Re: IETF privacy policy - update
John Morris <jmorris-lists@cdt.org> Wed, 07 July 2010 20:52 UTC
Return-Path: <jmorris-lists@cdt.org>
X-Original-To: ietf@core3.amsl.com
Delivered-To: ietf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id BCA943A63D3 for <ietf@core3.amsl.com>; Wed, 7 Jul 2010 13:52:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Dp727qS6znb5 for <ietf@core3.amsl.com>; Wed, 7 Jul 2010 13:52:20 -0700 (PDT)
Received: from mail.maclaboratory.net (mail.maclaboratory.net [209.190.215.232]) by core3.amsl.com (Postfix) with ESMTP id 233153A68F0 for <ietf@ietf.org>; Wed, 7 Jul 2010 13:52:20 -0700 (PDT)
Received: from localhost ([127.0.0.1]) by mail.maclaboratory.net (using TLSv1/SSLv3 with cipher AES128-SHA (128 bits)); Wed, 7 Jul 2010 16:52:11 -0400
Subject: Re: IETF privacy policy - update
Mime-Version: 1.0 (Apple Message framework v1075.2)
Content-Type: text/plain; charset="us-ascii"; format="flowed"; delsp="yes"
From: John Morris <jmorris-lists@cdt.org>
In-Reply-To: <p06240828c85a8b88005c@[10.20.30.158]>
Date: Wed, 07 Jul 2010 16:52:08 -0400
Content-Transfer-Encoding: 7bit
Message-Id: <3FCBDD68-E847-4E31-9DD6-486BE549005F@cdt.org>
References: <7022DEA1-7FC0-4D77-88CE-FA3788720B43@cdt.org> <8FBEA0C7-9B80-4860-AFAE-FB5A19E660EF@muada.com> <4C33A406.1090801@bogus.com> <BBDFC939-2109-41BB-B4E1-BE2CEE43B8CA@muada.com> <9C72FA78-C9C2-4719-9BFD-112ABEFA7117@cdt.org> <56522CF0-088B-4027-AF45-A6075A7EA666@muada.com> <51D591B3-1954-47A6-A40A-7DCE6DDD5CF0@cdt.org> <A68985E3-A34B-47AB-A6A2-E6718E505652@muada.com> <B75D4F49-2361-4706-A24A-D5E7026EE58D@cdt.org> <573C3FFA-B8CA-4B71-9128-07863DF1CF2B@muada.com> <tsl630r6pj1.fsf@mit.edu> <p06240828c85a8b88005c@[10.20.30.158]>
To: Paul Hoffman <paul.hoffman@vpnc.org>
X-Mailer: Apple Mail (2.1075.2)
Cc: Sam Hartman <hartmans-ietf@mit.edu>, IETF-Discussion list <ietf@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Jul 2010 20:52:21 -0000
Paul, Sam, I understand your arguments to bascially be "we've never had an internal privacy problem here at the IETF, and as far as I know no one decides not to participate because of the lack of a privacy policy, so we have no need to follow basic standards of privacy hygiene." What would you say to a network operator who maintains an open mail relay, but says "we've never had any spam abuse on my open relay, and as far as I know I have never lost any business because of my relay, and so I have no need to follow basic standards of SMTP hygiene (as set out in RFCs 2505 and 5321)"? I would say to the network operator that (a) open mail relays create a risk of abuse, (b) industry best practices discourage such relays to help minimize that risk, and so (c) unless you have a really really good reason to maintain an open relay, you should not do so. And if the network operator were a prominent participant in the industry, I would add that maintaining an open relay sets a really bad example for other industry players and developers. In the IETF privacy context, as far as I know, we have not had any significant internal privacy problems at the IETF, probably because the powers-that-be are generally pretty thoughtful, careful people. And I have no idea whether anyone was so put off by the lack of a privacy policy as to reduce their participation IETF -- probably no one (but that is pretty unknowable). But there is a risk -- indeed, as we see going into the next two IETF meetings, there is a growing risk -- that the IETF will be collecting information that could be misused, in ways that none of us can foresee now. A privacy policy would not eliminate that risk, but it would help to guide future efforts to minimize privacy risk, and it would tell IETF site visitors how much they are tracked, etc., should they decide to use the site. So I, at least, would say to the IETF that (a) not having a privacy policy increases