Re: Proposed IETF Privacy Policy for Review

S Moonesamy <> Fri, 18 March 2016 10:33 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 8592612D847 for <>; Fri, 18 Mar 2016 03:33:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.092
X-Spam-Status: No, score=-0.092 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001, T_FILL_THIS_FORM_SHORT=0.01] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key) header.b=bmDx71aL; dkim=pass (1024-bit key) header.b=M++Tno/2
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id S98VAUrG2h65 for <>; Fri, 18 Mar 2016 03:33:05 -0700 (PDT)
Received: from ( [IPv6:2001:470:f329:1::1]) by (Postfix) with ESMTP id A73B412D83F for <>; Fri, 18 Mar 2016 03:33:05 -0700 (PDT)
Received: from ([]) (authenticated bits=0) by (8.14.5/8.14.5) with ESMTP id u2IAWraO005884 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <>; Fri, 18 Mar 2016 03:33:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;; s=mail2010; t=1458297184; x=1458383584; bh=ITdCoKj/7Fkg+u64xFYhEeJCOQgHiI7Pb6nY13Va6I0=; h=Date:To:From:Subject:In-Reply-To:References; b=bmDx71aLfNYdYGN0gGct4orWxzbpSQxcOKcW9M5Gk1v5XDpZ7slTQ73q5LRmzJqos nBdrmJo9tnf9pG3ooviJjyzYD2/9rTym66ENpHaC/M94TLOnc5Lm0z/xRbovCSOXyl 9yetaTwjhrLM5znZFx1NO7uS9kwicMaEGlQR/N8c=
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;; s=mail; t=1458297184; x=1458383584;; bh=ITdCoKj/7Fkg+u64xFYhEeJCOQgHiI7Pb6nY13Va6I0=; h=Date:To:From:Subject:In-Reply-To:References; b=M++Tno/2Aca2wqsCvuVAVkiR1iZbM/sKXh8kEpXiWnztBM2Xj8H1TFonfbrXIsewC Rk+ENfSCieWO/e7J/WUyChdlnWScoPTdxnJMvbwIO/U7DAlQ1q9R0BEMzldYbIggot SxE7KzT9NsZOeB/nnl2iDwn9NN9Xedg/lE0ozqUc=
Message-Id: <>
X-Mailer: QUALCOMM Windows Eudora Version
Date: Fri, 18 Mar 2016 03:28:16 -0700
From: S Moonesamy <>
Subject: Re: Proposed IETF Privacy Policy for Review
In-Reply-To: <>
References: <>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Archived-At: <>
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF-Discussion <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 18 Mar 2016 10:33:08 -0000

At 10:02 16-03-2016, IETF Administrative Director wrote:
>The IAOC would like community input on a proposed IETF Privacy Policy.

The above says "Privacy Policy" whereas the "IETF Draft 24 Feb. 2016" 
says "Statement Concerning Personal Data".

According to the "Internet Engineering Task Force (IETF) 
is an organized activity of the Internet Society".  Who is the 
operator of

I'll use "personal data" to refer to "personally identifiable 
information" as it might be easier to understand.  The following is 
considered as personal data:

   (a) first and last name
   (b) home address
   (c) e-mail address
   (d) Any other identifier that permits the physical or online contacting
       of a specific individual

IETF online participation requires (a) and (c) [1].  IETF attendance 
requires more personal data, e.g. payment information.  There is also 
the audio and video recordings.  According to the Attorney General, 
California Department of Justice, the United States "Federal Trade 
Commission (FTC) has called for improved data practice transparency,
encouraging privacy policy statements that are 'clearer, shorter, and 
more standardized
to enable better comprehension and comparison of privacy 
practices'.  I suggest having a subdivision so that the participant 
can easily find which personal data he/she has to provide.  There 
would be a separate division for an attendee as other personal data 
may be required. A third division would be for the (web) visitor.

There isn't any information in the draft about data use and 
sharing.  The draft mentions that it is possible "to request 
information regarding our disclosure of your Personal Data to third 
parties for direct marketing purposes".  I suggest explicitly asking 
for consent before sharing personal data with third parties.

   "We believe that we have implemented commercially reasonable precautions
    to prevent the unauthorized use, disclosure and alteration of Non-Public
    Information. However, no data security measures can guarantee complete
    data security, and IETF does not guaranty the confidentiality of anything
    that you submit to IETF."

Does that mean that the IETF will not notify a person affected by a 
data breach?  What is the difference between "commercially reasonable 
precautions" and "reasonable precautions"?

This draft is better than the draft which was posted in February 2015.

S. Moonesamy

1. I skipped the exceptions.