IETF Logo Mail Archive

Re: Comments on <draft-cooper-privacy-policy-01.txt>

Martin Rex <mrex@sap.com> Mon, 12 July 2010 20:37 UTC

Return-Path: <mrex@sap.com>
X-Original-To: ietf@core3.amsl.com
Delivered-To: ietf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3AFD93A6863 for <ietf@core3.amsl.com>; Mon, 12 Jul 2010 13:37:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.918
X-Spam-Level:
X-Spam-Status: No, score=-7.918 tagged_above=-999 required=5 tests=[AWL=-0.269, BAYES_50=0.001, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SIAkZa6Y-cfH for <ietf@core3.amsl.com>; Mon, 12 Jul 2010 13:37:27 -0700 (PDT)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.170]) by core3.amsl.com (Postfix) with ESMTP id A533C3A6BEF for <ietf@ietf.org>; Mon, 12 Jul 2010 13:37:26 -0700 (PDT)
Received: from mail.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id o6CKbOFV022141 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Mon, 12 Jul 2010 22:37:24 +0200 (MEST)
From: Martin Rex <mrex@sap.com>
Message-Id: <201007122037.o6CKbOcU019940@fs4113.wdf.sap.corp>
Subject: Re: Comments on <draft-cooper-privacy-policy-01.txt>
To: dcrocker@bbiw.net
Date: Mon, 12 Jul 2010 22:37:24 +0200
In-Reply-To: <4C3A0C74.4080504@dcrocker.net> from "Dave CROCKER" at Jul 11, 10 11:24:52 am
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal06
X-SAP: out
Cc: Hannes.Tschofenig@gmx.net, ietf@ietf.org
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Jul 2010 20:37:28 -0000

Dave CROCKER wrote:
> 
> On 7/9/2010 4:32 AM, Hannes Tschofenig wrote:
> > The Fair Information Practices are a set of principles most of us are quite
> > likely to believe in, such as (copied from the Alissa's draft):
> 
> Likely, yes.  But do any of us know how to translate those principles into
> particular behaviors?  Is it likely that any two of us will make the same
> translation?  What about enough of us to constitute rough consensus?

Exactly.

As I previously mentioned, "acceptable" means different things to
different people.

Some people seem to hope that creation of a "privacy policy" is going
to improve things.  Personally, I don't think so.  Likely it will get
worse, and it may get *much* worse.  While a privacy policy may look
nice, it adds A LOT of wiggle room for lawyers.  Most companies
privacy policies are created for the "cover your ass" (CYA) purpose
by lawyers.


Going back to the Google example (because they made news several times here):

Excerpts from what they've posted:

http://www.google.com/intl/en/privacy.html

  We have 5 privacy principles that describe how we approach privacy
  and user information across all of our products:

   1. Use information to provide our users with valuable products and services.
   2. Develop products that reflect strong privacy standards and practices.
   3. Make the collection of personal information transparent.
   4. Give users meaningful choices to protect their privacy.
   5. Be a responsible steward of the information we hold. 

http://www.google.com/intl/en/privacypolicy.html

  At Google we recognize that privacy is important. This Privacy Policy
  applies to all of the products, services and websites offered by
  Google Inc. or its subsidiaries or affiliated companies except
  DoubleClick (DoubleClick Privacy Policy) and Postini (Postini Privacy
  Policy); collectively, Googles services.


But the reality actually looks like this:

  http://www.spiegel.de/international/zeitgeist/0,1518,626075,00.html
  http://www.spiegel.de/international/germany/0,1518,631149,00.html
  http://www.spiegel.de/international/business/0,1518,695718,00.html
  http://www.spiegel.de/international/germany/0,1518,645581,00.html

i.e. the government must step in to stop them from committing
large scale illegal privacy violations, because their own focus is
much more on their business model than on respect for the privacy of
the people about which they collect data.


I would be OK with consenting to very specific and explicit
PII usage scenarios within the IETF.  But many "privacy policies"
I've come across are simple inacceptable to _me_.  Probably every
"social networking site" out there, or businesses with ridiculous
policies, such as e.g. PayPal.


-Martin

v2.23.0 | Report a Bug | By Email