the risk of a privacy mistake, (b) online best practices encourage having a privacy policy, and so (c) unless you have a really really good reason not to have a privacy policy, you should have one. And because lots of developers look to the IETF for guidance in their work, I think the IETF's lack of a policy sets a bad example. And I think it is possible that having a clear, public, and well- thought-out set of principles and policies to guide the IETF's collection, retention, and use of data might even reduce or at least constrain the debates we have on this list every year or two about IETF data collection and retention.... Thus, spending what you view as wasted cycles now may well reduce wasted cycles later. But even if it does not, I think any organization that promulgates a series of documents named "Best Current Practices" (and hopes that people will pay attention to them) should itself be prepared to follow widely accepted "best current practices" for its operations, even if the participants of the organization find those practices to be outside of the core work of the group. John On Jul 7, 2010, at 3:59 PM, Paul Hoffman wrote: > At 3:49 PM -0400 7/7/10, Sam Hartman wrote: >> Generally when I look for an idea of whether work is a good idea I >> look >> for a clear statement of benefit. I'll admit that I don't find >> privacy >> policies so valuable that I think everyone should have one. So, I'll >> ask how will or work be improved or what problem are we running into >> that a privacy policy will solve? If that cannot clearly we be >> answered, we should not engage in this activity. > > At 3:51 AM +0000 7/7/10, John Levine wrote: >> I think we all agree that having a privacy policy would be desirable, >> in the sense that we are in favor of good, and opposed to evil. >> But I >> don't know what it means to implement a privacy policy, and I don't >> think anyone else does either. >> >> A privacy policy is basically a set of assertions about what the IETF >> will do with your personal information. To invent a strawman, let's >> say that the privacy policy says that registration information will >> be >> kept in confidence, and some newly hired clerk who's a little unclear >> on the concept gives a list of registrants' e-mail addresses to a >> conference sponsor so they can e-mail everyone an offer for a free >> IETF tee shirt. >> >> Then what happens? Is a privacy policy a contract, and if it is, >> what >> remedies do IETF participants have for non-performance? And if it's >> not, and there aren't remedies, what's the point? > > Thank you, Sam and John. > > Do some people not come to IETF meetings because of the current null > privacy policy? Do they say less than they would have if we had a > typical non-null policy? If either of those two are answered yes, > would those people contribute better knowing that the IETF had a > policy but no real way to enforce it other than by apologizing when > it failed to follow the policy? > > If having a privacy policy, even one where there was no real > enforcement mechanism, was free, nearly everyone would want it. > Given that getting such a policy is not free, and will cause cycles > to be lost from other IETF work, is the tradeoff worth it? At this > point, I would say "no", but mostly because I don't know of anyone > who contributes less due to the current null policy. > > --Paul Hoffman, Director > --VPN Consortium > _______________________________________________ > Ietf mailing list > Ietf@ietf.org > https://www.ietf.org/mailman/listinfo/ietf >
- Re: IETF privacy policy - update Marshall Eubanks
- IETF privacy policy - update Alissa Cooper
- Re: IETF privacy policy - update Melinda Shore
- Re: IETF privacy policy - update John C Klensin
- Re: IETF privacy policy - update Dave CROCKER
- Re: IETF privacy policy - update Dave CROCKER
