IASA Experiments and responsibilities (was: Re: Some more background on the RFID experiment in Hiroshima)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Ole,

I'd like to encourage you and your IAOC/Trustee colleagues to
think about this in a slightly different light, consistent with
other concerns I've expressed recently.

Without taking any position about the idea itself, some
significant fraction of the community seems to believe that this
type of RFID experiment is a policy matter.  Another portion,
perhaps overlapping, believes that a version of the "eat our own
dogfood" principle says that we should set an example by
utilizing RFID only properly and with due consideration.  Some
of that group believes that "properly and with due
consideration" includes at least some technical security and
privacy issues, others (again possibly overlapping) believe that
the IETF should not be performing experiments with information
collection that can even potentially identify individuals unless
there are clear and public privacy policies in place.

I can find nothing in BCP 101 that encourages or authorizes the
IASA to go off and perform policy experiments on its own
initiative.  I haven't seen any signs of a proposal for a 3933
process experiment in this area.  Such a proposal, or an
IESG-initiated effort with a Last Call, presumably would have
involved an I-D and a reasonable possibility for the community
to determine whether the relevant ducks were lined up.

I also find nothing in the "guidelines [...]for regular
operational
decision making" (required by RFC 4071, Section 3.5, first
paragraph) that authorizes this sort of experiment.  Indeed,
despite that requirement, I'm not sure I can even find such
guidelines.  The only thing I can find is the "IAOC
Administrative Procedures" at
http://iaoc.ietf.org/documents/IAOC_Administrative_Procedures_7-17-08.pdf,
but they seem to be addressed to issues other than "regular
operational decision making" and, despite the date on the file,
the procedure document itself doesn't show an adoption date and
the Policy and Procedures page
(http://iaoc.ietf.org/policyandprocedures.html) seems to
indicate that they are just a draft.

In looking for that material, I did find the Communications
Policy, which appears to be a substitute for the Guidelines
called for by RFC 4071.   It makes interesting reading.  For
example:

	-- Section 5.3.4 calls for the IAOC to "adopt annual
	goals for the IASA and the IAD by December of each year
	for the succeeding year".  The Reports page of the web
	site (http://iaoc.ietf.org/reports.html) contains a line
	for such "Annual IASA Goals", but it isn't even a link,
	so apparently either there are no such goals or the IAOC
	doesn't believe that making them available to the
	community is a priority.
	
	-- Section 5.3.7 calls for an "Operations Report" to be
	submitted to the IAOC monthly and posted on the web
	site.  There is no evidence of integrated Operations
	Reports on the web site.  Not a single one.  There are,
	however, separate Financial Statements (three so far for
	2009 -- but those are covered separately in Section 5.2
	of the Communications Plan and are hence irrelevant to
	the Section 5.3.7 requirement) and Monthly Reports from
	the IANA (not the IAD).
	
	-- Section 5.3.8 says "The IAOC shall publish an IAOC,
	financial, and vendor performance report online one week
	before the IETF Meeting".  I don't recall seeing that
	report on a regular basis, only oral presentations at
	the IETF plenaries.   The "Plenary Reports" page
	(http://iaoc.ietf.org/plenary_reports.html) shows only
	IANA and RFC Editor reports associated with IETF
	meetings in the last several years.  Indeed, the last
	"IETF Ops Report" shown there is from IETF 68 (Prague in
	2007, before this Communications Policy was adopted)
	
	-- Section 5.3.10 calls for contracts or contract
	summaries to be posted on the web site within 14 days of
	execution.   I note, as an example, that AMS has been
	providing Secretariat Services for over 20 months now,
	but that the only Secretariat Services Contract posted
	is the December 2005 agreement with Neustar.  I don't
	suppose that I need to point out to the IAOC that 20
	months (and a contract date presumably somewhat earlier
	than that) is longer than 14 days.   I also note that
	not a single hotel contract, or summary thereof, has
	ever been posted.
	
	-- Section 6 calls for annual reviews of the
	Communications Policy, with community review and input
	"during the annual review cycle".  The Communications
	Policy was apparently adopted on July 12, 2007.  That
	suggests to me that there should have been two such
	reviews.  I'm not aware of either having occurred.  If
	the IAOC has concluded that the Communications Policy
	isn't practical, why hasn't the required review been
	initiated and the Policy been revised (with community
	review and input), rather than simply ignored in major
	respects?

I don't recall the community asking the IAOC or Secretariat to
initiate this RFID effort either.   I haven't gotten the
impression that the IAOC has so much spare time on its
collective hands that it should be making work for itself or the
community.  Certainly the list above strongly suggests that the
IAOC and IASA don't have sufficient time to even comply with the
policies that they adopted (or to effectively require that the
IAD comply with those tasks specifically assigned to him... many
of them by BCP 101 itself).

I do see a provision in BCP 101 (middle of Section 3.1) that
says:

	"The IAD shall ensure that personal data collected for
	legitimate purposes of the IASA are protected
	appropriately; at minimum, such data must be protected
	to a degree consistent with relevant legislation and
	applicable privacy policies."

Several people in the community with some experience on these
issues seem to believe that adequate protective procedures do
not appear to be in place, but we haven't heard from the IAD
about what measures are being taken.

So...

(1) To what extent does the IAOC believe it is reasonable to
adopt new and discretionary initiatives that require IAD and
IAOC supervision when the IAD and IAOC appear to be sufficient
overloaded so as to be unable to comply with a large number of
the IAOCs own procedures and requirements, both those explicitly
called for in BCP 101 and those which it adopted in December
2007.

(2) Is the IAOC supervising the IAD to be sure that adequate
protective procedures are in place for personally-identifiable
data as per the provisions above?

(3) Given that such procedures do not appear to be covered by
contractual provisions that justify secrecy, when does the
community get to review those procedures?

(4) For an experiment that was initiated by the IASA, without
the instruction, advice, or consent of the community, does the
IAOC have a procedure for determining how much "the ducks are
not lined up" or other negative feedback from the community is
sufficient to call the idea off?  Or is the IAOC's model such
that, having initiated this idea, no amount of feedback will
produce any change in behavior... i.e., that the experiment will
go forward and any evaluation will be performed after the fact?

The last question is particularly important because, if that is
the plan, everyone participating in the discussion on this
thread is wasting their time and yours.


I have not posted this inquiry as a Request for Review as
described in Section 3.5 of RFC 4071 for two reasons:

	(i) I do not consider the RFID experiment to be the main
	issue here, only the decision process that leads us into
	such experiments and the way of handling community
	review and comments.   If someone in the community who
	does consider the RFID experiment to be a main issue
	wants to use some of the text above to construct such a
	request for review, he or she should feel free but
	should note that RFC 4071 "normally" gives the IAOC 90
	days to respond.  By my rough count, 90 days would put
	us somewhere in December so that, if the IAOC decided to
	do so, it could simply ignore the Request for Review,
	carry out the experiment, and then indicate either that
	the Request for Review had become irrelevant or announce
	that it would adopt and follow new procedures sometime
	in the future.
	
	(ii) BCP 101 provides for Requests for Review of
	"decisions or action" of the IAD or the IAOC, not for
	massive non-feasance as outlined above.   One could
	potentially construct a Request for Review based on
	"...questions whether the IASA has created and
	maintained appropriate guidelines" but I don't have
	quite enough spare time on my hands right now to
	initiate that effort.  Again, if someone else is so
	inclined, feel free to borrow text as needed.

regards,
  john



_______________________________________________

Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf

[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]