Hi Bob,
just a very quick reaction to your mail:
~snip~
I have issues with the Introduction. The first sentence says:
In keeping with the goals and objectives of this standards body, the
IETF is committed to the highest degree of respect for the privacy of
IETF participants and site visitors.
This makes it sound like the highest priority of the IETF is Privacy. I
don't think this is true as I described above. The vast majority of what
the IETF does is in Public. There is very little that is Private. The IETF is
careful about what needs to be kept private and does not disclose it.
The Fair Information Practices are a set of principles most of us are quite
likely to believe in, such as (copied from Alissa's draft):
"
o Collection Limitation: There should be limits to the collection of
data about people.
o Data Quality: Personal data should be accurate, complete, up-to-
date, and relevant to the purposes for which it was collected.
o Purpose Specification: The purpose of collecting personal data
should be specified in advance of collection.
o Use Limitation: Personal data should only be used for the purposes
for which it was collected.
o Security: Personal data should be protected by reasonable security
safeguards against unauthorised access, use, and disclosure.
o Openness: Practices and policies with respect to personal data
should be open and transparent.
o Individual Participation: Individuals should have choice, access,
correction, and redress rights with respect to their data.
o Accountability: Those that collect and use data should be
accountable for complying with the above principles.
"
When you read "privacy" then replace it with these principles and everything
makes much more sense to you.
As an example, imagine some researchers doing some interesting network testing
and collecting data that travels over the IETF network; then these principles say
that you should be transparent in what you do, you should tell people what you
collect and why, etc.
I think that this is something we want people to do. And "yes" we have
researchers looking into the traffic, people storing all sorts of data, etc.
I don't think we have anything to hide.
It would be a bad sign to say that the IETF is so special that we don't need to
follow privacy principles (even if we try to consider privacy in the
development of our protocols and tell other SDOs that it is really important to
do so).
Ciao
Hannes
PS: If you do not know about the "OECD Guidelines on the Protection of Privacy
and Transborder Flows of Personal Data" then maybe some other folks have not
heard about these privacy principles either. Maybe we should add privacy to our
Sunday education program.
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf