ietf
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: IETF privacy policy - update

2010-07-15 09:37:24
from [Alissa Cooper] [Permanent Link] 
Hi Stephan,

On Jul 6, 2010, at 3:53 PM, Stephan Wenger wrote:


Hi,
I think this is an excellent straw man for an IETF privacy policy. I have, however, two issues with its adoption that makes me question the wisdom of 
an unqualified "+1".



Thanks.
First, I'm not quite sure whether the IETf should adopt such a document without providing clear guidelines to its I* people, the secretariat, or WG chairs. In the absence of such guidelines, those people could be seen as responsible of upholding the policy without knowing the practical "how to", which may create a certain personal liability on their side, to which they may not have signed up to. I believe that the pool of people on the hook 
for this implementation is too big, to unstructured, and perhaps not
sufficiently trained (especially when it comes to the fine details) of the 
implementation of the policy.  In other words, my fear is that we may
promise something to the outside world of which the people responsible are not certain how exactly it needs to be delivered--which puts them into an 
unenviable position.
Point taken. The document currently lacks clarity about who is actually doing the data handling. I think the process of sorting that out will be highly instructive. Getting a general understanding of who is responsible for what will be the first step towards being able to give those people guidance about data handling.
Second, I fear that the draft policy (-01 draft) provides occasionally the impression of a certain safety of private data, where no such safety exists. For example, equipment that stores log files is moved frequently into areas where US law does not apply. I would assume (without knowing for certain) that the machines dealing with on-site information do keep some sensitive information on their local hard drives--which are outside the US for many of 
our meetings.
The jurisdiction of stored data is definitely one point that needs to be better documented, I agree. 


And so on.
If you have specific ideas of other spots where the document over- promises, a list would be appreciated. I can take further clarifications back to the secretariat or whoever the responsible party is. 

Thanks,
Alissa
The second point may be easily addressable by adding sufficiently broad disclaimers to the policy, and/or by documenting the corner cases mentioned (I would not be surprised if there were many more of those). The first point would require a guidelines document for the mentioned officials, and I think that the development of such a document needs to go hand-in- hand with the development of the policy itself. Alternatively, the first point could be addressed by phrasing the policy as a statement of intent, rather than a 
"bill of rights".  Of course, its value goes way down when doing so.

I personally couldn't care less how and where a privacy policy and its
accompanying guideline docs is being developed.  However, I do have an
observation to make with respect to the form of the document.  Even
single-national organizations (like my bank, or my insurers) do change their privacy policy quite often--several times per decade. They have to in order to comply with the development of the local law. I do not see that the IETF would not have to do the same, once we have a first policy in place. And that does not count the implications of, in practice, being an international organization doing business in places such as the US and China--just to make two examples with fundamentally different privacy law and practice-- and our lack of experience and shortness of legal resources in creating one. All that would speak for an easily updateable format, and RFCs are not known to fall into that category. We will have a buggy document at the beginning, 
and we need ways to fix it, quickly.

Regards,
Stephan


On 7.5.2010 09:05 , "Alissa Cooper" <acooper(_at_)cdt(_dot_)org> wrote:


A few months ago I drew up a strawman proposal for a public-facing
IETF privacy policy (http://www.ietf.org/id/draft-cooper-privacy-policy-00.txt
). I've submitted an update based on feedback received:
http://www.ietf.org/id/draft-cooper-privacy-policy-01.txt
In discussing the policy with the IAOC and others, it seems clear that 
the RFC model is probably not the best model for maintaining and
updating a document like this. It is more likely to fall within the
scope of the IAOC and/or the Trust. In order for the IAOC to consider
taking this on and devoting resources to figuring out what its format
should be, they need to hear from the community that a public-facing
privacy policy is something that the community wants. So I have two
requests for those with any interest in this:

1) Respond on this list if you support the idea of the IETF having a
privacy policy (a simple "+1" will do).

2) If you have comments and suggestions about the policy itself, send
them to this list.


Thanks,
Alissa













_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf







_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: WG Review: Call Control UUI for SIP (cuss), Gonzalo Camarillo
Next by Date:  Re: Gen-ART LC Review of draft-ietf-tsvwg-ecn-tunnel-08, Bob Briscoe
Previous by Thread:  Re: IETF privacy policy - update, Stephan Wenger
Next by Thread:  Re: IETF privacy policy - update, Paul Hoffman
Indexes:  [Date] [Thread] [Top] [All Lists]