Hi,

I think this is an excellent straw man for an IETF privacy policy. I have, however, two issues with its adoption that make me question the wisdom of an unqualified "+1".

First, I'm not quite sure whether the IETF should adopt such a document without providing clear guidelines to its I* people, the secretariat, or WG chairs. In the absence of such guidelines, those people could be seen as responsible for upholding the policy without knowing the practical "how to", which may create a certain personal liability on their side, to which they may not have signed up. I believe that the pool of people on the hook for this implementation is too big, too unstructured, and perhaps not sufficiently trained (especially when it comes to the fine details) in the implementation of the policy. In other words, my fear is that we may promise something to the outside world of which the people responsible are not certain how exactly it needs to be delivered--which puts them into an unenviable position.

Second, I fear that the draft policy (-01 draft) occasionally provides the impression of a certain safety of private data, where no such safety exists. For example, equipment that stores log files is moved frequently into areas where US law does not apply. I would assume (without knowing for certain) that the machines dealing with on-site information do keep some sensitive information on their local hard drives--which are outside the US for many of our meetings. And so on.

The second point may be easily addressable by adding sufficiently broad disclaimers to the policy, and/or by documenting the corner cases mentioned (I would not be surprised if there were many more of those). The first point would require a guidelines document for the mentioned officials, and I think that the development of such a document needs to go hand-in-hand with the development of the policy itself.
Alternatively, the first point could be addressed by phrasing the policy as a statement of intent, rather than a "bill of rights". Of course, its value goes way down when doing so.

I personally couldn't care less how and where a privacy policy and its accompanying guideline docs are being developed. However, I do have an observation to make with respect to the form of the document. Even single-national organizations (like my bank, or my insurers) do change their privacy policy quite often--several times per decade. They have to in order to comply with the development of the local law. I do not see that the IETF would not have to do the same, once we have a first policy in place. And that does not count the implications of, in practice, being an international organization doing business in places such as the US and China--just to make two examples with fundamentally different privacy law and practice--and our lack of experience and shortness of legal resources in creating one. All that would speak for an easily updateable format, and RFCs are not known to fall into that category. We will have a buggy document at the beginning, and we need ways to fix it, quickly.

Regards,
Stephan

On 7.5.2010 09:05, "Alissa Cooper" <acooper@xxxxxxx> wrote:

> A few months ago I drew up a strawman proposal for a public-facing
> IETF privacy policy (http://www.ietf.org/id/draft-cooper-privacy-policy-00.txt).
> I've submitted an update based on feedback received:
> http://www.ietf.org/id/draft-cooper-privacy-policy-01.txt
>
> In discussing the policy with the IAOC and others, it seems clear that
> the RFC model is probably not the best model for maintaining and
> updating a document like this. It is more likely to fall within the
> scope of the IAOC and/or the Trust.
> In order for the IAOC to consider
> taking this on and devoting resources to figuring out what its format
> should be, they need to hear from the community that a public-facing
> privacy policy is something that the community wants. So I have two
> requests for those with any interest in this:
>
> 1) Respond on this list if you support the idea of the IETF having a
> privacy policy (a simple "+1" will do).
>
> 2) If you have comments and suggestions about the policy itself, send
> them to this list.
>
> Thanks,
> Alissa
>
> _______________________________________________
> Ietf mailing list
> Ietf@xxxxxxxx
> https://www.ietf.org/mailman/listinfo/ietf