Brian,
I suggest that your standard dealings with local hosts should include
requiring them to perform a local check on
whether the standard "Note Well" takes account of all local legal
requirements, including for example
consent to publication of images. If it doesn't, the host should provide an
augmented "Note Well" for use
during meeting registration.
Rather than going this route, we might consider some better balance between
privacy and standard-settings. Taking and publishing a person's image is a step
above listing their names. Do we really need that for the purpose of standard
making, let alone Internet Engineering? How about answering the classic privacy
checklist:
1) How much personal information do we collect, and for what purpose? The rule
here should be to collect the strict minimum necessary for the purpose.
Pictures don't appear to meet that bar.
2) How do we process that information? Who in the IETF has access to it?
3) Do we make that information available to third parties? Under which
guidelines? Again, there is a big difference between answering a subpoena and
publishing on a web page.
4) How do we safeguard that information? Is it available to any hacker who
sneaks his way into our database?
5) How long do we keep the information? Why?
6) How do we dispose of the expired information?
These look like the right questions to the IAOC.
-- Christian Huitema