Hi Alissa,
After following the discussion, I thought that I would share my thoughts. I
hope that you find them constructive.
The document seems almost complete from a technical perspective. I'm
reasonably happy that the details of how private information is stored is
(almost) correct. Procedural issues are more difficult. Some structural and
cosmetic changes might help.
Public process:
A separation of the public process (contributions), from the supplementary
stuff (meeting registration payments, tools, datatracker, etc...) might help.
These two groupings have fundamentally different principles. Taking that
separation into later sections might also help.
Abstract/Intro:
I'm guessing that you have the complaints about density covered- I see that
you've taken Bob Hinden's simple introduction to heart. That's good. It would
be good if the abstract alone provided sufficient information for someone to
understand the general gist of the policy.
---8<---
Abstract
The IETF provides a public forum for the development of Internet Standards.
Contributions[1] you make to this process are made public and retained
indefinitely.
The IETF[2] might collect other personal information as part of its operations.
Information that does not directly contribute to the IETF process is treated
with respect for the privacy of individuals.
This policy describes how personal data is collected, used, stored and
distributed by the IETF.
--->8---
[1] Cite the definition of "contribution" from the note well...in the body of
the document.
[2] You might also expand this to included IASA, IAOC, but it isn't worth
getting caught up on semantics in an abstract. Expand on this in the body.
Purpose:
It seems that one of the causes of tension in this debate is the lack of
agreement over the purpose of the policy. Privacy policies do serve a range of
purposes, but is it possible to identify why this particular one is most
important?
I certainly don't think that you are doing this to provide any legal protection
to the IETF, it's not a legal compliance thing or any other such cynical reason.
If the purpose is to establish a common understanding of what the privacy
expectations of all those involved with the IETF, say so. I think that you are
aiming at two levels: the general framework: do we respect privacy or not; and
the specific: what happens with my email address.
My wordsmith-fu is weak today, but you might include something like:
---8<---
2. Purpose
This privacy policy describes the principles of the IETF toward privacy.
People who interact with the IETF can use this document to understand the
principles that are applied in dealing with their private information.
This document provides details on how specific items of private information are
collected, used, stored and distributed.
--->8---
I know that the debate raised the issue of whether the specifics should not be
made separate (and given the IAOC). I don't really have an opinion on that
aspect. At this stage, I see no harm in keeping the two together.
A purpose statement should be sufficient justification for the document.
Appeal to authority (The Fair Information Practices) seems unnecessary. The
practices are a great guide to those who wish to build and review such a
policy. However, they contribute little to the goal of the document, which is
to cover those categories, not list them.
Nits:
There is an error in the current draft regarding meeting registrations. Your
name, affiliation and country are all made public.
Do we say SSL in the IETF? This is where we build TLS after all.
--Martin (The other one)
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf