RE: IETF privacy policy - update
> > I think it is very likely (if not certain) that right now the IETF is operating in violation of the European Union's Data Protection Directive,
>
> nope, never while they're in the U.S. National data protection laws do not apply for someone operating entirely in a different country.

I have no idea to what extent the EU directive applies. But I would have thought it would be tricky to argue that the IETF is operating entirely in the US when it's about to meet and collect data in Maastricht.

___ Ietf mailing list Ietf@ietf.org https://www.ietf.org/mailman/listinfo/ietf
Re: IETF privacy policy - update
Hi Stephan,

On Jul 6, 2010, at 3:53 PM, Stephan Wenger wrote:

> Hi, I think this is an excellent straw man for an IETF privacy policy. I have, however, two issues with its adoption that make me question the wisdom of an unqualified +1.

Thanks.

> First, I'm not quite sure whether the IETF should adopt such a document without providing clear guidelines to its I* people, the secretariat, or WG chairs. In the absence of such guidelines, those people could be seen as responsible for upholding the policy without knowing the practical how-to, which may create a certain personal liability on their side, which they may not have signed up for. I believe that the pool of people on the hook for this implementation is too big, too unstructured, and perhaps not sufficiently trained (especially when it comes to the fine details) in the implementation of the policy. In other words, my fear is that we may promise something to the outside world of which the people responsible are not certain how exactly it needs to be delivered--which puts them into an unenviable position.

Point taken. The document currently lacks clarity about who is actually doing the data handling. I think the process of sorting that out will be highly instructive. Getting a general understanding of who is responsible for what will be the first step towards being able to give those people guidance about data handling.

> Second, I fear that the draft policy (-01 draft) occasionally provides the impression of a certain safety of private data, where no such safety exists. For example, equipment that stores log files is moved frequently into areas where US law does not apply. I would assume (without knowing for certain) that the machines dealing with on-site information do keep some sensitive information on their local hard drives--which are outside the US for many of our meetings.

The jurisdiction of stored data is definitely one point that needs to be better documented, I agree.

> And so on.

If you have specific ideas of other spots where the document over-promises, a list would be appreciated. I can take further clarifications back to the secretariat or whoever the responsible party is.

Thanks,
Alissa

> The second point may be easily addressable by adding sufficiently broad disclaimers to the policy, and/or by documenting the corner cases mentioned (I would not be surprised if there were many more of those). The first point would require a guidelines document for the mentioned officials, and I think that the development of such a document needs to go hand-in-hand with the development of the policy itself. Alternatively, the first point could be addressed by phrasing the policy as a statement of intent, rather than a bill of rights. Of course, its value goes way down when doing so.
>
> I personally couldn't care less how and where a privacy policy and its accompanying guideline docs are being developed. However, I do have an observation to make with respect to the form of the document. Even single-national organizations (like my bank, or my insurers) do change their privacy policy quite often--several times per decade. They have to in order to comply with the development of the local law. I do not see that the IETF would not have to do the same, once we have a first policy in place. And that does not count the implications of, in practice, being an international organization doing business in places such as the US and China--just to give two examples with fundamentally different privacy law and practice--and our lack of experience and shortness of legal resources in creating one. All that would speak for an easily updateable format, and RFCs are not known to fall into that category. We will have a buggy document at the beginning, and we need ways to fix it, quickly.
>
> Regards,
> Stephan
>
> On 7.5.2010 09:05, Alissa Cooper acoo...@cdt.org wrote:
>
> > A few months ago I drew up a strawman proposal for a public-facing IETF privacy policy (http://www.ietf.org/id/draft-cooper-privacy-policy-00.txt). I've submitted an update based on feedback received: http://www.ietf.org/id/draft-cooper-privacy-policy-01.txt
> >
> > In discussing the policy with the IAOC and others, it seems clear that the RFC model is probably not the best model for maintaining and updating a document like this. It is more likely to fall within the scope of the IAOC and/or the Trust. In order for the IAOC to consider taking this on and devoting resources to figuring out what its format should be, they need to hear from the community that a public-facing privacy policy is something that the community wants. So I have two requests for those with any interest in this:
> >
> > 1) Respond on this list if you support the idea of the IETF having a privacy policy (a simple +1 will do).
> > 2) If you have comments and suggestions about the policy itself, send them to this list.
> >
> > Thanks,
> > Alissa
Re: IETF privacy policy - update
At 3:36 PM +0100 7/15/10, Alissa Cooper wrote:

> If you have specific ideas of other spots where the document over-promises, a list would be appreciated. I can take further clarifications back to the secretariat or whoever the responsible party is.

For me, the biggest over-promise is that someone reading the document might think that there is some remedy if the I* fails to live up to it. The line between principles and promises in your document is quite unclear.

Very specifically: I don't want the IETF to adopt your document if it opens up an avenue by which an aggrieved participant (which, in the IETF, is anyone who knows how to subscribe to a mailing list, even this one) can cause damage to the IETF if the IETF doesn't meet the promise in that person's eyes. If you feel that it is valuable to list privacy principles for an organization like the IETF, great. If you want the IETF to promise something that would cost us money or, possibly worse, much lost time from the I*, please don't move this forwards.

There are already many reasons why some people don't participate in the IETF. For some, the IETF is too informal for their comfort; those folks gravitate towards other SDOs who have more formal membership and rules. For some, the inability to rant freely on mailing lists without being barred is too high a bar. For some, If we lose a few people (and it does seem like a very few) for lack of a privacy policy that could be enforced by civil law or threat of civil lawsuits, that may be an acceptable risk.

--Paul Hoffman, Director
--VPN Consortium
Re: IETF privacy policy - update
> At 3:36 PM +0100 7/15/10, Alissa Cooper wrote:
>
> > If you have specific ideas of other spots where the document over-promises, a list would be appreciated. I can take further clarifications back to the secretariat or whoever the responsible party is.
>
> For me, the biggest over-promise is that someone reading the document might think that there is some remedy if the I* fails to live up to it.

There is and it's litigation. Also not having the policy also causes the same liability and there is significant precedent to prove this... So it doesn't matter from a liability standard whether the IETF puts this in place or not, the IETF is liable already. The best part is the intentional destruction of evidence of anything is very very expensive these days and the IETF needs to 'get' that the people in this WG have no real interest in making the IETF legally functional - they have the interest in providing as much smoke and mirrors as it takes to say we have a policy so go away...

http://www.google.com/search?q=spoliation+sanctionssourceid=ie7rls=com.microsoft:en-us:IE-SearchBoxie=oe=

and the above search should give you what you need to see this is true...

Todd Glassey

> The line between principles and promises in your document is quite unclear.
>
> Very specifically: I don't want the IETF to adopt your document if it opens up an avenue by which an aggrieved participant (which, in the IETF, is anyone who knows how to subscribe to a mailing list, even this one) can cause damage to the IETF if the IETF doesn't meet the promise in that person's eyes. If you feel that it is valuable to list privacy principles for an organization like the IETF, great. If you want the IETF to promise something that would cost us money or, possibly worse, much lost time from the I*, please don't move this forwards.
>
> There are already many reasons why some people don't participate in the IETF. For some, the IETF is too informal for their comfort; those folks gravitate towards other SDOs who have more formal membership and rules. For some, the inability to rant freely on mailing lists without being barred is too high a bar. For some, If we lose a few people (and it does seem like a very few) for lack of a privacy policy that could be enforced by civil law or threat of civil lawsuits, that may be an acceptable risk.
>
> --Paul Hoffman, Director
> --VPN Consortium
Re: IETF privacy policy - update
Paul,

You appear to be concerned about exposing the IETF to risk by the adoption of a privacy policy (but apologies if I am misunderstanding the concern you expressed). The absence of a privacy policy, however, actually increases risk to the IETF in at least three ways:

1. As a general matter, many organizations that interact with lots of people (especially collecting financial information from them) use a broad range of written policies to reduce risk, by plainly stating a position on an issue so that employees have clear guidance about how to act or respond in a given situation. Policies could be particularly useful (for example) during a busy crush of new in-person registrations for an IETF meeting, when there are lots of interactions with personal data but senior management may not be immediately available in-person to give guidance if an unusual situation arises. Having written policies in that kind of situation reduces risk.

2. We have many examples of leading banks, stores, and others mishandling credit card and other records, so unless the IETF has come up with some secret security sauce to eliminate all possibility of a human or technical screwup with personal info, there is clear risk that the IETF could mishandle data and be at the wrong end of a litigation. The IETF would likely face liability risk with or without a privacy policy, but the fact that it could not even be bothered to have such a policy would certainly be used by the plaintiffs to argue for an increase in the damages that the IETF might have to pay. Having a written privacy policy would avoid this particular risk, and might even reduce the risk of a screwup in the first place.

3. And, although my legal expertise is limited to U.S. law, I think it is very likely (if not certain) that right now the IETF is operating in violation of the European Union's Data Protection Directive, which requires that any entity that collects personal information must provide clear prior notice to affected individuals about the data collection. The EU is particularly sensitive when European citizens' data is collected by U.S. entities, which happens all of the time when European citizens register with the IETF's California-based administrative secretariat. (There is similar risk with regard to the California Online Privacy Protection Act, which specifically requires the posting of a privacy policy by entities that collect personal information online from California citizens - there is a good chance the law would not apply to the IETF, but there is some risk that it would.) Having a privacy policy would help the IETF comply with European law, which would reduce risk (and the uncertainty about the California law would be avoided).

So if one's goal is to reduce risk to the IETF so the IETF is not harmed by legal liability, I think there are very strong arguments to have a privacy policy. Indeed, the legal-risk-related arguments in favor of having a privacy policy are so strong that I believe the powers-that-be should move to promulgate such a policy even if there is not consensus in the broader IETF community (just like, I assume, the powers-that-be have purchased a range of standard business insurance policies without ever having consulted the IETF community). The draft of a proposed privacy policy was submitted as an I-D and circulated to the ietf@ietf.org mailing list simply because that was suggested to be the most appropriate way for individual members of the IETF community to raise this issue. A decision to adopt a privacy policy is not one, IMO, that should rise or fall on a community hum (although in the end, I think there have been more +1s than -1s put forward on this list).

John

On Jul 15, 2010, at 4:26 PM, Paul Hoffman wrote:

> At 3:36 PM +0100 7/15/10, Alissa Cooper wrote:
>
> > If you have specific ideas of other spots where the document over-promises, a list would be appreciated. I can take further clarifications back to the secretariat or whoever the responsible party is.
>
> For me, the biggest over-promise is that someone reading the document might think that there is some remedy if the I* fails to live up to it. The line between principles and promises in your document is quite unclear.
>
> Very specifically: I don't want the IETF to adopt your document if it opens up an avenue by which an aggrieved participant (which, in the IETF, is anyone who knows how to subscribe to a mailing list, even this one) can cause damage to the IETF if the IETF doesn't meet the promise in that person's eyes. If you feel that it is valuable to list privacy principles for an organization like the IETF, great. If you want the IETF to promise something that would cost us money or, possibly worse, much lost time from the I*, please don't move this forwards.
>
> There are already many reasons why some people don't participate in
Re: IETF privacy policy - update
I'm not really keen on getting involved in this discussion any more than I have been, but I can't help noting one thing:

On Thu, Jul 15, 2010 at 11:50:58PM +0100, John Morris wrote:

> 2. We have many examples of leading banks, stores, and others mishandling credit card and other records, so unless the IETF has come up with some secret security sauce to eliminate all possibility of a human or technical screwup with personal info, there is clear risk that the IETF could mishandle data and be at the wrong end of a litigation.

Given that practically every such leading bank and store and so on had a rich, long, detailed, hard to read privacy policy, I fail completely to see how the having of a policy provides any value at all to the IETF in such cases. In the case of companies and so on, it has a value, because firing people for violating the policy is the sort of consequence that employers can use. But the IETF isn't like that. It isn't even a legal entity. So it doesn't have anyone to fire, &c.

As I've said before, I can see arguments in both directions on this topic. But I don't think it does us any good to keep saying, "Everyone else has one." Everyone else is also incorporated.

A

--
Andrew Sullivan a...@shinkuro.com
Shinkuro, Inc.
Re: IETF privacy policy - update
John Morris wrote:

> 1. As a general matter, many organizations that interact with lots of people (especially collecting financial information from them) use a broad range of written policies to reduce risk, by plainly stating a position on an issue so that employees have clear guidance about how to act or respond in a given situation.

I think you misrepresent the purpose of these policies. The issues are

1. a blame-shifting tool for PR if something goes wrong,
2. limit liabilities by disclaiming as much as legally possible,
3. have yet another means to fire an employee/clerk.

How often have you seen it happen that an employee or clerk (or federal agent for that matter) pulls out a big binder of policies when faced with a new situation and studies them carefully while you (and others) wait patiently?

> 2. We have many examples of leading banks, stores, and others mishandling credit card and other records

Yeah -- and that happens although all of these have big binders full of policies.

> so unless the IETF has come up with some secret security sauce to eliminate all possibility of a human or technical screwup with personal info, there is clear risk that the IETF could mishandle data and be at the wrong end of a litigation. The IETF would likely face liability risk with or without a privacy policy, but the fact that it could not even be bothered to have such a policy would certainly be used by the plaintiffs to argue for an increase in the damages that the IETF might have to pay. Having a written privacy policy would avoid this particular risk, and might even reduce the risk of a screwup in the first place.

This is ridiculous. I have not seen a single privacy policy that is in the interest of the data subject. They're all in the interest of the data collector for 1+2+3 above.

> 3. And, although my legal expertise is limited to U.S. law

it shows.

> I think it is very likely (if not certain) that right now the IETF is operating in violation of the European Union's Data Protection Directive,

nope, never while they're in the U.S. National data protection laws do not apply for someone operating entirely in a different country.

> which requires that any entity that collects personal information must provide clear prior notice to affected individuals about the data collection.

While this is true in principle, there are some exemptions in that law. You can collect data that you need for billing an order placed by a data subject for the purpose of billing and for as long as you legally need it _without_ having to get a consent agreement from the data subject.

btw. the EU data protection directive is a framework for which each national EU legislator has to create a national law.

> The EU is particularly sensitive when European citizens' data is collected by U.S. entities, which happens all of the time when European citizens register with the IETF's California-based administrative secretariat.

The EU is particularly sensitive about passing on data that was collected _within_ the EU, potentially with a clear usage restriction, outside of the EU jurisdiction without consent of the data subject and without control whether the permitted usage is not exceeded and whether the data subjects can still exert their personal rights to that data granted by the EU data protection laws.

> So if one's goal is to reduce risk to the IETF so the IETF is not harmed by legal liability, I think there are very strong arguments to have a privacy policy. Indeed, the legal-risk-related arguments in favor of having a privacy policy are so strong that I believe the powers-that-be should move to promulgate such a policy even if there is not consensus in the broader IETF community

The world is going to end! News at 11:00

-Martin
Re: IETF privacy policy - update
On Jul 16, 2010, at 12:59 AM, Martin Rex wrote:

> > is very likely (if not certain) that right now the IETF is operating in violation of the European Union's Data Protection Directive,
>
> nope, never while they're in the U.S. National data protection laws do not apply for someone operating entirely in a different country.

Without trying to respond to your scattershot of assertions and attacks, I'll just ask: Where is the IETF meeting in 10 days? And citizens of what continent are most likely to be walk-in registrants? And you think that the IETF is not subject to the laws in Europe? Good luck with that
Re: IETF privacy policy - update
my experience suggests that IETF WG mailing lists and participation lists in meetings will be used as evidence in litigation related to whether an individual or the organization which sponsored that individual met the obligation of the relevant IETF patent policy now http://www.ietf.org/rfc/rfc3979.txt

my concept of an SDO that is not open is one that limits membership and disallows membership for some party with a potential material interest to benefit the interests of the existing members. What is the specific reference that ITU has made w/r to IETF not being open? I would like to see it.

Best Regards,
George T. Willingmyre, P.E.
President, GTW Associates
1012 Parrs Ridge Drive
Spencerville, MD 20868 USA
1.301.421.4138

- Original Message -
From: Fred Baker f...@cisco.com
To: Melinda Shore sh...@arsc.edu
Cc: Sam Hartman hartmans-i...@mit.edu; Paul Hoffman paul.hoff...@vpnc.org; IETF-Discussion list ietf@ietf.org
Sent: Thursday, July 08, 2010 4:24 PM
Subject: Re: IETF privacy policy - update

> On Jul 8, 2010, at 1:18 PM, Melinda Shore wrote:
>
> > On Jul 8, 2010, at 12:08 PM, Fred Baker wrote:
> >
> > > Boy, would they dispute that. ITU has claimed that the IETF is not an open organization because a government cannot join it. Most membership organizations, RIPE, being an example, have a definition of how someone can become a member (members of RIPE are companies and pay a fee), and are considered open to that class of membership.
> >
> > But the IETF isn't a membership organization - isn't that at least in part what's meant by open, and why at least in part we don't have voting (in theory)?
>
> We don't have voting because we don't have members, yes. Definitions of open vary, and boil down to a statement of what kind of actor an organization is open to. IETF is open to individuals.
Re: IETF privacy policy - update
On 08/07/2010 22:24, Fred Baker wrote:

> On Jul 8, 2010, at 1:18 PM, Melinda Shore wrote:
>
> > On Jul 8, 2010, at 12:08 PM, Fred Baker wrote:
> >
> > > Boy, would they dispute that. ITU has claimed that the IETF is not an open organization because a government cannot join it. Most membership organizations, RIPE, being an example, have a definition of how someone can become a member (members of RIPE are companies and pay a fee), and are considered open to that class of membership.

Wait... There are two organizations: RIPE and RIPE NCC.

RIPE is an open group of people interested in IP based networks in Europe and surrounding areas. There is no formal membership, work is done by volunteers, anybody who is interested can join the mailing lists and participate, anybody who pays the meeting fee can attend the meeting and participate there. From an organizational point of view, it is pretty similar to the IETF.

RIPE NCC is an organization established to do whatever ISP's and other network providers have to organize as a group, even though they are competitors, on a professional basis. It is a membership organization open to everybody who meets the criteria (which is essential: run a network). The RIPE NCC has an annual meeting, where the members decide on what activities will be carried out in the next year. This meeting is open to members only, which makes a lot of sense as the members also write the checks to cover the costs.

And to answer the original question: yes, if you register for the RIPE or RIPE NCC meetings, your name will appear on the public attendees list.

Henk

--
Henk Uijterwaal                           Email: henk.uijterwaal(at)ripe.net
RIPE Network Coordination Centre          http://www.xs4all.nl/~henku
P.O.Box 10096          Singel 258         Phone: +31.20.5354414
1001 EB Amsterdam      1016 AB Amsterdam  Fax: +31.20.5354445
The Netherlands        The Netherlands    Mobile: +31.6.55861746

I confirm today what I denied yesterday. Anonymous Politician.
Re: IETF privacy policy - update
On 9 jul 2010, at 08.06, Henk Uijterwaal wrote:

> On 08/07/2010 22:24, Fred Baker wrote:
>
> > On Jul 8, 2010, at 1:18 PM, Melinda Shore wrote:
> >
> > > On Jul 8, 2010, at 12:08 PM, Fred Baker wrote:
> > >
> > > > Boy, would they dispute that. ITU has claimed that the IETF is not an open organization because a government cannot join it. Most membership organizations, RIPE, being an example, have a definition of how someone can become a member (members of RIPE are companies and pay a fee), and are considered open to that class of membership.
>
> Wait... There are two organizations: RIPE and RIPE NCC.
>
> RIPE is an open group of people interested in IP based networks in Europe and surrounding areas. There is no formal membership, work is done by volunteers, anybody who is interested can join the mailing lists and participate, anybody who pays the meeting fee can attend the meeting and participate there. From an organizational point of view, it is pretty similar to the IETF.
>
> RIPE NCC is an organization established to do whatever ISP's and other network providers have to organize as a group, even though they are competitors, on a professional basis. It is a membership organization open to everybody who meets the criteria (which is essential: run a network). The RIPE NCC has an annual meeting, where the members decide on what activities will be carried out in the next year. This meeting is open to members only, which makes a lot of sense as the members also write the checks to cover the costs.
>
> And to answer the original question: yes, if you register for the RIPE or RIPE NCC meetings, your name will appear on the public attendees list.

Thanks Henk. Let me just add that the policies and rules RIPE NCC follow are developed in the open RIPE process.

Patrik
Re: IETF privacy policy - update
On Jul 8, 2010, at 11:06 PM, Henk Uijterwaal wrote:

> RIPE is an open group of people interested in IP based networks in Europe and surrounding areas. There is no formal membership, work is done by volunteers, anybody who is interested can join the mailing lists and participate, anybody who pays the meeting fee can attend the meeting and participate there. From an organizational point of view, it is pretty similar to the IETF.

This is getting fairly far afield of the topic, but let me explain where I'm coming from. I did a google search for privacy statements, and came to http://labs.ripe.net/node/49. Poking around, I found http://www.ripe.net/membership/gm/gm-may2010/evoting-announcement.html, which is about RIPE NCC membership, attendees, and voting. I also found another statement that said it was from RIPE (as opposed to the RIPE NCC) and listed members, voting, and attendees, but now I'm not dredging that up.

To bring matters back to the topic, the discussion was on Alissa's draft, and I was looking for comparable privacy statements to compare. My question was: is this a reasonable statement? Are there things it could have said more simply? Are there things it left out? Are there things it should not have included?
Re: IETF privacy policy - update
On Fri, Jul 9, 2010 at 6:45 PM, Fred Baker f...@cisco.com wrote:

> To bring matters back to the topic, the discussion was on Alissa's draft, and I was looking for comparable privacy statements to compare. My question was: is this a reasonable statement? Are there things it could have said more simply? Are there things it left out? Are there things it should not have included?

Would a pointer to the W3C's help? It is actually a collection, found here: http://www.w3.org/Consortium/Legal/privacy-statement-2612

regards,
Ted Hardie
Re: IETF privacy policy - update
A few more privacy policies for comparison:

ISO -- http://www.iso.org/iso/support/privacy_policy.htm
IEEE -- http://www.ieee.org/security_privacy.html?WT.mc_id=hpf_priv

Note that IEEE uses a layered notice to some extent, which is fairly popular among privacy policy authors these days -- a layered policy shows the essential information on one page or at the top of the page and includes links to other pages or sections with further information. That could certainly be an option for the IETF. IEEE also includes a section on law enforcement requests for data.

In my strawman, I was aiming to be as comprehensive as possible on the theory that it would be easier to take things out than to dig them up and add them later. I used a few models (most obviously CDT's policy -- http://cdt.org/content/privacy-policy) and cribbed some language directly from the ISOC policy.

Alissa

On Jul 9, 2010, at 10:45 AM, Fred Baker wrote:

> On Jul 8, 2010, at 11:06 PM, Henk Uijterwaal wrote:
>
> > RIPE is an open group of people interested in IP based networks in Europe and surrounding areas. There is no formal membership, work is done by volunteers, anybody who is interested can join the mailing lists and participate, anybody who pays the meeting fee can attend the meeting and participate there. From an organizational point of view, it is pretty similar to the IETF.
>
> This is getting fairly far afield of the topic, but let me explain where I'm coming from. I did a google search for privacy statements, and came to http://labs.ripe.net/node/49 . Poking around, I found http://www.ripe.net/membership/gm/gm-may2010/evoting-announcement.html , which is about RIPE NCC membership, attendees, and voting. I also found another statement that said it was from RIPE (as opposed to the RIPE NCC) and listed members, voting, and attendees, but now I'm not dredging that up.
>
> To bring matters back to the topic, the discussion was on Alissa's draft, and I was looking for comparable privacy statements to compare. My question was: is this a reasonable statement? Are there things it could have said more simply? Are there things it left out? Are there things it should not have included?
RE: IETF privacy policy - update
+1 also

Monique

-----Original Message-----
From: ietf-boun...@ietf.org on behalf of Fred Baker (fred)
Sent: Thu 7/8/2010 12:07 PM
To: IETF-Discussion list
Subject: Re: IETF privacy policy - update

+1 for a privacy policy.

As to the question of this particular one, I'm going to profess some level of ignorance. I suggested starting from Google, Cisco, and/or ISOC's privacy policies and editing from there, and someone said I should pick a more appropriate starting point. What would be appropriate privacy policies to compare/contrast?

