Re: [dmarc-ietf] Ticket #64 - Contained Data PII Concerns

John Levine <johnl@taugh.com> Fri, 12 February 2021 20:46 UTC

Return-Path: <johnl@iecc.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 640E53A0E37 for <dmarc@ietfa.amsl.com>; Fri, 12 Feb 2021 12:46:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.851
X-Spam-Level:
X-Spam-Status: No, score=-1.851 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=iecc.com header.b=bxlbSfnF; dkim=pass (2048-bit key) header.d=taugh.com header.b=zSsI27Or
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4SfaLw0gXPLf for <dmarc@ietfa.amsl.com>; Fri, 12 Feb 2021 12:46:26 -0800 (PST)
Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 52E023A0E79 for <dmarc@ietf.org>; Fri, 12 Feb 2021 12:46:26 -0800 (PST)
Received: (qmail 94924 invoked from network); 12 Feb 2021 20:46:25 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:cleverness; s=172ca.6026e921.k2102; bh=Jf0vcEx7fh8p1RelotQcCxupGo9qUJUkafW0IAD4ER8=; b=bxlbSfnFy5LsiIxjEDFHyPhL9D4lC0ymAHlfbyestlmaLzL97xWdcodktWfAAiMAcJrhClAbGF7PTJIAYHNzhS2nXlKtuiPvrxlewKgVYQTarQjc8+hJSYwyKOgPkL3xgUOlZ7tj9lGcMvZWy2epSlL686b5XUCi3AasauR1N25nlSwLkRNp/r/KMk5pVD51Pzk2R2SFjpDrGB46A37htpqXJ5i/wyXL7AjtfPSD0TG7NSs6/5oKMu0ZL+uuCZWrYmbmD2iErEH3VU5Rgpg4vmQ7GgzDlp15NkgOiXx39Uop8QYJsq0xjinH9kG8RPALcausgn/xpcT/VYc7cjZSOQ==
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:cleverness; s=172ca.6026e921.k2102; bh=Jf0vcEx7fh8p1RelotQcCxupGo9qUJUkafW0IAD4ER8=; b=zSsI27Or3U0YYy2yDckv1az/syzo7/zJDUOcgBrs4TCdlkf7lnuqZBP8t3TiIq9AYd2yjGqom2nJ79hy5AZlk54GFAPKtWsZIfA+GWV5mY0L4FeU+6vW76ZFhFnisApSrtQ2TugMStNMVlbRIlGziQ7hxTJ4VMXKgCb8i0HzKysmad2QVxfctOwOZuHjt1rHMoRYK7o17lwX/N3gmHB+BuehpNdnWsX3sHvXVegx2dIiJFX6mqdUGQHey+JDfbWj5P3RC51KhltT5/g5HQilzXKUPO5tfpCzS6XHChNCZCO43L3rQOxlvKYzZ7hh4GH8LqO8MOXoAmClBCOPQPTHTA==
Received: from ary.qy ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTPS (TLS1.2 ECDHE-RSA AES-256-GCM AEAD) via TCP6; 12 Feb 2021 20:46:25 -0000
Received: by ary.qy (Postfix, from userid 501) id BD53A6DDB3F5; Fri, 12 Feb 2021 15:46:23 -0500 (EST)
Date: 12 Feb 2021 15:46:23 -0500
Message-Id: <20210212204624.BD53A6DDB3F5@ary.qy>
From: "John Levine" <johnl@taugh.com>
To: dmarc@ietf.org
Cc: Alex_Brotman@comcast.com
In-Reply-To: <MN2PR11MB435185A171029EF4282A2BF4F78B9@MN2PR11MB4351.namprd11.prod.outlook.com>
Organization: Taughannock Networks
X-Headerized: yes
Cleverness: minimal
Mime-Version: 1.0
Content-type: text/plain; charset=utf-8
Content-transfer-encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/UgRhdCqdVXvgHLP9fSvS0HB3LPM>
Subject: Re: [dmarc-ietf] Ticket #64 - Contained Data PII Concerns
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Feb 2021 20:46:32 -0000

In article <MN2PR11MB435185A171029EF4282A2BF4F78B9@MN2PR11MB4351.namprd11.prod.outlook.com> you write:
>Hello folks,
>
>In ticket #64 (https://trac.ietf.org/trac/dmarc/ticket/64), it was suggested that a Privacy Considerations section may alleviate
>some concerns about the ownership of the data.  I created an initial attempt, and thought to get some feedback.  I didn't think
>we should go too far in depth, or raise corner cases.  Felt like doing so could lead down a rabbit hole of trying to cover all
>cases. This would go within a "Privacy Considerations" section.
>
>* Data Contained Within Reports (#64)
>
>Within the reports is contained an aggregated body of anonymized data pertaining
>to the sending domain.  The data is meant to aid the report processors
>and domain holders in verifying sources of messages pertaining to the
>5322.From Domain.  The data should not contain any identifying
>characteristics about individual senders or receivers.  An entity
>sending reports should not be concerned with the data contained as
>it should not contain PII (NIST reference for PII definition), such as email addresses or
>usernames.
>
>Does this seem a reasonable start?  Thanks for your time.

It's not clear which kind of report this is talking about.

If it's aggregate reports, they contain IP addresses of mail servers and domain names 
of SPF and DKIM identifiers, but nothing about the e-mail address or IP of the original senders.

If it's failure reports, they contain as much or as little as the reporter includes, possibly
an entire message sent by someome who may or may not be connected to the domain that receives the report.