Re: Proposed IETF Privacy Policy for Review

[Alissa Cooper <alissa@cooperw.in>]

Thanks for putting this together. Having attempted this once before [1], I’m glad to see it getting picked up again. I have a few comments to offer.

1) Non-public information
In addition to Adrian’s point about registration data, people provide details in order to obtain letters of invitation, which includes passport number, date of birth, etc. It’s important for people to know these details will not become public.

If we have data retention policies about the various types of non-public information, those should be stated.

2) Third-party sharing
I agree with Jordi that we need to say something about third-party data sharing and why we do or do not do it. It sounds like we do use a third-party payment processor, so it would not be accurate to say that we do not share any personal data with third parties. In any event I think a dedicated short section about sharing of personal data would be a good addition.

3) Tracking technologies
The policy talks about cookies and DNT (agree with Adam wrt to the DNT language), but many organizations these days are providing more detail about tracking technologies that they do and do not use, including flash cookies, local storage and other browser storage, pixels/beacons. I would suggest that we provide details about these (may be as simple as saying that we do not use them, or that we do and why).

4) Links to third party sites
Many privacy policies give a little information about the implications of clicking on links to third-party sites. I think that would be warranted here. E.g., if people join an IESG telechat using the webex link at http://ietf.org/iesg/ <http://ietf.org/iesg/> then data about them will be collected by Cisco, and not just the audio of the meeting but other data governed by the WebEx privacy statement. I’m assuming this is the same for MeetEcho and other services one might arrive at by navigating from a site hosted at ietf.org. One or two sentences about using third-party tools from the IETF site or in the context of an IETF meeting would be warranted.

5) Other organizations
In addition to Lars’ point about the IRTF, I was wondering about the RFC Editor and rfc-editor.org.

6) Jabber
I think it would be useful to be explicit about whether chats hosted on jabber.ietf.org are covered by this policy.

7) Law enforcement requests
Some organizations are in a position to make stronger statements about how they deal with law enforcement requests than what is included here. I would suggest taking a look at Section 4 of the I-D linked below to see if we’re able to say anything about appropriateness of legal standards or notice to individuals.

Thanks,
Alissa

[1] https://tools.ietf.org/html/draft-cooper-privacy-policy-01 <https://tools.ietf.org/html/draft-cooper-privacy-policy-01>



> On Mar 16, 2016, at 10:02 AM, IETF Administrative Director <iad@ietf.org> wrote:
> 
> The IAOC would like community input on a proposed IETF Privacy Policy.
> 
> We are required by California law (and good net citizenship) to have
> an accurate privacy policy on our websites.  Counsel have reviewed
> this statement for compliance with US and EU privacy regulations.  
> 
> The policy discusses the following:
>  1.  General – Most Personal Data Submitted to IETF Will Become Public
>  2.  You Consent to International Transmission of Your Data
>  3.  Exceptions – Information That We Do Not Release to the Public
>  4.  Security
>  5.  Children
>  6.  Inquiries
>  7.  Compliance
>  8.  Other Organizations
>  9.  Consent
> 
> The proposed Privacy Policy is located here:
> http://iaoc.ietf.org/documents/IETF-General-Privacy-Statement-2016-02-24-02.htm
> 
> The IAOC will consider all comments received by 31 March 2016.
> 
> Ray Pelletier
> IETF Administrative Director
>