Personally, apart from references to ISOC-specific things, I thought ISOC's privacy policy was relatively simple and covered the major points. The draft is more detailed and more complete. The differences may be a matter of taste: look at http://www.isoc.org/help/privacy/ and ask yourself whether the provisions in "what do we collect" and "what do we do with it" are reflected in the draft, and I think you might agree that they are, with the draft being more explicit in different areas. But I think that the ISOC rules, when considered in an IETF light, are actually the same. We collect things that are standardly collected, but we don't share them, and we do use them to make our internal processes work better. If there are others to compare/contrast, to see if we have missed a point or are stating something not usually said, I'd be interested to know.

I would agree that this statement should be made by someone in I* leadership, either the IESG, IAOC, or perhaps IAB, and that it belongs on a web page as opposed to being in an RFC. I would suggest that a consensus be called for via a hum over VoIPv6. But the web page should be in flat ASCII with no graphics other than ASCII-art.

On Jul 7, 2010, at 11:00 PM, Cullen Jennings wrote:

> On Jul 5, 2010, at 10:05 AM, Alissa Cooper wrote:
>
>> A few months ago I drew up a strawman proposal for a public-facing IETF privacy policy (http://www.ietf.org/id/draft-cooper-privacy-policy-00.txt). I've submitted an update based on feedback received: http://www.ietf.org/id/draft-cooper-privacy-policy-01.txt
>>
>> In discussing the policy with the IAOC and others, it seems clear that the RFC model is probably not the best model for maintaining and updating a document like this. It is more likely to fall within the scope of the IAOC and/or the Trust. In order for the IAOC to consider taking this on and devoting resources to figuring out what its format should be, they need to hear from the community that a public-facing privacy policy is something that the community wants. So I have two requests for those with any interest in this:
>>
>> 1) Respond on this list if you support the idea of the IETF having a privacy policy (a simple +1 will do).
>
> +1
>
>> 2) If you have comments and suggestions about the policy itself, send them to this list.
>
> I would be very happy if the IETF adopted the privacy policy proposed in your draft. It seems to me the work of writing an acceptable policy is 90% done and the arguments that creating a privacy policy will detract from other work are pretty weak. It's a volunteer organization, people vote with their feet with what they want to work on. Just because Alissa spent time writing a policy document does not mean that time would be directed to other things if we did not want to do a privacy policy document.
>
> I don't think that having a privacy policy is going to bring a bunch of new contributors to the IETF, but I can imagine a case where the lack of a privacy policy caused some administrative group to do something really unfortunate which resulted in some good people leaving the IETF.
>
> A privacy policy is not something the IETF typically has a lot of people that are really experienced and qualified to draft. But we are very lucky here - we have multiple people that understand IETF culture and values, understand internet privacy policies and laws, and are willing to write a proposal. Unless this proposal is deeply flawed in some way I can't see, why wouldn't we just do it.

___
Ietf mailing list
Ietf@ietf.org
https://www.ietf.org/mailman/listinfo/ietf
Re: IETF privacy policy - update
On Jul 5, 2010, at 10:05 AM, Alissa Cooper wrote:

> A few months ago I drew up a strawman proposal for a public-facing IETF privacy policy (http://www.ietf.org/id/draft-cooper-privacy-policy-00.txt). I've submitted an update based on feedback received: http://www.ietf.org/id/draft-cooper-privacy-policy-01.txt
>
> In discussing the policy with the IAOC and others, it seems clear that the RFC model is probably not the best model for maintaining and updating a document like this. It is more likely to fall within the scope of the IAOC and/or the Trust. In order for the IAOC to consider taking this on and devoting resources to figuring out what its format should be, they need to hear from the community that a public-facing privacy policy is something that the community wants. So I have two requests for those with any interest in this:
>
> 1) Respond on this list if you support the idea of the IETF having a privacy policy (a simple +1 will do).

+1

> 2) If you have comments and suggestions about the policy itself, send them to this list.

I would be very happy if the IETF adopted the privacy policy proposed in your draft. It seems to me the work of writing an acceptable policy is 90% done and the arguments that creating a privacy policy will detract from other work are pretty weak. It's a volunteer organization, people vote with their feet with what they want to work on. Just because Alissa spent time writing a policy document does not mean that time would be directed to other things if we did not want to do a privacy policy document.

I don't think that having a privacy policy is going to bring a bunch of new contributors to the IETF, but I can imagine a case where the lack of a privacy policy caused some administrative group to do something really unfortunate which resulted in some good people leaving the IETF.

A privacy policy is not something the IETF typically has a lot of people that are really experienced and qualified to draft. But we are very lucky here - we have multiple people that understand IETF culture and values, understand internet privacy policies and laws, and are willing to write a proposal. Unless this proposal is deeply flawed in some way I can't see, why wouldn't we just do it.
Re: IETF privacy policy - update
On 2010-07-07 12:59, Paul Hoffman wrote:

> Do some people not come to IETF meetings because of the current null privacy policy?

Do some people not come because attendance is a matter of public record?

> Do they say less than they would have if we had a typical non-null policy?

do people not speak or participate, due to the note well, audio recording in the meeting rooms or the mailing list policy?

> If either of those two are answered yes, would those people contribute better knowing that the IETF had a policy but no real way to enforce it other than by apologizing when it failed to follow the policy?

practices that result in the retention of pii information seem by and large fairly well documented as part of the ietf process (consider nomcom for example). to the extent that there are gaps they appear to be associated with secretarial tasks not with the ietf activity itself which by and large favors transparency through publication.

> If having a privacy policy, even one where there was no real enforcement mechanism, was free, nearly everyone would want it. Given that getting such a policy is not free, and will cause cycles to be lost from other IETF work, is the tradeoff worth it? At this point, I would say no, but mostly because I don't know of anyone who contributes less due to the current null policy.
>
> --Paul Hoffman, Director
> --VPN Consortium
RE: IETF privacy policy - update
On July 08, 2010 12:42 AM joel jaeggli wrote:

> On 2010-07-07 12:53, Ole Jacobsen wrote:
>
>> Sam,
>>
>> I view this more or less as standard boilerplate, something you find in a lot of online places. I think it is reasonable to expect that if you register for a meeting your personal info (e-mail address mostly) won't be sold/used/harvested by someone for purposes other than what you think you signed up for.
>
> the fact that you signed up for the meeting is publicly available, so that we don't sell mailing lists to spammers seems sort of irrelevant.

This is the way things are *now*. Discussion of a privacy statement may lead to changes, such as keeping the attendee list confidential, and destroying it on the Monday following the meeting.

I personally don't care if the whole world knows I've been to an IETF meeting, but the decision to publish the list on the website has privacy consequences. Without a privacy policy, it's hard to say whether that is acceptable or not.
Re: IETF privacy policy - update
On 07/07/2010 06:57 PM, Iljitsch van Beijnum wrote:

> In the meantime, BGP and HTTP, to name just two of the protocols without which the internet and the web wouldn't exist, still don't have standard status. What do we want to spend our time on? Create more text that people will end up reading that doesn't add anything to their life or the good of the internet, or make some progress on our chartered work?

Didn't you post a message earlier today criticising IETF navel-gazing? And now you suggest that changing an adjective in the boilerplate on the first page of an RFC would be progress?

Arnt
Re: IETF privacy policy - update
(Wearing no hats)

On 08/07/2010 10:59, Yoav Nir wrote:

> On July 08, 2010 12:42 AM joel jaeggli wrote:
>
>> the fact that you signed up for the meeting is publicly available so that we don't sell mailing lists to spammers seems sort of irrelevant.

The attendee list does not contain email addresses, making it a lot less useful for spammers than a list of working email addresses.

> This is the way things are *now*. Discussion of a privacy statement may lead to changes, such as keeping the attendee list confidential, and destroying it on the Monday following the meeting.

I'm not sure what problem we are trying to solve but I don't think that it will solve it anyway. The documents related to the meeting (ID's, minutes, WG pages, WG mail archives) are full of names and, in most cases, detailed contact information such as email, phone and postal address. Nobody seems to have a problem with that, removing those details from the documents is a lot of work and will make the resulting docs useless.

> I personally don't care if the whole world knows I've been to an IETF meeting,

I think this should be the basic assumption. The IETF is a public event, you will have to walk around with a name badge and your name will be in the meeting materials. There is an easy solution if you don't like this.

Henk

--
Henk Uijterwaal                              Email: henk.uijterwaal(at)ripe.net
RIPE Network Coordination Centre             http://www.xs4all.nl/~henku
P.O.Box 10096            Singel 258          Phone: +31.20.5354414
1001 EB Amsterdam        1016 AB Amsterdam   Fax: +31.20.5354445
The Netherlands          The Netherlands     Mobile: +31.6.55861746
--
I confirm today what I denied yesterday.     Anonymous Politician.
Re: IETF privacy policy - update
On Thu, Jul 08, 2010 at 11:59:12AM +0300, Yoav Nir wrote:

> Without a privacy policy, it's hard to say whether that is acceptable or not.

I keep seeing arguments of this sort in the current thread, and it seems to me to be backwards. Surely it is not the privacy _policy_ that determines whether something is acceptable. For instance, imagine a website privacy policy that says, "We take your personal information, including your credit card number, expiry date, and CCD number, and post it on our website." The existence of that privacy policy would not make the actions somehow better or defensible: it would be a bad policy. I suppose posting somewhere that you're going to do that would be better than just doing it without any warning, but the action would be unacceptable regardless.

If the current no-written-policy arrangement is working, it is presumably because people are making the right choices. One analysis of that is that there is an implicit policy, that it is acceptable, and that the present effort to write down a policy is just a way of making that implicit policy explicit. But writing the policy down does not in itself do anything about whether a given activity with a given bit of PII is ok.

On the larger topic of whether a privacy policy is actually needed, I am undecided. On the one hand, it does seem to me to be a good idea to have one place where the IETF states what it is going to do with any PII. On the other hand, I can easily imagine that such a privacy policy could end up being used as a mechanism to justify bad ideas in the event something comes up: it will be more work to change the policy if it turns out to be inadequate than it will be to accept the inadequacy. The present arrangement means that, if a bad idea crops up, it can be dealt with on its own (de)merits without dragging in a meta-issue about whether the proposal is consistent with some holy policy document.

A

--
Andrew Sullivan
a...@shinkuro.com
Shinkuro, Inc.
Re: IETF privacy policy - update
On 2010-07-08 01:59, Yoav Nir wrote:

> I personally don't care if the whole world knows I've been to an IETF meeting, but the decision to publish the list on the website has privacy consequences. Without a privacy policy, it's hard to say whether that is acceptable or not.

Or you could just refer to the RFC series since the contents of the proceedings are described in the tao. e.g. 4677 4.12 1718 2.13 etc.
Re: IETF privacy policy - update
On Jul 8, 2010, at 11:15 AM, Andrew Sullivan wrote:

> On Thu, Jul 08, 2010 at 11:59:12AM +0300, Yoav Nir wrote:
>
>> Without a privacy policy, it's hard to say whether that is acceptable or not.
>
> I keep seeing arguments of this sort in the current thread, and it seems to me to be backwards. Surely it is not the privacy _policy_ that determines whether something is acceptable. For instance, imagine a website privacy policy that says, "We take your personal information, including your credit card number, expiry date, and CCD number, and post it on our website." The existence of that privacy policy would not make the actions somehow better or defensible: it would be a bad policy. I suppose posting somewhere that you're going to do that would be better than just doing it without any warning, but the action would be unacceptable regardless.
>
> If the current no-written-policy arrangement is working, it is presumably because people are making the right choices. One analysis of that is that there is an implicit policy, that it is acceptable, and that the present effort to write down a policy is just a way of making that implicit policy explicit. But writing the policy down does not in itself do anything about whether a given activity with a given bit of PII is ok.

I see this as a normal part of an organization growing up. Small, young, organizations don't typically need much structure, as everyone knows everybody, people trust each other, and everything tends to be in people's heads. That doesn't scale. Putting implicit policies down in writing is an attempt to make sure that the organization doesn't change in adverse ways as it grows and matures.

