Re: What does a privacy policy mean?
I would prefer it if the IETF stopped publishing the phone numbers of every IETF attendee for IETF 52, and quite possibly some other meetings as well. This would appear to me to be a privacy issue. On Sat, Jul 24, 2010 at 9:37 PM, John R. Levine jo...@iecc.com wrote: What I don't understand is the amount of arm wrestling that happens on this list. You're certainly right, there's a culture of nitpicking. In this case I think some of the issues are nitpicks, while some are significant. The IETF is very peculiarly organized, which suggests that it would need a somewhat peculiar privacy policy. Here are some questions that I think are not nits: Although the IETF per se has no legal existence, ISOC, the IETF Trust, and perhaps other things I haven't noticed do. How should an IETF privacy policy relate to the ISOC's existing privacy policy? Does the IETF Trust need a privacy policy? The IETF potentially collects PII in various ways, including publication of Internet Drafts and RFCs, messages on mailing lists, registration info for meetings, and activities in meetings. Meeting activites include paper documents (meeting attendance sheets), electronic session presentation material, oral session material which is transmitted over the voice feeds, jabber chats, and random traffic sent over meeting networks. Are there other forms of PII? Should a privacy policy treat them all the same, or differently? Some people have argued that it should be possible to participate in some or all IETF processes while remaining partly or completely anonymous. Is this a reasonable expectation? R's, John ___ Ietf mailing list Ietf@ietf.org https://www.ietf.org/mailman/listinfo/ietf -- Website: http://hallambaker.com/ ___ Ietf mailing list Ietf@ietf.org https://www.ietf.org/mailman/listinfo/ietf
What does a privacy policy mean?
What I don't understand is the amount of arm wrestling that happens on this list. You're certainly right, there's a culture of nitpicking. In this case I think some of the issues are nitpicks, while some are significant. The IETF is very peculiarly organized, which suggests that it would need a somewhat peculiar privacy policy. Here are some questions that I think are not nits: Although the IETF per se has no legal existence, ISOC, the IETF Trust, and perhaps other things I haven't noticed do. How should an IETF privacy policy relate to the ISOC's existing privacy policy? Does the IETF Trust need a privacy policy? The IETF potentially collects PII in various ways, including publication of Internet Drafts and RFCs, messages on mailing lists, registration info for meetings, and activities in meetings. Meeting activites include paper documents (meeting attendance sheets), electronic session presentation material, oral session material which is transmitted over the voice feeds, jabber chats, and random traffic sent over meeting networks. Are there other forms of PII? Should a privacy policy treat them all the same, or differently? Some people have argued that it should be possible to participate in some or all IETF processes while remaining partly or completely anonymous. Is this a reasonable expectation? R's, John ___ Ietf mailing list Ietf@ietf.org https://www.ietf.org/mailman/listinfo/ietf
Re: What does a privacy policy mean ?
On 7 Jul 2010, at 04:51, John Levine wrote: Then what happens? Is a privacy policy a contract, and if it is, what remedies do IETF participants have for non-performance? And if it's not, and there aren't remedies, what's the point? Trust? We've got to be honest and, even if it doesn't explicitly get stated in this BCP, say that there is uncertainty around what IETF participants expect to happen to their data. That's been true with particular emphasis on the meetings. Cheers, Sabahattin ___ Ietf mailing list Ietf@ietf.org https://www.ietf.org/mailman/listinfo/ietf
Re: What does a privacy policy mean ?
