
Re: IETF privacy policy - update

2010-07-07 16:33:46
At 4:52 PM -0400 7/7/10, John Morris wrote:
> I understand your arguments to basically be "we've never had an internal 
> privacy problem here at the IETF, and as far as I know no one decides not to 
> participate because of the lack of a privacy policy, so we have no need to 
> follow basic standards of privacy hygiene."

Why do you understand that? It is absolutely unrelated to what I said (and I 
believe it is also unrelated to what Sam said, but he can speak to it). What I 
said was a reflection of what Sam said: if we don't know the problem is 
hurting, we can't weigh if the effort to form a solution is worthwhile. I never 
said "we've never had an internal privacy problem" because we have no data at 
all. I assume we do have some, but I have no idea if the result is trivial, 
substantial, or monumental.

> In the IETF privacy context, as far as I know, we have not had any significant 
> internal privacy problems at the IETF, probably because the powers-that-be are 
> generally pretty thoughtful, careful people.
> And I have no idea whether anyone was so put off by the lack of a privacy 
> policy as to reduce their participation in the IETF -- probably no one (but that is 
> pretty unknowable).

Here we are in agreement.

> But there is a risk -- indeed, as we see going into the next two IETF 
> meetings, there is a growing risk -- that the IETF will be collecting 
> information that could be misused, in ways that none of us can foresee now.  A 
> privacy policy would not eliminate that risk, but it would help to guide 
> future efforts to minimize privacy risk, and it would tell IETF site visitors 
> how much they are tracked, etc., should they decide to use the site.

And we agree here. Where we don't seem to agree is whether this risk is worth 
the effort to reduce it. We don't have agreement on what the effort will be, or 
even who is going to do it.

> So I, at least, would say to the IETF that (a) not having a privacy policy 
> increases the risk of a privacy mistake, (b) online best practices encourage 
> having a privacy policy, and so (c) unless you have a really really good 
> reason not to have a privacy policy, you should have one.  And because lots of 
> developers look to the IETF for guidance in their work, I think the IETF's 
> lack of a policy sets a bad example.

Would you consider "we will try not to do stupid things with your private 
information" to be sufficient? Because, basically, that's the value I see in 
most privacy policies that I rely on. I can't think of a single privacy policy 
from a non-regulated entity (like banks) that I use that has any punishment for 
breaches other than the management needs to spend a few hours crafting a 
contrite apology.

> And I think it is possible that having a clear, public, and well-thought-out 
> set of principles and policies to guide the IETF's collection, retention, and 
> use of data might even reduce or at least constrain the debates we have on 
> this list every year or two about IETF data collection and retention....

How well has that worked out in other areas of IETF policy? Boilerplate 
language, IPR, standards levels, RFC format: all have a clear, public, and 
well-thought-out set of principles, none of which have had the result you 
predict for "privacy policy".

> Thus, spending what you view as wasted cycles now may well reduce wasted 
> cycles later.  But even if it does not, I think any organization that 
> promulgates a series of documents named "Best Current Practices" (and hopes 
> that people will pay attention to them) should itself be prepared to follow 
> widely accepted "best current practices" for its operations, even if the 
> participants of the organization find those practices to be outside of the 
> core work of the group.

It feels to me that the IETF approximately follows the best current practices 
for privacy without having a statement about them. If you believe that "having 
a statement about them" is a best practice, you need to show why it is worth 
the cost. If the cost is near-zero (and I don't think it is), then I agree that 
tossing one up somewhere is probably worthwhile.

--Paul Hoffman, Director
--VPN Consortium
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
