Paul,
You appear to be concerned about exposing the IETF to risk by the
adoption of a privacy policy (but apologies if I am misunderstanding
the concern you expressed). The absence of a privacy policy, however,
actually increases risk to the IETF in at least three ways:
1. As a general matter, many organizations that interact with lots of
people (especially collecting financial information from them) use a
broad range of written policies to reduce risk, by plainly stating a
position on an issue so that employees have clear guidance about how
to act or respond in a given situation. Policies could be
particularly useful (for example) during a busy crush of new in-person
registrations for an IETF meeting, when there are lots of interactions
with personal data but senior management may not be immediately
available in-person to give guidance if an unusual situation arises.
Having written policies in that kind of situation reduces risk.
2. We have many examples of leading banks, stores, and others
mishandling credit card and other records, so unless the IETF has come
up with some secret security sauce to eliminate all possibility of a
human or technical screwup with personal info, there is clear risk
that the IETF could mishandle data and be at the wrong end of a
litigation. The IETF would likely face liability risk with or without
a privacy policy, but the fact that it could not even be bothered to
have such a policy would certainly be used by the plaintiffs to argue
for an increase in the damages that the IETF might have to pay.
Having a written privacy policy would avoid this particular risk, and
might even reduce the risk of a screwup in the first place.
3. And, although my legal expertise is limited to U.S. law, I think
is very likely (if not certain) that right now the IETF is operating
in violation of the European Union's Data Protection Directive, which
requires that any entity that collects personal information must
provide clear prior notice to affected individuals about the data
collection. The EU is particularly sensitive when European citizens'
data is collected by U.S. entities, which happens all of the time when
European citizens register with the IETF's California-based
administrative secretariat. (There is similar risk with regard to the
California Online Privacy Protection Act, which specifically requires
the posting of a privacy policy by entities that collect personal
information online from California citizens - there is a good chance
the law would not apply to the IETF, but there is some risk that it
would.) Having a privacy policy would help the IETF comply with
European law, which would reduce risk (and the uncertainly about the
California law would be avoided).
So if one's goal is to reduce risk to the IETF so the IETF is not
harmed by legal liability, I think there are very strong arguments to
have a privacy policy. Indeed, the legal-risk-related arguments in
favor of a having a privacy policy are so strong that I believe the
powers-that-be should move to promulgate such a policy even if there
is not consensus in the broader IETF community (just like, I assume,
the powers-that-be have purchased a range of standard business
insurance policies without ever having consulted the IETF community).
The draft of a proposed privacy policy was submitted as an I-D and
circulated to the ietf@xxxxxxxx mailing list simply because that was
suggested to be the most appropriate way for individual members of the
IETF community to raise this issue. A decision to adopt a privacy
policy is not one, IMO, that should rise or fall on a community hum
(although in the end, I think there been more +1s than -1s put forward
on this list).
John
On Jul 15, 2010, at 4:26 PM, Paul Hoffman wrote:
At 3:36 PM +0100 7/15/10, Alissa Cooper wrote:
If you have specific ideas of other spots where the document over-
promises, a list would be appreciated. I can take further
clarifications back to the secretariat or whoever the responsible
party is.
For me, the biggest over-promise is that someone reading the
document might think that there is some remedy if the I* fails to
live up to it. The line between principles and promises in your
document is quite unclear. Very specifically: I don't want the IETF
to adopt your document if it opens up an avenue for an aggrieved
participant (which, in the IETF, is anyone who knows how to
subscribe to a mailing list, even this one) can cause damage to the
IETF if the IETF doesn't meet the promise in that person's eyes.
If you feel that it is valuable to list privacy principles for an
organization like the IETF, great. If you want the IETF to promise
something that would cost us money or, possibly worse, much lost
time from the I*, please don't move this forwards.
There are already many reasons why some people don't participate in
the IETF. For some, the IETF is too informal for their comfort;
those folks gravitate towards other SDOs who have more formal
membership and rules. For some, the inability to rant freely on
mailing lists without being barred is too high a bar. For some, If
we lose a few people (and it does seem like a very few) for lack of
a privacy policy that could be enforced by civil law or threat of
civil lawsuits, that may be an acceptable risk.
--Paul Hoffman, Director
--VPN Consortium
_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf