Re: [ietf-privacy] IETF are intentionally leaking your email address by contributing to these IETF mailing lists

Day Jaley <day.jaley@gmail.com> Thu, 08 September 2022 18:54 UTC

Return-Path: <day.jaley@gmail.com>
X-Original-To: ietf-privacy@ietfa.amsl.com
Delivered-To: ietf-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E2D9FC152701 for <ietf-privacy@ietfa.amsl.com>; Thu, 8 Sep 2022 11:54:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.104
X-Spam-Level:
X-Spam-Status: No, score=-7.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1YMFcpb-an3u for <ietf-privacy@ietfa.amsl.com>; Thu, 8 Sep 2022 11:54:30 -0700 (PDT)
Received: from mail-pl1-x62b.google.com (mail-pl1-x62b.google.com [IPv6:2607:f8b0:4864:20::62b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E78A0C1526E6 for <ietf-privacy@ietf.org>; Thu, 8 Sep 2022 11:54:30 -0700 (PDT)
Received: by mail-pl1-x62b.google.com with SMTP id p18so18798711plr.8 for <ietf-privacy@ietf.org>; Thu, 08 Sep 2022 11:54:30 -0700 (PDT)
X-Received: by 2002:a17:902:ebd2:b0:172:8eee:80f5 with SMTP id p18-20020a170902ebd200b001728eee80f5mr10018354plg.9.1662663269752; Thu, 08 Sep 2022 11:54:29 -0700 (PDT)
MIME-Version: 1.0
References: <CAJAcEMpYyBfdF-gGGsSSbNoBOk4D6DPk7hnkrrj+8mcW8CoLsw@mail.gmail.com>
In-Reply-To: <CAJAcEMpYyBfdF-gGGsSSbNoBOk4D6DPk7hnkrrj+8mcW8CoLsw@mail.gmail.com>
From: Day Jaley <day.jaley@gmail.com>
Date: Fri, 09 Sep 2022 04:54:21 +1000
Message-ID: <CAJAcEMr5jKYHa4XAsD_CF_zZjJA=sgxKkeRZLC__C0JYMCwiNQ@mail.gmail.com>
To: ietf-privacy@ietf.org
Content-Type: multipart/alternative; boundary="0000000000009324ae05e82ef5bc"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-privacy/KvLlmoaQDKulyHJCWKLM5HWx0Zg>
Subject: Re: [ietf-privacy] IETF are intentionally leaking your email address by contributing to these IETF mailing lists
X-BeenThere: ietf-privacy@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Internet Privacy Discussion List <ietf-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-privacy>, <mailto:ietf-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf-privacy/>
List-Post: <mailto:ietf-privacy@ietf.org>
List-Help: <mailto:ietf-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-privacy>, <mailto:ietf-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Sep 2022 18:54:35 -0000

From: *Firstname* *Lastname* <*firstname*@*lastname*.com>
To: privacy@ietf.org
Subject: Information removal request
Date: 8 September 2022 at 23:30
Body:
Hi there,
I have in the past contributed to an IETF mailing list without realising
that my private email address would be made public.
Could you please remove my email address from the archive so that it does
not show on search engines?
https://mailarchive.ietf.org/arch/search/?q=*firstname*%40*lastname*.com
https://ietf.topicbox-scratch.com/groups/*listname*
Thank you
*Firstname* *Lastname*

----
From: Jay Daley <exec-director@ietf.org>
CC: privacy@ietf.org
Date: 9 September 2022 at 00:15
Body:

Hi *Firstname*
We are in receipt of your request to delete personal information from our
records.
As the purpose of the IETF is to publish standards that are used for
Internet interoperability, (and therefore the governing Internet standards
affecting all users) the process for producing immutable published
documents (i.e., the RFCs) requires accurate, public records to be kept of
all contributions, submissions, statements and messages sent to the IETF as
part of the standards development process, for several years after they are
received.  The entire manner in which the standards are developed is
designed around this requirement for a transparent and accurate archive of
the standards development process.
For those reasons, the IETF will not delete your email address from any
records of your participation in the IETF to date, as doing so would impair
the integrity of the standards development process and the validity of the
publications upon which the public depends for the continued operation of
the Internet.

