Re: IETF privacy policy - update

[Alissa Cooper <acooper@cdt.org>]

Hi Stephan,

On Jul 6, 2010, at 3:53 PM, Stephan Wenger wrote:

> Hi,
>
> I think this is an excellent straw man for an IETF privacy policy.   
> I have,
> however, two issues with its adoption that makes me question the  
> wisdom of
> an unqualified "+1".
>

Thanks.

> First, I'm not quite sure whether the IETf should adopt such a  
> document
> without providing clear guidelines to its I* people, the  
> secretariat, or WG
> chairs.  In the absence of such guidelines, those people could be  
> seen as
> responsible of upholding the policy without knowing the practical  
> "how to",
> which may create a certain personal liability on their side, to  
> which they
> may not have signed up to.  I believe that the pool of people on the  
> hook
> for this implementation is too big, to unstructured, and perhaps not
> sufficiently trained (especially when it comes to the fine details)  
> of the
> implementation of the policy.  In other words, my fear is that we may
> promise something to the outside world of which the people  
> responsible are
> not certain how exactly it needs to be delivered--which puts them  
> into an
> unenviable position.

Point taken. The document currently lacks clarity about who is  
actually doing the data handling. I think the process of sorting that  
out will be highly instructive. Getting a general understanding of who  
is responsible for what will be the first step towards being able to  
give those people guidance about data handling.

>
> Second, I fear that the draft policy (-01 draft) provides  
> occasionally the
> impression of a certain safety of private data, where no such safety  
> exists.
> For example, equipment that stores log files is moved frequently  
> into areas
> where US law does not apply.  I would assume (without knowing for  
> certain)
> that the machines dealing with on-site information do keep some  
> sensitive
> information on their local hard drives--which are outside the US for  
> many of
> our meetings.

The jurisdiction of stored data is definitely one point that needs to  
be better documented, I agree.

> And so on.

If you have specific ideas of other spots where the document over- 
promises, a list would be appreciated. I can take further  
clarifications back to the secretariat or whoever the responsible  
party is.

Thanks,
Alissa


>
> The second point may be easily addressable by adding sufficiently  
> broad
> disclaimers to the policy, and/or by documenting the corner cases  
> mentioned
> (I would not be surprised if there were many more of those).  The  
> first
> point would require a guidelines document for the mentioned  
> officials, and I
> think that the development of such a document needs to go hand-in- 
> hand with
> the development of the policy itself.  Alternatively, the first  
> point could
> be addressed by phrasing the policy as a statement of intent, rather  
> than a
> "bill of rights".  Of course, its value goes way down when doing so.
>
> I personally couldn't care less how and where a privacy policy and its
> accompanying guideline docs is being developed.  However, I do have an
> observation to make with respect to the form of the document.  Even
> single-national organizations (like my bank, or my insurers) do  
> change their
> privacy policy quite often--several times per decade.  They have to  
> in order
> to comply with the development of the local law.  I do not see that  
> the IETF
> would not have to do the same, once we have a first policy in  
> place.  And
> that does not count the implications of, in practice, being an  
> international
> organization doing business in places such as the US and China--just  
> to make
> two examples with fundamentally different privacy law and practice-- 
> and our
> lack of experience and shortness of legal resources in creating  
> one.  All
> that would speak for an easily updateable format, and RFCs are not  
> known to
> fall into that category.  We will have a buggy document at the  
> beginning,
> and we need ways to fix it, quickly.
>
> Regards,
> Stephan
>
>
> On 7.5.2010 09:05 , "Alissa Cooper" <acooper@cdt.org> wrote:
>
>> A few months ago I drew up a strawman proposal for a public-facing
>> IETF privacy policy (http://www.ietf.org/id/draft-cooper-privacy-policy-00.txt
>> ). I've submitted an update based on feedback received:
>> http://www.ietf.org/id/draft-cooper-privacy-policy-01.txt
>>
>> In discussing the policy with the IAOC and others, it seems clear  
>> that
>> the RFC model is probably not the best model for maintaining and
>> updating a document like this. It is more likely to fall within the
>> scope of the IAOC and/or the Trust. In order for the IAOC to consider
>> taking this on and devoting resources to figuring out what its format
>> should be, they need to hear from the community that a public-facing
>> privacy policy is something that the community wants. So I have two
>> requests for those with any interest in this:
>>
>> 1) Respond on this list if you support the idea of the IETF having a
>> privacy policy (a simple "+1" will do).
>>
>> 2) If you have comments and suggestions about the policy itself, send
>> them to this list.
>>
>>
>> Thanks,
>> Alissa
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> _______________________________________________
>> Ietf mailing list
>> Ietf@ietf.org
>> https://www.ietf.org/mailman/listinfo/ietf
>
>
>