Normally, I'd view this as rather cranky, since many implementations
have asked for this information for rather a long time. I usually
access them with the generic user "ftp", not "anonymous". I long
ago gave up an expectation of anonymity. I believe that the proper
security technique is through an anonymizing service.

Sites that I regularly visit even have a stated privacy policy saying:
your access will be monitored, if you don't like this please leave.

However, we should take warning from the recent clueless Boston judge
that foolishly granted "accelerated discovery" of non-defendants in
the CyberPatrol reverse engineering case, when the plaintiff asked for
access logs of many sites.

The IETF needs a formal privacy policy.

I recommend that we remove the "anonymous" user, leaving only the "ftp"
or "guest" users.

I recommend that we change the login message to have an explicit
privacy statement, saying that the required email response will be
used only for network administration purposes, destroyed after 3 days,
and never revealed to any third party.

Such are the exigencies of interaction with the US courts....

Do we have a WG that could write this up as a BCP?

Tim Salo wrote:
I'm concerned that by asking for an e-mail address prior to permitting
access to documents, the IETF may be projecting a poor public image of the
organization and its efforts to assure online privacy. As an
organization, we pride ourselves on being more concerned than most about
privacy in a wired world. But, our ftp configuration could be interpreted
as an indication that our actual data practices aren't much better than
anyone else's.
WSimpson(_at_)UMich(_dot_)edu
Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32