Regards
Marshall

> On the larger topic of whether a privacy policy is actually needed, I am undecided. On the one hand, it does seem to me to be a good idea to have one place where the IETF states what it is going to do with any PII. On the other hand, I can easily imagine that such a privacy policy could end up being used as a mechanism to justify bad ideas in the event something comes up: it will be more work to change the policy if it turns out to be inadequate than it will be to accept the inadequacy. The present arrangement means that, if a bad idea crops up, it can be dealt with on its own (de)merits without dragging in a meta-issue about whether the proposal is consistent with some holy policy document.
>
> A
>
> --
> Andrew Sullivan
> a...@shinkuro.com
> Shinkuro, Inc.
Re: IETF privacy policy - update
I tend to agree with Andrew and Marshall. However, from our own JEDI's (so-labelled Jefsey's disciples) experience I would suggest some kind of ietf privacy netiquette. It could be equivalent to architectural quotes like dumb network, end to end, protocol on the wire, rough consensus, etc. It could be added to the Tao. This way everyone would know where he/she comes and can behave equally.

This could concern the so-called puppets, negative privacy (ad hominem have a perpetual impact on private reputation), disclosed/non-disclosed affiliations, who paid for the travel tickets and attendance fees, architectural perspective, mailing list participations, etc. I think this could be proactive if the information is not protected but personally and optionally disclosed. There could be a database where every IETF participant could document what he/she wants on him/herself. I am sure that what would not be disclosed would eventually inform more than what is disclosed and help better debates, avoiding misunderstandings, and focusing on concepts rather than on percepts.

Portzamparc

2010/7/8 Marshall Eubanks t...@americafree.tv

> On Jul 8, 2010, at 11:15 AM, Andrew Sullivan wrote:
>
>> On Thu, Jul 08, 2010 at 11:59:12AM +0300, Yoav Nir wrote:
>>
>>> Without a privacy policy, it's hard to say whether that is acceptable or not.
>>
>> I keep seeing arguments of this sort in the current thread, and it seems to me to be backwards. Surely it is not the privacy _policy_ that determines whether something is acceptable. For instance, imagine a website privacy policy that says, "We take your personal information, including your credit card number, expiry date, and CCD number, and post it on our website." The existence of that privacy policy would not make the actions somehow better or defensible: it would be a bad policy. I suppose posting somewhere that you're going to do that would be better than just doing it without any warning, but the action would be unacceptable regardless.
>>
>> If the current no-written-policy arrangement is working, it is presumably because people are making the right choices. One analysis of that is that there is an implicit policy, that it is acceptable, and that the present effort to write down a policy is just a way of making that implicit policy explicit. But writing the policy down does not in itself do anything about whether a given activity with a given bit of PII is ok.
>
> I see this as a normal part of an organization growing up. Small, young, organizations don't typically need much structure, as everyone knows everybody, people trust each other, and everything tends to be in people's heads. That doesn't scale. Putting implicit policies down in writing is an attempt to make sure that the organization doesn't change in adverse ways as it grows and matures.
>
> Regards
> Marshall
>
>> On the larger topic of whether a privacy policy is actually needed, I am undecided. On the one hand, it does seem to me to be a good idea to have one place where the IETF states what it is going to do with any PII. On the other hand, I can easily imagine that such a privacy policy could end up being used as a mechanism to justify bad ideas in the event something comes up: it will be more work to change the policy if it turns out to be inadequate than it will be to accept the inadequacy. The present arrangement means that, if a bad idea crops up, it can be dealt with on its own (de)merits without dragging in a meta-issue about whether the proposal is consistent with some holy policy document.
>>
>> A
>>
>> --
>> Andrew Sullivan
>> a...@shinkuro.com
>> Shinkuro, Inc.
Re: IETF privacy policy - update
+1 for a privacy policy.

As to the question of this particular one, I'm going to profess some level of ignorance. I suggested starting from Google, Cisco, and/or ISOC's privacy policies and editing from there, and someone said I should pick a more appropriate starting point. What would be appropriate privacy policies to compare/contrast?

Personally, apart from references to ISOC-specific things, I thought ISOC's privacy policy was relatively simple and covered the major points. The draft is more detailed and more complete. The differences may be a matter of taste: look at http://www.isoc.org/help/privacy/ and ask yourself whether the provisions in "what do we collect" and "what do we do with it" are reflected in the draft, and I think you might agree that they are, with the draft being more explicit in different areas. But I think that the ISOC rules, when considered in an IETF light, are actually the same. We collect things that are standardly collected, but we don't share them, and we do use them to make our internal processes work better. If there are others to compare/contrast, to see if we have missed a point or are stating something not usually said, I'd be interested to know.

I would agree that this statement should be made by someone in I* leadership, either the IESG, IAOC, or perhaps IAB, and that it belongs on a web page as opposed to being in an RFC. I would suggest that a consensus be called for via a hum over VoIPv6. But the web page should be in flat ASCII with no graphics other than ASCII-art.

On Jul 7, 2010, at 11:00 PM, Cullen Jennings wrote:

> On Jul 5, 2010, at 10:05 AM, Alissa Cooper wrote:
>
>> A few months ago I drew up a strawman proposal for a public-facing IETF privacy policy (http://www.ietf.org/id/draft-cooper-privacy-policy-00.txt). I've submitted an update based on feedback received: http://www.ietf.org/id/draft-cooper-privacy-policy-01.txt
>>
>> In discussing the policy with the IAOC and others, it seems clear that the RFC model is probably not the best model for maintaining and updating a document like this. It is more likely to fall within the scope of the IAOC and/or the Trust. In order for the IAOC to consider taking this on and devoting resources to figuring out what its format should be, they need to hear from the community that a public-facing privacy policy is something that the community wants. So I have two requests for those with any interest in this:
>>
>> 1) Respond on this list if you support the idea of the IETF having a privacy policy (a simple +1 will do).
>
> +1
>
>> 2) If you have comments and suggestions about the policy itself, send them to this list.
>
> I would be very happy if the IETF adopted the privacy policy proposed in your draft. It seems to me the work of writing an acceptable policy is 90% done and the arguments that creating a privacy policy will detract from other work are pretty weak. It's a volunteer organization, people vote with their feet with what they want to work on. Just because Alissa spent time writing a policy document does not mean that time would be directed to other things if we did not want to do a privacy policy document.
>
> I don't think that having a privacy policy is going to bring a bunch of new contributors to the IETF, but I can imagine a case where the lack of a privacy policy caused some administrative group to do something really unfortunate which resulted in some good people leaving the IETF.
>
> A privacy policy is not something the IETF typically has a lot of people that are really experienced and qualified to draft. But we are very lucky here - we have multiple people that understand IETF culture and values, understand internet privacy policies and laws, and are willing to write a proposal. Unless this proposal is deeply flawed in some way I can't see, why wouldn't we just do it.
Re: IETF privacy policy - update
+1 on all counts. Now looking forward to a debate over the ASCII art... ;-)

On 7/8/10 1:07 PM, Fred Baker wrote:

> +1 for a privacy policy.
>
> As to the question of this particular one, I'm going to profess some level of ignorance. I suggested starting from Google, Cisco, and/or ISOC's privacy policies and editing from there, and someone said I should pick a more appropriate starting point. What would be appropriate privacy policies to compare/contrast?
>
> Personally, apart from references to ISOC-specific things, I thought ISOC's privacy policy was relatively simple and covered the major points. The draft is more detailed and more complete. The differences may be a matter of taste: look at http://www.isoc.org/help/privacy/ and ask yourself whether the provisions in "what do we collect" and "what do we do with it" are reflected in the draft, and I think you might agree that they are, with the draft being more explicit in different areas. But I think that the ISOC rules, when considered in an IETF light, are actually the same. We collect things that are standardly collected, but we don't share them, and we do use them to make our internal processes work better. If there are others to compare/contrast, to see if we have missed a point or are stating something not usually said, I'd be interested to know.
>
> I would agree that this statement should be made by someone in I* leadership, either the IESG, IAOC, or perhaps IAB, and that it belongs on a web page as opposed to being in an RFC. I would suggest that a consensus be called for via a hum over VoIPv6. But the web page should be in flat ASCII with no graphics other than ASCII-art.
Re: IETF privacy policy - update
On Jul 8, 2010, at 11:05 AM, jean-michel bernier de portzamparc wrote:

> However, from our own JEDI's (so-labelled Jefsey's disciples) experience I would suggest some kind of ietf privacy netiquette. It could be equivalent to architectural quotes like dumb network, end to end, protocol on the wire, rough consensus, etc.

I'm not sure I'd want to go the good-soundbite-but-low-compliance route. Either writing it up and making it explicit or dropping it completely and never again speaking of it seem like better options and likely to lead to fewer problems in the future.

Melinda
Re: IETF privacy policy - update
On Jul 7, 2010, at 10:11 PM, joel jaeggli wrote:

> Do some people not come because attendance is a matter of public record?

Frankly, if people are not attending for that reason and that reason alone, I have some questions. I would have to assume it is the only forum in the world in which they expect that level of anonymity, which raises the question of whether it is a rational expectation.

Walking into an ITU meeting, I have to show a passport and have a permanent photographic record taken. If I want to participate in RIPE's general meeting, I have to register, and I can expect to find myself in RIPE's attendee list. That is true in a wide variety of places.
Re: IETF privacy policy - update
On Jul 8, 2010, at 11:25 AM, Fred Baker wrote:

> Walking into an ITU meeting, I have to show a passport and have a permanent photographic record taken. If I want to participate in RIPE's general meeting, I have to register, and I can expect to find myself in RIPE's attendee list. That is true in a wide variety of places.

I think there's actually a slightly different question in there. Those are not open organizations. The IETF is. I think that there might be a question about what open participation means and whether or not there's an expectation that participants will identify themselves, and if so, what the expectations are around the identity being presented.

Melinda
Re: IETF privacy policy - update
On 2010-07-08 12:25, Fred Baker wrote:

> On Jul 7, 2010, at 10:11 PM, joel jaeggli wrote:
>
>> Do some people not come because attendance is a matter of public record?
>
> Frankly, if people are not attending for that reason and that reason alone, I have some questions. I would have to assume it is the only forum in the world in which they expect that level of anonymity, which raises the question of whether it is a rational expectation.

I meant the question as a rhetorical exercise. 3979 5378 and their explication through note well are collectively unequivocal as to the rationale and requirement for the public record. I've made the note well statement so many times now that I can do it in my sleep.

> Walking into an ITU meeting, I have to show a passport and have a permanent photographic record taken. If I want to participate in RIPE's general meeting, I have to register, and I can expect to find myself in RIPE's attendee list. That is true in a wide variety of places.
Re: IETF privacy policy - update
On Jul 8, 2010, at 12:32 PM, Melinda Shore wrote:

> On Jul 8, 2010, at 11:25 AM, Fred Baker wrote:
>
>> Walking into an ITU meeting, I have to show a passport and have a permanent photographic record taken. If I want to participate in RIPE's general meeting, I have to register, and I can expect to find myself in RIPE's attendee list. That is true in a wide variety of places.
>
> I think there's actually a slightly different question in there. Those are not open organizations. The IETF is.

Boy, would they dispute that. ITU has claimed that the IETF is not an open organization because a government cannot join it. Most membership organizations, RIPE, being an example, have a definition of how someone can become a member (members of RIPE are companies and pay a fee), and are considered open to that class of membership.

> I think that there might be a question about what open participation means and whether or not there's an expectation that participants will identify themselves, and if so, what the expectations are around the identity being presented.

That is of course true. I think my comment stands. If the IETF is not the only organization in the world in which otherwise rational people expect to pay money for privileges, make material contributions that might change the world, and might have companies off suing each other over IPR, and nonetheless expect to remain absolutely anonymous, it is one of a very small number.
Re: IETF privacy policy - update
On Jul 8, 2010, at 12:08 PM, Fred Baker wrote:

> Boy, would they dispute that. ITU has claimed that the IETF is not an open organization because a government cannot join it. Most membership organizations, RIPE, being an example, have a definition of how someone can become a member (members of RIPE are companies and pay a fee), and are considered open to that class of membership.

But the IETF isn't a membership organization - isn't that at least in part what's meant by "open", and why at least in part we don't have voting (in theory)?

> That is of course true. I think my comment stands. If the IETF is not the only organization in the world in which otherwise rational people expect to pay money for privileges, make material contributions that might change the world, and might have companies off suing each other over IPR, and none-the-less expect to remain absolutely anonymous, it is one of a very small number.

