Re: [dmarc-ietf] Ticket #64 - Contained Data PII Concerns

"Brotman, Alex" <Alex_Brotman@comcast.com> Thu, 18 February 2021 20:39 UTC

From: "Brotman, Alex" <Alex_Brotman@comcast.com>
To: Alessandro Vesely <vesely@tana.it>, "Kurt Andersen (b)" <kboth@drkurt.com>, Ken O'Driscoll <ken=40wemonitoremail.com@dmarc.ietf.org>
CC: "dmarc@ietf.org" <dmarc@ietf.org>, John Levine <johnl@taugh.com>
Date: Thu, 18 Feb 2021 20:39:19 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/jsC7wAoV0ssUNqpyb8IxZWpWdGY>

Aggregated comments:

--------------------------
Aggregate feedback reports contain aggregated data relating to messages purportedly originating from the Domain Owner. The data does not contain any identifying characteristics about individual users. No personal information such as individual email addresses, IP addresses of individuals, or the content of any messages, is included in reports.

Mail Receivers should have no concerns in sending reports as they do not contain personal information. In all cases, the data within the reports relates to the domain-level authentication information provided by mail servers sending messages on behalf of the Domain Owner. This information is necessary to assist Domain Owners in implementing and maintaining DMARC.

Domain Owners should have no concerns in receiving reports as they do not contain personal information. The reports only contain aggregated data related to the domain-level authentication details of messages claiming to originate from their domain. This information is essential for the proper implementation and operation of DMARC. Domain Owners who are unable to receive reports for organizational reasons, can choose to exclusively direct the reports to an external processor.
--------------------------

Agreeable?

--
Alex Brotman
Sr. Engineer, Anti-Abuse & Messaging Policy
Comcast

> -----Original Message-----
> From: dmarc <dmarc-bounces@ietf.org> On Behalf Of Alessandro Vesely
> Sent: Thursday, February 18, 2021 12:09 PM
> To: Kurt Andersen (b) <kboth@drkurt.com>; Ken O'Driscoll
> <ken=40wemonitoremail.com@dmarc.ietf.org>
> Cc: dmarc@ietf.org; John Levine <johnl@taugh.com>
> Subject: Re: [dmarc-ietf] Ticket #64 - Contained Data PII Concerns
>
> On Thu 18/Feb/2021 17:52:55 +0100 Kurt Andersen (b) wrote:
> > On Thu, Feb 18, 2021 at 7:09 AM Ken O'Driscoll <ken=
> > 40wemonitoremail.com@dmarc.ietf.org> wrote:
> >
> >>
> >> . . . I'd propose something like the below, which I think gets across
> >> what we all want to say.
> >>
> >> =======
> >> Aggregate feedback reports contain anonymized data relating to
> >> messages purportedly originating from the Domain Owner. The data does
> >> not contain any identifying characteristics about individual senders
> >> or receivers. No personal information such as individual email
> >> addresses, IP addresses of individuals, or the content of any messages, is
> >> included in reports.
> >>
> >> Mail Receivers should have no concerns in sending reports as they do
> >> not contain personal information. In all cases, the data within the
> >> reports relates to the authentication information provided by mail
> >> servers sending messages on behalf of the Domain Owner. This
> >> information is necessary to assist Domain Owners in implementing and
> >> maintaining DMARC.
> >>
> >> Domain Owners should have no concerns in receiving reports as they do
> >> not contain personal information. The reports only contain aggregated
> >> anonymized data related to the authentication details of messages
> >> claiming to originate from their domain. This information is
> >> essential for the proper implementation and operation of DMARC.
> >> Domain Owners who are unable to receive reports for organizational
> >> reasons, can choose to exclusively direct the reports to an external
> >> processor.
> >> =======
> >>
> >
> > With a s/anonymized/aggregated/g change, this seems like reasonable
> > language. In technical terms, there is no anonymization involved. The
> > only other issue might be some ambiguity in the interpretation of the
> > term "individual senders or receivers" because the IP addresses of the
> > MTAs involved in the email interchange are definitely in the report.
> > As someone has pointed out earlier in the thread, a compromised home
> > computer which is able to send out on port 25 would indeed be exposed
> > in such a scenario, though it is a rare case.
>
>
> I'd s/individual senders or receivers/individual users/.
>
> Also s/authentication/domain-level authentication/.
>
>
> Best
> Ale
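
As an added example (not part of the original message or of any DMARC implementation), the Python below audits an aggregate report for the two points raised in this thread: which MTA source IPs a report discloses, and whether any per-record field carries an individual address rather than a domain. The sample report is constructed and follows the RFC 7489 aggregate report layout; `audit_report` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the RFC 7489 aggregate report layout (not real data).
SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <email>dmarc-reports@receiver.example</email>
    <report_id>constructed-0001</report_id>
  </report_metadata>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>412</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.77</source_ip><count>1</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from>
      <envelope_from>alice@example.com</envelope_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>"""

def audit_report(xml_text):
    """Return the source IPs a report discloses and any address-like record values."""
    # Reports arrive from untrusted parties; a hardened parser such as
    # defusedxml is the safer choice outside of this offline example.
    root = ET.fromstring(xml_text)
    source_ips, address_like = [], []
    for index, record in enumerate(root.iter("record")):
        ip = record.findtext("row/source_ip", default="").strip()
        count = int(record.findtext("row/count", default="0"))
        source_ips.append((ip, count))
        for elem in record.iter():
            value = (elem.text or "").strip()
            # Domain-level data never needs a local part, so "@" is the signal.
            if "@" in value:
                address_like.append((index, elem.tag, value))
    return {"source_ips": source_ips, "address_like": address_like}

if __name__ == "__main__":
    result = audit_report(SAMPLE_REPORT)
    for ip, count in result["source_ips"]:
        print(f"source_ip {ip} reported for {count} message(s)")
    for index, tag, value in result["address_like"]:
        print(f"record {index}: <{tag}> carries an address-like value: {value}")
```

The reporter's own contact address under `report_metadata` is deliberately out of scope; only `record` elements, which describe observed mail, are checked.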