I think privacy policies originally emerged as a means to inform people about how their data is collected, used, shared, and stored. The perception that the collection of information about people in secret is a privacy threat has motivated increased disclosure about what happens to data about people. Over time, I think many privacy policies have strayed away from this original goal and have come to instead to act as disclaimers of legal liability or internal compliance guidelines, or both. I think the average corporate privacy policy these days probably does a good job of giving corporations legal cover and a decent job of instructing their employees about what they may or may not do with data, but is not easy for laypeople to understand ([1] provides some more information from the US context). I think the IETF can do better. AFAIK, right now the IETF has neither a public-facing statement that informs people about what happens to their data nor a disclaimer of legal liability nor an internal compliance document. There is the Trust records management policy, which in theory serves all three purposes (although I would argue that it isn't really accessible enough to laypeople to serve the first function). But limiting data retention is only one aspect of privacy protection, as the strawman policy demonstrates. I think the IETF could (and should) have a public-facing policy that is understandable and a (likely separate) internal compliance document that explains to those who handle data collected in conjunction with IETF activities about what they may or may not do with it. The strawman policy attempts to achieve the former. I don't have a strong opinion about whether the IETF needs a disclaimer of legal liability. Notably, the IETF has survived this long without one. Beyond legal remedies for non-performance, however, having a clear privacy policy would allow a strong community remedy for non- performance. If the IETF states its privacy policy clearly, and then violates that policy, there could well be strong discussion and disapproval on this mailing list and at plenary sessions during IETF meetings. The community has a pretty good ability to force the powers- that-be to explain their actions and develop new policies to correct mistakes, should they arise. So wholly apart from legal remedies, I think there is strong value in having a clearly stated privacy policy. Alissa [1] http://lorrie.cranor.org/pubs/readingPolicyCost-authorDraft.pdf On Jul 7, 2010, at 4:51 AM, John Levine wrote: I think we all agree that having a privacy policy would be desirable, in the sense that we are in favor of good, and opposed to evil. But I don't know what it means to implement a privacy policy, and I don't think anyone else does either. A privacy policy is basically a set of assertions about what the IETF will do with your personal information. To invent a strawman, let's say that the privacy policy says that registration information will be kept in confidence, and some newly hired clerk who's a little unclear on the concept gives a list of registrants' e-mail addresses to a conference sponsor so they can e-mail everyone an offer for a free IETF tee shirt. Then what happens? Is a privacy policy a contract, and if it is, what remedies do IETF participants have for non-performance? And if it's not, and there aren't remedies, what's the point? R's, John ___ Ietf mailing list Ietf@ietf.org https://www.ietf.org/mailman/listinfo/ietf -- Alissa Cooper Chief Computer Scientist Center for Democracy and Technology +44 (0)785 916 0031 Skype: alissacooper ___ Ietf mailing list Ietf@ietf.org https://www.ietf.org/mailman/listinfo/ietf
Re: What does a privacy policy mean ?
Again, wearing no hats. On Jul 6, 2010, at 11:51 PM, John Levine wrote: I think we all agree that having a privacy policy would be desirable, in the sense that we are in favor of good, and opposed to evil. But I don't know what it means to implement a privacy policy, and I don't think anyone else does either. A privacy policy is basically a set of assertions about what the IETF will do with your personal information. To invent a strawman, let's say that the privacy policy says that registration information will be kept in confidence, and some newly hired clerk who's a little unclear on the concept gives a list of registrants' e-mail addresses to a conference sponsor so they can e-mail everyone an offer for a free IETF tee shirt. A privacy policy should set internal guidelines. In your example, well, we don't have clerks, and those email addresses are already public, but a request (say) from a sponsor for attendee information would flow from the Secretariat to the IAD and then maybee (depending on the IAD's evaluation of it) to the IAOC. At some point in that chain, someone (probably the IAD) should evaluate it for its privacy implications. Having a privacy policy in places makes that more likely and gives the evaluator something to evaluate it against. Then what happens? In your example, if an employee did something on their own that clearly violated the privacy policy, I would expect that at a minimum to be featured in their next performance review, and it might be a firing offense in a very egregious case. Apologies to the offended parties and / or to the community might also be in order, as also might be mitigation (depending on just what the violation was). Is a privacy policy a contract, and if it is, what remedies do IETF participants have for non-performance? And if it's not, and there aren't remedies, what's the point? Having a privacy policy in place does two primary things IMO. It helps to inform and set policy and it gives others a metric to evaluate performance and a tool to improve performance. It also may have the useful effect of finding holes or inconsistencies in what we are doing, as it is reviewed and revised as technology and conditions change. In my opinion, this would help to empower the community. I oppose the IAOC's proposed program to monitor cookie consumption using RFID because it would violate our privacy policy will tend to be stronger than I oppose the proposed RFID cookie program because I don't like its privacy implications. Regards Marshall R's, John ___ Ietf mailing list Ietf@ietf.org https://www.ietf.org/mailman/listinfo/ietf ___ Ietf mailing list Ietf@ietf.org https://www.ietf.org/mailman/listinfo/ietf
Re: What does a privacy policy mean ?
On 7/7/2010 8:46 AM, Marshall Eubanks wrote: Having a privacy policy in place does two primary things IMO. It helps to inform and set policy and it gives others a metric to evaluate performance and a tool to improve performance. It also may have the useful effect of finding holes or inconsistencies in what we are doing, as it is reviewed and revised as technology and conditions change. On its face, this line of thinking might appear to justify something that is explicitly toothless and, by implication, useless. In fact, there's plenty of precedence in the world for having formal clarity about a policy but without realistic enforcement power. A common example is non-disclosure agreements. Although they usually contain language that sounds like there is serious recourse, in practice there isn't. Rather, the document serves as an explicit statement of concerns and an acknowledgement by the signers that the concerns are understood. Frequently, just having the issues stated clearly and brought to a participant's attention is enough to get improved behavior. d/ -- Dave Crocker Brandenburg InternetWorking bbiw.net ___ Ietf mailing list Ietf@ietf.org https://www.ietf.org/mailman/listinfo/ietf
Re: What does a privacy policy mean ?