I'm not a big fan of anonymity here, mostly because I don't know how consensus would work - in practice - with anonymous participants, as well as several of the issues you've identified. I don't think that "nobody else does it" is a good argument, unless what it actually means is "few companies will allow their employees to contribute to an organization with those kinds of policies", which is a very compelling argument. But I don't think privacy are that tightly coupled and I wonder what a privacy policy should say about that.

Melinda
Re: IETF privacy policy - update
On Jul 8, 2010, at 1:18 PM, Melinda Shore wrote:

> On Jul 8, 2010, at 12:08 PM, Fred Baker wrote:
>
>> Boy, would they dispute that. ITU has claimed that the IETF is not an open organization because a government cannot join it. Most membership organizations, RIPE, being an example, have a definition of how someone can become a member (members of RIPE are companies and pay a fee), and are considered open to that class of membership.
>
> But the IETF isn't a membership organization - isn't that at least in part what's meant by "open", and why at least in part we don't have voting (in theory)?

We don't have voting because we don't have members, yes. Definitions of "open" vary, and boil down to a statement of what kind of actor an organization is open to. IETF is open to individuals.
Re: IETF privacy policy - update
On Thu, 8 Jul 2010, Larry Smith wrote:

> Appears to me this conversation/thread is leaning toward "open" being used synonymous to "anonymous"

Not to me ... "open" means any can participate ... doesn't mean that other participants can't know who they are. People come with experience and resumes which document that experience. If I don't know who is speaking, their credibility (to me) is limited.
Re: IETF privacy policy - update
I would have to assume it is the only forum in the world in which they expect that level of anonymity

aside from payment possibly uncloaking you, i am not aware of an ops meeting that checks id or even considers the issue interesting.

randy
Re: IETF privacy policy - update
jean-michel bernier de portzamparc wrote:

However, from our own JEDI's (so-labelled Jefsey's disciples) experience I would suggest some kind of ietf privacy netiquette. It could be equivalent to architectural quotes like dumb network, end to end, protocol on the wire, rough consensus, etc. It could be added to the Tao.

+1

The IETF used to be an organization running on respect for the guidance provided by their leaders. Policies and their enforcement are means of control for rulers/government in the absence of respect. A written down privacy policy does not define what is acceptable, it can only define what is compliant (with that policy). Acceptable means different things to different people.

Someone suggested we could start with the privacy policy from Google and work from there, but forgot the Sarcasm tags. On my scale, Google is a serious and probably the largest privacy offender world-wide. Example: Google Street View.

I'm also a little confused about seeing a solution (a privacy policy draft) being proposed before there is consent on what exactly is the problem that should be solved and whether it is really worth solving. I might have missed it, but all I remember about the problem being stated was we don't have such a document, but almost everybody else has one. But for solving the lack of paper problem, a document with a neat title IETF Privacy Policy, and a crisp content We care. might be equally sufficient.

-Martin
Re: IETF privacy policy - update
On 6 jul 2010, at 23:45, joel jaeggli wrote:

What I'm missing is what happens with the information described under Registering to attend a meeting or social event:, there are no retention periods mentioned (that I noticed).

the trust's records retention policy already deals with registration.

So? If you're going to have a privacy policy it should have this in it. Currently, there's not even a pointer.
Re: IETF privacy policy - update
Data retention is addressed explicitly in section 5:

5. Data retention

All log files of automatically collected data about our site visitors are deleted every 1-3 months on average. Aggregated data about visitors to our web site which cannot be linked back to individual visitors may be retained permanently. Some of this data is viewable at [6]. Meeting registration information other than credit card information is permanently retained (including cancelled registrations). Credit card processing records are retained for 18 months. Letter of invitation information, including passport and date of birth information, is permanently retained. Blue sheets and IPR Disclosures are permanently retained. IETF Tools inputs are retained for 1 month on average (the exact retention period depends on the size of the log file for each tools site). More information about IETF data retention policies can be found in the IETF Trust Records Retention Policy [7].

...

[7] IETF Trust, IETF Trust Records Retention and Management Policy, http://trustee.ietf.org/docs/IETF_Trust_Records_Retention_Policy_(Complete_Final).pdf, 2007.

What's missing?

Alissa

On Jul 7, 2010, at 12:52 PM, Iljitsch van Beijnum wrote:

On 6 jul 2010, at 23:45, joel jaeggli wrote: What I'm missing is what happens with the information described under Registering to attend a meeting or social event:, there are no retention periods mentioned (that I noticed). the trust's records retention policy already deals with registration.

So? If you're going to have a privacy policy it should have this in it. Currently, there's not even a pointer.
Re: IETF privacy policy - update
On 7 jul 2010, at 14:02, Alissa Cooper wrote:

Data retention is addressed explicitly in section 5:

What's missing?

What I said: the stuff that gets asked for during registration and payment. Apparently I didn't notice the link to the IETF trust. However, I don't see the point of having a document like this if it only provides a subset of all information, there shouldn't be a separate privacy policy for the trust. Or perhaps it's better to just forgo this effort, as it spends a lot of text kicking in open doors.
Re: IETF privacy policy - update
The draft, and the message that you responded to (but failed to quote fully), says:

Meeting registration information other than credit card information is permanently retained (including cancelled registrations). Credit card processing records are retained for 18 months.

This seems to address precisely what you claim is missing:

the stuff that gets asked for during registration and payment

What stuff does this not address? And, if you indeed think that something is missing, perhaps you could suggest some language to address your concern, rather than just dismiss the entire effort.

On Jul 7, 2010, at 10:14 AM, Iljitsch van Beijnum wrote:

On 7 jul 2010, at 14:02, Alissa Cooper wrote: Data retention is addressed explicitly in section 5: What's missing?

What I said: the stuff that gets asked for during registration and payment. Apparently I didn't notice the link to the IETF trust. However, I don't see the point of having a document like this if it only provides a subset of all information, there shouldn't be a separate privacy policy for the trust. Or perhaps it's better to just forgo this effort, as it spends a lot of text kicking in open doors.
Re: IETF privacy policy - update
On 7 jul 2010, at 16:32, John Morris wrote:

And, if you indeed think that something is missing, perhaps you could suggest some language to address your concern, rather than just dismiss the entire effort.

I think it's completely legitimate to question whether efforts like this are worth the resources they soak up. The first time I went to an IETF meeting I was shocked by the amount of talk about the internals of the IETF itself that went on. We should really try to minimize this navel gazing and only indulge in it when clearly needed, something that hasn't been shown to be the case here.
Re: IETF privacy policy - update
Well, as someone who believes that *all* websites and online-operating organizations should have a clear and accessible privacy policy, I think it is beyond embarrassing that the IETF does not have one. As an organization that tries pretty hard to be sensitive to the privacy impacts of the technologies it creates, it is disappointing that the IETF does not itself meet even the most basic of privacy best practices, that is, having a privacy policy.

But I appreciate that others may view privacy policies as navel gazing. In this case, however, the gazing could be fairly short and focused -- there is already a draft policy that is in a second version, with an author who has sought to work closely with the powers-that-be to understand the IETF's current practices (and who is willing to finish that work). The most important thing that needs to be decided is what form should a policy take, and I think there were a number of good ideas on that point on the list.

So I would urge us to gaze into our navels just a little bit more to make this happen.

On Jul 7, 2010, at 10:42 AM, Iljitsch van Beijnum wrote:

On 7 jul 2010, at 16:32, John Morris wrote: And, if you indeed think that something is missing, perhaps you could suggest some language to address your concern, rather than just dismiss the entire effort.

I think it's completely legitimate to question whether efforts like this are worth the resources they soak up. The first time I went to an IETF meeting I was shocked by the amount of talk about the internals of the IETF itself that went on. We should really try to minimize this navel gazing and only indulge in it when clearly needed, something that hasn't been shown to be the case here.
Re: IETF privacy policy - update
On 7 jul 2010, at 17:23, John Morris wrote:

Well, as someone who believes that *all* websites and online-operating organizations should have a clear and accessible privacy policy, I think it is beyond embarrassing that the IETF does not have one.

The IETF got along without one for two decades just fine. In the meantime, BGP and HTTP, to name just two of the protocols without which the internet and the web wouldn't exist, still don't have standard status. What do we want to spend our time on? Create more text that people will end up reading that doesn't add anything to their life or the good of the internet, or make some progress on our chartered work?
Re: IETF privacy policy - update
On Jul 7, 2010, at 8:57 AM, Iljitsch van Beijnum wrote:

In the meantime, BGP and HTTP, to name just two of the protocols without which the internet and the web wouldn't exist, still don't have standard status.

I think I'd probably argue that the context has changed. It wasn't *that* long ago that there were publicly-available systems with no root password that everybody knew about, too. But anyway, I don't think it's at all clear to me that navel-gazing is impeding progress on BGP or HTTP. I think it's possible that more navel-gazing may be called for, actually, to solve problems like this. I think there has been a sufficiently large number of ridiculous legal threats thrown around to suggest that getting policies nailed down and written up isn't a bad idea.

Melinda
Re: IETF privacy policy - update
"Iljitsch" == Iljitsch van Beijnum iljit...@muada.com writes:

Iljitsch> On 7 jul 2010, at 17:23, John Morris wrote: Well, as someone who believes that *all* websites and online-operating organizations should have a clear and accessible privacy policy, I think it is beyond embarrassing that the IETF does not have one.

Iljitsch> The IETF got along without one for two decades just fine.

Generally when I look for an idea of whether work is a good idea I look for a clear statement of benefit. I'll admit that I don't find privacy policies so valuable that I think everyone should have one. So, I'll ask how will our work be improved or what problem are we running into that a privacy policy will solve? If that cannot clearly be answered, we should not engage in this activity.
Re: IETF privacy policy - update
Sam,

I view this more or less as standard boilerplate, something you find in a lot of online places. I think it is reasonable to expect that if you register for a meeting your personal info (e-mail address mostly) won't be sold/used/harvested by someone for purposes other than what you think you signed up for. It's probably useful for us to have such a statement.

Ole

On Wed, 7 Jul 2010, Sam Hartman wrote:

Generally when I look for an idea of whether work is a good idea I look for a clear statement of benefit. I'll admit that I don't find privacy policies so valuable that I think everyone should have one. So, I'll ask how will our work be improved or what problem are we running into that a privacy policy will solve? If that cannot clearly be answered, we should not engage in this activity.
Re: IETF privacy policy - update
At 3:49 PM -0400 7/7/10, Sam Hartman wrote:

Generally when I look for an idea of whether work is a good idea I look for a clear statement of benefit. I'll admit that I don't find privacy policies so valuable that I think everyone should have one. So, I'll ask how will our work be improved or what problem are we running into that a privacy policy will solve? If that cannot clearly be answered, we should not engage in this activity.

At 3:51 AM + 7/7/10, John Levine wrote:

I think we all agree that having a privacy policy would be desirable, in the sense that we are in favor of good, and opposed to evil. But I don't know what it means to implement a privacy policy, and I don't think anyone else does either. A privacy policy is basically a set of assertions about what the IETF will do with your personal information. To invent a strawman, let's say that the privacy policy says that registration information will be kept in confidence, and some newly hired clerk who's a little unclear on the concept gives a list of registrants' e-mail addresses to a conference sponsor so they can e-mail everyone an offer for a free IETF tee shirt. Then what happens? Is a privacy policy a contract, and if it is, what remedies do IETF participants have for non-performance? And if it's not, and there aren't remedies, what's the point?

Thank you, Sam and John.

Do some people not come to IETF meetings because of the current null privacy policy? Do they say less than they would have if we had a typical non-null policy? If either of those two are answered yes, would those people contribute better knowing that the IETF had a policy but no real way to enforce it other than by apologizing when it failed to follow the policy?

If having a privacy policy, even one where there was no real enforcement mechanism, was free, nearly everyone would want it. Given that getting such a policy is not free, and will cause cycles to be lost from other IETF work, is the tradeoff worth it?

At this point, I would say no, but mostly because I don't know of anyone who contributes less due to the current null policy.

--Paul Hoffman, Director
--VPN Consortium
Re: IETF privacy policy - update
On Jul 7, 2010, at 11:59 AM, Paul Hoffman wrote:

Given that getting such a policy is not free, and will cause cycles to be lost from other IETF work, [ ... ]

That's the second time I've seen someone suggest that and I wonder how true it is.

