privacy review for registry inclusion

[npdoty]

Requirements we should clarify for conducting privacy review for protocols to be included in a registry.

• review would be done by the Privacy Working Group, not the Privacy Interest Group (no longer exists).
• privacy review needs to be completed, and issues need to be meaningfully addressed, in concordance with the recommendations of the threat model/privacy considerations document (conducting a privacy review and ignoring all the raised issues isn't the point)

I would also add something about process, although I'm not sure this would have as broad consensus in the group at the moment.

• protocols listed in the registry should be developed through an open process allowing impacted stakeholders to participate, review and provide feedback on the potential implications for privacy and other human rights

(The registry inclusion update PR got merged before I could list out these issues.)

[johannhof]

I'd like to bring this back up with the group as I believe it impacts the privacy considerations - should there be a clear set of recommendations for how to evaluate these protocols in the spec?

[wseltzer]

Discussed 11 June minutes

[npdoty]

#260 fixes the name of the relevant group, but doesn't include normative requirements to address issues, or normative requirements regarding process.

[npdoty]

(Just being consistent on using privacy-tracker for a privacy issue that we are tracking and could be of relevance to external privacy review stage. -needs-resolution is for external reviewers indicating a particular level of importance; those kinds of decisions can come later and based on external review.)