Re: [ietf-privacy] Deletion request a couple of months ago

Jay Daley <exec-director@ietf.org> Fri, 30 September 2022 09:27 UTC


(apologies for the off-topic post - will try to redirect to admin-discuss)

Kate

The IETF position on archiving and publication of email messages, along with the other contributions made to the IETF, has been thoroughly vetted by specialist GDPR lawyers and it is fully compliant. I do not intend to get into a discussion about the details; that is best left to lawyers talking to lawyers, but I will note that GDPR is significantly more complex than most people understand it to be, for example, the various exemptions.

As I made clear in my note copied in the message you referred to (and as Ted has pointed out):

> the process for producing immutable published
> documents (i.e., the RFCs) requires accurate, public records to be kept of
> all contributions, submissions, statements and messages sent to the IETF as
> part of the standards development process, for several years after they are
> received.  The entire manner in which the standards are developed is
> designed around this requirement for a transparent and accurate archive of
> the standards development process.

Also as Ted has pointed out, you can always reach out to me directly, or you can raise this on the admin-discuss mailing list.

cheers
Jay

> On 29 Sep 2022, at 23:20, kate_9023+rfc@systemli.org wrote:
> 
> Hello,
> 
> I'm sorry, I couldn't find the original posting in mailbox. I refer to this post: https://mailarchive.ietf.org/arch/msg/ietf-privacy/KvLlmoaQDKulyHJCWKLM5HWx0Zg/
> 
> But I guess it makes sense to start a new thread anyway. I'm finally able to give this post the attention it deserves.
> 
> Side note: Sometimes the email traffic at the IETF is quite fast moving and my inbox gets so flooded by this that it is impossible for me to follow the mailing list alongside job and other projects or reply in time.
> 
> Back to the topic: Even though I see that the email and the name of the questioner have been removed in compliance with the GDPR, I would like to say something about it.
> 
> Warning, the following is no legal advice. It may contain misinformation, but it's written to the best of my knowledge.
> 
> Basically, I agree with the person and it is also something I realized negatively that the IETF does not fully inform what is public and what is not. In addition, there may be a different understanding in the US on the subject of "deleting data which is public". In Europe, we have the right to have this data being removed as well and this is strengthened by the GDPR. For us, personal data and data worth protecting also includes the name and the e-mail and even the IP address. Therefore, we are not allowed to simply publish e-mails without extensive information and explicit consent and even if this consent has been obtained, the person has the right to have his data deleted (also, for example, in forums). Whether a name or e-mail is mentioned is irrelevant for the traceability of the topic.
> 
> Side note: I have noticed that the IETF simply archives everything permanently, even for more than 30 years. This is not really in the sense of data hygiene. Unfortunately, I have often found outdated information that I thought was up to date when I searched for it and acted on it, only to figure out later from members of the community that it was outdated. This means it blocked me in my work and led to more confusion. This included trying to contact people who had once published an RFC draft, but the email went back due to now being invalid. I would have saved myself a lot of work on my draft if this information would have been deleted. On MastodonPurge the topic of data hygiene is described as: "Remove parts of your personal history from the internet: Maybe you regret having written something publicly or privately, which new users should not see anymore. We all change our opinions over time. Be sure nobody gets a wrong impression based on outdated posts." I agree with that and I also think that some (without naming anyone) are (hopefully) ashamed of insults/harassments they've done on this list in the future. Who knows, they might even have problems with job applications / future employers because of it. I don't believe that someone who said [insert insult here] to someone else 30 years ago should have any relevance today and they don't belong in a permanent archive either (also with the respect of the person who was insulted).
> 
> The GDPR also encourages IT services to be set up according to the current state of the art. This also includes effective spam protection and protection of e-mail addresses by spammers. I have already talked to some IETF people about this, but I haven't had time to work out an "improve not being spammed" draft yet. Therefore I agree with the questioner. I also have generated an "extra email" for IETF and can see how heavily this is now being used by spam scrapers and I receive about 30 emails a day in my inbox just from the mailing list and the draft. There are many better and modern ways of protection here.
> 
> I know that now many of you will say that the GDPR does not apply in the US but I consider the IETF an institution to look up to, which (in my opinion - correct me if I am wrong) at some time had on its agenda to make the Internet a better place and which is still looked up to today.  Therefore it would be a very good step to implement the idea here as it is an important protection law.
> 
> Protecting against data theft, promoting secure IT systems, keeping only relevant data and more.
> 
> And which wouldn't be a better place to start with on increasing privacy and implementing already proven best-practices than on a privacy list itself.
> 
> tl;dr
> 
> I think it is important and right to respect and implement deletion requests.
> 
> - Kate

-- 
Jay Daley
IETF Executive Director
exec-director@ietf.org