On Thu, Feb 23, 2017 at 03:27:10PM -0800, IETF Administrative Director wrote:
> The IAOC would like community input on a proposed IETF Statement
> Concerning Personal Data.

[snip]

>
> The proposed Privacy Policy is located here:
> https://iaoc.ietf.org/documents/Privacy-Statement-23Feb17.htm

1. The second paragraph (begins "The parties operate") includes
"(b) home address". I think it would be better to use "mailing address"
to encompass everyone who uses a business address or other address.

2. Under "Exceptions -- Information That We Do Not Release to the Public",
I think two changes are needed.

2a) Under "Non-Public Mailing Lists and direct mail to individuals at
the Parties", I think it would be good to note that the Parties cannot
control the disclosure of individual messages or entire archives of these.
The Parties can certainly request that members of those lists keep them
private, and can certainly impose sanctions if it wishes on those who
don't, but it can't stop that disclosure. Also worth noting is that
security issues -- whether affecting an individual on one of those lists
or the list mechanism/archive itself -- could result in full disclosure
of their entire contents.

2b) I think it would be a good idea to stipulate that the Parties
will not disclose mailing list membership records: email addresses,
list memberships, date joined, date left, etc. To put it less formally,
the Parties won't out the lurkers. While most of us don't have to be
overly concerned about such disclosures, there are some people for whom
it could have negative consequences.

3. Under "Security", I believe there's a typo: "guaranty" should be
"guarantee".

4. Also under "Security", this phrase:

	"such release is required by applicable law, regulation or judicial order"

doesn't cover NSLs or similar instruments, which are none of those.
At the risk of opening an infinite can of worms, what is the policy
w.r.t. NSLs et al.?

---rsk