
Re: IETF privacy policy - update

2010-07-15 17:51:37
Paul,

You appear to be concerned about exposing the IETF to risk by the adoption of a privacy policy (but apologies if I am misunderstanding the concern you expressed). The absence of a privacy policy, however, actually increases risk to the IETF in at least three ways:

1. As a general matter, many organizations that interact with lots of people (especially collecting financial information from them) use a broad range of written policies to reduce risk, by plainly stating a position on an issue so that employees have clear guidance about how to act or respond in a given situation. Policies could be particularly useful (for example) during a busy crush of new in-person registrations for an IETF meeting, when there are lots of interactions with personal data but senior management may not be immediately available in-person to give guidance if an unusual situation arises. Having written policies in that kind of situation reduces risk.

2. We have many examples of leading banks, stores, and others mishandling credit card and other records, so unless the IETF has come up with some secret security sauce to eliminate all possibility of a human or technical screwup with personal info, there is clear risk that the IETF could mishandle data and be at the wrong end of a litigation. The IETF would likely face liability risk with or without a privacy policy, but the fact that it could not even be bothered to have such a policy would certainly be used by the plaintiffs to argue for an increase in the damages that the IETF might have to pay. Having a written privacy policy would avoid this particular risk, and might even reduce the risk of a screwup in the first place.

3. And, although my legal expertise is limited to U.S. law, I think it is very likely (if not certain) that right now the IETF is operating in violation of the European Union's Data Protection Directive, which requires that any entity that collects personal information must provide clear prior notice to affected individuals about the data collection. The EU is particularly sensitive when European citizens' data is collected by U.S. entities, which happens all of the time when European citizens register with the IETF's California-based administrative secretariat. (There is similar risk with regard to the California Online Privacy Protection Act, which specifically requires the posting of a privacy policy by entities that collect personal information online from California citizens - there is a good chance the law would not apply to the IETF, but there is some risk that it would.) Having a privacy policy would help the IETF comply with European law, which would reduce risk (and the uncertainty about the California law would be avoided).

So if one's goal is to reduce risk to the IETF so the IETF is not harmed by legal liability, I think there are very strong arguments to have a privacy policy. Indeed, the legal-risk-related arguments in favor of having a privacy policy are so strong that I believe the powers-that-be should move to promulgate such a policy even if there is not consensus in the broader IETF community (just like, I assume, the powers-that-be have purchased a range of standard business insurance policies without ever having consulted the IETF community). The draft of a proposed privacy policy was submitted as an I-D and circulated to the ietf(_at_)ietf(_dot_)org mailing list simply because that was suggested to be the most appropriate way for individual members of the IETF community to raise this issue. A decision to adopt a privacy policy is not one, IMO, that should rise or fall on a community hum (although in the end, I think there have been more +1s than -1s put forward on this list).

John


On Jul 15, 2010, at 4:26 PM, Paul Hoffman wrote:

At 3:36 PM +0100 7/15/10, Alissa Cooper wrote:
If you have specific ideas of other spots where the document over-promises, a list would be appreciated. I can take further clarifications back to the secretariat or whoever the responsible party is.

For me, the biggest over-promise is that someone reading the document might think that there is some remedy if the I* fails to live up to it. The line between principles and promises in your document is quite unclear. Very specifically: I don't want the IETF to adopt your document if it opens up an avenue for an aggrieved participant (which, in the IETF, is anyone who knows how to subscribe to a mailing list, even this one) to cause damage to the IETF if the IETF doesn't meet the promise in that person's eyes.

If you feel that it is valuable to list privacy principles for an organization like the IETF, great. If you want the IETF to promise something that would cost us money or, possibly worse, much lost time from the I*, please don't move this forwards.

There are already many reasons why some people don't participate in the IETF. For some, the IETF is too informal for their comfort; those folks gravitate towards other SDOs who have more formal membership and rules. For some, the inability to rant freely on mailing lists without being barred is too high a bar. For some, If we lose a few people (and it does seem like a very few) for lack of a privacy policy that could be enforced by civil law or threat of civil lawsuits, that may be an acceptable risk.

--Paul Hoffman, Director
--VPN Consortium
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf


