On Thu, Feb 23, 2017 at 03:27:10PM -0800, IETF Administrative Director wrote:
The IAOC would like community input on a proposed IETF Statement
Concerning Personal Data. [snip]
The proposed Privacy Policy is located here:
https://iaoc.ietf.org/documents/Privacy-Statement-23Feb17.htm
1. The second paragraph (begins "The parties operate") includes
"(b) home address". I think it would be better to use "mailing address"
to encompass everyone who uses a business address or other address.
2. Under "Exceptions -- Information That We Do Not Release to the Public",
I think two changes are needed.
2a) Under "Non-Public Mailing Lists and direct mail to individuals
at the Parties", I think it would be good to note that the Parties
cannot control the disclosure of individual messages or entire
archives of these. The Parties can certainly request that members
of those lists keep them private, and can certainly impose sanctions
if they wish on those who don't, but they can't stop that disclosure.
Also worth noting is that security issues -- whether affecting an
individual on one of those lists or the list mechanism/archive
itself -- could result in full disclosure of their entire contents.
2b) I think it would be a good idea to stipulate that the Parties
will not disclose mailing list membership records: email addresses,
list memberships, date joined, date left, etc. To put it less
formally, the Parties won't out the lurkers. While most of us
don't have to be overly concerned about such disclosures, there
are some people for whom it could have negative consequences.
3. Under "Security", I believe there's a typo: "guaranty" should be
"guarantee".
4. Also under "Security", this phrase: "such release is required by
applicable law, regulation or judicial order" doesn't cover NSLs
or similar instruments, which are none of those. At the risk of opening
an infinite can of worms, what is the policy w.r.t. NSLs et al.?
---rsk