Re: [ietf-privacy] IETF are intentionally leaking your email address by contributing to these IETF mailing lists
Day Jaley <day.jaley@gmail.com> Thu, 08 September 2022 18:54 UTC
Return-Path: <day.jaley@gmail.com>
X-Original-To: ietf-privacy@ietfa.amsl.com
Delivered-To: ietf-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E2D9FC152701 for <ietf-privacy@ietfa.amsl.com>; Thu, 8 Sep 2022 11:54:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.104
X-Spam-Level:
X-Spam-Status: No, score=-7.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1YMFcpb-an3u for <ietf-privacy@ietfa.amsl.com>; Thu, 8 Sep 2022 11:54:30 -0700 (PDT)
Received: from mail-pl1-x62b.google.com (mail-pl1-x62b.google.com [IPv6:2607:f8b0:4864:20::62b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E78A0C1526E6 for <ietf-privacy@ietf.org>; Thu, 8 Sep 2022 11:54:30 -0700 (PDT)
Received: by mail-pl1-x62b.google.com with SMTP id p18so18798711plr.8 for <ietf-privacy@ietf.org>; Thu, 08 Sep 2022 11:54:30 -0700 (PDT)
X-Received: by 2002:a17:902:ebd2:b0:172:8eee:80f5 with SMTP id p18-20020a170902ebd200b001728eee80f5mr10018354plg.9.1662663269752; Thu, 08 Sep 2022 11:54:29 -0700 (PDT)
MIME-Version: 1.0
References: <CAJAcEMpYyBfdF-gGGsSSbNoBOk4D6DPk7hnkrrj+8mcW8CoLsw@mail.gmail.com>
In-Reply-To: <CAJAcEMpYyBfdF-gGGsSSbNoBOk4D6DPk7hnkrrj+8mcW8CoLsw@mail.gmail.com>
From: Day Jaley <day.jaley@gmail.com>
Date: Fri, 09 Sep 2022 04:54:21 +1000
Message-ID: <CAJAcEMr5jKYHa4XAsD_CF_zZjJA=sgxKkeRZLC__C0JYMCwiNQ@mail.gmail.com>
To: ietf-privacy@ietf.org
Content-Type: multipart/alternative; boundary="0000000000009324ae05e82ef5bc"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-privacy/KvLlmoaQDKulyHJCWKLM5HWx0Zg>
Subject: Re: [ietf-privacy] IETF are intentionally leaking your email address by contributing to these IETF mailing lists
X-BeenThere: ietf-privacy@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Internet Privacy Discussion List <ietf-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-privacy>, <mailto:ietf-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf-privacy/>
List-Post: <mailto:ietf-privacy@ietf.org>
List-Help: <mailto:ietf-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-privacy>, <mailto:ietf-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Sep 2022 18:54:35 -0000
From: *Firstname* *Lastname* <*firstname*@*lastname*.com>
To: privacy@ietf.org
Subject: Information removal request
Date: 8 September 2022 at 23:30
Body:

Hi there,

I have in the past contributed to an IETF mailing list without realising that my private email address would be made public.

Could you please remove my email address from the archive so that it does not show on search engines?

https://mailarchive.ietf.org/arch/search/?q=*firstname*%40*lastname*.com
https://ietf.topicbox-scratch.com/groups/*listname*

Thank you
*Firstname* *Lastname*

----

From: Jay Daley <exec-director@ietf.org>
CC: privacy@ietf.org
Date: 9 September 2022 at 00:15
Body:

Hi *Firstname*

We are in receipt of your request to delete personal information from our records.

As the purpose of the IETF is to publish standards that are used for Internet interoperability, (and therefore the governing Internet standards affecting all users) the process for producing immutable published documents (i.e., the RFCs) requires accurate, public records to be kept of all contributions, submissions, statements and messages sent to the IETF as part of the standards development process, for several years after they are received. The entire manner in which the standards are developed is designed around this requirement for a transparent and accurate archive of the standards development process.

For those reasons, the IETF will not delete your email address from any records of your participation in the IETF to date, as doing so would impair the integrity of the standards development process and the validity of the publications upon which the public depends for the continued operation of the Internet.

kind regards
Jay

--
Jay Daley
IETF Executive Director
exec-director@ietf.org

----

From: *Firstname* *Lastname* <*firstname@lastname.com*>
To: Jay Daley <exec-director@ietf.org>
CC: privacy@ietf.org
Date: 9 September 2022 at 02:16
Body:

Hi Jay,

Thanks for the quick response.

I find this position you have taken to be wholly unfair, because at the time that I emailed, I didn't even realise it was a mailing list or that it would be posted publicly. Usually, emails are a private communication medium.

I in fact attempted to email the email address listed on the RFC initially, but received no response, I then used a search engine to find an alternative way to contact and found https://www.rfc-editor.org/info/rfc7208 and this site at the time made no mention of how this email address is used or that it is a mailing list, only that I may "Send questions or comments to *listname*@ietf.org". I have written to them about the ambiguity of this statement as well.

In particular, according to your own Privacy Policy - https://www.ietf.org/privacy-statement/

It states "Protection of Non-Public Information" and my personal email address is NOT intended to be Public Information.

None of my comments have made it to or are likely to make it into an RFC. To be quite honest, I found the response to emails to be quite useless. I hereby withdraw all comments that I have made to that mailing list - please delete them and any reference to them in the replies.

The Privacy Policy makes provision under "Information That We Do Not Share" to have Personal Data kept confidential, except in limited circumstances (which this is not one listed).

Under "Your consent to disclosure" under the Privacy Policy, it says you may use the Personal Data "for the purposes as described in this Statement" but then does not actually list any purposes, especially none which you claim in your email.

