Hello,
I'm sorry, I couldn't find the original posting in my mailbox. I refer to
this post:
https://mailarchive.ietf.org/arch/msg/ietf-privacy/KvLlmoaQDKulyHJCWKLM5HWx0Zg/
But I guess it makes sense to start a new thread anyway. I'm finally
able to give this post the attention it deserves.
Side note: Sometimes the email traffic at the IETF is quite fast moving
and my inbox gets so flooded by this that it is impossible for me to
follow the mailing list alongside job and other projects or reply in time.
Back to the topic: Even though I see that the email and the name of the
questioner have been removed in compliance with the GDPR, I would like
to say something about it.
Warning, the following is not legal advice. It may contain
misinformation, but it's written to the best of my knowledge.
Basically, I agree with the person and it is also something I realized
negatively that the IETF does not fully inform what is public and what
is not. In addition, there may be a different understanding in the US on
the subject of "deleting data which is public". In Europe, we have the
right to have this data removed as well and this is strengthened
by the GDPR. For us, personal data and data worth protecting also
includes the name and the e-mail and even the IP address. Therefore, we
are not allowed to simply publish e-mails without extensive information
and explicit consent and even if this consent has been obtained, the
person has the right to have his data deleted (also, for example, in
forums). Whether a name or e-mail is mentioned is irrelevant for the
traceability of the topic.
Side note: I have noticed that the IETF simply archives everything
permanently, even for more than 30 years. This is not really in the
sense of data hygiene. Unfortunately, I have often found outdated
information that I thought was up to date when I searched for it and
acted on it, only to figure out later from members of the community that
it was outdated. This means it blocked me in my work and led to more
confusion. This included trying to contact people who had once published
an RFC draft, but the email went back due to now being invalid. I would
have saved myself a lot of work on my draft if this information had
been deleted. On MastodonPurge the topic of data hygiene is
described as: "Remove parts of your personal history from the internet:
/Maybe you regret having written something publicly or privately, which
new users should not see anymore. We all change our opinions over time.
Be sure nobody gets a wrong impression based on outdated posts."/ I
agree with that and I also think that some (without naming anyone) are
(hopefully) ashamed of insults/harassments they've done on this list in
the future. Who knows, they might even have problems with job
applications / future employers because of it. I don't believe that
someone who said [insert insult here] to someone else 30 years ago
should have any relevance today and they don't belong in a permanent
archive either (also with the respect of the person who was insulted).
The GDPR also encourages IT services to be set up according to the
current state of the art. This also includes effective spam protection
and protection of e-mail addresses from spammers. I have already talked to
some IETF people about this, but I haven't had time to work out a
an "improve not being spammed" draft yet. Therefore I agree with the
questioner. I also have generated an "extra email" for IETF and can see
how heavily this is now being used by spam scrapers and I receive about
30 emails a day in my inbox just from the mailing list and the draft.
There are many better and modern ways of protection here.
I know that now many of you will say that the GDPR does not apply in the
US but I consider the IETF an institution to look up to, which (in my
opinion - correct me if I am wrong) at some time had on its agenda to
make the Internet a better place and which is still looked up to today.
Therefore it would be a very good step to implement the idea here as it
is an important protection law.
Protecting against data theft, promoting secure IT systems, keeping only
relevant data and more.
And where would be a better place to start on increasing privacy
and implementing already proven best practices than on a privacy list
itself?
tl;dr
I think it is important and right to respect and implement deletion
requests.
- Kate
_______________________________________________
ietf-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ietf-privacy