kind regards
Jay
-- 
Jay Daley
IETF Executive Director
exec-director@ietf.org

----
From: *Firstname* *Lastname* <*firstname@lastname.com*>
To: Jay Daley <exec-director@ietf.org>
CC: privacy@ietf.org
Date: 9 September 2022 at 02:16
Body:
Hi Jay,
Thanks for the quick response.
I find this position you have taken to be wholly unfair, because at the
time that I emailed, I didn't even realise it was a mailing list or that it
would be posted publicly. Usually, emails are a private communication
medium.
I in fact attempted to email the email address listed on the RFC initially,
but received no response, I then used a search engine to find an
alternative way to contact and found https://www.rfc-editor.org/info/rfc7208
and this site at the time made no mention of how this email address is used
or that it is a mailing list, only that I may "Send questions or comments
to *listname*@ietf.org". I have written to them about the ambiguity of this
statement as well.
In particular, according to your own Privacy Policy -
https://www.ietf.org/privacy-statement/
It states "Protection of Non-Public Information" and my personal email
address is NOT intended to be Public Information.
None of my comments have made it to or are likely to make it into an RFC.
To be quite honest, I found the response to emails to be quite useless. I
hereby withdraw all comments that I have made to that mailing list - please
delete them and any reference to them in the replies.

The Privacy Policy makes provision under "Information That We Do Not Share"
to have Personal Data kept confidential, except in limited circumstances
(which this is not one listed).

Under "Your consent to disclosure" under the Privacy Policy, it says you
may use the Personal Data "for the purposes as described in this Statement"
but then does not actually list any purposes, especially none which you
claim in your email.

Under "Contact and Compliance" under the Privacy Policy, it says that I can
email you as I did, where "cease processing Personal Data" is possible.

Under
https://www.ietf.org/about/administration/policies-procedures/records-retention/
I am NOT a "Covered Individual" as an IETF Participant for Records Retention
Policy.

The Privacy Policy states that "reserve the right to decline any request to
remove or alter information or to cease processing your Personal Data
except to the extent that we are legally required to do so".

As an *Country* citizen, my data is protected by the *Law* and the
*Country* Privacy Principles, but rather than go through the legalese, can
you please just do the right thing?

Under "FTC fair information practice", which is where IETF is based, there
was no Notice/Awareness & Choice/Consent.

According to rfc3098, Mailing Lists should "respect the privacy of
customers.  Keep a mailing list private." and "take steps to safeguard all
of the personal information that is"

According to rfc6973, "Disclosure can violate individuals' expectations of
the confidentiality of the data they share.  The threat of disclosure may
deter people from engaging in certain activities for fear of reputational
harm, or simply because they do not wish to be observed. Any observer or
attacker that receives data about an initiator may engage in disclosure."

There are also a whole bunch of articles online about being best practice
not to publicise email addresses on websites out in the open where spambots
can pick them up.

At this point, I think that the right thing to do is not just to remove my
email address, but to remove everyone's email address and shorten the name
when viewed by a non-logged-in user.

As per "Contact and Compliance" of the Privacy Statement - I hereby believe
that you "are not following the procedures described in this Statement,"

And for the sake of clarity, I DO NOT consent to this email chain being
published publicly.

I am honestly surprised that you would take this ridiculous stance over
what I would consider to be a mundane issue to just remove the Personal
Data.

If there are any actual data integrity issues, I am happy to replace my
private email address with a public one, which maintains the content of the
comments which were made.

How do you handle cases of spam being sent to the mailing list, do they get
published online too? According to this post -
https://github.com/ietf-tools/mailarch/issues/1631 - they can be removed.
Why should privacy be any different?

According to https://www.ietf.org/about/open-records/ you may delete some
records.