Under "Contact and Compliance" under the Privacy Policy, it says that I can email you as I did, where "cease processing Personal Data" is possible.

Under https://www.ietf.org/about/administration/policies-procedures/records-retention/ I am NOT a "Covered Individual" as an IETF Participant for Records Retention Policy.

The Privacy Policy states that "reserve the right to decline any request to remove or alter information or to cease processing your Personal Data except to the extent that we are legally required to do so". As an *Country* citizen, my data is protected by the *Law* and the *Country* Privacy Principles, but rather than go through the legalese, can you please just do the right thing?

Under "FTC fair information practice", which is where IETF is based, there was no Notice/Awareness & Choice/Consent.

According to rfc3098, Mailing Lists should "respect the privacy of customers. Keep a mailing list private." and "take steps to safeguard all of the personal information that is"

According to rfc6973, "Disclosure can violate individuals' expectations of the confidentiality of the data they share. The threat of disclosure may deter people from engaging in certain activities for fear of reputational harm, or simply because they do not wish to be observed. Any observer or attacker that receives data about an initiator may engage in disclosure."

There are also a whole bunch of articles online about being best practice not to publicise email addresses on websites out in the open where spambots can pick them up.

At this point, I think that the right thing to do is not just to remove my email address, but to remove everyone's email address and shorten the name when viewed by a non-logged-in user.

As per "Contact and Compliance" of the Privacy Statement - I hereby believe that you "are not following the procedures described in this Statement,"

And for the sake of clarity, I DO NOT consent to this email chain being published publicly.

I am honestly surprised that you would take this ridiculous stance over what I would consider to be a mundane issue to just remove the Personal Data. If there are any actual data integrity issues, I am happy to replace my private email address with a public one, which maintains the content of the comments which were made.

How do you handle cases of spam being sent to the mailing list, do they get published online too? According to this post - https://github.com/ietf-tools/mailarch/issues/1631 - they can be removed. Why should privacy be any different?

According to https://www.ietf.org/about/open-records/ you may delete some records.

I note that IETF members have written MANY RFCs related to privacy.

According to https://www.ietf.org/policies/ it states "The IETF is committed to protecting the privacy and security of the personal information of our participants and of visitors to our website".

I ask you to please consider your position, in that it may go directly against the deeply held beliefs of your membership and IETF's stated commitment to privacy, and it would be awfully embarrassing for you if this practice is exposed, especially if an RFC is ever made to combat the bad practices of the IETF leadership.

Is this the "Good Governance" you claim on your profile?

Yours Sincerely,
*Firstname* *Lastname*

----

From: Jay Daley <exec-director@ietf.org>
CC: privacy@ietf.org
Date: 9 September 2022 at 02:58
Body:

Hi *Firstname*

As I have explained, it is absolutely critical to us that we maintain accurate, public records of all contributions, submissions, statements and messages sent to the IETF as part of the standards development process. Your emails, unlike spam, are related to the standards process and your subjective view about their impact does not change that.

As our Privacy Statement says very clearly:

> The IETF/IRTF/IAB operates in an open and transparent fashion. As a part of this transparency, any contributions, submissions, statements or communications that you make to any Party including any Personal Data, other than as expressly excepted in this statement, will be made public through electronic and other means.
>
> You should be aware of our transparent operation when communicating with us.

Email, unlike say a web form, does not have any inline mechanism to explain to the sender how their email will be used, and consequently it is the duty of the sender to understand that before sending.

It appears that you are not unfamiliar with the concept of emails being published to maintain the integrity of an open process:

*Jay posted a URL he found about me which is public record, under a different email address*

To reiterate, we will not be redacting your email address or removing your posts,

kind regards
Jay

----

From: *Firstname* *Lastname* <*firstname@lastname.com*>
To: Jay Daley <exec-director@ietf.org>
CC: privacy@ietf.org
Date: 9 September 2022 at 03:53
Body:

Hi Jay,

From the link you were able to sleuth about me, you will see that I used a separate email address which I didn't mind becoming public. I was able to block that address from receiving spam.

From the email address you published, I am now receiving a significant amount of spam to my primary email address ever since that time, whereas previously I received none.

Since you seem to have no concern about privacy and you think that it is all public record, I will publicise this interaction. However, I will still redact my information when I do, because I do care about privacy. Please do not expose my private information from this email to external parties, that would be a shockingly low blow.

I am very disappointed in your behaviour to choose to violate my privacy like this, which you acknowledge had no mechanism to inform me of how it will be used.

This is really the equivalent of "It was on display at the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying beware of the leopard."

How Kafkaesque of you.

Regards
*Firstname*

On Fri, 9 Sept 2022 at 04:50, Day Jaley <day.jaley@gmail.com> wrote:

> Hello all,
> I have just had a very troubling email conversation with your executive
> director, Jay Daley, who has outright refused to honour a Personal Data
> removal request.
>
> I had previously written into a mailing list without realising that it was
> one, or that my email address would be publicly listed under
> https://mailarchive.ietf.org/ for Search Engines and Spammers to slurp up.
>
> I have attempted to follow the proper channels to remove the data and make
> my case, but despite this, Jay Daley has personally intervened to refuse
> this request. He has responded extremely quickly, so I doubt that he has
> consulted with others about this.
>
> So, if you have noticed an increasing amount of spam coming to your inbox,
> you have the IETF to blame.
>
> With all the RFCs and Meta-RFCs, I am actually surprised that no one has
> made one to enshrine Privacy of email addresses on open websites to reduce
> spam, and IETF would themselves be privacy violators.
>
> They call it a "Request For Comment", that is they actively encourage you
> to make a comment - but they don't tell you about how the metadata around
> your comment is going to be used.
>
> Full email chain with my privacy protected to follow.