Re: Proposed IETF Privacy Policy for Review

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hello,
At 10:02 16-03-2016, IETF Administrative Director wrote:
The IAOC would like community input on a proposed IETF Privacy Policy.

The above says "Privacy Policy" whereas the "IETF Draft 24 Feb. 2016" says "Statement Concerning Personal Data".

According to www.ietf.org the "Internet Engineering Task Force (IETF) is an organized activity of the Internet Society". Who is the operator of www.ietf.org?

I'll use "personal data" to refer to "personally identifiable information" as it might be easier to understand. The following is considered as personal data:

  (a) first and last name
  (b) home address
  (c) e-mail address
  (d) Any other identifier that permits the physical or online contacting
      of a specific individual

IETF online participation requires (a) and (c) [1]. IETF attendance requires more personal data, e.g. payment information. There is also the audio and video recordings. According to the Attorney General, California Department of Justice, the United States "Federal Trade Commission (FTC) has called for improved data practice transparency, encouraging privacy policy statements that are 'clearer, shorter, and more standardized to enable better comprehension and comparison of privacy practices'. I suggest having a subdivision so that the participant can easily find which personal data he/she has to provide. There would be a separate division for an attendee as other personal data may be required. A third division would be for the (web) visitor.

There isn't any information in the draft about data use and sharing. The draft mentions that it is possible "to request information regarding our disclosure of your Personal Data to third parties for direct marketing purposes". I suggest explicitly asking for consent before sharing personal data with third parties.

  "We believe that we have implemented commercially reasonable precautions
   to prevent the unauthorized use, disclosure and alteration of Non-Public
   Information. However, no data security measures can guarantee complete
   data security, and IETF does not guaranty the confidentiality of anything
   that you submit to IETF."

Does that mean that the IETF will not notify a person affected by a data breach? What is the difference between "commercially reasonable precautions" and "reasonable precautions"?

This draft is better than the draft which was posted in February 2015.

Regards,
S. Moonesamy

1. I skipped the exceptions.



[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]