Melinda
Re: IETF privacy policy - update
"Ole" == Ole Jacobsen o...@cisco.com writes:

Ole> Sam,
Ole> I view this more or less as standard boilerplate, something you find in a lot of online places. I think it is reasonable to expect that if you register for a meeting your personal info (e-mail address mostly) won't be sold/used/harvested by someone for purposes other than what you think you signed up for. It's probably useful for us to have such a statement.

I agree with the above. however, the above doesn't sound like a compelling justification to develop or review such a statement--just a reason why we wouldn't mind having one.

For the development cost, I don't care if people who want such a statement go off and build one. however, at least the IAOC has to review it. I don't think that the above justification is sufficient to place the review very high on the priority list, nor do I think that in this instance the fact that someone goes and spends time developing it should raise the review priority. If the IAOC believes it needs to suck the rest of us into a review, I think that pushes the priority even lower.

Now, there are things that in my mind would push the priority up:

* The IAOC isn't sure whether to use information in some way
* The community and IAOC disagree about how information is being used
* Something else
Re: IETF privacy policy - update
Paul, Sam,

I understand your arguments to basically be we've never had an internal privacy problem here at the IETF, and as far as I know no one decides not to participate because of the lack of a privacy policy, so we have no need to follow basic standards of privacy hygiene.

What would you say to a network operator who maintains an open mail relay, but says we've never had any spam abuse on my open relay, and as far as I know I have never lost any business because of my relay, and so I have no need to follow basic standards of SMTP hygiene (as set out in RFCs 2505 and 5321)?

I would say to the network operator that (a) open mail relays create a risk of abuse, (b) industry best practices discourage such relays to help minimize that risk, and so (c) unless you have a really really good reason to maintain an open relay, you should not do so. And if the network operator were a prominent participant in the industry, I would add that maintaining an open relay sets a really bad example for other industry players and developers.

In the IETF privacy context, as far as I know, we have not had any significant internal privacy problems at the IETF, probably because the powers-that-be are generally pretty thoughtful, careful people. And I have no idea whether anyone was so put off by the lack of a privacy policy as to reduce their participation in the IETF -- probably no one (but that is pretty unknowable). But there is a risk -- indeed, as we see going into the next two IETF meetings, there is a growing risk -- that the IETF will be collecting information that could be misused, in ways that none of us can foresee now. A privacy policy would not eliminate that risk, but it would help to guide future efforts to minimize privacy risk, and it would tell IETF site visitors how much they are tracked, etc., should they decide to use the site.

So I, at least, would say to the IETF that (a) not having a privacy policy increases the risk of a privacy mistake, (b) online best practices encourage having a privacy policy, and so (c) unless you have a really really good reason not to have a privacy policy, you should have one. And because lots of developers look to the IETF for guidance in their work, I think the IETF's lack of a policy sets a bad example.

And I think it is possible that having a clear, public, and well-thought-out set of principles and policies to guide the IETF's collection, retention, and use of data might even reduce or at least constrain the debates we have on this list every year or two about IETF data collection and retention. Thus, spending what you view as wasted cycles now may well reduce wasted cycles later. But even if it does not, I think any organization that promulgates a series of documents named Best Current Practices (and hopes that people will pay attention to them) should itself be prepared to follow widely accepted best current practices for its operations, even if the participants of the organization find those practices to be outside of the core work of the group.

John

On Jul 7, 2010, at 3:59 PM, Paul Hoffman wrote:

At 3:49 PM -0400 7/7/10, Sam Hartman wrote: Generally when I look for an idea of whether work is a good idea I look for a clear statement of benefit. I'll admit that I don't find privacy policies so valuable that I think everyone should have one. So, I'll ask how will our work be improved or what problem are we running into that a privacy policy will solve? If that cannot clearly be answered, we should not engage in this activity.

At 3:51 AM + 7/7/10, John Levine wrote: I think we all agree that having a privacy policy would be desirable, in the sense that we are in favor of good, and opposed to evil. But I don't know what it means to implement a privacy policy, and I don't think anyone else does either. A privacy policy is basically a set of assertions about what the IETF will do with your personal information. To invent a strawman, let's say that the privacy policy says that registration information will be kept in confidence, and some newly hired clerk who's a little unclear on the concept gives a list of registrants' e-mail addresses to a conference sponsor so they can e-mail everyone an offer for a free IETF tee shirt. Then what happens? Is a privacy policy a contract, and if it is, what remedies do IETF participants have for non-performance? And if it's not, and there aren't remedies, what's the point?

Thank you, Sam and John. Do some people not come to IETF meetings because of the current null privacy policy? Do they say less than they would have if we had a typical non-null policy? If either of those two are answered yes, would those people contribute better knowing that the IETF had a policy but no real way to enforce it other than by apologizing when it failed to follow the policy? If having a privacy policy, even one
Re: IETF privacy policy - update
At 4:52 PM -0400 7/7/10, John Morris wrote:

I understand your arguments to basically be we've never had an internal privacy problem here at the IETF, and as far as I know no one decides not to participate because of the lack of a privacy policy, so we have no need to follow basic standards of privacy hygiene.

Why do you understand that? It is absolutely unrelated to what I said (and I believe it is also unrelated to what Sam said, but he can speak to it). What I said was a reflection of what Sam said: if we don't know the problem is hurting, we can't weigh if the effort to form a solution is worthwhile. I never said we've never had an internal privacy problem because we have no data at all. I assume we do have some, but I have no idea if the result is trivial, substantial, or monumental.

In the IETF privacy context, as far as I know, we have not had any significant internal privacy problems at the IETF, probably because the powers-that-be are generally pretty thoughtful, careful people. And I have no idea whether anyone was so put off by the lack of a privacy policy as to reduce their participation in the IETF -- probably no one (but that is pretty unknowable).

Here we are in agreement.

But there is a risk -- indeed, as we see going into the next two IETF meetings, there is a growing risk -- that the IETF will be collecting information that could be misused, in ways that none of us can foresee now. A privacy policy would not eliminate that risk, but it would help to guide future efforts to minimize privacy risk, and it would tell IETF site visitors how much they are tracked, etc., should they decide to use the site.

And we agree here. Where we don't seem to agree is whether this risk is worth the effort to reduce it. We don't have agreement on what the effort will be, or even who is going to do it.

So I, at least, would say to the IETF that (a) not having a privacy policy increases the risk of a privacy mistake, (b) online best practices encourage having a privacy policy, and so (c) unless you have a really really good reason not to have a privacy policy, you should have one. And because lots of developers look to the IETF for guidance in their work, I think the IETF's lack of a policy sets a bad example.

Would you consider we will try not to do stupid things with your private information to be sufficient? Because, basically, that's the value I see in most privacy policies that I rely on. I can't think of a single privacy policy from a non-regulated entity (like banks) that I use that has any punishment for breaches other than the management needs to spend a few hours crafting a contrite apology.

And I think it is possible that having a clear, public, and well-thought-out set of principles and policies to guide the IETF's collection, retention, and use of data might even reduce or at least constrain the debates we have on this list every year or two about IETF data collection and retention

How well has that worked out in other areas of IETF policy? Boilerplate language, IPR, standards levels, RFC format: all have a clear, public, and well-thought-out set of principles, none of which have had the result you predict for privacy policy.

Thus, spending what you view as wasted cycles now may well reduce wasted cycles later. But even if it does not, I think any organization that promulgates a series of documents named Best Current Practices (and hopes that people will pay attention to them) should itself be prepared to follow widely accepted best current practices for its operations, even if the participants of the organization find those practices to be outside of the core work of the group.

It feels to me that the IETF approximately follows the best current practices for privacy without having a statement about them. If you believe that having a statement about them is a best practice, you need to show why it is worth the cost. If the cost is near-zero (and I don't think it is), then I agree that tossing one up somewhere is probably worthwhile.

--Paul Hoffman, Director
--VPN Consortium
Re: IETF privacy policy - update
On 2010-07-07 12:53, Ole Jacobsen wrote:

Sam, I view this more or less as standard boilerplate, something you find in a lot of online places. I think it is reasonable to expect that if you register for a meeting your personal info (e-mail address mostly) won't be sold/used/harvested by someone for purposes other than what you think you signed up for.

the fact that you signed up for the meeting is publicly available so that we don't sell mailing lists to spammers seems sort of irrelevant.

It's probably useful for us to have such a statement. Ole

On Wed, 7 Jul 2010, Sam Hartman wrote: Generally when I look for an idea of whether work is a good idea I look for a clear statement of benefit. I'll admit that I don't find privacy policies so valuable that I think everyone should have one. So, I'll ask how will our work be improved or what problem are we running into that a privacy policy will solve? If that cannot clearly be answered, we should not engage in this activity.
Re: IETF privacy policy - update
"John" == John Morris jmorris-li...@cdt.org writes:

John> Paul, Sam, I understand your arguments to basically be we've never had an internal privacy problem here at the IETF, and as far as I know no one decides not to participate because of the lack of a privacy policy, so we have no need to follow basic standards of privacy hygiene.

This is not an accurate characterization of my argument. I substantially agree with Paul's message in response.
Re: IETF privacy policy - update
Hi Paul,

On Jul 7, 2010, at 8:59 PM, Paul Hoffman wrote:

Do some people not come to IETF meetings because of the current null privacy policy?

Perhaps the better question is, do some people not sign the blue sheets because of whatever they think the current privacy policy is? The issue of what happens when the IETF receives a subpoena for blue sheet information is what originally kicked off this entire effort. Organizations have choices about how they respond to government and civil-litigation-related demands for data. One policy option is to respond to every single demand no matter who it is from or whether it shows any signs of judicial oversight or legality. Another is to only respond to lawful orders. Most organizations that I know of at least state what their policies are in this regard, so that people who become interested in which kinds of requests their data may be subject to can find out. The IETF seems to have some sort of latent policy on this, but it is not written down.

Questions about this have already been raised (outside of the blue sheet context) with respect to the upcoming admission control procedures [1]. A number of different privacy questions were also raised about the RFID experiment, and in both cases the IAOC has spent substantial time on the list trying to explain to the community what the latent policies are (and, in the RFID case, even updating and publishing the policy). It's impossible to calculate how many cycles have been lost to these discussions, but I think it's inaccurate to say that if there was no time spent on documenting the privacy policy, there would be no time spent on privacy issues at all. Writing the policy down should help save cycles down the road.

Alissa

[1] https://www.ietf.org/ibin/c5i?mid=6&rid=49&gid=0&k1=933&k2=52199&tid=1278564156

Do they say less than they would have if we had a typical non-null policy? If either of those two are answered yes, would those people contribute better knowing that the IETF had a policy but no real way to enforce it other than by apologizing when it failed to follow the policy? If having a privacy policy, even one where there was no real enforcement mechanism, was free, nearly everyone would want it. Given that getting such a policy is not free, and will cause cycles to be lost from other IETF work, is the tradeoff worth it? At this point, I would say no, but mostly because I don't know of anyone who contributes less due to the current null policy. --Paul Hoffman, Director --VPN Consortium

--
Alissa Cooper
Chief Computer Scientist
Center for Democracy and Technology
+44 (0)785 916 0031
Skype: alissacooper
Re: IETF privacy policy - update
On Wed, Jul 07, 2010 at 02:30:30PM -0700, Paul Hoffman wrote:

If the cost is near-zero

Given the number of messages so far, the denial of the antecedent is already assured. There is a clearly non-zero cost to this effort. (This is not an argument about whether a privacy policy is needed; it's simply an empirical observation about whether associated costs are near-zero.)

A

--
Andrew Sullivan a...@shinkuro.com
Shinkuro, Inc.
Re: IETF privacy policy - update
Sam, Paul,

I did not mean to misrepresent your positions. I honestly understood them to be as I stated, but I was wrong. My apologies for that.

And yes, I agree with Paul that privacy policies are generally not worth all that much -- indeed, my organization (as well as, for example, the U.S. Federal Trade Commission and others) argue that we need stronger laws/regulations in the U.S. because of the failure of the privacy policy approach. We want data collectors to be much more responsible (legally and otherwise) on privacy. But privacy policies reflect the barest minimum that any responsible organization should do. It is depressing, at least to me, that the dominant argument on this issue on this list - expressed by respected community members - is that the IETF should not expend the cycles to do even this barest minimum.

