Re: [dmarc-ietf] Ticket #64 - Contained Data PII Concerns

Dotzero <dotzero@gmail.com> Thu, 18 February 2021 21:07 UTC

Return-Path: <dotzero@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A3C563A187B for <dmarc@ietfa.amsl.com>; Thu, 18 Feb 2021 13:07:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jJVg2OKKAPLe for <dmarc@ietfa.amsl.com>; Thu, 18 Feb 2021 13:07:45 -0800 (PST)
Received: from mail-qt1-x832.google.com (mail-qt1-x832.google.com [IPv6:2607:f8b0:4864:20::832]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 074E43A18DA for <dmarc@ietf.org>; Thu, 18 Feb 2021 13:07:06 -0800 (PST)
Received: by mail-qt1-x832.google.com with SMTP id z32so2468327qtd.8 for <dmarc@ietf.org>; Thu, 18 Feb 2021 13:07:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=0TSt+c8IYTrfT3XJWLKQcPStOhj7wX+kO2EgQs/sV7k=; b=CL73q43i/+v9lOa7y2B3cSj8yuNneHYGqk86TdMOW63gzJ+J+wvnTWp8uDBNoBZqVJ v9Sl6Dkl/azTMlen2GEP9J4aPDIBpB0LBYufEytVif5eRBYagF/5piJz4vGsRFldyMGu NS0b+wETOjtgX9Io3cHY99TmVQEpbSj9wvI5tO0g/+WSUTXULohdxgn9GBAyAK5yPwXl VzUfCv5NSKNrydF1w9CFfm25kZDarGniE1J17w+gTR0m0JWvN4XV7YFHRwyZRAkcafTm j0vpI3wy5Y+J5+aw2cNoUig5vePb6ykL/e6ZMCRWbYe70jeR7qKN+xzuZGvVZl/kSEwk c41Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=0TSt+c8IYTrfT3XJWLKQcPStOhj7wX+kO2EgQs/sV7k=; b=o1QV8X6ohbscoMIPeBUtiQcsYAwED5IQ74d4GxlifUeTzKYLbNDuB4IRLm7PbWjJ/F 2wPWt0Vk8RA+q+sVmwxMPgMAdpxJOqmYRWBy3Itx+Y13hiOPps1b9wGpb7dj59srGtKI zQG2pscEWfq/3QGdsrgmFpm97t6xArammAf2KNeli4uIjD7TEYuAuDzxQr+Q4+GyWYZD 1NNvUrtHA323x7/DKbsGVsJZdjL+dIzEjkIihOeI1lmC8EZXcBVs3WK7iWpqjuEaM7qw zEdcaoIs9y7lpJy4T3hksmFjn9DPSEHdVsKIyAz8+vwUNHqTajNiuIVsikDeKC0cUx7i ECFQ==
X-Gm-Message-State: AOAM5313anrEDUhV1chkPnwKfVu16YKrbQAhfoNLwVg2YepL/cQmpOrG vO4wB5RcWElffCUVzcFqXWV7zjwRnPqBlt04wKy7FXaP
X-Google-Smtp-Source: ABdhPJw/YBc21k3MKmSU3sUafUVOlBRmeFQLGysYOV3y7nFCJz8KRSkJyLVuZRnkwGUdC69IUHH0xiKWdTa5llQzzec=
X-Received: by 2002:ac8:70d5:: with SMTP id g21mr6110805qtp.267.1613682426001; Thu, 18 Feb 2021 13:07:06 -0800 (PST)
MIME-Version: 1.0
References: <VI1PR01MB70538541D7ADE18A555B05D6C7869@VI1PR01MB7053.eurprd01.prod.exchangelabs.com> <20210218024606.4727B6E23874@ary.qy> <VI1PR01MB70530199B815F3216D64E9A2C7859@VI1PR01MB7053.eurprd01.prod.exchangelabs.com> <CABuGu1pC_rh2vDUuNsHF0dLgKGiR3nve8YE1P9trPM-wUi+EfA@mail.gmail.com> <d72d002a-be58-5f66-eddd-4e0bf6806dcf@tana.it> <MN2PR11MB4351A46D0D40ED33AA0FB911F7859@MN2PR11MB4351.namprd11.prod.outlook.com>
In-Reply-To: <MN2PR11MB4351A46D0D40ED33AA0FB911F7859@MN2PR11MB4351.namprd11.prod.outlook.com>
From: Dotzero <dotzero@gmail.com>
Date: Thu, 18 Feb 2021 16:06:53 -0500
Message-ID: <CAJ4XoYe0AhvH3-srRYw1g3aipmR7da46M4ye20cD9JGf3oQ1+A@mail.gmail.com>
To: "Brotman, Alex" <Alex_Brotman=40comcast.com@dmarc.ietf.org>
Cc: "dmarc@ietf.org" <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000c83d0c05bba2b77d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/t9us-96TZTB7RuhlqRsy2wVYvq8>
Subject: Re: [dmarc-ietf] Ticket #64 - Contained Data PII Concerns
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Feb 2021 21:07:48 -0000

I'm comfortable with the language.

