
Re: IETF privacy policy - update

2010-07-07 23:49:46
Hi Paul,

On Jul 7, 2010, at 8:59 PM, Paul Hoffman wrote:

> Do some people not come to IETF meetings because of the current null privacy policy?

Perhaps the better question is, do some people not sign the blue sheets because of whatever they think the current privacy policy is?

The issue of what happens when the IETF receives a subpoena for blue sheet information is what originally kicked off this entire effort. Organizations have choices about how they respond to government and civil-litigation-related demands for data. One policy option is to respond to every single demand no matter who it is from or whether it shows any signs of judicial oversight or legality. Another is to only respond to lawful orders.

Most organizations that I know of at least state what their policies are in this regard, so that people who become interested in which kinds of requests their data may be subject to can find out. The IETF seems to have some sort of latent policy on this, but it is not written down.

Questions about this have already been raised (outside of the blue sheet context) with respect to the upcoming admission control procedures [1]. A number of different privacy questions were also raised about the RFID experiment, and in both cases the IAOC has spent substantial time on the list trying to explain to the community what the latent policies are (and, in the RFID case, even updating and publishing the policy). It's impossible to calculate how many cycles have been "lost" to these discussions, but I think it's inaccurate to say that if there was no time spent on documenting the privacy policy, there would be no time spent on privacy issues at all. Writing the policy down should help save cycles down the road.

Alissa

[1] https://www.ietf.org/ibin/c5i?mid=6&rid=49&gid=0&k1=933&k2=52199&tid=1278564156

> Do they say less than they would have if we had a typical non-null policy? If either of those two are answered yes, would those people contribute better knowing that the IETF had a policy but no real way to enforce it other than by apologizing when it failed to follow the policy?
>
> If having a privacy policy, even one where there was no real enforcement mechanism, was free, nearly everyone would want it. Given that getting such a policy is not free, and will cause cycles to be lost from other IETF work, is the tradeoff worth it? At this point, I would say "no", but mostly because I don't know of anyone who contributes less due to the current null policy.
>
> --Paul Hoffman, Director
> --VPN Consortium
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf


--
----------------------------------------------------
Alissa Cooper
Chief Computer Scientist
Center for Democracy and Technology
+44 (0)785 916 0031
Skype: alissacooper












