Re: Proposed IETF Privacy Policy for Review

Stephen Farrell <stephen.farrell@cs.tcd.ie> Thu, 17 March 2016 10:36 UTC

To: "Scott O. Bradner" <sob@sobco.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/mu-e_0oI54uWr_ITBRY3yq0bCTQ>
Cc: ietf@ietf.org

Hi Scott,

I agree with the other comments made and echo folks' thanks
for putting this out to review and for being willing to
iterate on it.

In addition:

- Was the concept of a warrant canary [1] or transparency
report [2] considered? Those are good things (tm) and it'd
be good for the IETF to be part of the leading edge on such
things I think. So I'd recommend that we do some such thing
in addition to this.

   [1] https://en.wikipedia.org/wiki/Warrant_canary
   [2] https://en.wikipedia.org/wiki/Transparency_report

- "disclosure of your Personal Data to third parties" I want
to strongly re-iterate that selling (or so-called "monetizing")
IETF participant data is something that should be anathema to
us (and the partners we choose) and I'd hope that the strongest
possible wording is used to say we won't be doing that. If any
current or future partner would have an issue with that, then I
think that needs to be disclosed to all IETF participants, so
it'd be good if this policy said that a public announcement is
required if any partner or service provider is (ab)using our
data in any such manner.

I'd also suggest that whoever is working on the next iteration
of this in response to comments would be wise to pass the text
by some of the folks who've commented in this thread. I think
there are likely some wording nits that might be better fixed
in that way before the next revision is sent to ietf-announce.

Cheers,
S.