Re: Important Information about IETF 76 Meeting Registration

I view having the policy in place as the first step. Once there's a  
policy, we can think about formalizing a process to update the policy.  
Ideally, when a new experiment introduces a new kind of data  
collection or use, we would think about the privacy impact in advance  
of launching the experiment, and adjust the policy accordingly. But it  
should no doubt be fluid.
This is not rocket science -- it's the process that many other  
organizations and companies use to address privacy. They develop a  
policy that covers existing practices, and when a new practice comes  
along, they analyze the impact of the new practice and whether the  
policy needs to change, and then they change the policy if necessary.  
This process might or might not result in constraining what happens to  
collected data, but the value is derived from having done the  
analysis, whether or not that analysis affects the ultimate outcome.
Alissa

On Sep 2, 2009, at 6:10 PM, Marshall Eubanks wrote:

> On Sep 1, 2009, at 11:04 AM, Alissa Cooper wrote:
>
> > This entire thread is perfectly illustrative of why the IETF needs  
> > a privacy policy. Without one, it is entirely unclear how the data  
> > collected about IETF participants is used, disclosed and protected,  
> > whether that data is part of an experiment or not. While the  
> > supplemental information about the RFID tagging experiment (http://www.ietf.org/meeting/76/ebluesheet.html 
> > ) is helpful, it is not complete (for example, how long the RFID- 
> > captured data is stored in electronic form is not disclosed), and  
> > nothing equivalent exists (to my knowledge) for other kinds of data  
> > about IETF participants, like registration data.
> > In our protocol development work, many of us try very hard to  
> > design privacy and security features in from the outset, whether  
> > we're designing a highly experimental prototype or a core protocol.  
> > The same should be true for the design of data collection  
> > mechanisms and practices associated with IETF meetings.
> I fully agree with you about the need for a privacy policy. However,  
> if we had one right now, it would likely not fully capture the full  
> possibilities and potential dangers of an experiment like this.
> In my opinion, these experiments are as much or more organizational  
> as they are technological. In fact, I would assume that the  
> technology is likely to work. The real questions concern the  
> organization, have to be brought to the surface, weighed and  
> discussed by the community, and the answers improved based on  
> experience. Or, to put it another way, I expect that the privacy  
> policy (and maybe the document retention policy) will be informed  
> and hopefully improved by the results of this experiment.
> Regards
> Marshall
>
> > Alissa
> >
> >
> >
> >
> >
> >
> >
> > _______________________________________________
> > Ietf mailing list
> > Ietf(_at_)ietf(_dot_)org
> > https://www.ietf.org/mailman/listinfo/ietf








_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf