Hi Paul,

On Jul 7, 2010, at 8:59 PM, Paul Hoffman wrote:

> Do some people not come to IETF meetings because of the current null
> privacy policy?

Perhaps the better question is, do some people not sign the blue
sheets because of whatever they think the current privacy policy is?

The issue of what happens when the IETF receives a subpoena for blue
sheet information is what originally kicked off this entire effort.

Organizations have choices about how they respond to government and
civil-litigation-related demands for data. One policy option is to
respond to every single demand no matter who it is from or whether it
shows any signs of judicial oversight or legality. Another is to only
respond to lawful orders.

Most organizations that I know of at least state what their policies
are in this regard, so that people who become interested in which
kinds of requests their data may be subject to can find out. The IETF
seems to have some sort of latent policy on this, but it is not
written down.

Questions about this have already been raised (outside of the blue
sheet context) with respect to the upcoming admission control
procedures [1]. A number of different privacy questions were also
raised about the RFID experiment, and in both cases the IAOC has spent
substantial time on the list trying to explain to the community what
the latent policies are (and, in the RFID case, even updating and
publishing the policy). It's impossible to calculate how many cycles
have been "lost" to these discussions, but I think it's inaccurate to
say that if there was no time spent on documenting the privacy policy,
there would be no time spent on privacy issues at all. Writing the
policy down should help save cycles down the road.

Alissa

[1] https://www.ietf.org/ibin/c5i?mid=6&rid=49&gid=0&k1=933&k2=52199&tid=1278564156

> Do they say less than they would have if we had a typical non-null
> policy? If either of those two are answered yes, would those people
> contribute better knowing that the IETF had a policy but no real way
> to enforce it other than by apologizing when it failed to follow the
> policy?
>
> If having a privacy policy, even one where there was no real
> enforcement mechanism, was free, nearly everyone would want it.
> Given that getting such a policy is not free, and will cause cycles
> to be lost from other IETF work, is the tradeoff worth it? At this
> point, I would say "no", but mostly because I don't know of anyone
> who contributes less due to the current null policy.
>
> --Paul Hoffman, Director
> --VPN Consortium
> _______________________________________________
> Ietf mailing list
> Ietf@xxxxxxxx
> https://www.ietf.org/mailman/listinfo/ietf

--
----------------------------------------------------
Alissa Cooper
Chief Computer Scientist
Center for Democracy and Technology
+44 (0)785 916 0031
Skype: alissacooper