Re: Comments on <draft-cooper-privacy-policy-01.txt>

"Hannes Tschofenig" <Hannes.Tschofenig@gmx.net> Fri, 09 July 2010 11:32 UTC

To: Bob Hinden <bob.hinden@gmail.com>, acooper@cdt.org
Cc: bob.hinden@gmail.com, ietf@ietf.org

Hi Bob, 

just a very quick reaction to your mail: 

~snip~ 
> 
> I have issues with the Introduction.  The first sentence says: 
> 
>    In keeping with the goals and objectives of this standards body, the
>    IETF is committed to the highest degree of respect for the privacy of
>    IETF participants and site visitors.
> 
> This makes it sound like the highest priority of the IETF is Privacy.  I
> don't think this is true as I described above.  The vast majority of what
> the IETF does is Public.  There is very little that is Private.  The IETF is
> careful about what needs to be kept private and does not disclose it.

The Fair Information Practices are a set of principles most of us are quite likely to believe in, such as (copied from Alissa's draft):
"
   o  Collection Limitation: There should be limits to the collection of
      data about people.

   o  Data Quality: Personal data should be accurate, complete, up-to-
      date, and relevant to the purposes for which it was collected.

   o  Purpose Specification: The purpose of collecting personal data
      should be specified in advance of collection.

   o  Use Limitation: Personal data should only be used for the purposes
      for which it was collected.

   o  Security: Personal data should be protected by reasonable security
      safeguards against unauthorised access, use, and disclosure.

   o  Openness: Practices and policies with respect to personal data
      should be open and transparent.

   o  Individual Participation: Individuals should have choice, access,
      correction, and redress rights with respect to their data.

   o  Accountability: Those that collect and use data should be
      accountable for complying with the above principles.
"

When you read "privacy" then replace it with these principles and everything makes much more sense to you. 

As an example, imagine some researchers doing some interesting network testing and collecting data that travels over the IETF network; then these principles say that you should be transparent in what you do, you should tell people what you collect and why, etc.

I think that this is something we want people to do. And "yes" we have researchers looking into the traffic, people storing all sorts of data, etc.

I don't think we have anything to hide. 

It would be a bad sign to say that the IETF is so special that we don't need to follow privacy principles (even if we try to consider privacy in the development of our protocols and tell other SDOs that it is really important to do so).

Ciao
Hannes

PS: If you do not know about the "OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data" then maybe some other folks have not heard about these privacy principles either. Maybe we should add privacy to our Sunday education program.