Re: IETF privacy policy - update

todd glassey <tglassey@earthlink.net> Tue, 06 July 2010 15:50 UTC


On 7/6/2010 6:38 AM, Karen O'Donoghue wrote:
> +1 on the IETF having a privacy policy.
>
> I am undecided on the best mechanisms to develop, document, and
> maintain that policy.

I am not...  We need to create the Privacy Working Group and it will
produce a non-RFC based work product which is the Participation Privacy
Compliance Contract with the IETF's participants. There are certain
legal issues which the Founders never considered in their design of the
IETF which mandate a permanent type document status which is not part of
the Standards or Intellectual Property publication list unless it is a
specific template for other entities to use, and that would be out of
scope for the IETF.

What this means is we need a new class of legal framework document which
is not an RFC and all of the legal controls which have been
mis-implemented as "votable consensus" agreements are properly reduced
to policy and boilerplate so that anyone can easily figure out what
participation means.

That said, why is simply that since a privacy policy is something that
needs formal legal vetting and also something that a vote of the
officers of the Operating Board should weigh in on meaning that ISOC and
not the IETF's IAOC needs to formally ratify this since it is part of
the formal Charter Package of the IETF.

The privacy policy should be put together by a Working Group (let's call
it the PWG) as a non-RFC type operating document. It is not a BCP
either, it is a statement of the legal controls pertaining to the
privacy of the parties participating in the IETF standards process.

Further in regard to the review of that document, since it is the ISOC
(and possibly the Trust) who is/are directly liable for damages therein
at this time, it is they who must embrace and assert those privacy
controls as operating policy. So they should have representation in this
special Privacy Working Group. And finally since the privacy controls
cannot set aside those laws in the EU and other places embracing strict
privacy controls since "it" (the IETF) must be compliant to all of those.

Think of it this way - Imagine having for parties in places in the EU
implement the Nevada State PCI DSS standards for information security
based on those privacy controls for someone collaborating on a
submission from both Nevada and another party in say Finland or Denmark
for instance.

Also realize that a one-size fits all type model will not work because
some people cannot contractually sign their right to privacy away and
for them a policy of "assignment obfuscating privacy" probably also
doesn't work.

By the way - since the assignment of intellectual property rights has
provable cash money value, this is a real issue and it needs to be dealt
with both professionally and in a manner which makes the IETF more
transparent and less of a place where the politics of the day drive the
contract-controls on participation or use of the IETF intellectual
properties.

Todd Glassey
>
> Karen
>
> On 7/5/10 12:05 PM, Alissa Cooper wrote:
>> A few months ago I drew up a strawman proposal for a public-facing
>> IETF privacy policy
>> (http://www.ietf.org/id/draft-cooper-privacy-policy-00.txt). I've
>> submitted an update based on feedback received:
>> http://www.ietf.org/id/draft-cooper-privacy-policy-01.txt
>>
>> In discussing the policy with the IAOC and others, it seems clear
>> that the RFC model is probably not the best model for maintaining and
>> updating a document like this. It is more likely to fall within the
>> scope of the IAOC and/or the Trust. In order for the IAOC to consider
>> taking this on and devoting resources to figuring out what its format
>> should be, they need to hear from the community that a public-facing
>> privacy policy is something that the community wants. So I have two
>> requests for those with any interest in this:
>>
>> 1) Respond on this list if you support the idea of the IETF having a
>> privacy policy (a simple "+1" will do).
>>
>> 2) If you have comments and suggestions about the policy itself, send
>> them to this list.
>>
>>
>> Thanks,
>> Alissa
>>
>> _______________________________________________
>> Ietf mailing list
>> Ietf@ietf.org
>> https://www.ietf.org/mailman/listinfo/ietf