Re: IETF privacy policy - update
Alissa Cooper <acooper@cdt.org> Thu, 15 July 2010 14:36 UTC
From: Alissa Cooper <acooper@cdt.org>
To: Stephan Wenger <stewe@stewe.org>
Subject: Re: IETF privacy policy - update
Date: Thu, 15 Jul 2010 15:36:55 +0100
Cc: IETF-Discussion list <ietf@ietf.org>

Hi Stephan,

On Jul 6, 2010, at 3:53 PM, Stephan Wenger wrote:

> Hi,
>
> I think this is an excellent straw man for an IETF privacy policy. I have,
> however, two issues with its adoption that make me question the wisdom of
> an unqualified "+1".
>

Thanks.

> First, I'm not quite sure whether the IETF should adopt such a document
> without providing clear guidelines to its I* people, the secretariat, or WG
> chairs. In the absence of such guidelines, those people could be seen as
> responsible for upholding the policy without knowing the practical "how to",
> which may create a certain personal liability on their side, to which they
> may not have signed up to. I believe that the pool of people on the hook
> for this implementation is too big, too unstructured, and perhaps not
> sufficiently trained (especially when it comes to the fine details) of the
> implementation of the policy. In other words, my fear is that we may
> promise something to the outside world of which the people responsible are
> not certain how exactly it needs to be delivered--which puts them into an
> unenviable position.

Point taken. The document currently lacks clarity about who is actually doing the data handling. I think the process of sorting that out will be highly instructive. Getting a general understanding of who is responsible for what will be the first step towards being able to give those people guidance about data handling.

>
> Second, I fear that the draft policy (-01 draft) provides occasionally the
> impression of a certain safety of private data, where no such safety exists.
> For example, equipment that stores log files is moved frequently into areas
> where US law does not apply. I would assume (without knowing for certain)
> that the machines dealing with on-site information do keep some sensitive
> information on their local hard drives--which are outside the US for many of
> our meetings.

The jurisdiction of stored data is definitely one point that needs to be better documented, I agree.

> And so on.

If you have specific ideas of other spots where the document over-promises, a list would be appreciated. I can take further clarifications back to the secretariat or whoever the responsible party is.

Thanks,
Alissa

>
> The second point may be easily addressable by adding sufficiently broad
> disclaimers to the policy, and/or by documenting the corner cases mentioned
> (I would not be surprised if there were many more of those). The first
> point would require a guidelines document for the mentioned officials, and I
> think that the development of such a document needs to go hand-in-hand with
> the development of the policy itself. Alternatively, the first point could
> be addressed by phrasing the policy as a statement of intent, rather than a
> "bill of rights". Of course, its value goes way down when doing so.
>
> I personally couldn't care less how and where a privacy policy and its
> accompanying guideline docs are being developed. However, I do have an
> observation to make with respect to the form of the document. Even
> single-national organizations (like my bank, or my insurers) do change their
> privacy policy quite often--several times per decade. They have to in order
> to comply with the development of the local law. I do not see that the IETF
> would not have to do the same, once we have a first policy in place. And
> that does not count the implications of, in practice, being an international
> organization doing business in places such as the US and China--just to make
> two examples with fundamentally different privacy law and practice--and our
> lack of experience and shortness of legal resources in creating one. All
> that would speak for an easily updateable format, and RFCs are not known to
> fall into that category. We will have a buggy document at the beginning,
> and we need ways to fix it, quickly.
>
> Regards,
> Stephan
>
>
> On 7.5.2010 09:05 , "Alissa Cooper" <acooper@cdt.org> wrote:
>
>> A few months ago I drew up a strawman proposal for a public-facing
>> IETF privacy policy (http://www.ietf.org/id/draft-cooper-privacy-policy-00.txt).
>> I've submitted an update based on feedback received:
>> http://www.ietf.org/id/draft-cooper-privacy-policy-01.txt
>>
>> In discussing the policy with the IAOC and others, it seems clear that
>> the RFC model is probably not the best model for maintaining and
>> updating a document like this. It is more likely to fall within the
>> scope of the IAOC and/or the Trust. In order for the IAOC to consider
>> taking this on and devoting resources to figuring out what its format
>> should be, they need to hear from the community that a public-facing
>> privacy policy is something that the community wants. So I have two
>> requests for those with any interest in this:
>>
>> 1) Respond on this list if you support the idea of the IETF having a
>> privacy policy (a simple "+1" will do).
>>
>> 2) If you have comments and suggestions about the policy itself, send
>> them to this list.
>>
>>
>> Thanks,
>> Alissa
>>
>> _______________________________________________
>> Ietf mailing list
>> Ietf@ietf.org
>> https://www.ietf.org/mailman/listinfo/ietf