
Re: Proposed IETF Privacy Policy for Review

2016-03-29 13:28:22
Thanks for putting this together. Having attempted this once before [1], I’m 
glad to see it getting picked up again. I have a few comments to offer.

1) Non-public information
In addition to Adrian’s point about registration data, people provide details 
in order to obtain letters of invitation, which include passport number, date 
of birth, etc. It’s important for people to know these details will not become 
public.

If we have data retention policies about the various types of non-public 
information, those should be stated.

2) Third-party sharing
I agree with Jordi that we need to say something about third-party data sharing 
and why we do or do not do it. It sounds like we do use a third-party payment 
processor, so it would not be accurate to say that we do not share any personal 
data with third parties. In any event I think a dedicated short section about 
sharing of personal data would be a good addition.

3) Tracking technologies
The policy talks about cookies and DNT (agree with Adam wrt the DNT 
language), but many organizations these days are providing more detail about 
tracking technologies that they do and do not use, including flash cookies, 
local storage and other browser storage, pixels/beacons. I would suggest that 
we provide details about these (may be as simple as saying that we do not use 
them, or that we do and why).

4) Links to third party sites
Many privacy policies give a little information about the implications of 
clicking on links to third-party sites. I think that would be warranted here. 
E.g., if people join an IESG telechat using the webex link at 
http://ietf.org/iesg/ then data about them will be 
collected by Cisco, and not just the audio of the meeting but other data 
governed by the WebEx privacy statement. I’m assuming this is the same for 
MeetEcho and other services one might arrive at by navigating from a site 
hosted at ietf.org. One or two sentences about using third-party tools from the 
IETF site or in the context of an IETF meeting would be warranted.

5) Other organizations
In addition to Lars’ point about the IRTF, I was wondering about the RFC Editor 
and rfc-editor.org.

6) Jabber
I think it would be useful to be explicit about whether chats hosted on 
jabber.ietf.org are covered by this policy.

7) Law enforcement requests
Some organizations are in a position to make stronger statements about how they 
deal with law enforcement requests than what is included here. I would suggest 
taking a look at Section 4 of the I-D linked below to see if we’re able to say 
anything about appropriateness of legal standards or notice to individuals.

Thanks,
Alissa

[1] https://tools.ietf.org/html/draft-cooper-privacy-policy-01



On Mar 16, 2016, at 10:02 AM, IETF Administrative Director 
<iad(_at_)ietf(_dot_)org> wrote:

The IAOC would like community input on a proposed IETF Privacy Policy.

We are required by California law (and good net citizenship) to have
an accurate privacy policy on our websites.  Counsel have reviewed
this statement for compliance with US and EU privacy regulations.  

The policy discusses the following:
 1.  General – Most Personal Data Submitted to IETF Will Become Public
 2.  You Consent to International Transmission of Your Data
 3.  Exceptions – Information That We Do Not Release to the Public
 4.  Security
 5.  Children
 6.  Inquiries
 7.  Compliance
 8.  Other Organizations
 9.  Consent

The proposed Privacy Policy is located here:
http://iaoc.ietf.org/documents/IETF-General-Privacy-Statement-2016-02-24-02.htm

The IAOC will consider all comments received by 31 March 2016.

Ray Pelletier
IETF Administrative Director