Re: IAOC requesting input on (potential) meeting cities

Rich Kulawiec <rsk@gsp.org> Mon, 03 April 2017 15:26 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/CBE43UWfNN25iEs60brVHcB3dhU>

On Fri, Mar 31, 2017 at 11:59:49AM -0500, Paul Wouters wrote:
> I don't know when I will be refused entry for not handing out
> passwords or pins.

This is worth noting on an equal basis with the question of
whether travelers will be refused entry or only permitted entry
after considerable delays, interrogation, and abuse.  There is
at this moment no articulated, consistent, and uniform policy
in place specifying:

	- who will be asked for passwords
	- why they'll be asked
	- who will do the asking
	- under what circumstances they'll be asked
	- what the ramifications of refusal are
	- what the ramifications of not remembering them are
	- what the ramifications of agreement are
	- what use will be made of them
	- what use will be made of any data they provide access to
	- if they'll be retained
	- if the data they provide access to will be retained
	- if they'll be shared with other US agencies
	- if they'll be shared with other non-US agencies
	- if computing devices will be confiscated
	- if computing devices will be searched
	- if computing devices will be returned
	- if the contents of computing devices will be copied
	- who will have access to that data
	- what use will be made of that data
	- if that data will be retained
	- if that data will be shared with US agencies
	- if that data will be shared with non-US agencies
	- what auditing controls (if any) exist to prevent mis-use
	- when any retained passwords/data will be destroyed (if ever)
	- etc.

Moreover, the ad hoc policies that are in place are used very
inconsistently -- at the personal whims of those enforcing them --
and are subject to change not only without advance notice,
but without any notice of any kind.

Because of this, asking anyone to come to the US at this time is
equivalent to asking them to incur unknown but possibly very large
privacy and security risks, as well as the financial risk of losing
any/all computing devices they bring with them.

---rsk