Re: [ietf-privacy] Deletion request a couple of months ago

Howdy,

First, I don't believe you are addressing the right mailing list.  The IETF
LLC hires the lawyers who tell the IETF how to comply with the GDPR so you
need to talk to them when you want to suggest changes to compliance,
probably by reaching out to the executive director.

Second, you note that the  "IETF simply archives everything permanently"
and you seem to believe that this is problematic.  This is actually a
feature, and a very important one.  By keeping the mailing list traffic
available for later review, the IETF and others are better able to
understand what and who influenced the development of particular standards
to take specific shapes.  That's important in a variety of contexts, not
least by enabling the IETF  to build on previous work even when the
individuals involved are no longer able to participate.  This is in
addition to the obvious need to enable folks to join a standards effort
which has already begun but not completed, which also requires access to
the archives of conversations.
best regards,

Ted Hardie
(Not speaking on behalf of anyone else)

On Thu, Sep 29, 2022 at 11:21 PM <kate_9023+rfc@systemli.org> wrote:

> Hello,
>
> I'm sorry, I couldn't find the original posting in mailbox. I refer to
> this post:
> https://mailarchive.ietf.org/arch/msg/ietf-privacy/KvLlmoaQDKulyHJCWKLM5HWx0Zg/
>
> But I guess it makes sense to start a new thread anyway. I'm finally able
> to give this post the attention it deserves.
>
> Side note: Sometimes the email traffic at the IETF is quite fast moving
> and my inbox gets so flooded by this that it is impossible for me to follow
> the mailing list alongside job and other projects or reply in time.
>
> Back to the topic: Even though I see that the email and the name of the
> questioner have been removed in compliance with the GDPR, I would like to
> say something about it.
>
> Warning, the following is no legal advice. It may contain misinformation,
> but it's written in the best of my knowledge.
>
> Basically, I agree with the person and it is also something I realized
> negatively that the IETF does not fully inform what is public and what is
> not. In addition, there may be a different understanding in the US on the
> subject of "deleting data which is public". In Europe, we have the right to
> have this data being removed as well and this is strengthened by the GDPR.
> For us, personal data and data worth protecting also includes the name and
> the e-mail and even the IP address. Therefore, we are not allowed to simply
> publish e-mails without extensive information and explicit consent and even
> if this consent has been obtained, the person has the right to have his
> data deleted (also, for example, in forums). Whether a name or e-mail is
> mentioned is irrelevant for the traceability of the topic.
>
> Side note: I have noticed that the IETF simply archives everything
> permanently, even for more than 30 years. This is not really in the sense
> of data hygiene. Unfortunately, I have often found outdated information
> that I thought was up to date when I searched for it and acted on it, only
> to figure out later from members of the community that it was outdated.
> This means it blocked me in my work and lead to more confusion. This
> included trying to contact people who had once published an RFC draft, but
> the email went back due to now being invalid. I would have saved myself a
> lot of work on my draft if this information would have been deleted. On
> MastodonPurge the topic of data hygiene is described as: "Remove parts of
> your personal history from the internet: *Maybe you regret having written
> something publicly or privately, which new users shoud not see anymore. We
> all change our opinions over time. Be sure nobody gets's a wrong impression
> based on outdated posts."* I agree with that and I also think that some
> (without naming anyone) are (hopefully) ashamed of insults/harassments
> they've done on this list in the future. Who knows, they might even have
> problems with job applications / future employers because of it. I don't
> believe that someone who said [insert insult here] to someone else 30 years
> ago should have any relevance today and they don't belong in a permanent
> archive either (also with the respect of the person who was insulted).
>
> The GDPR also encourages IT services to be set up according to the current
> state of the art. This also includes effective spam protection and
> protection of e-mail addresses by spammers. I have already talked to some
> IETF people about this, but I haven't had time to work out a "improve not
> being spammed" draft yet.  Therefore I agree with the questioner. I also
> have generated an "extra email" for IETF and can see how heavily this is
> now being used by spam scrapers and I receive about 30 emails a day in my
> inbox just from the mailing list and the draft. There are many better and
> modern ways of protection here.
>
> I know that now many of you will say that the GDPR does not apply in the
> US but I consider the IETF an institution to look up to, which (in my
> opinion - correct me if I am wrong) at some time had on its agenda to make
> the Internet a better place and which is still looked up to today.
> Therefore it would be a very good step to implement the idea here as it is
> an important protection law.
>
> Protecting against data theft, promoting secure IT systems, keeping only
> relevant data and more.
>
> And which wouldn't be a better place to start with on increasing privacy
> and implementing already proven best-practices then on a privacy list
> itself.
>
> tl;dr
>
> I think it is important and right to respect and implement deletion
> requests.
>
> - Kate
>
>
>
>
> _______________________________________________
> ietf-privacy mailing list
> ietf-privacy@ietf.org
> https://www.ietf.org/mailman/listinfo/ietf-privacy
>