
Re: IETF privacy policy - update

2010-07-06 09:53:43
Hi,

I think this is an excellent straw man for an IETF privacy policy.  I have,
however, two issues with its adoption that make me question the wisdom of
an unqualified "+1".

First, I'm not quite sure whether the IETF should adopt such a document
without providing clear guidelines to its I* people, the secretariat, or WG
chairs.  In the absence of such guidelines, those people could be seen as
responsible for upholding the policy without knowing the practical "how to",
which may create a certain personal liability on their side, to which they
may not have signed up.  I believe that the pool of people on the hook
for this implementation is too big, too unstructured, and perhaps not
sufficiently trained (especially when it comes to the fine details) of the
implementation of the policy.  In other words, my fear is that we may
promise something to the outside world of which the people responsible are
not certain how exactly it needs to be delivered--which puts them into an
unenviable position.

Second, I fear that the draft policy (-01 draft) provides occasionally the
impression of a certain safety of private data, where no such safety exists.
For example, equipment that stores log files is moved frequently into areas
where US law does not apply.  I would assume (without knowing for certain)
that the machines dealing with on-site information do keep some sensitive
information on their local hard drives--which are outside the US for many of
our meetings.  And so on.

The second point may be easily addressable by adding sufficiently broad
disclaimers to the policy, and/or by documenting the corner cases mentioned
(I would not be surprised if there were many more of those).  The first
point would require a guidelines document for the mentioned officials, and I
think that the development of such a document needs to go hand-in-hand with
the development of the policy itself.  Alternatively, the first point could
be addressed by phrasing the policy as a statement of intent, rather than a
"bill of rights".  Of course, its value goes way down when doing so.

I personally couldn't care less how and where a privacy policy and its
accompanying guideline docs are being developed.  However, I do have an
observation to make with respect to the form of the document.  Even
single-national organizations (like my bank, or my insurers) do change their
privacy policy quite often--several times per decade.  They have to in order
to comply with the development of the local law.  I do not see that the IETF
would not have to do the same, once we have a first policy in place.  And
that does not count the implications of, in practice, being an international
organization doing business in places such as the US and China--just to make
two examples with fundamentally different privacy law and practice--and our
lack of experience and shortness of legal resources in creating one.  All
that would speak for an easily updateable format, and RFCs are not known to
fall into that category.  We will have a buggy document at the beginning,
and we need ways to fix it, quickly.

Regards,
Stephan 


On 7.5.2010 09:05, "Alissa Cooper" <acooper(_at_)cdt(_dot_)org> wrote:

A few months ago I drew up a strawman proposal for a public-facing
IETF privacy policy
(http://www.ietf.org/id/draft-cooper-privacy-policy-00.txt).
I've submitted an update based on feedback received:
http://www.ietf.org/id/draft-cooper-privacy-policy-01.txt

In discussing the policy with the IAOC and others, it seems clear that
the RFC model is probably not the best model for maintaining and
updating a document like this. It is more likely to fall within the
scope of the IAOC and/or the Trust. In order for the IAOC to consider
taking this on and devoting resources to figuring out what its format
should be, they need to hear from the community that a public-facing
privacy policy is something that the community wants. So I have two
requests for those with any interest in this:

1) Respond on this list if you support the idea of the IETF having a
privacy policy (a simple "+1" will do).

2) If you have comments and suggestions about the policy itself, send
them to this list.


Thanks,
Alissa













_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf

