Hi Stephan,
On Jul 6, 2010, at 3:53 PM, Stephan Wenger wrote:
Hi,
I think this is an excellent straw man for an IETF privacy policy.
I have,
however, two issues with its adoption that makes me question the
wisdom of
an unqualified "+1".
Thanks.
First, I'm not quite sure whether the IETf should adopt such a
document
without providing clear guidelines to its I* people, the
secretariat, or WG
chairs. In the absence of such guidelines, those people could be
seen as
responsible of upholding the policy without knowing the practical
"how to",
which may create a certain personal liability on their side, to
which they
may not have signed up to. I believe that the pool of people on the
hook
for this implementation is too big, to unstructured, and perhaps not
sufficiently trained (especially when it comes to the fine details)
of the
implementation of the policy. In other words, my fear is that we may
promise something to the outside world of which the people
responsible are
not certain how exactly it needs to be delivered--which puts them
into an
unenviable position.
Point taken. The document currently lacks clarity about who is
actually doing the data handling. I think the process of sorting that
out will be highly instructive. Getting a general understanding of who
is responsible for what will be the first step towards being able to
give those people guidance about data handling.
Second, I fear that the draft policy (-01 draft) provides
occasionally the
impression of a certain safety of private data, where no such safety
exists.
For example, equipment that stores log files is moved frequently
into areas
where US law does not apply. I would assume (without knowing for
certain)
that the machines dealing with on-site information do keep some
sensitive
information on their local hard drives--which are outside the US for
many of
our meetings.
The jurisdiction of stored data is definitely one point that needs to
be better documented, I agree.
And so on.
If you have specific ideas of other spots where the document over-
promises, a list would be appreciated. I can take further
clarifications back to the secretariat or whoever the responsible
party is.
Thanks,
Alissa
The second point may be easily addressable by adding sufficiently
broad
disclaimers to the policy, and/or by documenting the corner cases
mentioned
(I would not be surprised if there were many more of those). The
first
point would require a guidelines document for the mentioned
officials, and I
think that the development of such a document needs to go hand-in-
hand with
the development of the policy itself. Alternatively, the first
point could
be addressed by phrasing the policy as a statement of intent, rather
than a
"bill of rights". Of course, its value goes way down when doing so.
I personally couldn't care less how and where a privacy policy and its
accompanying guideline docs is being developed. However, I do have an
observation to make with respect to the form of the document. Even
single-national organizations (like my bank, or my insurers) do
change their
privacy policy quite often--several times per decade. They have to
in order
to comply with the development of the local law. I do not see that
the IETF
would not have to do the same, once we have a first policy in
place. And
that does not count the implications of, in practice, being an
international
organization doing business in places such as the US and China--just
to make
two examples with fundamentally different privacy law and practice--
and our
lack of experience and shortness of legal resources in creating
one. All
that would speak for an easily updateable format, and RFCs are not
known to
fall into that category. We will have a buggy document at the
beginning,
and we need ways to fix it, quickly.
Regards,
Stephan
On 7.5.2010 09:05 , "Alissa Cooper" <acooper@xxxxxxx> wrote:
A few months ago I drew up a strawman proposal for a public-facing
IETF privacy policy (http://www.ietf.org/id/draft-cooper-privacy-policy-00.txt
). I've submitted an update based on feedback received:
http://www.ietf.org/id/draft-cooper-privacy-policy-01.txt
In discussing the policy with the IAOC and others, it seems clear
that
the RFC model is probably not the best model for maintaining and
updating a document like this. It is more likely to fall within the
scope of the IAOC and/or the Trust. In order for the IAOC to consider
taking this on and devoting resources to figuring out what its format
should be, they need to hear from the community that a public-facing
privacy policy is something that the community wants. So I have two
requests for those with any interest in this:
1) Respond on this list if you support the idea of the IETF having a
privacy policy (a simple "+1" will do).
2) If you have comments and suggestions about the policy itself, send
them to this list.
Thanks,
Alissa
_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf