Re: What does a privacy policy mean ?
Alissa Cooper <acooper@cdt.org> Wed, 07 July 2010 14:33 UTC
I think privacy policies originally emerged as a means to inform people about how their data is collected, used, shared, and stored. The perception that the collection of information about people in secret is a privacy threat has motivated increased disclosure about what happens to data about people. Over time, I think many privacy policies have strayed away from this original goal and have come instead to act as disclaimers of legal liability or internal compliance guidelines, or both. I think the average corporate privacy policy these days probably does a good job of giving corporations legal cover and a decent job of instructing their employees about what they may or may not do with data, but is not easy for laypeople to understand ([1] provides some more information from the US context). I think the IETF can do better.

AFAIK, right now the IETF has neither a public-facing statement that informs people about what happens to their data nor a disclaimer of legal liability nor an internal compliance document. There is the Trust records management policy, which in theory serves all three purposes (although I would argue that it isn't really accessible enough to laypeople to serve the first function). But limiting data retention is only one aspect of privacy protection, as the strawman policy demonstrates. I think the IETF could (and should) have a public-facing policy that is understandable and a (likely separate) internal compliance document that explains to those who handle data collected in conjunction with IETF activities about what they may or may not do with it. The strawman policy attempts to achieve the former.

I don't have a strong opinion about whether the IETF needs a disclaimer of legal liability. Notably, the IETF has survived this long without one. Beyond legal remedies for non-performance, however, having a clear privacy policy would allow a strong community remedy for non-performance. If the IETF states its privacy policy clearly, and then violates that policy, there could well be strong discussion and disapproval on this mailing list and at plenary sessions during IETF meetings. The community has a pretty good ability to force the powers-that-be to explain their actions and develop new policies to correct mistakes, should they arise. So wholly apart from legal remedies, I think there is strong value in having a clearly stated privacy policy.

Alissa

[1] http://lorrie.cranor.org/pubs/readingPolicyCost-authorDraft.pdf

On Jul 7, 2010, at 4:51 AM, John Levine wrote:

> I think we all agree that having a privacy policy would be desirable,
> in the sense that we are in favor of good, and opposed to evil. But I
> don't know what it means to implement a privacy policy, and I don't
> think anyone else does either.
>
> A privacy policy is basically a set of assertions about what the IETF
> will do with your personal information. To invent a strawman, let's
> say that the privacy policy says that registration information will be
> kept in confidence, and some newly hired clerk who's a little unclear
> on the concept gives a list of registrants' e-mail addresses to a
> conference sponsor so they can e-mail everyone an offer for a free
> IETF tee shirt.
>
> Then what happens? Is a privacy policy a contract, and if it is, what
> remedies do IETF participants have for non-performance? And if it's
> not, and there aren't remedies, what's the point?
>
> R's,
> John

--
----------------------------------------------------
Alissa Cooper
Chief Computer Scientist
Center for Democracy and Technology
+44 (0)785 916 0031
Skype: alissacooper