Christian,
On 2012-04-25 08:57, Christian Huitema wrote:
Brian,
I suggest that your standard dealings with local hosts should include
requiring them to perform a local check on
whether the standard "Note Well" takes account of all local legal
requirements, including for example
consent to publication of images. If it doesn't, the host should provide an
augmented "Note Well" for use
during meeting registration.
Rather than going this route, we might consider some better balance between
privacy and standard-settings. Taking and publishing a person's image is a
step above listing their names. Do we really need that for the purpose of
standard making, let alone Internet Engineering? How about answering the
classic privacy checklist:
These are excellent questions, and I support them being studied (perhaps
initially by a small group), but I think they are orthogonal to my
suggestion. Since privacy laws vary widely, I really think this issue
needs to be checked on a per-host-country basis, regardless of our general
policy.
Brian
1) How much personal information do we collect, and for what purpose? The
rule here should be to collect the strict minimum necessary for the purpose.
Pictures don't appear to meet that bar.
2) How do we process that information? Who in the IETF has access to it?
3) Do we make that information available to third parties? Under which
guidelines? Again, there is a big difference between answering a subpoena and
publishing on a web page.
4) How do we safeguard that information? Is it available to any hacker who
sneaks his way into our database?
5) How long do we keep the information? Why?
6) How do we dispose of the expired information?
These look like the right questions to the IAOC.
-- Christian Huitema