A two-week consultation [1] began on 4 December 2019 on proposed changes [2] to 
the IETF Privacy Statement [3].  These proposed changes have been further 
revised [4] in response to issues raised [5].  The new full list of changes 
proposed to the existing IETF Privacy Statement is as follows:

1. Significant reordering, moving of text and changing of headings, with 
minimal change in meaning, in order to make the statement clearer and easier to 
understand.

2. The scope statement has changed from simply listing the IETF/IRTF/IAB to 
identifying the specific groups that can legally be considered data controllers 
in various data protection regimes, namely the LLC, IESG, IAB, IRSG and RFC 
Editor, and being clear that their activities form a single privacy context.  
The scope uses "IETF/IRTF/IAB" as a collective term for all these groups, even 
though that is not the plainest English possible, as that is needed to convey 
accurate structure in this statement. "_This statement sets out the privacy and 
data protection policy of the following related organizations and groups: the 
Internet Engineering Steering Group (“IESG”) representing the IETF; the 
Internet Research Steering Group ("IRSG") representing the IRTF; the Internet 
Architecture Board ("IAB"); and the common supporting organizations of the IETF 
Administration LLC ("LLC") and the RFC Editor, which are collectively referred 
to in this policy as the IETF/IRTF/IAB and individually as a Party and whose 
collective activities constitute a single privacy context._"

3. The existing version contains a number of references to the Internet Society 
(ISOC) given the legal structure that existed before the creation of the IETF 
Administration LLC.  Those references have all been removed as data will no 
longer be shared with ISOC and a statement added for the avoidance of doubt: 
"_For the avoidance of doubt, this policy does not apply to the Internet 
Society ("ISOC") and its activities and practices constitute a separate privacy 
context. ISOC should be regarded as a third-party for the purposes of this 
policy._"

4. Two new elements have been added to the list of data that may be made 
public, which reflects existing practice.  These are "_metadata related to the 
time and frequency of your interactions with any IETF system_" and "_message 
headers_".

5. Added an additional example of personal data to be clear that email message 
headers contain a lot of data "_the IP address of a message sender and details 
of the device or service used to send the message, as found in email headers_".

6. Added a clear statement that we do not sell data "_We do not sell your 
Personal Data nor do we monetize it in any way._"

7. Added a new bullet on what data we collect to cover web analytics and a new 
paragraph that covers what we intend to do with that data.  The bullet is 
"_information provided when you interact with any IETF website_" and the 
paragraph is "_We track your usage of our websites in order to understand how 
our websites are used and how we can improve them.  We do this using Javascript 
based tracking code, which collects a limited set of technical data.  If 
Javascript is disabled or not available in your browser then this tracking will 
not take place and your usage of our websites should not be affected._"

8. Section on Do Not Track (DNT) made clearer as previous version required you 
to read the specification to understand it "_We do not enable or participate in 
any third-party tracking of your website activity.  As no third-party tracking 
is enabled on our website, our websites do not alter their behavior according 
to the value of a browser Do Not Track (DNT) setting._"

9. The section on the use of cookies for online transactions has been made 
clearer "_When you log into one of our websites or initiate an online 
transaction through one of our websites then we may use cookies to uniquely 
identify you during that session, to record your preferences and to simplify 
the establishment of new sessions.  If you disable your web browser's ability 
to accept cookies you will still be able to browse the site but authenticated 
and transactional services may not function._"

10. A new section has been added to explain that if we collect demographic 
information in a survey then that will only be published in an aggregated form 
that does not allow individual identification.  This addition is not needed to 
enable collection of demographics, we can do that anyway, it is solely to 
explain what we do if we do collect it.  "_We may ask you to provide 
demographic information (e.g. age, sex, country of residence) in surveys or 
other information gathering activities.  You are not required to provide that 
information and your disclosure of that information to us is voluntary.  We do 
not disclose the demographic information of individuals.  We may publish 
aggregated information using demographic data as one dimension, in which case 
we will aggregate at a sufficient level to prevent disaggregation or 
deanonymization._"

11. A new section has been added to cover a range of processes regarding 
specific individuals "_Applications for roles, awards/prizes, grants and 
workshops_".  This is intended to be generic enough to cover new processes of 
this nature while also being specific enough to be clear. "_The IETF/IRTF/IAB 
operates a number of processes where individuals may submit Personal Data about 
themselves or others and where all information is kept confidential, including 
any reviews, assessments, deliberations, interviews or other discussions, 
except as specified below.  These processes are:_
* _Applications for roles, except the names of applicants_
* _Feedback on individuals regarding a role application or performance in a 
role_
* _Nominations for awards/prizes, except the names of award/prize winners_
* _Papers submitted for workshops, except the published papers_
* _Applications for travel grants, except the names of grant recipients._"

12. Updated the section on "_Audio, pictorial and video recordings_" to address 
the use of red lanyards at IETF meetings: "_For some meetings we provide red 
lanyards for attendees to wear to indicate that they do not wish to be 
photographed individually or in small groups.  Official IETF/IRTF/IAB 
photographers comply with this indication and we use reasonable efforts to 
ensure that all other photographers also comply.  Photographs of large groups 
may contain incidental images of attendees in red lanyards and individuals 
wearing red lanyards will still be included in official video recordings._"

13. Updated the section on our use of Cloudflare to make it easier for anyone 
who wishes to read the Cloudflare Privacy Policy to know what data they collect 
and how it is used, when providing this service: "_We use services from Cloudflare 
to support some of our websites. In Cloudflare terminology that will make 
anyone who accesses our websites an 'End User' and information on what data 
Cloudflare collect from End Users and how they use it is explained in their 
privacy policy.  There is a link to the Cloudflare Privacy Policy on the 
Cloudflare home page._"

This email is a reminder of the consultation on this revised statement, which 
closes on Wednesday 18 December.

If you have any comments or questions then you can submit those by any of the 
following methods:

* Raising an issue on the GitHub repository 
https://github.com/ietf-llc/ietf-privacy-statement-consultation 
* Direct to me at [email protected]
* To the [email protected] list

[1]  https://mailarchive.ietf.org/arch/msg/ietf-announce/tAoqjDVzb2_NwT5SD-hzvF9YB1w  
[2]  https://github.com/ietf-llc/ietf-privacy-statement-consultation/blob/master/DRAFT%20IETF%20Privacy%20Statement%202019.md  
[3]  https://ietf.org/privacy-statement/  
[4]  https://github.com/ietf-llc/ietf-privacy-statement-consultation/blob/latest-updates-from-consultation/DRAFT%20IETF%20Privacy%20Statement%202019.md  
[5]  https://github.com/ietf-llc/ietf-privacy-statement-consultation/issues

--  
Jay Daley  
IETF Executive Director  
[email protected]

_______________________________________________
IETF-Announce mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ietf-announce
