John, I can back most of your statement and the things you do but that below is just absolutely absurd. The RFID badge thing originated in the >HOST< not in IASA. It is entirely within normal facilities arrangement and negotiation to use pre-existing badge arrangements, particularly where there is an easy opt out. An IETF meeting is not some computer cracker meeting trying to provide anonymity. However interesting the general case of various ID and information privacy arrangements may be, RFID or bar code or photo ID or color coded deely-bopper or whatever badges are perfectly reasonable as facilities provided by the HOST on a one time basis when it is easy to opt out.

I request that you apologize to the long suffering volunteers that make the IETF meeting facilities work for your unwarranted abuse.

Donald
=============================
Donald E. Eastlake 3rd
+1-508-634-2066 (home)
155 Beaver Street
Milford, MA 01757 USA
d3e3e3@xxxxxxxxx

On Mon, Sep 14, 2009 at 12:31 AM, John C Klensin <john-ietf@xxxxxxx> wrote:
> Ole,
>
> I'd like to encourage you and your IAOC/Trustee colleagues to think about this in a slightly different light, consistent with other concerns I've expressed recently.
>
> Without taking any position about the idea itself, some significant fraction of the community seems to believe that this type of RFID experiment is a policy matter. Another portion, perhaps overlapping, believes that a version of the "eat our own dogfood" principle says that we should set an example by utilizing RFID only properly and with due consideration. Some of that group believes that "properly and with due consideration" includes at least some technical security and privacy issues, others (again possibly overlapping) believe that the IETF should not be performing experiments with information collection that can even potentially identify individuals unless there are clear and public privacy policies in place.
>
> I can find nothing in BCP 101 that encourages or authorizes the IASA to go off and perform policy experiments on its own initiative. I haven't seen any signs of a proposal for a 3933 process experiment in this area. Such a proposal, or an IESG-initiated effort with a Last Call, presumably would have involved an I-D and a reasonable possibility for the community to determine whether the relevant ducks were lined up.
>
> I also find nothing in the "guidelines [...] for regular operational decision making" (required by RFC 4071, Section 3.5, first paragraph) that authorizes this sort of experiment. Indeed, despite that requirement, I'm not sure I can even find such guidelines. The only thing I can find is the "IAOC Administrative Procedures" at http://iaoc.ietf.org/documents/IAOC_Administrative_Procedures_7-17-08.pdf, but they seem to be addressed to issues other than "regular operational decision making" and, despite the date on the file, the procedure document itself doesn't show an adoption date and the Policy and Procedures page (http://iaoc.ietf.org/policyandprocedures.html) seems to indicate that they are just a draft.
>
> In looking for that material, I did find the Communications Policy, which appears to be a substitute for the Guidelines called for by RFC 4071. It makes interesting reading. For example:
>
>   -- Section 5.3.4 calls for the IAOC to "adopt annual goals for the IASA and the IAD by December of each year for the succeeding year". The Reports page of the web site (http://iaoc.ietf.org/reports.html) contains a line for such "Annual IASA Goals", but it isn't even a link, so apparently either there are no such goals or the IAOC doesn't believe that making them available to the community is a priority.
>
>   -- Section 5.3.7 calls for an "Operations Report" to be submitted to the IAOC monthly and posted on the web site. There is no evidence of integrated Operations Reports on the web site. Not a single one. There are, however, separate Financial Statements (three so far for 2009 -- but those are covered separately in Section 5.2 of the Communications Plan and are hence irrelevant to the Section 5.3.7 requirement) and Monthly Reports from the IANA (not the IAD).
>
>   -- Section 5.3.8 says "The IAOC shall publish an IAOC, financial, and vendor performance report online one week before the IETF Meeting". I don't recall seeing that report on a regular basis, only oral presentations at the IETF plenaries. The "Plenary Reports" page (http://iaoc.ietf.org/plenary_reports.html) shows only IANA and RFC Editor reports associated with IETF meetings in the last several years. Indeed, the last "IETF Ops Report" shown there is from IETF 68 (Prague in 2007, before this Communications Policy was adopted).
>
