Hi Alissa, After following the discussion, I thought that I would share my thoughts. I hope that you find them constructive. The document seems almost complete from a technical perspective. I'm reasonably happy that the details of how private information is stored is (almost) correct. Procedural issues are more difficult. Some structural and cosmetic changes might help. Public process: A separation of the public process (contributions), from the supplementary stuff (meeting registration payments, tools, datatracker, etc...) might help. These two groupings have fundamentally different principles. Taking that separation into later sections might also help. Abstract/Intro: I'm guessing that you have the complaints about density covered- I see that you've taken Bob Hinden's simple introduction to heart. That's good. It would be good if the abstract alone provided sufficient information for someone to understand the general gist of the policy. ---8<--- Abstract The IETF provides a public forum for the development of Internet Standards. Contributions[1] you make to this process are made public and retained indefinitely. The IETF[2] might collect other personal information as part of its operations. Information that does not directly contribute to the IETF process is treated with respect for the privacy of individuals. This policy describes how personal data is collected, used, stored and distributed by the IETF. --->8--- [1] Cite the definition of "contribution" from the note well...in the body of the document. [2] You might also expand this to included IASA, IAOC, but it isn't worth getting caught up on semantics in an abstract. Expand on this in the body. Purpose: It seems that one of the causes of tension in this debate is the lack of agreement over the purpose of the policy. Privacy policies do serve a range of purposes, but is it possible to identify why this particular one is most important? I certainly don't think that you are doing this to provide any legal protection to the IETF, it's not a legal compliance thing or any other such cynical reason. If the purpose is to establish a common understanding of what the privacy expectations of all those involved with the IETF, say so. I think that you are aiming at two levels: the general framework: do we respect privacy or not; and the specific: what happens with my email address. My wordsmith-fu is weak today, but you might include something like: ---8<--- 2. Purpose This privacy policy describes the principles of the IETF toward privacy. People who interact with the IETF can use this document to understand the principles that are applied in dealing with their private information. This document provides details on how specific items of private information are collected, used, stored and distributed. --->8--- I know that the debate raised the issue of whether the specifics should not be made separate (and given the IAOC). I don't really have an opinion on that aspect. At this stage, I see no harm in keeping the two together. A purpose statement should be sufficient justification for the document. Appeal to authority (The Fair Information Practices) seems unnecessary. The practices are a great guide to those who wish to build and review such a policy. However, they contribute little to the goal of the document, which is to cover those categories, not list them. Nits: There is an error in the current draft regarding meeting registrations. Your name, affiliation and country are all made public. Do we say SSL in the IETF? This is where we build TLS after all. --Martin (The other one) _______________________________________________ Ietf mailing list Ietf@xxxxxxxx https://www.ietf.org/mailman/listinfo/ietf