I'm not really keen on getting involved in this discussion any more than I have been, but I can't help noting one thing: On Thu, Jul 15, 2010 at 11:50:58PM +0100, John Morris wrote: > 2. We have many examples of leading banks, stores, and others > mishandling credit card and other records, so unless the IETF has come > up with some secret security sauce to eliminate all possibility of a > human or technical screwup with personal info, there is clear risk that > the IETF could mishandle data and be at the wrong end of a litigation. Given that practically every such leading back and store and so on had a rich, long, detailed, hard to read privacy policy, I fail completely to see how the having of a policy provides any value at all to the IETF in such cases. In the case of companies and so on, it has a value, because firing people for violating the policy is the sort of consequence that employers can use. But the IETF isn't like that. It isn't even a legal entity. So it doesn't have anyone to fire, &c. As I've said before, I can see arguments in both directions on this topic. But I don't think it does us any good to keep saying, "Everyone else has one." Everyone else is also incorporated. A -- Andrew Sullivan ajs@xxxxxxxxxxxx Shinkuro, Inc. _______________________________________________ Ietf mailing list Ietf@xxxxxxxx https://www.ietf.org/mailman/listinfo/ietf