Ole,
I'd like to encourage you and your IAOC/Trustee colleagues to
think about this in a slightly different light, consistent with
other concerns I've expressed recently.
Without taking any position about the idea itself, some
significant fraction of the community seems to believe that this
type of RFID experiment is a policy matter. Another portion,
perhaps overlapping, believes that a version of the "eat our own
dogfood" principle says that we should set an example by
utilizing RFID only properly and with due consideration. Some
of that group believes that "properly and with due
consideration" includes at least some technical security and
privacy issues, others (again possibly overlapping) believe that
the IETF should not be performing experiments with information
collection that can even potentially identify individuals unless
there are clear and public privacy policies in place.
I can find nothing in BCP 101 that encourages or authorizes the
IASA to go off and perform policy experiments on its own
initiative. I haven't seen any signs of a proposal for a 3933
process experiment in this area. Such a proposal, or an
IESG-initiated effort with a Last Call, presumably would have
involved an I-D and a reasonable possibility for the community
to determine whether the relevant ducks were lined up.
I also find nothing in the "guidelines [...]for regular
operational
decision making" (required by RFC 4071, Section 3.5, first
paragraph) that authorizes this sort of experiment. Indeed,
despite that requirement, I'm not sure I can even find such
guidelines. The only thing I can find is the "IAOC
Administrative Procedures" at
http://iaoc.ietf.org/documents/IAOC_Administrative_Procedures_7-17-08.pdf,
but they seem to be addressed to issues other than "regular
operational decision making" and, despite the date on the file,
the procedure document itself doesn't show an adoption date and
the Policy and Procedures page
(http://iaoc.ietf.org/policyandprocedures.html) seems to
indicate that they are just a draft.
In looking for that material, I did find the Communications
Policy, which appears to be a substitute for the Guidelines
called for by RFC 4071. It makes interesting reading. For
example:
-- Section 5.3.4 calls for the IAOC to "adopt annual
goals for the IASA and the IAD by December of each year
for the succeeding year". The Reports page of the web
site (http://iaoc.ietf.org/reports.html) contains a line
for such "Annual IASA Goals", but it isn't even a link,
so apparently either there are no such goals or the IAOC
doesn't believe that making them available to the
community is a priority.
-- Section 5.3.7 calls for an "Operations Report" to be
submitted to the IAOC monthly and posted on the web
site. There is no evidence of integrated Operations
Reports on the web site. Not a single one. There are,
however, separate Financial Statements (three so far for
2009 -- but those are covered separately in Section 5.2
of the Communications Plan and are hence irrelevant to
the Section 5.3.7 requirement) and Monthly Reports from
the IANA (not the IAD).
-- Section 5.3.8 says "The IAOC shall publish an IAOC,
financial, and vendor performance report online one week
before the IETF Meeting". I don't recall seeing that
report on a regular basis, only oral presentations at
the IETF plenaries. The "Plenary Reports" page
(http://iaoc.ietf.org/plenary_reports.html) shows only
IANA and RFC Editor reports associated with IETF
meetings in the last several years. Indeed, the last
"IETF Ops Report" shown there is from IETF 68 (Prague in
2007, before this Communications Policy was adopted)
-- Section 5.3.10 calls for contracts or contract
summaries to be posted on the web site within 14 days of
execution. I note, as an example, that AMS has been
providing Secretariat Services for over 20 months now,
but that the only Secretariat Services Contract posted
is the December 2005 agreement with Neustar. I don't
suppose that I need to point out to the IAOC that 20
months (and a contract date presumably somewhat earlier
than that) is longer than 14 days. I also note that
not a single hotel contract, or summary thereof, has
ever been posted.
-- Section 6 calls for annual reviews of the
Communications Policy, with community review and input
"during the annual review cycle". The Communications
Policy was apparently adopted on July 12, 2007. That
suggests to me that there should have been two such
reviews. I'm not aware of either having occurred. If
the IAOC has concluded that the Communications Policy
isn't practical, why hasn't the required review been
initiated and the Policy been revised (with community
review and input), rather than simply ignored in major
respects?
I don't recall the community asking the IAOC or Secretariat to
initiate this RFID effort either. I haven't gotten the
impression that the IAOC has so much spare time on its
collective hands that it should be making work for itself or the
community. Certainly the list above strongly suggests that the
IAOC and IASA don't have sufficient time to even comply with the
policies that they adopted (or to effectively require that the
IAD comply with those tasks specifically assigned to him... many
of them by BCP 101 itself).
I do see a provision in BCP 101 (middle of Section 3.1) that
says:
"The IAD shall ensure that personal data collected for
legitimate purposes of the IASA are protected
appropriately; at minimum, such data must be protected
to a degree consistent with relevant legislation and
applicable privacy policies."
Several people in the community with some experience on these
issues seem to believe that adequate protective procedures do
not appear to be in place, but we haven't heard from the IAD
about what measures are being taken.
So...
(1) To what extent does the IAOC believe it is reasonable to
adopt new and discretionary initiatives that require IAD and
IAOC supervision when the IAD and IAOC appear to be sufficient
overloaded so as to be unable to comply with a large number of
the IAOCs own procedures and requirements, both those explicitly
called for in BCP 101 and those which it adopted in December
2007.
(2) Is the IAOC supervising the IAD to be sure that adequate
protective procedures are in place for personally-identifiable
data as per the provisions above?
(3) Given that such procedures do not appear to be covered by
contractual provisions that justify secrecy, when does the
community get to review those procedures?
(4) For an experiment that was initiated by the IASA, without
the instruction, advice, or consent of the community, does the
IAOC have a procedure for determining how much "the ducks are
not lined up" or other negative feedback from the community is
sufficient to call the idea off? Or is the IAOC's model such
that, having initiated this idea, no amount of feedback will
produce any change in behavior... i.e., that the experiment will
go forward and any evaluation will be performed after the fact?
The last question is particularly important because, if that is
the plan, everyone participating in the discussion on this
thread is wasting their time and yours.
I have not posted this inquiry as a Request for Review as
described in Section 3.5 of RFC 4071 for two reasons:
(i) I do not consider the RFID experiment to be the main
issue here, only the decision process that leads us into
such experiments and the way of handling community
review and comments. If someone in the community who
does consider the RFID experiment to be a main issue
wants to use some of the text above to construct such a
request for review, he or she should feel free but
should note that RFC 4071 "normally" gives the IAOC 90
days to respond. By my rough count, 90 days would put
us somewhere in December so that, if the IAOC decided to
do so, it could simply ignore the Request for Review,
carry out the experiment, and then indicate either that
the Request for Review had become irrelevant or announce
that it would adopt and follow new procedures sometime
in the future.
(ii) BCP 101 provides for Requests for Review of
"decisions or action" of the IAD or the IAOC, not for
massive non-feasance as outlined above. One could
potentially construct a Request for Review based on
"...questions whether the IASA has created and
maintained appropriate guidelines" but I don't have
quite enough spare time on my hands right now to
initiate that effort. Again, if someone else is so
inclined, feel free to borrow text as needed.
regards,
john
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf