Re: [dmarc-ietf] Ticket #55 - Clarify legal and privacy implications of failure reports

Dave Crocker <dcrocker@gmail.com> Thu, 07 January 2021 15:25 UTC

To: dmarc@ietf.org
From: Dave Crocker <dcrocker@gmail.com>
Message-ID: <d45f26f1-92c6-762e-2334-fc2c2b9a89ec@gmail.com>
Date: Thu, 7 Jan 2021 07:25:05 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/NqMJal9ffEqaffwbpLGGtsmUGEY>

On 1/7/2021 2:14 AM, Alessandro Vesely wrote:
> On Wed 06/Jan/2021 00:55:41 +0100 Dave Crocker wrote:
>> On 1/5/2021 3:50 PM, Michael Thomas wrote:
>>>>
>>> Quit cutting out needed context to make your points. The study 
>>> directly contradicts your categorical statement.
>>
>> Except that it doesn't.
>>
>> Feel free to provide a serious explanation of why you think
>> otherwise, but please put some effort into accurately representing
>> what I said or what the study shows.  Attention to detail will help.
>> Conclusions are less important than showing your work.
>
>
> The report says:
>     This returns the email-opening rate of 53.4% and 48.9%. Among these users,
>     the corresponding click-through rates are 48.9% (without security
>     indicator) and 37.2% (with security indicator) respectively. The
>     results indicate that security indicators have a positive impact to reduce
>     risky user actions.
> https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-hu.pdf
>
>
>
> You said:
>     My point is that we have decades of belief that it's useful but no
>     demonstration that it actually is.  And we have history such as the EV
>     effort, showing that it isn't.
> https://mailarchive.ietf.org/arch/msg/dmarc/r7unHaCXKKFeotbjU1pL-Jx4f_o


We've got roughly 25 years of anti-abuse effort.  This includes some 
that have attempted to use end-user trust indicators.  All have proved 
useless.  The entire anti-abuse industry relies on filtering engines, 
not end-user behavior. (End user 'education' is minor and generic.  
There is little or no evidence it has much effect.)

A single, small-sample study under somewhat-controlled conditions does 
not provide 'proof' of efficacy.  At very best, it suggests a line for 
further inquiry.

At the very least, note the Study Limitations section.  Then note that 
studies like these have very, very low correlation factors. A result of 
0.4 is about as good as it ever gets, and that's quite rare.  But it 
means that, at best, the study accounts for only 16% of the behavior, 
leaving 84% due to other factors.  This is not much of a foundation for 
the time and opportunity cost of a standards effort.

From the cited paper:

> Visual Security Indicators. Security Indicators are
> commonly used in web or mobile browsers to warn users
> of unencrypted web sessions [25, 39, 61, 49], phishing
> web pages [21, 24, 69, 70], and malware sites [7]. Existing work shows
> that users often ignore the security indicators due to a lack of
> understanding of the attack [69] or the frequent exposure to false
> alarms [43]

It's significant that their text misses a variety of cognitive 
limitations that are also likely to account for the lack of efficacy.

d/


-- 
Dave Crocker
dcrocker@gmail.com
408.329.0791

Volunteer, Silicon Valley Chapter
American Red Cross
dave.crocker2@redcross.org