IETF Logo Mail Archive

Re: [dmarc-ietf] Ticket #55 - Clarify legal and privacy implications of failure reports

Michael Thomas <mike@mtcc.com> Tue, 22 December 2020 17:02 UTC

Return-Path: <mike@fresheez.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 58C1C3A1187 for <dmarc@ietfa.amsl.com>; Tue, 22 Dec 2020 09:02:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.75
X-Spam-Level:
X-Spam-Status: No, score=-1.75 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mtcc.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qBtKrMXYBqUi for <dmarc@ietfa.amsl.com>; Tue, 22 Dec 2020 09:02:13 -0800 (PST)
Received: from mail-pl1-x634.google.com (mail-pl1-x634.google.com [IPv6:2607:f8b0:4864:20::634]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C40893A1183 for <dmarc@ietf.org>; Tue, 22 Dec 2020 09:02:13 -0800 (PST)
Received: by mail-pl1-x634.google.com with SMTP id g3so7741369plp.2 for <dmarc@ietf.org>; Tue, 22 Dec 2020 09:02:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mtcc.com; s=fluffulence; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-transfer-encoding:content-language; bh=eGvWmUo2VWDDH7IAP0DO5dvorTjxW14lznAm2V+zBbw=; b=hRn6tbtnTvNFvfpsNv1zhsQPt0CTHem9WPT+MpxpTYhwk98mOJsQIMJRTDwLcMOkmG B6hR6QtfTTjDRN50F6ORUV1WHgjaeHhBqpGmZxOSfDoUoFvTKsTL9C38Oj0tLXuyy+Wc 80DcA00wbw078luWKI0tYVEta1JUVBr/cB27nU+m9CpFQl1o5nJx9pkDhRV8608j6cxB 9ePvCzAtmk7qqAqLLum6uGKR5WVnA1Lq8HzDaq3GfT1VJ1aJzWSZR2hmW7nArqI7vjXG 16R9mo16zz+RyC9+yFIpBFfOY1AICe+Kps7Ew5qtH41TPz8HZcO6pAEqG8HlDvGBIrXT 2AoQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding :content-language; bh=eGvWmUo2VWDDH7IAP0DO5dvorTjxW14lznAm2V+zBbw=; b=b0Wb/dQFy7kkdMuA4v/XOCTaKvoCekEqZKwvVCBMnj2EGyK7kcmsG2+ogyWBk9faMY F+nWcvR/UOLNeNWTojku1OsJhUMxEl5GL9o9Su4JEr0ChDYwBWt55pIGJOgUUkhnN+Cj P30QqqeXES69R37wqFqt1wkeYQ1X7EZmLbV9l19u/XNV0QGV0yEtGRei4Ci4/8A36iSv cKURUiNYJ1COPHfeO4F1dGVCvIRTpVNVF7qw4PoiJhCdX5Es4ZRj745ArONqdgB2Rxq6 BTHlp46zZKDjD093mB1Ih/1BrzasWRHQ/NBDVOg7mVZ73xpuEHA+AWgCrzUBf2ewP7E8 DRrg==
X-Gm-Message-State: AOAM531WCerIwtjV2ioxUPDuhLE5wqgzYletGDxzkTbMsuP+ctGmkXak Zyh/WE36qu4Ro6UdBRuHVihO17zs/E6lDA==
X-Google-Smtp-Source: ABdhPJwwpdNT1IEeWglopWt6Fi2WV+xukL1KfD568DXY92jlul6EtV+E/26RfleLh1MIXgEbyxXoDw==
X-Received: by 2002:a17:90a:df12:: with SMTP id gp18mr22764855pjb.43.1608656532655; Tue, 22 Dec 2020 09:02:12 -0800 (PST)
Received: from mike-mac.lan ([107.182.37.0]) by smtp.gmail.com with ESMTPSA id y69sm20813017pfb.64.2020.12.22.09.02.11 for <dmarc@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 22 Dec 2020 09:02:11 -0800 (PST)
To: dmarc@ietf.org
References: <20201218023900.E73B82ACBB2B@ary.qy> <4a43ffaa-3987-c892-cce7-56f18888cdf5@tana.it> <39125012-e356-d62d-36fd-a7ff25a9f59f@taugh.com> <e6880ba9-f5f3-1050-25c0-658551187512@tana.it> <6bba023-d3d9-63a5-8441-11dac9a05e28@taugh.com> <74051a64-871a-db72-b5d9-1be374e23015@tana.it> <a323077-9b64-555b-3561-62cdc93819fd@taugh.com> <a8281e16-9417-5189-df73-79ea0a865fbd@tana.it> <c713b9ae-a364-1ae0-e79-55f61624aa3d@taugh.com> <3034face-b6fc-0ce2-fa1b-f59210bd6f5b@tana.it> <46339b38-3b24-bcb7-5e73-8a97038ed69@taugh.com> <3997c81d-3b30-0823-a752-fb1d60a44593@tana.it> <448eeae1-2d82-91d3-4adf-cb547acd427a@mtcc.com> <c929bfa4-9b32-5099-01fa-078c56191571@tana.it>
From: Michael Thomas <mike@mtcc.com>
Message-ID: <0bf9fb2e-9974-4db3-3165-78508de3547c@mtcc.com>
Date: Tue, 22 Dec 2020 09:02:10 -0800
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.5.0
MIME-Version: 1.0
In-Reply-To: <c929bfa4-9b32-5099-01fa-078c56191571@tana.it>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/SQvQr7Y-KoMxWmsAxPX3IwJjPfQ>
Subject: Re: [dmarc-ietf] Ticket #55 - Clarify legal and privacy implications of failure reports
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Dec 2020 17:02:15 -0000

On 12/22/20 8:50 AM, Alessandro Vesely wrote:
> On Tue 22/Dec/2020 17:16:05 +0100 Michael Thomas wrote:
>> On 12/22/20 1:22 AM, Alessandro Vesely wrote:
>>>
>>> NEW
>>>
>>>    Failure reports provide detailed information about the failure of 
>>> a single
>>>    message or a group of similar messages failing for the same 
>>> reason.  They
>>>    are meant to aid extreme cases where a domain owner is unable to 
>>> detect why
>>>    failures reported in aggregate form did occur.  As an extension 
>>> of other
>>>    kinds of failure notifications, these reports can contain either 
>>> the content
>>>    of a failed message or just its header.  The latter 
>>> characteristic entails
>>>    severe privacy concerns.  For that reason, and because it turned 
>>> out not to
>>>    be important, failure reporting is usually disabled.
>>>
>> I'm not understanding what this "severe privacy concerns" are. It 
>> looks like a glorified bounce message to me. My messages pass through 
>> the originating domain in the clear, but it only becomes a "severe 
>> privacy concern" when it is reflected back? How does that work?
>
>
> Unlike bounces, you're delivering PII info to a third party.
>
> In Europe, if you setup failure reporting that way, having a 
> third-party handling/ processing meta-data or even mail content 
> requires you to inform your customers about that, and ask permission.  
> If third-party is outside EU, since privacy shield got canceled last 
> July, there is not even a legal basis anymore that would allow you to 
> do so at all.  In all cases, you would be held responsible for your 
> customers data unless third-party is signing contracts with you to 
> accept EU privacy laws.  EU has severe penalty for companies which 
> breaking GDPR.
>
>
Sorry, having to ask for permission because of laws does not constitute 
a "severe privacy concern". That is completely outside of the scope of 
IETF and we should be pandering to it.

Mike

v2.23.0 | Report a Bug | By Email