Hi Stephen!

A few answers below.

> -----Original Message-----
> From: Stephen Farrell [mailto:stephen.farrell@xxxxxxxxx]
> Sent: Tuesday, May 21, 2019 11:43 AM
> To: Roman Danyliw <rdd@xxxxxxxx>; ietf@xxxxxxxx
> Subject: Re: Call for Community Input: Web Analytics on www.ietf.org
>
> On 21/05/2019 16:17, Roman Danyliw wrote:
> > The IESG appreciates any input from the community on this proposal
> > and will consider all input received by June 4, 2019.
>
> More tracking;-(
>
> I don't think this is particularly harmful though and do accept that people are
> trying to do the right thing, but I'd argue to not bother with it myself.
>
> Assuming you do go ahead with it:
>
> - 13 months seems like a long time to keep logs.
>   What will be in those logs? Why 13 months?
>
> - I don't understand what IP address anonymisation
>   is planned. [1] has options, and doesn't explain
>   what happens with IPv6.
>
> - I'd prefer if information was deleted as soon as
>   possible, and it's not clear to me that that is
>   the plan.

I'll have to follow up later with the details.

> - Do the IESG plan to evaluate the utility of this
>   with the possibility to ditch it if it doesn't
>   in fact tell us something useful? If so, when?
>   How will you decide if it's worth keeping?

In the "Implementation" section the proposal notes that "[f]ollowing finalization and implementation of the proposal, ... the web analytics and reports will be reviewed by the IETF Tools Team after one-year to confirm they are delivering anticipated results." The IETF Tools Team will bring a recommendation to the IESG. Whether these analytics are worth keeping will be determined by whether they informed site improvement (as outlined in the "Introduction" section).

> - Will this new information be shared with anyone
>   else (e.g. ISOC as allowed for in [2]).

The proposal outlines that the "IETF Secretariat, communications staff, and the IESG" will get access through an "analytics data dashboard"; and a "publicly-available summary of analytics data will be explored" to improve upon https://www.ietf.org/usagedata/. I'll have to follow up on the additional users (ISOC) implied by [2].

> - Does this constitute tracking behaviour? The
>   current privacy policy [2] says we don't do that.

My read is no. [3] says that "tracking is the collection of data regarding a particular user's activity across multiple distinct contexts and the retention, use, or sharing of data derived from that activity outside the context in which it occurred. A context is a set of resources that are controlled by the same party or jointly controlled by a set of parties." *.ietf.org servers are a single context controlled by the same party (IETF). The proposed implementation plan is a self-hosted solution which does indeed collect activity data but NOT across "multiple, distinct contexts".

> - To whom should I send my GDPR subject data access
>   request? I guess privacy@xxxxxxxx is it?

Correct.

Roman

> There's no rush in getting answers to the above btw.
>
> Thanks,
> S.
>
> [1] https://matomo.org/docs/privacy/#step-1-automatically-anonymize-visitor-ips
> [2] https://www.ietf.org/privacy-statement/

[3] https://www.w3.org/TR/tracking-dnt/

> >
> > Regards, Roman (as the IESG Tools Liaison)
> >