- Re: IETF privacy policy - update SM
- Re: IETF privacy policy - update John C Klensin
- Re: IETF privacy policy - update Eliot Lear
- Re: IETF privacy policy - update Alissa Cooper
- Re: IETF privacy policy - update Eliot Lear
- Re: IETF privacy policy - update Iljitsch van Beijnum
- Re: IETF privacy policy - update Nathaniel Borenstein
- Re: IETF privacy policy - update Karen O'Donoghue
- Re: IETF privacy policy - update Stephan Wenger
- Re: IETF privacy policy - update John C Klensin
- Re: IETF privacy policy - update Alissa Cooper
- Re: IETF privacy policy - update todd glassey
- Re: IETF privacy policy - update John Morris
- Re: IETF privacy policy - update Bob Hinden
- Re: IETF privacy policy - update John Morris
- Re: IETF privacy policy - update Ted Hardie
- Re: IETF privacy policy - update joel jaeggli
- Re: IETF privacy policy - update todd glassey
- Re: IETF privacy policy - update Iljitsch van Beijnum
- Re: IETF privacy policy - update Iljitsch van Beijnum
- Re: IETF privacy policy - update John Morris
- Re: IETF privacy policy - update Iljitsch van Beijnum
- Re: IETF privacy policy - update John Morris
- Re: IETF privacy policy - update Larry Smith
- Re: IETF privacy policy - update Iljitsch van Beijnum
- Re: IETF privacy policy - update Melinda Shore
- Re: IETF privacy policy - update Sam Hartman
- Re: IETF privacy policy - update Ole Jacobsen
- Re: IETF privacy policy - update Paul Hoffman
- Re: IETF privacy policy - update Melinda Shore
- Re: IETF privacy policy - update Sam Hartman
- Re: IETF privacy policy - update John Morris
- Re: IETF privacy policy - update Paul Hoffman
- Re: IETF privacy policy - update joel jaeggli
- Re: IETF privacy policy - update Sam Hartman
- Comments on <draft-cooper-privacy-policy-01.txt> Bob Hinden
- Re: IETF privacy policy - update Alissa Cooper
- Re: IETF privacy policy - update Andrew Sullivan
- Re: IETF privacy policy - update John Morris
- Re: IETF privacy policy - update Randy Bush
- Re: IETF privacy policy - update Cullen Jennings
- Re: IETF privacy policy - update joel jaeggli
- RE: IETF privacy policy - update Yoav Nir
- Re: IETF privacy policy - update David Morris
- Re: IETF privacy policy - update Arnt Gulbrandsen
- Re: IETF privacy policy - update Henk Uijterwaal
- Re: IETF privacy policy - update Andrew Sullivan
- Re: IETF privacy policy - update joel jaeggli
- Re: IETF privacy policy - update Marshall Eubanks
- Re: IETF privacy policy - update jean-michel bernier de portzamparc
- Re: IETF privacy policy - update Fred Baker
- Re: IETF privacy policy - update Peter Saint-Andre
- Re: IETF privacy policy - update Melinda Shore
- Re: IETF privacy policy - update Fred Baker
- Re: IETF privacy policy - update Melinda Shore
- Re: IETF privacy policy - update joel jaeggli
- Re: IETF privacy policy - update Fred Baker
- Re: IETF privacy policy - update Melinda Shore
- Re: IETF privacy policy - update Fred Baker
- Re: IETF privacy policy - update Randy Bush
- Re: IETF privacy policy - update Martin Rex
- Re: IETF privacy policy - update GTW
- Re: IETF privacy policy - update Henk Uijterwaal
- Re: IETF privacy policy - update Patrik Fältström
- Re: IETF privacy policy - update Fred Baker
- Re: Comments on <draft-cooper-privacy-policy-01.t… Hannes Tschofenig
- Re: IETF privacy policy - update Ted Hardie
- Re: Comments on <draft-cooper-privacy-policy-01.t… Randy Bush
- Re: Comments on <draft-cooper-privacy-policy-01.t… Hannes Tschofenig
- Re: Comments on <draft-cooper-privacy-policy-01.t… Randy Bush
- Re: IETF privacy policy - update Alissa Cooper
- Re: Comments on <draft-cooper-privacy-policy-01.t… todd glassey
- Re: Comments on <draft-cooper-privacy-policy-01.t… todd glassey
- Re: Comments on <draft-cooper-privacy-policy-01.t… Hannes Tschofenig
- Re: Comments on <draft-cooper-privacy-policy-01.t… Randy Bush
- Re: Comments on <draft-cooper-privacy-policy-01.t… Joel Jaeggli
- Re: Comments on <draft-cooper-privacy-policy-01.t… Hannes Tschofenig
- Re: Comments on <draft-cooper-privacy-policy-01.t… Hannes Tschofenig
- Re: Comments on <draft-cooper-privacy-policy-01.t… Fred Baker
- Re: Comments on <draft-cooper-privacy-policy-01.t… Randy Bush
- RE: IETF privacy policy - update Monique Morrow (mmorrow)
- Re: Comments on <draft-cooper-privacy-policy-01.t… Randy Bush
- Re: Comments on <draft-cooper-privacy-policy-01.t… Dave CROCKER
- Re: Comments on <draft-cooper-privacy-policy-01.t… Donald Eastlake
- Re: Comments on <draft-cooper-privacy-policy-01.t… Joel Jaeggli
- Re: Comments on <draft-cooper-privacy-policy-01.t… Phillip Hallam-Baker
- Re: Comments on <draft-cooper-privacy-policy-01.t… Dave CROCKER
- Re: Comments on <draft-cooper-privacy-policy-01.t… Randy Bush
- Re: Comments on <draft-cooper-privacy-policy-01.t… Dave CROCKER
- Re: Comments on <draft-cooper-privacy-policy-01.t… Fred Baker
- Re: Comments on <draft-cooper-privacy-policy-01.t… Martin Rex
- Re: Comments on <draft-cooper-privacy-policy-01.t… todd glassey
- Re: Comments on <draft-cooper-privacy-policy-01.t… Martin Rex
- Re: Comments on <draft-cooper-privacy-policy-01.t… Joel Jaeggli
- Re: Comments on <draft-cooper-privacy-policy-01.t… todd glassey
- Re: Comments on <draft-cooper-privacy-policy-01.t… Randy Bush
- Re: Comments on <draft-cooper-privacy-policy-01.t… Dave CROCKER
- Re: Comments on <draft-cooper-privacy-policy-01.t… Andrew Sullivan
- Re: Comments on <draft-cooper-privacy-policy-01.t… Dave CROCKER
- Re: Comments on <draft-cooper-privacy-policy-01.t… John C Klensin
- Re: Comments on <draft-cooper-privacy-policy-01.t… Dave CROCKER
- Re: Comments on <draft-cooper-privacy-policy-01.t… Randy Bush
- Re: Comments on <draft-cooper-privacy-policy-01.t… Dave CROCKER
- Re: Comments on <draft-cooper-privacy-policy-01.t… Randy Bush
- Re: IETF privacy policy - update Alissa Cooper
- Re: IETF privacy policy - update Paul Hoffman
- Re: Comments on <draft-cooper-privacy-policy-01.t… Alissa Cooper
- Re: Comments on <draft-cooper-privacy-policy-01.t… John C Klensin
- Re: Comments on <draft-cooper-privacy-policy-01.t… John C Klensin
- Re: IETF privacy policy - update Martin Rex
- Re: IETF privacy policy - update todd glassey
- Re: Comments on <draft-cooper-privacy-policy-01.t… Dave CROCKER
- Re: IETF privacy policy - update John Morris
- Re: IETF privacy policy - update Andrew Sullivan
- Re: IETF privacy policy - still a bad idea John Levine
- RE: IETF privacy policy - update Dearlove, Christopher (UK)
- Re: IETF privacy policy - still a bad idea John R. Levine
- Re: IETF privacy policy - still a bad idea Marshall Eubanks
- Re: IETF privacy policy - still a bad idea Dave CROCKER
- Re: IETF privacy policy - still a bad idea Marshall Eubanks
- Re: IETF privacy policy - still a bad idea Dave CROCKER
- Re: IETF privacy policy - still a bad idea Phillip Hallam-Baker
- Re: IETF privacy policy - still a bad idea Phillip Hallam-Baker
- Re: IETF privacy policy - still a bad idea Andrew Sullivan
- Re: IETF privacy policy - still a bad idea Marshall Eubanks
- Re: IETF privacy policy - still a bad idea Andrew Sullivan
- Re: IETF privacy policy - still a bad idea Dave CROCKER
- Re: IETF privacy policy - still a bad idea Andrew Sullivan
- Re: IETF privacy policy - still a bad idea Fred Baker
- Re: IETF privacy policy - still a bad idea Ole Jacobsen
- Re: IETF privacy policy - still a bad idea Dave CROCKER
- Re: IETF privacy policy - still a bad idea Arnt Gulbrandsen
- Re: IETF privacy policy - still a bad idea Marshall Eubanks
- Re: IETF privacy policy - still a bad idea John R. Levine
- Re: IETF privacy policy - still a bad idea Fred Baker
- Re: IETF privacy policy - still a bad idea todd glassey
- What does a privacy policy mean? John R. Levine
- Re: What does a privacy policy mean? Phillip Hallam-Baker