On 7/7/2010 8:46 AM, Marshall Eubanks wrote: Again, wearing no hats. On Jul 6, 2010, at 11:51 PM, John Levine wrote: I think we all agree that having a privacy policy would be desirable, in the sense that we are in favor of good, and opposed to evil. But I don't know what it means to implement a privacy policy, and I don't think anyone else does either. A privacy policy is basically a set of assertions about what the IETF will do with your personal information. To invent a strawman, let's say that the privacy policy says that registration information will be kept in confidence, and some newly hired clerk who's a little unclear on the concept gives a list of registrants' e-mail addresses to a conference sponsor so they can e-mail everyone an offer for a free IETF tee shirt. A privacy policy should set internal guidelines. In your example, well, we don't have clerks, and those email addresses are already public, but a request (say) from a sponsor for attendee information would flow from the Secretariat to the IAD and then maybee (depending on the IAD's evaluation of it) to the IAOC. At some point in that chain, someone (probably the IAD) should evaluate it for its privacy implications. Having a privacy policy in places makes that more likely and gives the evaluator something to evaluate it against. Actually if the Attendee is sponsored by the sponsor in question then the attendee is their Work-For-Hire resource and so they (the Sponsor) have full legal rights to that attendance and participation information from NOTEWELL operations. Then what happens? In your example, if an employee did something on their own that clearly violated the privacy policy, I would expect that at a minimum to be featured in their next performance review, and it might be a firing offense in a very egregious case. Actually the Sponsor is responsible for their sponsored's actions no matter what they do... Apologies to the offended parties and / or to the community might also be in order, as also might be mitigation (depending on just what the violation was). you mean Litigation right? Todd Is a privacy policy a contract, and if it is, what remedies do IETF participants have for non-performance? And if it's not, and there aren't remedies, what's the point? Having a privacy policy in place does two primary things IMO. It helps to inform and set policy and it gives others a metric to evaluate performance and a tool to improve performance. It also may have the useful effect of finding holes or inconsistencies in what we are doing, as it is reviewed and revised as technology and conditions change. In my opinion, this would help to empower the community. I oppose the IAOC's proposed program to monitor cookie consumption using RFID because it would violate our privacy policy will tend to be stronger than I oppose the proposed RFID cookie program because I don't like its privacy implications. Regards Marshall R's, John ___ Ietf mailing list Ietf@ietf.org https://www.ietf.org/mailman/listinfo/ietf ___ Ietf mailing list Ietf@ietf.org https://www.ietf.org/mailman/listinfo/ietf ___ Ietf mailing list Ietf@ietf.org https://www.ietf.org/mailman/listinfo/ietf
Re: What does a privacy policy mean ?
On 7/7/2010 8:53 AM, Dave CROCKER wrote: On 7/7/2010 8:46 AM, Marshall Eubanks wrote: Having a privacy policy in place does two primary things IMO. It helps to inform and set policy and it gives others a metric to evaluate performance and a tool to improve performance. It also may have the useful effect of finding holes or inconsistencies in what we are doing, as it is reviewed and revised as technology and conditions change. On its face, this line of thinking might appear to justify something that is explicitly toothless and, by implication, useless. In fact, there's plenty of precedence in the world for having formal clarity about a policy but without realistic enforcement power. A common example is non-disclosure agreements. Although they usually contain language that sounds like there is serious recourse, in practice there isn't. Typical misrepresentation by an IPR group member... If you want to know about NDA's and their damage capabilities ask the folks at Rockwell who paid 65M in damages over the NDA used to convey the IP under the K56 Flex modem to them. Rather, the document serves as an explicit statement of concerns and an acknowledgement by the signers that the concerns are understood. Frequently, just having the issues stated clearly and brought to a participant's attention is enough to get improved behavior. Unenforceable policy based on the doctrine of impossibility are worthless. Having one creates a liability because it was designed to be unenforceable and as such the intent is clear. Todd d/ ___ Ietf mailing list Ietf@ietf.org https://www.ietf.org/mailman/listinfo/ietf
What does a privacy policy mean ?
I think we all agree that having a privacy policy would be desirable, in the sense that we are in favor of good, and opposed to evil. But I don't know what it means to implement a privacy policy, and I don't think anyone else does either. A privacy policy is basically a set of assertions about what the IETF will do with your personal information. To invent a strawman, let's say that the privacy policy says that registration information will be kept in confidence, and some newly hired clerk who's a little unclear on the concept gives a list of registrants' e-mail addresses to a conference sponsor so they can e-mail everyone an offer for a free IETF tee shirt. Then what happens? Is a privacy policy a contract, and if it is, what remedies do IETF participants have for non-performance? And if it's not, and there aren't remedies, what's the point? R's, John ___ Ietf mailing list Ietf@ietf.org https://www.ietf.org/mailman/listinfo/ietf