>   -- Section 5.3.10 calls for contracts or contract summaries to be posted on the web site within 14 days of execution. I note, as an example, that AMS has been providing Secretariat Services for over 20 months now, but that the only Secretariat Services Contract posted is the December 2005 agreement with Neustar. I don't suppose that I need to point out to the IAOC that 20 months (and a contract date presumably somewhat earlier than that) is longer than 14 days. I also note that not a single hotel contract, or summary thereof, has ever been posted.
>
>   -- Section 6 calls for annual reviews of the Communications Policy, with community review and input "during the annual review cycle". The Communications Policy was apparently adopted on July 12, 2007. That suggests to me that there should have been two such reviews. I'm not aware of either having occurred. If the IAOC has concluded that the Communications Policy isn't practical, why hasn't the required review been initiated and the Policy been revised (with community review and input), rather than simply ignored in major respects?
>
> I don't recall the community asking the IAOC or Secretariat to initiate this RFID effort either. I haven't gotten the impression that the IAOC has so much spare time on its collective hands that it should be making work for itself or the community. Certainly the list above strongly suggests that the IAOC and IASA don't have sufficient time to even comply with the policies that they adopted (or to effectively require that the IAD comply with those tasks specifically assigned to him... many of them by BCP 101 itself).
>
> I do see a provision in BCP 101 (middle of Section 3.1) that says:
>
>   "The IAD shall ensure that personal data collected for legitimate purposes of the IASA are protected appropriately; at minimum, such data must be protected to a degree consistent with relevant legislation and applicable privacy policies."
>
> Several people in the community with some experience on these issues seem to believe that adequate protective procedures do not appear to be in place, but we haven't heard from the IAD about what measures are being taken.
>
> So...
>
> (1) To what extent does the IAOC believe it is reasonable to adopt new and discretionary initiatives that require IAD and IAOC supervision when the IAD and IAOC appear to be sufficiently overloaded so as to be unable to comply with a large number of the IAOC's own procedures and requirements, both those explicitly called for in BCP 101 and those which it adopted in December 2007?
>
> (2) Is the IAOC supervising the IAD to be sure that adequate protective procedures are in place for personally-identifiable data as per the provisions above?
>
> (3) Given that such procedures do not appear to be covered by contractual provisions that justify secrecy, when does the community get to review those procedures?
>
> (4) For an experiment that was initiated by the IASA, without the instruction, advice, or consent of the community, does the IAOC have a procedure for determining how much "the ducks are not lined up" or other negative feedback from the community is sufficient to call the idea off? Or is the IAOC's model such that, having initiated this idea, no amount of feedback will produce any change in behavior... i.e., that the experiment will go forward and any evaluation will be performed after the fact?
>
> The last question is particularly important because, if that is the plan, everyone participating in the discussion on this thread is wasting their time and yours.
>
>
> I have not posted this inquiry as a Request for Review as described in Section 3.5 of RFC 4071 for two reasons:
>
>   (i) I do not consider the RFID experiment to be the main issue here, only the decision process that leads us into such experiments and the way of handling community review and comments. If someone in the community who does consider the RFID experiment to be a main issue wants to use some of the text above to construct such a request for review, he or she should feel free but should note that RFC 4071 "normally" gives the IAOC 90 days to respond. By my rough count, 90 days would put us somewhere in December so that, if the IAOC decided to do so, it could simply ignore the Request for Review, carry out the experiment, and then indicate either that the Request for Review had become irrelevant or announce that it would adopt and follow new procedures sometime in the future.
>
>   (ii) BCP 101 provides for Requests for Review of "decisions or action" of the IAD or the IAOC, not for massive non-feasance as outlined above.
> One could potentially construct a Request for Review based on "...questions whether the IASA has created and maintained appropriate guidelines" but I don't have quite enough spare time on my hands right now to initiate that effort. Again, if someone else is so inclined, feel free to borrow text as needed.
>
> regards,
>    john
>
>
>
> _______________________________________________
> Ietf mailing list
> Ietf@xxxxxxxx
> https://www.ietf.org/mailman/listinfo/ietf