RE: Proposed IETF Privacy Policy for Review

"Adrian Farrel" <adrian@olddog.co.uk> Wed, 16 March 2016 18:02 UTC

From: "Adrian Farrel" <adrian@olddog.co.uk>
To: <ietf@ietf.org>, <iaoc@ietf.org>, "'IETF Announcement List'" <ietf-announce@ietf.org>
References: <20160316170239.30920.41218.idtracker@ietfa.amsl.com>
In-Reply-To: <20160316170239.30920.41218.idtracker@ietfa.amsl.com>
Subject: RE: Proposed IETF Privacy Policy for Review
Date: Wed, 16 Mar 2016 18:02:30 -0000
Message-ID: <036101d17fae$03350b20$099f2160$@olddog.co.uk>
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/bZ-1IvGDHyroRciQzf7WKV4JodM>

Ray,

While you talk about non-public mailing lists and give some examples, I think you need to consider other interactions:
- Direct mails to non-list IETF addresses
   - If I email nomcom-chair@ietf.org or chair@ietf.org etc. is my email private?
     Is that data retained within the IETF? If so, how is it held?
- RFC 7776 requires some retention of data in a confidential way (although
   the ombudsteam still needs to document the details)
- There is the usual stuff about contracts and commercial sensitivity. While that
   might not fit in "things you submit to the IETF" it is surely part of the data 
   retention and confidentiality information
- Registration requires or requests us to submit a number of things that are not
   part of the payment system and are (presumably) held on IETF servers. This
   includes addresses and phone numbers (that may be personal contact
   details), dietary preference (that may be an indication of religion), and
   information that may be an indication of gender or other personal characteristics
   (T-shirt size/type, gender). Your draft text appears to say that this is public
   information: I do not think it should be.

Thanks,
Adrian

> -----Original Message-----
> From: IETF-Announce [mailto:ietf-announce-bounces@ietf.org] On Behalf Of
> IETF Administrative Director
> Sent: 16 March 2016 17:03
> To: IETF Announcement List
> Subject: Proposed IETF Privacy Policy for Review
> 
> The IAOC would like community input on a proposed IETF Privacy Policy.
> 
> We are required by California law (and good net citizenship) to have
> an accurate privacy policy on our websites.  Counsel have reviewed
> this statement for compliance with US and EU privacy regulations.
> 
> The policy discusses the following:
>   1.  General – Most Personal Data Submitted to IETF Will Become Public
>   2.  You Consent to International Transmission of Your Data
>   3.  Exceptions – Information That We Do Not Release to the Public
>   4.  Security
>   5.  Children
>   6.  Inquiries
>   7.  Compliance
>   8.  Other Organizations
>   9.  Consent
> 
> The proposed Privacy Policy is located here:
> http://iaoc.ietf.org/documents/IETF-General-Privacy-Statement-2016-02-24-02.htm
> 
> The IAOC will consider all comments received by 31 March 2016.
> 
> Ray Pelletier
> IETF Administrative Director