I note that IETF members have written MANY RFCs related to privacy.

According to https://www.ietf.org/policies/ it states "The IETF is
committed to protecting the privacy and security of the personal
information of our participants and of visitors to our website".

I ask you to please consider your position, in that it may go directly
against the deeply held beliefs of your membership and IETF's stated
commitment to privacy, and it would be awfully embarrassing for you if this
practice is exposed, especially if an RFC is ever made to combat the bad
practices of the IETF leadership.

Is this the "Good Governance" you claim on your profile?

Yours Sincerely,

*Firstname* *Lastname*

----
From: Jay Daley <exec-director@ietf.org>
CC: privacy@ietf.org
Date: 9 September 2022 at 02:58
Body:

Hi *Firstname*

As I have explained, it is absolutely critical to us that we maintain
accurate, public records of all contributions, submissions, statements and
messages sent to the IETF as part of the standards development process.
Your emails, unlike spam, are related to the standards process and your
subjective view about their impact does not change that.  As our Privacy
Statement says very clearly:

> The IETF/IRTF/IAB operates in an open and transparent fashion. As a part
> of this transparency, any contributions, submissions, statements or
> communications that you make to any Party including any Personal Data,
> other than as expressly excepted in this statement, will be made public
> through electronic and other means.
>
> You should be aware of our transparent operation when communicating with
> us.

Email, unlike say a web form, does not have any inline mechanism to explain
to the sender how their email will be used, and consequently it is the duty
of the sender to understand that before sending.  It appears that you are not
unfamiliar with the concept of emails being published to maintain the
integrity of an open process:

       *Jay posted a URL he found about me which is public record, under a
different email address*

To reiterate, we will not be redacting your email address or removing your
posts,

kind regards
Jay

----

From: *Firstname* *Lastname* <*firstname@lastname.com*>
To: Jay Daley <exec-director@ietf.org>
CC: privacy@ietf.org
Date: 9 September 2022 at 03:53
Body:

Hi Jay,
From the link you were able to sleuth about me, you will see that I used a
separate email address which I didn't mind becoming public. I was able to
block that address from receiving spam.

From the email address you published, I am now receiving a significant
amount of spam to my primary email address ever since that time, whereas
previously I received none.

Since you seem to have no concern about privacy and you think that it is
all public record, I will publicise this interaction.

However, I will still redact my information when I do, because I do care
about privacy.

Please do not expose my private information from this email to external
parties, that would be a shockingly low blow.

I am very disappointed in your behaviour to choose to violate my privacy
like this, which you acknowledge had no mechanism to inform me of how it
will be used.

This is really the equivalent of "It was on display at the bottom of a
locked filing cabinet stuck in a disused lavatory with a sign on the door
saying beware of the leopard."
How Kafkaesque of you.
Regards

*Firstname*

On Fri, 9 Sept 2022 at 04:50, Day Jaley <day.jaley@gmail.com> wrote:

> Hello all,
> I have just had a very troubling email conversation with your executive
> director, Jay Daley, who has outright refused to honour a Personal Data
> removal request.
>
> I had previously written into a mailing list without realising that it was
> one, or that my email address would be publicly listed under
> https://mailarchive.ietf.org/ for Search Engines and Spammers to slurp up.
>
> I have attempted to follow the proper channels to remove the data and make
> my case, but despite this, Jay Daley has personally intervened to refuse
> this request. He has responded extremely quickly, so I doubt that he has
> consulted with others about this.
>
> So, if you have noticed an increasing amount of spam coming to your inbox,
> you have the IETF to blame.
>
> With all the RFCs and Meta-RFCs, I am actually surprised that no one has
> made one to enshrine Privacy of email addresses on open websites to reduce
> spam, and IETF would themselves be privacy violators.
>
> They call it a "Request For Comment", that is they actively encourage you
> to make a comment - but they don't tell you about how the metadata around
> your comment is going to be used.
>
> Full email chain with my privacy protected to follow.
>
>
>