Re: What does a privacy policy mean ?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



I think privacy policies originally emerged as a means to inform people about how their data is collected, used, shared, and stored. The perception that the collection of information about people in secret is a privacy threat has motivated increased disclosure about what happens to data about people.

Over time, I think many privacy policies have strayed away from this original goal and have come to instead to act as disclaimers of legal liability or internal compliance guidelines, or both. I think the average corporate privacy policy these days probably does a good job of giving corporations legal cover and a decent job of instructing their employees about what they may or may not do with data, but is not easy for laypeople to understand ([1] provides some more information from the US context).

I think the IETF can do better.

AFAIK, right now the IETF has neither a public-facing statement that informs people about what happens to their data nor a disclaimer of legal liability nor an internal compliance document. There is the Trust records management policy, which in theory serves all three purposes (although I would argue that it isn't really accessible enough to laypeople to serve the first function). But limiting data retention is only one aspect of privacy protection, as the strawman policy demonstrates.

I think the IETF could (and should) have a public-facing policy that is understandable and a (likely separate) internal compliance document that explains to those who handle data collected in conjunction with IETF activities about what they may or may not do with it. The strawman policy attempts to achieve the former. I don't have a strong opinion about whether the IETF needs a disclaimer of legal liability. Notably, the IETF has survived this long without one.

Beyond legal remedies for non-performance, however, having a clear privacy policy would allow a strong community remedy for non- performance. If the IETF states its privacy policy clearly, and then violates that policy, there could well be strong discussion and disapproval on this mailing list and at plenary sessions during IETF meetings. The community has a pretty good ability to force the powers- that-be to explain their actions and develop new policies to correct mistakes, should they arise. So wholly apart from legal remedies, I think there is strong value in having a clearly stated privacy policy.

Alissa

[1] http://lorrie.cranor.org/pubs/readingPolicyCost-authorDraft.pdf

On Jul 7, 2010, at 4:51 AM, John Levine wrote:

I think we all agree that having a privacy policy would be desirable,
in the sense that we are in favor of good, and opposed to evil.  But I
don't know what it means to implement a privacy policy, and I don't
think anyone else does either.

A privacy policy is basically a set of assertions about what the IETF
will do with your personal information.  To invent a strawman, let's
say that the privacy policy says that registration information will be
kept in confidence, and some newly hired clerk who's a little unclear
on the concept gives a list of registrants' e-mail addresses to a
conference sponsor so they can e-mail everyone an offer for a free
IETF tee shirt.

Then what happens?  Is a privacy policy a contract, and if it is, what
remedies do IETF participants have for non-performance?  And if it's
not, and there aren't remedies, what's the point?

R's,
John
_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf


--
----------------------------------------------------
Alissa Cooper
Chief Computer Scientist
Center for Democracy and Technology
+44 (0)785 916 0031
Skype: alissacooper













_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf


[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]