Re: IETF privacy policy - update

Fred Baker <fred@cisco.com> Thu, 08 July 2010 19:07 UTC

Return-Path: <fred@cisco.com>
X-Original-To: ietf@core3.amsl.com
Delivered-To: ietf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 639DF3A6B36 for <ietf@core3.amsl.com>; Thu, 8 Jul 2010 12:07:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.599
X-Spam-Level:
X-Spam-Status: No, score=-110.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1cIzBIdG99cM for <ietf@core3.amsl.com>; Thu, 8 Jul 2010 12:07:10 -0700 (PDT)
Received: from sj-iport-1.cisco.com (sj-iport-1.cisco.com [171.71.176.70]) by core3.amsl.com (Postfix) with ESMTP id 497213A6B30 for <ietf@ietf.org>; Thu, 8 Jul 2010 12:07:10 -0700 (PDT)
Authentication-Results: sj-iport-1.cisco.com; dkim=neutral (message not signed) header.i=none
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AvsEALK+NUyrR7Hu/2dsb2JhbACgMHGnLZp1hSUEg3mESQ
X-IronPort-AV: E=Sophos;i="4.53,560,1272844800"; d="scan'208";a="342236869"
Received: from sj-core-5.cisco.com ([171.71.177.238]) by sj-iport-1.cisco.com with ESMTP; 08 Jul 2010 19:07:14 +0000
Received: from stealth-10-32-244-219.cisco.com (stealth-10-32-244-219.cisco.com [10.32.244.219]) by sj-core-5.cisco.com (8.13.8/8.14.3) with ESMTP id o68J77Xh011457 for <ietf@ietf.org>; Thu, 8 Jul 2010 19:07:09 GMT
Received: from [127.0.0.1] by stealth-10-32-244-219.cisco.com (PGP Universal service); Thu, 08 Jul 2010 12:07:14 -0700
X-PGP-Universal: processed; by stealth-10-32-244-219.cisco.com on Thu, 08 Jul 2010 12:07:14 -0700
Mime-Version: 1.0 (Apple Message framework v1081)
Subject: Re: IETF privacy policy - update
From: Fred Baker <fred@cisco.com>
In-Reply-To: <47B5BFAE-6B2D-42EC-AFE6-58C18FED2D55@cisco.com>
Date: Thu, 08 Jul 2010 12:07:01 -0700
Message-Id: <0162225F-8900-4803-B7D6-5ACF3848572D@cisco.com>
References: <7022DEA1-7FC0-4D77-88CE-FA3788720B43@cdt.org> <47B5BFAE-6B2D-42EC-AFE6-58C18FED2D55@cisco.com>
To: IETF-Discussion list <ietf@ietf.org>
X-Mailer: Apple Mail (2.1081)
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Jul 2010 19:07:11 -0000

+1 for a privacy policy. As to the question of this particular one, I'm going to profess some level of ignorance. I suggested starting from Google, Cisco, and/or ISOC's privacy policies and editing from there, and someone said I should pick a more appropriate starting point. What would be appropriate privacy policies to compare/contrast?

Personally, apart from references to ISOC-specific things, I thought ISOC's privacy policy was relatively simple and covered the major points. The draft is more detailed and more complete. The differences may be a matter of taste: look at http://www.isoc.org/help/privacy/ and ask yourself whether the provisions in "what do we collect" and "what do we do with it" are reflected in the draft, and I think you might agree that they are, with the draft being more explicit in different areas. But I think that the ISOC rules, when considered in an IETF light, are actually the same. We collect things that are standardly collected, but we don't share them, and we do use them to make our internal processes work better.

If there are others to compare/contrast, to see if we have missed a point or are stating for something not usually said, I'd be interested to know.

I would agree that this statement should be made by someone in I* leadership, either the IESG, IAOC, or perhaps IAB, and that it belongs on a web page as opposed to being in an RFC. 

I would suggest that a consensus be called for via a hum over VoIPv6. But the web page should be in flat ASCII with no graphics other than ASCII-art.


On Jul 7, 2010, at 11:00 PM, Cullen Jennings wrote:

> 
> On Jul 5, 2010, at 10:05 AM, Alissa Cooper wrote:
> 
>> A few months ago I drew up a strawman proposal for a public-facing IETF privacy policy (http://www.ietf.org/id/draft-cooper-privacy-policy-00.txt). I've submitted an update based on feedback received: http://www.ietf.org/id/draft-cooper-privacy-policy-01.txt
>> 
>> In discussing the policy with the IAOC and others, it seems clear that the RFC model is probably not the best model for maintaining and updating a document like this. It is more likely to fall within the scope of the IAOC and/or the Trust. In order for the IAOC to consider taking this on and devoting resources to figuring out what its format should be, they need to hear from the community that a public-facing privacy policy is something that the community wants. So I have two requests for those with any interest in this:
>> 
>> 1) Respond on this list if you support the idea of the IETF having a privacy policy (a simple "+1" will do).
> 
> +1 
> 
>> 
>> 2) If you have comments and suggestions about the policy itself, send them to this list.
> 
> I would be very happy if the IETF adopted the privacy policy proposed in your draft.
> 
> It seems to me the work of writing an acceptable policy is 90% done and the arguments that creating a privacy policy will detract from other work are pretty weak. It's a volunteer organization, people vote with their feet with what they want to work on. Just because Alissa spend time writing a policy document does not mean that time would be directed to other things if we did not want to do a privacy policy document. I don't think that having a privacy policy is going to bring a bunch of new contributors to the IETF, but I can imagine a case where the lack of a privacy policy caused some administrative group to do something really unfortunate which resulted in some good people leaving the IETF. 
> 
> A privacy policy is not something the IETF typically has a lot of people that are really experienced and qualified to draft. But we are very lucky here - we have multiple people that understand IETF culture and values, understand internet privacy policies and laws, and are willing to write a proposal. Unless this proposal is deeply flawed in some way I can't see, why wouldn't we just do it.
> 
> 
> _______________________________________________
> Ietf mailing list
> Ietf@ietf.org
> https://www.ietf.org/mailman/listinfo/ietf

http://www.ipinc.net/IPv4.GIF