IETF Logo Mail Archive

RE: Proposed IETF Websites Privacy Policy; Community Input Requested

James Gannon <james@cyberinvasion.net> Sun, 22 March 2015 20:57 UTC

Return-Path: <james@cyberinvasion.net>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 666E61A1AA1 for <ietf@ietfa.amsl.com>; Sun, 22 Mar 2015 13:57:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.892
X-Spam-Level:
X-Spam-Status: No, score=-1.892 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_FILL_THIS_FORM_SHORT=0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Hwtejux9iqye for <ietf@ietfa.amsl.com>; Sun, 22 Mar 2015 13:57:17 -0700 (PDT)
Received: from emea01-am1-obe.outbound.protection.outlook.com (mail-am1on0799.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe00::799]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DBFDF1A003B for <ietf@ietf.org>; Sun, 22 Mar 2015 13:57:16 -0700 (PDT)
Received: from DB3PR06MB219.eurprd06.prod.outlook.com (10.141.2.20) by DB3PR06MB217.eurprd06.prod.outlook.com (10.141.2.15) with Microsoft SMTP Server (TLS) id 15.1.112.19; Sun, 22 Mar 2015 20:56:57 +0000
Received: from DB3PR06MB219.eurprd06.prod.outlook.com ([169.254.14.42]) by DB3PR06MB219.eurprd06.prod.outlook.com ([169.254.14.42]) with mapi id 15.01.0118.021; Sun, 22 Mar 2015 20:56:57 +0000
From: James Gannon <james@cyberinvasion.net>
To: S Moonesamy <sm+ietf@elandsys.com>, "ietf@ietf.org" <ietf@ietf.org>
Subject: RE: Proposed IETF Websites Privacy Policy; Community Input Requested
Thread-Topic: Proposed IETF Websites Privacy Policy; Community Input Requested
Thread-Index: AQIdtj8+T9YfEoszdjR/aKRxeiwH5gLKyHc7nHf/W7A=
Date: Sun, 22 Mar 2015 20:56:56 +0000
Message-ID: <DB3PR06MB2191D1A8985F910C8455840BF0C0@DB3PR06MB219.eurprd06.prod.outlook.com>
References: <20150203155217.2391.76679.idtracker@ietfa.amsl.com> <6.2.5.6.2.20150322122713.0e93c238@resistor.net>
In-Reply-To: <6.2.5.6.2.20150322122713.0e93c238@resistor.net>
Accept-Language: en-IE, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [86.42.134.106]
authentication-results: elandsys.com; dkim=none (message not signed) header.d=none;
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:DB3PR06MB217;
x-microsoft-antispam-prvs: <DB3PR06MB2173FB5495BBBD2A2BC3173BF0C0@DB3PR06MB217.eurprd06.prod.outlook.com>
x-forefront-antispam-report: BMV:1; SFV:NSPM; SFS:(10019020)(6009001)(52164004)(377424004)(377454003)(24454002)(51704005)(13464003)(77156002)(33656002)(87936001)(50986999)(76176999)(62966003)(107886001)(74316001)(19580395003)(86362001)(19580405001)(54356999)(102836002)(92566002)(2656002)(76576001)(40100003)(2950100001)(2900100001)(106116001)(307094003)(66066001)(2501003)(46102003); DIR:OUT; SFP:1102; SCL:1; SRVR:DB3PR06MB217; H:DB3PR06MB219.eurprd06.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en;
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(5005006)(5002010); SRVR:DB3PR06MB217; BCL:0; PCL:0; RULEID:; SRVR:DB3PR06MB217;
x-forefront-prvs: 0523CF0711
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: cyberinvasion.net
X-MS-Exchange-CrossTenant-originalarrivaltime: 22 Mar 2015 20:56:56.9632 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: d16a191d-a1e2-474f-9523-9f4888345fa6
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB3PR06MB217
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/Dud_4zKjxGTlAn4iDy7j_9gClQ4>
X-Mailman-Approved-At: Tue, 24 Mar 2015 08:05:52 -0700
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 22 Mar 2015 20:57:19 -0000

Ill echo apologies for late comments I share some of the concerns namely:

> We do not sell, rent, or share any personally identifiable information supplied by visitors to the web site or subscribers to our community mailing list(s) with unaffiliated third parties

This language is quite ambiguous, is there a maintained list of current affiliated third parties that information may be shared with?

> Other email addresses, phone numbers, and contact information submitted by visitors in the course of inquiries and comments are used for purposes of taking action in relation to the nature of the inquiry or comment and will not be disclosed unless disclosure is required by law

Is there a retention period defined for this (Sensitive) information?
Has the IETF considered issuing a transparency report or using a warrant canary to inform participants of legal requests for information? (Not necessary but good practice)

I would also note that some areas of this policy may fall below the standards of EU Directive 95/46/EC, mainly not having an opt-out clause on transfer of information to (Affiliated) third parties. 

Overall its good but I would think that some work may still be needed.


-----Original Message-----
From: ietf [mailto:ietf-bounces@ietf.org] On Behalf Of S Moonesamy
Sent: Sunday, March 22, 2015 7:41 PM
To: ietf@ietf.org
Subject: Re: Proposed IETF Websites Privacy Policy; Community Input Requested

Hello,
At 08:52 03-02-2015, IETF Administrative Director wrote:
>The IAOC would like community input on a proposed IETF websites Privacy 
>Policy.
>
>We are required by California law (and good net citizenship) to have an 
>accurate privacy policy on our websites.  Counsel have reviewed this 
>statement for compliance with US and EU privacy regulations.

[snip]

>The IAOC will consider all comments received by 17 February 2015.

Apologies for the late response.

The proposed privacy policy for the IETF web site is four pages.  Most people probably won't read beyond "the Internet Engineering Task Force (IETF) is committed to protecting the privacy and security of the personal information of our participants and of visitors to our site".

What is the meaning of the following:

   "You also consent to our using the information to communicate with you further
    about your interaction with the site, programs, and services, hat IETF may offer
    to you, and your relationship with IETF."

   "If you provide personal data through this site, you acknowledge and agree that
    such personal data may be transferred from your current location to the offices
    and servers of the IETF and its affiliates, agents, and service providers located
    in the United States and in other countries."

In simple terms the person is agreeing to his/her personal data to be transferred anywhere in the world and to (unknown) affiliates of the IETF.

   "When you interact with the site, we strive to make your experience easy and
    meaningful. We may use cookies and other means to track user activity and
    collect site data."

The above text about cookies sounds like marketing.  I suggest explaining that the IETF uses cookies for purposes X, Y, etc and list some information about the cookies for the technically-inclined.

   "We offer specific opt-in and opt-out options so if you do not wish to receive
    such mailings, please inform the IETF by email, phone, or postal mail directed
    to the contact information provided at"

Doesn't the IETF use "opt-in" by default?

Regards,
S. Moonesamy

v2.23.0 | Report a Bug | By Email