can become a member (members of RIPE are companies and pay a fee), and
>>> are considered open to that class of membership.

Wait...  There are two organizations: RIPE and RIPE NCC.

RIPE is an open group of people interested in IP based networks in Europe
and surrounding areas.   There is no formal membership, work is done by
volunteers, anybody who is interested can join the mailing lists and
participate, anybody who pays the meeting fee can attend the meeting and
participate there.  From an organizational point of view, it is pretty
similar to the IETF.

RIPE NCC is an organization established to do whatever ISPs and other
network providers have to organize as a group, even though they are
competitors, on a professional basis.  It is a membership organization
open to everybody who meets the criteria (which is essential: run a
network).  The RIPE NCC has an annual meeting, where the members decide
on what activities will be carried out in the next year.  This meeting
is open to members only, which makes a lot of sense as the members also
write the checks to cover the costs.

And to answer the original question: yes, if you register for the RIPE
or RIPE NCC meetings, your name will appear on the public attendees list.

Henk

-- 
--
Henk Uijterwaal                        Email: henk.uijterwaal(at)ripe.net
RIPE Network Coordination Centre       http://www.xs4all.nl/~henku
P.O.Box 10096      Singel 258          Phone: +31.20.5354414
1001 EB Amsterdam  1016 AB Amsterdam   Fax: +31.20.5354445
The Netherlands    The Netherlands     Mobile: +31.6.55861746
--

I confirm today what I denied yesterday.            Anonymous Politician.