This statement sets out the privacy and data protection policy of the following related organizations and groups: the Internet Engineering Steering Group (“IESG”) representing the IETF; the Internet Research Steering Group ("IRSG") representing the IRTF; the Internet Architecture Board ("IAB"); and the common supporting organizations of the IETF Administration LLC ("LLC") and the RFC Editor, which are collectively referred to in this policy as the IETF/IRTF/IAB and individually as a Party and whose collective activities constitute a single privacy context.
For the avoidance of doubt, the Internet Society (“ISOC”) is not a Party and their activities constitute a separate privacy context. ISOC should be regarded as a third-party for the purposes of this statement.
Our Commitment to Transparency
The IETF/IRTF/IAB operates in an open and transparent fashion. As a part of this transparency, any contributions, submissions, statements or communications that you make to any Party including any Personal Data, other than as expressly excepted in this statement, will be made public through electronic and other means.
You should be aware of our transparent operation when communicating with us.
Management of Personal Data
The “Personal Data” we collect
The data that we collect and process (“Personal Data”) includes the following information that you provide to us when we specifically request that you do so in specific situations:
- any information that you provide when transacting through any IETF/IRTF/IAB website or other resource
- any information you enter on the Blue Sheet for an in-person or electronic meeting run by or for the IETF/IRTF/IAB.
Your Personal Data also includes the following data generated in your interactions with us:
- postings or other contributions you make to the IETF/IRTF/IAB websites
- messages sent to most mailing lists operated by the IETF/IRTF/IAB
- messages posted in instant messaging systems and chat rooms
- all Internet-Drafts or other contributions that you submit
- comments you send to us regarding the IETF/IRTF/IAB or a Party's documents
- intellectual property disclosures and updates
- requests for document authentication
- registrations for meetings arranged for or by any Party
- mailing list registrations (i.e. lists of the subscribers to IETF/IRTF/IAB-managed mailing lists made available to subscribers of the lists)
- metadata related to the time and frequency of your interactions with any IETF/IRTF/IAB system
- message headers
- and most other information that you send, submit or post to the IETF/IRTF/IAB, or on any service operated by the IETF/IRTF/IAB or in any forum operated by the IETF/IRTF/IAB.
Examples of Personal Data include:
- first and last name
- postal address, which may be included in postings or submissions (e.g., Internet-Drafts)
- email address and jabber ID
- the IP address of a message sender and details of the device or service used to send the message, as found in email headers
- any other identifier that permits the physical or online communications with a specific individual.
Your consent to disclosure
By providing us with your Personal Data, you are consenting to our disclosure and use of it for the purposes as described in this Statement.
Your consent to receiving communications
By subscribing to a mailing list managed by the IETF/IRTF/IAB or submitting a contribution to the IETF/IRTF/IAB, you consent to us using your Personal Data to communicate with you about your participation in our activities.
Audio, pictorial and video recordings
We also collect audio, pictorial and video recording, during and in connection with our events, meetings and conferences. All such information may be made public and used by us in connection with the activities of the IETF/IRTF/IAB.
For some meetings we provide red lanyards for attendees to wear to indicate that they do not wish to be photographed individually or in small groups. Official IETF/IRTF/IAB photographers comply with this indication and we use reasonable efforts to ensure that all other photographers also comply. Photographs of large groups may contain incidental images of attendees in red lanyards and individuals wearing red lanyards will still be included in official video recordings.
International transfer of data
Due to the nature of the Internet and our international operations, your communications and submissions may result in the transfer of your Personal Data and other information across national boundaries and outside of your country of residence. By communicating with a Party and submitting information to us, you consent to these transfers and to the use of your Personal Data and other information as described in this Statement.
Sale of data
We do not sell your Personal Data nor do we monetize it in any way.
Technical data will be collected in our web server logs such as, operating system, browser version, and IP address. We do not make such information available to the public.
We do not enable or participate in any third-party tracking of your website activity. As no third-party tracking is enabled on our website, our websites do not alter their behavior according to the value of a browser Do Not Track (DNT) setting.
We do not use browser storage, for example flash cookies, or other local storage.
Information That We Do Not Share
As an exception to the IETF/IRTF/IAB’s general policy of releasing information to the public, there are certain limited types of Personal Data that we do not share in the ordinary course of our operations ("Non-Public Information"). The categories of Non-Public Information that we currently recognize are described below.
Applications for roles, awards/prizes, grants and workshops
The IETF/IRTF/IAB operates a number of processes where individuals may submit Personal Data about themselves or others and where all information is kept confidential, including any reviews, assessments, deliberations, interviews or other discussions, except as specified below. These processes are:
- Applications for roles, except the names of applicants
- Feedback on individuals regarding a role application or performance in a role
- Nominations for awards/prizes, except the names of award/prize winners
- Papers submitted for workshops, except the published papers
- Applications for travel grants, except the names of grant recipients.
Payment information is not collected or stored on any servers operated by the IETF/IRTF/IAB. If you conduct transactions using our websites (e.g., meeting registration), payment and payment card information will be entered directly into a third-party processor's systems and is not transmitted through or stored by our websites. We make reasonable efforts to ensure that our third-party processors handle your non-public information responsibly.
We collect information from people who register for meetings. The attendee lists which are published in the meeting proceedings include the registrants, name, organization and ISO country code, a profile link (if provided in the registration) and whether the registration was local or remote. All other information we collect is only published, if at all, in summary form.
We may ask you to provide demographic information (e.g. age, sex, country of residence) in surveys or other information gathering activities. You are not required to provide that information and your disclosure of that information to us is voluntary. We do not disclose the demographic information of individuals. We may publish aggregated information using demographic data as one dimension, in which case we will aggregate at a sufficient level to prevent disaggregation or deanonymization.
Non-Public Mailing Lists
A small number of the mailing lists we operate are not available or disclosed to the public, nor are their contents made available to the public. These mailing lists are clearly indicated as non-public in their registration materials.
Direct emails to individuals connected with a Party
Email sent directly to an individual member, employee, contractor or director of a Party generally will not be made available to the public.
Information for letters of invitation
We delete the personal information that we collect to generate letters of invitation in a timely fashion after each meeting. We request that local organizations with whom we share this data to generate the letters also delete it in a timely fashion.
Protection of Non-Public Information
We have implemented commercially reasonable precautions that we believe are appropriate to prevent the unauthorized use, disclosure and alteration of Non-Public Information. However, no data security measures can guarantee complete data security, and we do not guarantee the confidentiality of anything that you submit to us. Please contact us if you believe that the security or integrity of any non-public information that you have submitted to us has been compromised.
Legally required disclosure
We may at times be required by law to release Non-Public Information, and we will do so if we believe in good faith that such release is required by applicable law, regulation or judicial order.
Our online services are not intended for use by children under 13 years old. We do not knowingly collect personally identifiable information from, or target our online services at, children under the age of 13. If we discover that a child under 13 has provided us with personally identifiable information, without the consent and participation of a parent or guardian, we will remove it from our systems.
Links to other sites
Occasionally, our website or communications will link to websites or services operated by third parties, for example, to conferencing services. We make no representation about the privacy policies of such sites.
Contact and Compliance
If you have any questions regarding this Statement or believe that we are not following the procedures described in this Statement, please contact firstname.lastname@example.org. You can also contact us if you have any concerns about the accuracy of, or wish to correct, your Personal Data, or if you wish us to cease processing your Personal Data. We reserve the right to decline any request to remove or alter information or to cease processing your Personal Data except to the extent that we are legally required to do so.
Updated December 23, 2019