John

On Jul 7, 2010, at 5:58 PM, Sam Hartman wrote:

"John" == John Morris jmorris-li...@cdt.org writes:

John> Paul, Sam, I understand your arguments to basically be we've never had an internal privacy problem here at the IETF, and as far as I know no one decides not to participate because of the lack of a privacy policy, so we have no need to follow basic standards of privacy hygiene.

This is not an accurate characterization of my argument. I substantially agree with Paul's message in response.
Re: IETF privacy policy - update
Perhaps the better question is, do some people not sign the blue sheets because of whatever they think the current privacy policy is?

or use bogus sig on blue sheet. yes. the rfid discussion pushed me over the tolerance line on this class of issues in the ietf.

randy
Re: IETF privacy policy - update
Alissa,

Thanks very much for your elaboration. I would agree with your conclusion at the bottom of your note:

> With that said, laying out the core of the policy in an RFC and then having a speedier mechanism to publish changes (which can also be incorporated into the core policy when the RFC publication schedule allows) seems like a decent option.

A good policy allows for appropriate levels of delegation of authority and flexibility. It also allows the community to set bars beyond which those charged with decisions may not go. For instance, it may be the case that the community values privacy so much that it would not be possible to meet both the IETF privacy policy and local laws of certain places, leading to an understanding of what venues would be available, and what venues would not.

Eliot
Re: IETF privacy policy - update
On 5 jul 2010, at 18:05, Alissa Cooper wrote:

> 1) Respond on this list if you support the idea of the IETF having a privacy policy (a simple +1 will do).

I'm torn between "good to have this written down" and "do we really need to go out and look for more process work".

> 2) If you have comments and suggestions about the policy itself, send them to this list.

What I'm missing is what happens with the information described under "Registering to attend a meeting or social event:", there are no retention periods mentioned (that I noticed).
Re: IETF privacy policy - update
On Jul 5, 2010, at 12:05 PM, Alissa Cooper wrote:

> 1) Respond on this list if you support the idea of the IETF having a privacy policy (a simple +1 will do).

+1. It's surprising it took us this long. And this is one of the few groups where people might actually read such a policy!
Re: IETF privacy policy - update
+1 on the IETF having a privacy policy. I am undecided on the best mechanisms to develop, document, and maintain that policy.

Karen

On 7/5/10 12:05 PM, Alissa Cooper wrote:

> A few months ago I drew up a strawman proposal for a public-facing IETF privacy policy (http://www.ietf.org/id/draft-cooper-privacy-policy-00.txt). I've submitted an update based on feedback received: http://www.ietf.org/id/draft-cooper-privacy-policy-01.txt
>
> In discussing the policy with the IAOC and others, it seems clear that the RFC model is probably not the best model for maintaining and updating a document like this. It is more likely to fall within the scope of the IAOC and/or the Trust. In order for the IAOC to consider taking this on and devoting resources to figuring out what its format should be, they need to hear from the community that a public-facing privacy policy is something that the community wants.
>
> So I have two requests for those with any interest in this:
>
> 1) Respond on this list if you support the idea of the IETF having a privacy policy (a simple +1 will do).
>
> 2) If you have comments and suggestions about the policy itself, send them to this list.
>
> Thanks,
> Alissa
Re: IETF privacy policy - update
Hi,

I think this is an excellent straw man for an IETF privacy policy. I have, however, two issues with its adoption that make me question the wisdom of an unqualified +1.

First, I'm not quite sure whether the IETF should adopt such a document without providing clear guidelines to its I* people, the secretariat, or WG chairs. In the absence of such guidelines, those people could be seen as responsible for upholding the policy without knowing the practical how-to, which may create a certain personal liability on their side, which they may not have signed up for. I believe that the pool of people on the hook for this implementation is too big, too unstructured, and perhaps not sufficiently trained (especially when it comes to the fine details) in the implementation of the policy. In other words, my fear is that we may promise something to the outside world of which the people responsible are not certain how exactly it needs to be delivered--which puts them into an unenviable position.

Second, I fear that the draft policy (-01 draft) occasionally provides the impression of a certain safety of private data, where no such safety exists. For example, equipment that stores log files is moved frequently into areas where US law does not apply. I would assume (without knowing for certain) that the machines dealing with on-site information do keep some sensitive information on their local hard drives--which are outside the US for many of our meetings. And so on.

The second point may be easily addressable by adding sufficiently broad disclaimers to the policy, and/or by documenting the corner cases mentioned (I would not be surprised if there were many more of those). The first point would require a guidelines document for the mentioned officials, and I think that the development of such a document needs to go hand-in-hand with the development of the policy itself. Alternatively, the first point could be addressed by phrasing the policy as a statement of intent, rather than a bill of rights. Of course, its value goes way down when doing so.

I personally couldn't care less how and where a privacy policy and its accompanying guideline docs are being developed. However, I do have an observation to make with respect to the form of the document. Even single-national organizations (like my bank, or my insurers) do change their privacy policy quite often--several times per decade. They have to in order to comply with the development of the local law. I do not see that the IETF would not have to do the same, once we have a first policy in place. And that does not count the implications of, in practice, being an international organization doing business in places such as the US and China--just to name two examples with fundamentally different privacy law and practice--and our lack of experience and shortness of legal resources in creating one. All that would speak for an easily updateable format, and RFCs are not known to fall into that category. We will have a buggy document at the beginning, and we need ways to fix it, quickly.

Regards,
Stephan

On 7.5.2010 09:05, Alissa Cooper acoo...@cdt.org wrote:

> A few months ago I drew up a strawman proposal for a public-facing IETF privacy policy (http://www.ietf.org/id/draft-cooper-privacy-policy-00.txt). I've submitted an update based on feedback received: http://www.ietf.org/id/draft-cooper-privacy-policy-01.txt
>
> In discussing the policy with the IAOC and others, it seems clear that the RFC model is probably not the best model for maintaining and updating a document like this. It is more likely to fall within the scope of the IAOC and/or the Trust. In order for the IAOC to consider taking this on and devoting resources to figuring out what its format should be, they need to hear from the community that a public-facing privacy policy is something that the community wants.
>
> So I have two requests for those with any interest in this:
>
> 1) Respond on this list if you support the idea of the IETF having a privacy policy (a simple +1 will do).
>
> 2) If you have comments and suggestions about the policy itself, send them to this list.
>
> Thanks,
> Alissa
Re: IETF privacy policy - update
this makes sense to me, fwiw.

john

--On Monday, July 05, 2010 2:28 PM -0400 Marshall Eubanks t...@americafree.tv wrote:

> wearing no hats ...
>
> I assume (for I do not know) that people are worried about time involved in bringing a new RFC to publication.
>
> I don't see why this couldn't be divided in the way that the Trust Legal Provisions have been :
>
> - a RFC to set the _goals_ and basic framework of the privacy policy, which might change something like every 5 years (or less often if we are lucky) and
>
> - an IAOC document for the actual privacy policy itself, which could be changed very quickly if (say) lawyers started beating down the doors.
>
> Regards
> Marshall
>
>> Please clarify. Thanks.
>>
>> d/
>>
>> ps. I, too, like the idea of having the policy. I'm only asking about its form.
>>
>> --
>> Dave Crocker
>> Brandenburg InternetWorking
>> bbiw.net
Re: IETF privacy policy - update
On 7/6/2010 6:38 AM, Karen O'Donoghue wrote:

> +1 on the IETF having a privacy policy. I am undecided on the best mechanisms to develop, document, and maintain that policy.

I am not... We need to create the Privacy Working Group and it will produce a non-RFC based work product which is the Participation Privacy Compliance Contract with the IETF's participants. There are certain legal issues which the Founders never considered in their design of the IETF which mandate a permanent type document status which is not part of the Standards or Intellectual Property publication list unless it is a specific template for other entities to use, and that would be out of scope for the IETF.

What this means is we need a new class of legal framework document which is not an RFC, and all of the legal controls which have been mis-implemented as votable consensus agreements are properly reduced to policy and boilerplate so that anyone can easily figure out what participation means.

That said, the why is simply that since a privacy policy is something that needs formal legal vetting and also something that a vote of the officers of the Operating Board should weigh in on, ISOC and not the IETF's IAOC needs to formally ratify this since it is part of the formal Charter Package of the IETF.

The privacy policy should be put together by a Working Group (let's call it the PWG) as a non-RFC type operating document. It is not a BCP either, it is a statement of the legal controls pertaining to the privacy of the parties participating in the IETF standards process.

Further in regard to the review of that document, since it is the ISOC (and possibly the Trust) who is/are directly liable for damages therein at this time, it is they who must embrace and assert those privacy controls as operating policy. So they should have representation in this special Privacy Working Group.

And finally, the privacy controls cannot set aside those laws in the EU and other places embracing strict privacy controls since it (the IETF) must be compliant with all of those. Think of it this way - imagine having parties in places in the EU implement the Nevada State PCI DSS standards for information security based on those privacy controls for someone collaborating on a submission from both Nevada and another party in, say, Finland or Denmark for instance. Also realize that a one-size-fits-all type model will not work because some people cannot contractually sign their right to privacy away, and for them a policy of assignment obfuscating privacy probably also doesn't work.

By the way - since the assignment of intellectual property rights has provable cash money value, this is a real issue and it needs to be dealt with both professionally and in a manner which makes the IETF more transparent and less of a place where the politics of the day drive the contract-controls on participation or use of the IETF intellectual properties.

Todd Glassey

> Karen
>
> On 7/5/10 12:05 PM, Alissa Cooper wrote:
>
>> A few months ago I drew up a strawman proposal for a public-facing IETF privacy policy (http://www.ietf.org/id/draft-cooper-privacy-policy-00.txt). I've submitted an update based on feedback received: http://www.ietf.org/id/draft-cooper-privacy-policy-01.txt
>>
>> In discussing the policy with the IAOC and others, it seems clear that the RFC model is probably not the best model for maintaining and updating a document like this. It is more likely to fall within the scope of the IAOC and/or the Trust. In order for the IAOC to consider taking this on and devoting resources to figuring out what its format should be, they need to hear from the community that a public-facing privacy policy is something that the community wants.
>>
>> So I have two requests for those with any interest in this:
>>
>> 1) Respond on this list if you support the idea of the IETF having a privacy policy (a simple +1 will do).
>>
>> 2) If you have comments and suggestions about the policy itself, send them to this list.
>>
>> Thanks,
>> Alissa
Re: IETF privacy policy - update
On Tue, Jul 6, 2010 at 1:11 AM, Alissa Cooper acoo...@cdt.org wrote:

> Obviously, I started this process as an I-D, so I'm not necessarily opposed to having the privacy policy exist as an RFC. But in conversations with the IAOC and others, it seemed as though the RFC process might have two drawbacks for this kind of document:

First, I strongly support having the privacy policy written down. On several occasions we've had folks conduct experiments where there was an obvious need for a guiding policy. Thanks for taking on the work. But a bit more below.

> 1) While the RFC process is community consensus-based, the designation of IETF policies about personal data handling is not necessarily so. The policies around the RFID experiment at IETF 76 [1] and the policies around admission control data for IETF 78 and 79 [2] are both examples of this -- these policies were developed by the IAOC and others, and while in some cases they may have been put out to the community for comment after they were developed, their initial development was certainly not done via the community consensus-based model. Ideally the IETF privacy policy would document all of these policies before they come into force. If the privacy policy was an RFC, the substance of these policies would be subject to community review and would require consensus as well.
>
> 2) If the privacy policy is to be accurate, I do think it would change more often than an average RFC (considering things like the RFID experiment and

But changing the policy to deal with things like the experiments is not where I would want us to go. Ideally, those constructing the experiments do so within the framework of the policy, so that there is no need for a change. On some level, you may still need an elaboration if there is a judgment call about whether some piece of data has specific characteristics, and I am happy for that process to have a very quick resolution time (though I suspect an appeals mechanism will be necessary).

> Furthermore, even if changes are infrequent, they may come up quickly. A good privacy policy would document these changes before they occur. I think the argument can be made that if the policy has to go through the RFC process for each change, the changes may not be documented before they actually occur.
>
> With that said, laying out the core of the policy in an RFC and then having a speedier mechanism to publish changes (which can also be incorporated into the core policy when the RFC publication schedule allows) seems like a decent option.

