I think privacy policies originally emerged as a means to inform
people about how their data is collected, used, shared, and stored.
The perception that the collection of information about people in
secret is a privacy threat has motivated increased disclosure about
what happens to data about people.
Over time, I think many privacy policies have strayed away from this
original goal and have come instead to act as disclaimers of legal
liability or internal compliance guidelines, or both. I think the
average corporate privacy policy these days probably does a good job
of giving corporations legal cover and a decent job of instructing
their employees about what they may or may not do with data, but is
not easy for laypeople to understand ([1] provides some more
information from the US context).
I think the IETF can do better.
AFAIK, right now the IETF has neither a public-facing statement that
informs people about what happens to their data nor a disclaimer of
legal liability nor an internal compliance document. There is the
Trust records management policy, which in theory serves all three
purposes (although I would argue that it isn't really accessible
enough to laypeople to serve the first function). But limiting data
retention is only one aspect of privacy protection, as the strawman
policy demonstrates.
I think the IETF could (and should) have a public-facing policy that
is understandable and a (likely separate) internal compliance document
that explains to those who handle data collected in conjunction with
IETF activities what they may or may not do with it. The
strawman policy attempts to achieve the former. I don't have a strong
opinion about whether the IETF needs a disclaimer of legal liability.
Notably, the IETF has survived this long without one.
Beyond legal remedies for non-performance, however, having a clear
privacy policy would allow a strong community remedy for non-
performance. If the IETF states its privacy policy clearly, and then
violates that policy, there could well be strong discussion and
disapproval on this mailing list and at plenary sessions during IETF
meetings. The community has a pretty good ability to force the powers-
that-be to explain their actions and develop new policies to correct
mistakes, should they arise. So wholly apart from legal remedies, I
think there is strong value in having a clearly stated privacy policy.
Alissa
[1] http://lorrie.cranor.org/pubs/readingPolicyCost-authorDraft.pdf
On Jul 7, 2010, at 4:51 AM, John Levine wrote:
I think we all agree that having a privacy policy would be desirable,
in the sense that we are in favor of good, and opposed to evil. But I
don't know what it means to implement a privacy policy, and I don't
think anyone else does either.
A privacy policy is basically a set of assertions about what the IETF
will do with your personal information. To invent a strawman, let's
say that the privacy policy says that registration information will be
kept in confidence, and some newly hired clerk who's a little unclear
on the concept gives a list of registrants' e-mail addresses to a
conference sponsor so they can e-mail everyone an offer for a free
IETF tee shirt.
Then what happens? Is a privacy policy a contract, and if it is, what
remedies do IETF participants have for non-performance? And if it's
not, and there aren't remedies, what's the point?
R's,
John
_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
--
----------------------------------------------------
Alissa Cooper
Chief Computer Scientist
Center for Democracy and Technology
+44 (0)785 916 0031
Skype: alissacooper