Re: Proposed IETF Privacy Policy for Review

Adam Roach <> Wed, 16 March 2016 18:14 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 7C3C812DA4C; Wed, 16 Mar 2016 11:14:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id bLaHv3_ArGZJ; Wed, 16 Mar 2016 11:14:27 -0700 (PDT)
Received: from ( [IPv6:2001:470:d:1130::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id DAC7712DA5D; Wed, 16 Mar 2016 11:14:23 -0700 (PDT)
Received: from ( []) (authenticated bits=0) by (8.15.2/8.14.9) with ESMTPSA id u2GIEMIv023198 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Wed, 16 Mar 2016 13:14:23 -0500 (CDT) (envelope-from
X-Authentication-Warning: Host [] claimed to be
Subject: Re: Proposed IETF Privacy Policy for Review
References: <>
From: Adam Roach <>
Message-ID: <>
Date: Wed, 16 Mar 2016 13:14:17 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Thunderbird/38.6.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: multipart/alternative; boundary="------------080301050503080709090906"
Archived-At: <>
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF-Discussion <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 16 Mar 2016 18:14:29 -0000

On 3/16/16 12:02 PM, IETF Administrative Director wrote:
> The proposed Privacy Policy is located here:
> The IAOC will consider all comments received by 31 March 2016.

Thanks for soliciting input! I have two brief comments on the proposed 
privacy policy.

> IETF does not currently recognize browsers’ Do Not Track (DNT) 
> requests with respect to our web sites.

I believe (and sincerely hope) that this statement is based on a 
misunderstanding of the meaning of DNT.

If you look at the current specification, DNT is intended to prevent 
tracking user activity /across multiple organizations/. (From 
<>: "Tracking is the collection of 
data regarding a particular user's activity across multiple distinct 
contexts and the retention, use, or sharing of data derived from that 
activity outside the context in which it occurred. A context is a set of 
resources that are controlled by the same party or jointly controlled by 
a set of parties.").

This is the kind of tracking behavior that is typically engaged in by 
advertising networks and the websites that display their ads. (For 
example: might serve up advertising to both and Because of this 
arrangement, when you go to, it receives 
information, via, about your activity on

As far as I understand, this is not behavior the IETF does (or should) 
participate in.

I think it would be more accurate to revise this statement in the 
privacy policy to something more along the lines of: "The IETF does not 
engage in Tracking behavior, as that term is defined by the Do Not Track 
(DNT) specification. Consequently, IETF web sites do not alter their 
behavior according to the value of browsers' DNT requests."

> Some areas of the IETF web site and some IETF mailing lists require 
> you to create and enter a password.IETF will store these passwords and 
> does not make them available to the public.

I certainly hope that this means to say "IETF will store hashed versions 
of these passwords and does not make them available to the public."