John,

The policy itself looks good.  Making it public is a good first step.

It states that the OIDF regularly reviews its compliance with our privacy 
policy.

I think posting member PII to the public website is not in keeping with the 
policy.

We should review the IPR process and any other process people have concerns 
about in accordance with the policy.

I know it is not as exciting as arguing about nonces in GET.

Is this part of the Legal WG's remit?

Asking the membership and potential members if they have any concerns may also 
be a useful thing to catch other issues.

Thanks 
John B.


On 2010-01-27, at 9:51 PM, John Ehrig wrote:

> Actually, we already do have an approved and actively in use OIDF privacy 
> policy (see the attached).  A couple of issues:
> 1) It is buried in the membership portal and only viewable when you first 
> sign up as a new member (which is why it took me so long to track it down)
> 2) It seems to be written specifically as a member privacy policy (which may 
> not really be an issue if we are ok with it as is for that purpose)
>  
> I can immediately fix issue #1 by posting it in an easy to find/view page.
>  
> Longer term, we can use this existing policy as a starting point if we want to 
> improve or broaden it within the legal or privacy committee.   
>  
> From: [email protected] 
> [mailto:[email protected]] On Behalf Of John Bradley
> Sent: Wednesday, January 27, 2010 10:00 AM
> To: [email protected]
> Subject: Re: [OpenID board] OIDF Privacy Policy
>  
> I think that it would be fine to post redacted versions.
>  
> I suspect that a page with the companies and individuals who have signed up 
> for WG is probably more useful than the scanned agreements themselves.
>  
> I made an IPR declaration three years ago when the OIDF was formed and the 
> PAPE WG started.  I don't recall anyone telling me it was going to be scanned 
> and posted.
>  
> I, like most people, haven't thought about it in a while because there haven't 
> been new WG.
>  
> If we are going to publish information that people give us we need to make 
> that clear at the time of collection.
>  
> We may be violating privacy laws outside the US.   I would prefer to make 
> sure it is not an issue for the membership.
>  
> John B.
>  
>  
> On 2010-01-27, at 2:47 PM, Mike Jones wrote:
> 
> 
> It would be fine to post digital images with the signatures and address 
> information redacted – possibly by overlaying them with “Information on file 
> with OIDF” or something of that sort.  (Sort of how elevators often contain 
> messages about the elevator license being on file at such-and-such place.)
>  
>                                                             -- Mike
>  
> From: [email protected] 
> [mailto:[email protected]] On Behalf Of David Recordon
> Sent: Wednesday, January 27, 2010 9:40 AM
> To: [email protected]
> Subject: Re: [OpenID board] OIDF Privacy Policy
>  
> Hey John,
> I'm happy to have us reconsider the policy.
>  
> The idea is to make it incredibly transparent around who has signed what 
> (when it comes to IP).  So far you're the first person in three years to say 
> anything about it.
>  
> Considering that there can be different versions of documents and some 
> documents with options, scanning them as PDFs seemed like the easiest and 
> most accurate method.  99% of the time it's also companies signing the 
> agreements and using corporate addresses versus personal.
>  
> If Global Inventures is able to manage these agreements and keep up to date 
> online records, I'm less worried about each agreement being available online.
>  
> That said, they should be made available upon request.
>  
> --David
> 
> On Wed, Jan 27, 2010 at 7:07 AM, John Bradley <[email protected]> wrote:
> In the process of setting up the AX 1.1 WG a number of things have come to 
> light.
> 
> One is some confusion around who needs to submit what sort of agreement, 
> Personal or Company.
> Perhaps our new Secretary can have a look at that.
> 
> The more important one is that the OIDF has a practice of posting scanned 
> documents publicly including people's signature.
> 
> A number of us don't think publicly posting our address info with a scan of 
> our signature is such a good idea.
> 
> I think everyone agrees that who has signed contribution agreements and what 
> WG they apply to should be public.
> 
> However there are ways to do that that are less subject to identity theft and 
> other issues.
> 
> I would like to recommend that one of our committees (perhaps the legal one) 
> or a sub committee review and publish the OIDF privacy policy and 
> specifically if practices like posting members' PII publicly are appropriate.
> 
> The board can then consider those recommendations.
> 
> In the interim I would like GlobalInventures to redact my signature from any 
> and all of the IPR agreements they publish.
> 
> I don't think we can be credible respecting people's right to privacy on the 
> internet if we don't do a credible job with our own members.
> 
> There may be other privacy issues I am not currently aware of as well.
> 
> I think being proactive about privacy can only increase participation from 
> the community in general.
> 
> Regards
> John B.
> _______________________________________________
> board mailing list
> [email protected]
> http://lists.openid.net/mailman/listinfo/openid-board
> 
>  