If we construct your statement above as either "to publish elaborations" or "to publish understanding of the privacy sensitivity of specific data", I think we're in agreement.

regards,

Ted Hardie

> Alissa
>
> On Jul 6, 2010, at 2:39 AM, John C Klensin wrote:
>
>> --On Monday, July 05, 2010 11:40 AM -0700 Dave CROCKER d...@dcrocker.net wrote:
>>
>>> Marshall,
>>>
>>> On 7/5/2010 11:28 AM, Marshall Eubanks wrote:
>>>
>>>> I assume (for I do not know) that people are worried about time involved in bringing a new RFC to publication.
>>>
>>> The IESG often states that it is not difficult to bring an RFC to publication. In any event, what makes this document more urgent, and in need of less scrutiny and processing, than any other potential RFC? Personally, I would expect a document that attends to explicitly and complexly legal concerns to need /more/ scrutiny than an entry-level technical specification, not less.
>>
>> Agreed.
>>
>>>> I don't see why this couldn't be divided in the way that the Trust Legal Provisions have been :
>>>>
>>>> - a RFC to set the _goals_ and basic framework of the privacy policy, which might change something like every 5 years (or less often if we are lucky) and
>>>
>>> You expect the privacy policy, itself, to change more frequently than this?
>>
>> I would hope not (either), but experience indicates that we have even more trouble getting legal documents right than we do protocol documents. Having a lightweight and speedy mechanism for correcting an incorrect realization of a policy outline laid out by the IETF seems reasonable. While I agree with you (Dave) that getting the policy principles in place should not be so urgent as to justify being done in haste, our experience (especially in the IPR area, which is likely to involve the same lawyers, both professional and amateur) has been that, sometimes, making a correction to specific mechanisms already deployed may be urgent.
>>
>>> Also, the implication of your suggestion is that we would have a goals and framework document /after/ we have actual policies. This seems a bit, u, backward. It would make more sense to have the two in one document, absent some expectation of one being more stable than the other.
>>
>> I did not read that into Marshall's note but assumed that we would lay out the policy principles (the goals and framework document) in the IETF first and then proceed to instruct the IASA to generate a specific policy statement
Re: IETF privacy policy - update
On 2010-07-06 03:56, Iljitsch van Beijnum wrote:

> On 5 jul 2010, at 18:05, Alissa Cooper wrote:
>
>> 1) Respond on this list if you support the idea of the IETF having a privacy policy (a simple +1 will do).
>
> I'm torn between "good to have this written down" and "do we really need to go out and look for more process work".
>
>> 2) If you have comments and suggestions about the policy itself, send them to this list.
>
> What I'm missing is what happens with the information described under "Registering to attend a meeting or social event:", there are no retention periods mentioned (that I noticed).

the trust's records retention policy already deals with registration.
Re: IETF privacy policy - update
On 7/6/2010 2:45 PM, joel jaeggli wrote:

> On 2010-07-06 03:56, Iljitsch van Beijnum wrote:
>
>> On 5 jul 2010, at 18:05, Alissa Cooper wrote:
>>
>>> 1) Respond on this list if you support the idea of the IETF having a privacy policy (a simple +1 will do).
>>
>> I'm torn between "good to have this written down" and "do we really need to go out and look for more process work".
>>
>>> 2) If you have comments and suggestions about the policy itself, send them to this list.
>>
>> What I'm missing is what happens with the information described under "Registering to attend a meeting or social event:", there are no retention periods mentioned (that I noticed).
>
> the trust's records retention policy already deals with registration.

These records are constrained by a number of privacy statutes which cannot be signed away. That is why this must be done outside the IETF's normal process. What should happen is that a committee should produce this and then that be formally disclosed to the entire IETF membership - meaning every member of every list, the IESG, IRTF, and IAOC as well. That way positive disclosure can be accomplished. This also should be redone on a yearly basis to reinforce this mandate.

Todd
Re: IETF privacy policy - update
Alissa Cooper wrote:

> 1) Respond on this list if you support the idea of the IETF having a privacy policy (a simple +1 will do).

+1

It's time, I think.

Melinda
Re: IETF privacy policy - update
--On Monday, July 05, 2010 5:05 PM +0100 Alissa Cooper acoo...@cdt.org wrote:

> A few months ago I drew up a strawman proposal for a public-facing IETF privacy policy (http://www.ietf.org/id/draft-cooper-privacy-policy-00.txt). I've submitted an update based on feedback received: http://www.ietf.org/id/draft-cooper-privacy-policy-01.txt
>
> In discussing the policy with the IAOC and others, it seems clear that the RFC model is probably not the best model for maintaining and updating a document like this. It is more likely to fall within the scope of the IAOC and/or the Trust. In order for the IAOC to consider taking this on and devoting resources to figuring out what its format should be, they need to hear from the community that a public-facing privacy policy is something that the community wants.
>
> So I have two requests for those with any interest in this:
>
> 1) Respond on this list if you support the idea of the IETF having a privacy policy (a simple +1 will do).
>
> 2) If you have comments and suggestions about the policy itself, send them to this list.

Alissa,

It is hard, and maybe impossible, to argue against the IETF having an established privacy policy, so I agree with Melinda's "about time". However, while administering such a policy (to the degree to which such a thing is needed) is a reasonable task for the IETF community to assign to the IAOC (or Trust), those bodies are quite explicitly not supposed to represent or determine community consensus: they are administrative, administrative only, and part of a structure erected to handle administrative tasks. So, while the RFC process may not be appropriate for handling a privacy policy (I'm actually not convinced it is not, but that is another matter), unless we are really going top-down around here, the responsibility for determining community consensus about such a policy for the IETF community and setting it has to stay with the IESG. I just don't see any way to avoid that.

john
Re: IETF privacy policy - update
On 7/5/2010 9:05 AM, Alissa Cooper wrote:

> In discussing the policy with the IAOC and others, it seems clear that the RFC model is probably not the best model for maintaining and updating a document like this.

While I could imagine that you are correct, the answer isn't at all clear to me. Presumably it should represent community consensus and should not change all that often. And having an archival copy makes sense. So I'm not understanding why it should not be published as an RFC.

Please clarify. Thanks.

d/

ps. I, too, like the idea of having the policy. I'm only asking about its form.

--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
Re: IETF privacy policy - update
wearing no hats

On Jul 5, 2010, at 2:16 PM, Dave CROCKER wrote:

> On 7/5/2010 9:05 AM, Alissa Cooper wrote:
>
>> In discussing the policy with the IAOC and others, it seems clear that the RFC model is probably not the best model for maintaining and updating a document like this.
>
> While I could imagine that you are correct, the answer isn't at all clear to me. Presumably it should represent community consensus and should not change all that often. And having an archival copy makes sense. So I'm not understanding why it should not be published as an RFC.

I assume (for I do not know) that people are worried about time involved in bringing a new RFC to publication.

I don't see why this couldn't be divided in the way that the Trust Legal Provisions have been :

- a RFC to set the _goals_ and basic framework of the privacy policy, which might change something like every 5 years (or less often if we are lucky) and

- an IAOC document for the actual privacy policy itself, which could be changed very quickly if (say) lawyers started beating down the doors.

Regards
Marshall

> Please clarify. Thanks.
>
> d/
>
> ps. I, too, like the idea of having the policy. I'm only asking about its form.
>
> --
> Dave Crocker
> Brandenburg InternetWorking
> bbiw.net
Re: IETF privacy policy - update
Marshall,

On 7/5/2010 11:28 AM, Marshall Eubanks wrote:

> I assume (for I do not know) that people are worried about time involved in bringing a new RFC to publication.

The IESG often states that it is not difficult to bring an RFC to publication. In any event, what makes this document more urgent, and in need of less scrutiny and processing, than any other potential RFC? Personally, I would expect a document that attends to explicitly and complexly legal concerns to need /more/ scrutiny than an entry-level technical specification, not less.

> I don't see why this couldn't be divided in the way that the Trust Legal Provisions have been :
>
> - a RFC to set the _goals_ and basic framework of the privacy policy, which might change something like every 5 years (or less often if we are lucky) and

You expect the privacy policy, itself, to change more frequently than this?

Also, the implication of your suggestion is that we would have a goals and framework document /after/ we have actual policies. This seems a bit, u, backward. It would make more sense to have the two in one document, absent some expectation of one being more stable than the other.

> - an IAOC document for the actual privacy policy itself, which could be changed very quickly if (say) lawyers started beating down the doors.

if? so we really don't have an urgent requirement?

d/

--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
Re: IETF privacy policy - update
Hi Alissa,

At 09:05 05-07-10, Alissa Cooper wrote:

> A few months ago I drew up a strawman proposal for a public-facing IETF privacy policy (http://www.ietf.org/id/draft-cooper-privacy-policy-00.txt). I've submitted an update based on feedback received: http://www.ietf.org/id/draft-cooper-privacy-policy-01.txt
>
> In discussing the policy with the IAOC and others, it seems clear that the RFC model is probably not the best model for maintaining and updating a document like this. It is more likely to fall within the scope of the IAOC and/or the Trust. In order for the IAOC to consider taking this on and devoting resources to figuring out what its format should be, they need to hear from the community that a public-facing privacy policy is something that the community wants.
>
> So I have two requests for those with any interest in this:

A BCP represents community consensus. I don't see how using the RFC publication is not the best model for maintaining and updating a document. According to BCP 101:

> The IETF undertakes its technical activities as an ongoing, open, consensus-based process. The IETF Administrative Support Activity (IASA) provides the administrative structure required to support the IETF standards process and to support the IETF's technical activities.

> The IAOC determines what IETF administrative functions are to be performed, and how or where they should be performed (whether internally within the IASA or by outside organizations), so as to maintain an optimal balance of functional performance and cost of each such function. The IAOC should document all such decisions, and the justification for them, for review by the community.

I doubt that it is up to the IAOC to determine whether there is consensus on a privacy policy as it is a policy and not an administrative matter.

According to BCP 78:

> The IETF Trust was recently formed to act as the administrative custodian of all copyrights and other intellectual property rights relating to the IETF Standards Process that had previously been held by ISOC and the Corporation for National Research Initiatives (CNRI)

If you want community support, ask for the I-D to be published as an RFC by putting in a request to the IETF Chair.

Regards,
-sm
Re: IETF privacy policy - update
--On Monday, July 05, 2010 11:40 AM -0700 Dave CROCKER d...@dcrocker.net wrote:

> Marshall,
>
> On 7/5/2010 11:28 AM, Marshall Eubanks wrote:
>
>> I assume (for I do not know) that people are worried about time involved in bringing a new RFC to publication.
>
> The IESG often states that it is not difficult to bring an RFC to publication. In any event, what makes this document more urgent, and in need of less scrutiny and processing, than any other potential RFC? Personally, I would expect a document that attends to explicitly and complexly legal concerns to need /more/ scrutiny than an entry-level technical specification, not less.

Agreed.

>> I don't see why this couldn't be divided in the way that the Trust Legal Provisions have been :
>>
>> - a RFC to set the _goals_ and basic framework of the privacy policy, which might change something like every 5 years (or less often if we are lucky) and
>
> You expect the privacy policy, itself, to change more frequently than this?

I would hope not (either), but experience indicates that we have even more trouble getting legal documents right than we do protocol documents. Having a lightweight and speedy mechanism for correcting an incorrect realization of a policy outline laid out by the IETF seems reasonable. While I agree with you (Dave) that getting the policy principles in place should not be so urgent as to justify being done in haste, our experience (especially in the IPR area, which is likely to involve the same lawyers, both professional and amateur) has been that, sometimes, making a correction to specific mechanisms already deployed may be urgent.

> Also, the implication of your suggestion is that we would have a goals and framework document /after/ we have actual policies. This seems a bit, u, backward. It would make more sense to have the two in one document, absent some expectation of one being more stable than the other.

I did not read that into Marshall's note but assumed that we would lay out the policy principles (the goals and framework document) in the IETF first and then proceed to instruct the IASA to generate a specific policy statement for community review. Policies first would seem backwards to me too... to put it mildly.

john
Re: IETF privacy policy - update
On 7/5/10 6:05 PM, Alissa Cooper wrote:

> 1) Respond on this list if you support the idea of the IETF having a privacy policy (a simple +1 will do).

+1.

> 2) If you have comments and suggestions about the policy itself, send them to this list.

Our lingua franca are Internet-Drafts and RFCs.

Eliot