Brian, > I suggest that your standard dealings with local hosts should include requiring them to perform a local check on > whether the standard "Note Well" takes account of all local legal requirements, including for example > consent to publication of images. If it doesn't, the host should provide an augmented "Note Well" for use > during meeting registration. Rather than going this route, we might consider some better balance between privacy and standard-settings. Taking and publishing a person's image is a step above listing their names. Do we really need that for the purpose of standard making, let alone Internet Engineering? How about answering the classic privacy checklist: 1) How much personal information do we collect, and for what purpose? The rule here should be to collect the strict minimum necessary for the purpose. Pictures don't appear to meet that bar. 2) How do we process that information? Who in the IETF has access to it? 3) Do we make that information available to third parties? Under which guidelines? Again, there is a big difference between answering a subpoena and publishing on a web page. 4) How do we safeguard that information? Is it available to any hacker who sneaks his way into our database? 5) How long do we keep the information? Why? 6) How do we dispose of the expired information? These look like the right questions to the IAOC. -- Christian Huitema