Michael Hammer

On Thu, Feb 18, 2021 at 3:40 PM Brotman, Alex <Alex_Brotman=
40comcast.com@dmarc.ietf.org> wrote:

> Aggregated comments:
>
> --------------------------
> Aggregate feedback reports contain aggregated data relating to messages
> purportedly originating from the Domain Owner. The data does not contain
> any identifying characteristics about individual users. No personal
> information such as individual email addresses, IP addresses of
> individuals, or the content of any messages, is included in reports.
>
> Mail Receivers should have no concerns in sending reports as they do not
> contain personal information. In all cases, the data within the reports
> relates to the domain-level authentication information provided by mail
> servers sending messages on behalf of the Domain Owner. This information is
> necessary to assist Domain Owners in implementing and maintaining DMARC.
>
> Domain Owners should have no concerns in receiving reports as they do not
> contain personal information. The reports only contain aggregated data
> related to the domain-level authentication details of messages claiming to
> originate from their domain. This information is essential for the proper
> implementation and operation of DMARC. Domain Owners who are unable to
> receive reports for organizational reasons, can choose to exclusively
> direct the reports to an external processor.
> --------------------------
>
> Agreeable?
>
> --
> Alex Brotman
> Sr. Engineer, Anti-Abuse & Messaging Policy
> Comcast
>
> > -----Original Message-----
> > From: dmarc <dmarc-bounces@ietf.org> On Behalf Of Alessandro Vesely
> > Sent: Thursday, February 18, 2021 12:09 PM
> > To: Kurt Andersen (b) <kboth@drkurt.com>om>; Ken O'Driscoll
> > <ken=40wemonitoremail.com@dmarc.ietf.org>
> > Cc: dmarc@ietf.org; John Levine <johnl@taugh.com>
> > Subject: Re: [dmarc-ietf] Ticket #64 - Contained Data PII Concerns
> >
> > On Thu 18/Feb/2021 17:52:55 +0100 Kurt Andersen (b) wrote:
> > > On Thu, Feb 18, 2021 at 7:09 AM Ken O'Driscoll <ken=
> > > 40wemonitoremail.com@dmarc.ietf.org> wrote:
> > >
> > >>
> > >> . . . I'd propose something like the below, which I think gets across
> > >> what we all want to say.
> > >>
> > >> =======
> > >> Aggregate feedback reports contain anonymized data relating to
> > >> messages purportedly originating from the Domain Owner. The data does
> > >> not contain any identifying characteristics about individual senders
> > >> or receivers. No personal information such as individual email
> > >> addresses, IP addresses of individuals, or the content of any
> messages, is
> > included in reports.
> > >>
> > >> Mail Receivers should have no concerns in sending reports as they do
> > >> not contain personal information. In all cases, the data within the
> > >> reports relates to the authentication information provided by mail
> > >> servers sending messages on behalf of the Domain Owner. This
> > >> information is necessary to assist Domain Owners in implementing and
> > maintaining DMARC.
> > >>
> > >> Domain Owners should have no concerns in receiving reports as they do
> > >> not contain personal information. The reports only contain aggregated
> > >> anonymized data related to the authentication details of messages
> > >> claiming to originate from their domain. This information is
> > >> essential for the proper implementation and operation of DMARC.
> > >> Domain Owners who are unable to receive reports for organizational
> > >> reasons, can choose to exclusively direct the reports to an external
> > processor.
> > >> =======
> > >>
> > >
> > > With a s/anonymized/aggregated/g change, this seems like reasonable
> > > language. In technical terms, there is no anonymization involved. The
> > > only other issue might be some ambiguity in the intepretation of the
> > > term "individual senders or receivers" because the IP addresses of the
> > > MTAs involved in the email interchange are definitely in the report.
> > > As someone has pointed out earlier in the thread, a compromised home
> > > computer which is able to send out on port 25 would indeed be exposed
> > > in such a scenario, though it is a rare case.
> >
> >
> > I'd s/individual senders or receivers/individual users/.
> >
> > Also s/authentication/domain-level authentication/.
> >
> >
> > Best
> > Ale
> > --
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> > _______________________________________________
> > dmarc mailing list
> > dmarc@ietf.org
> >
> https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/dmarc__
> ;!
> > !CQl3mcHX2A!QnQcMsS_KTWtqiiZuaapRUWc3xT1P55tS453rXWzE_lJElYm2DKE3
> > yW2lwFWuJZIJs-sye0H4w$
>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>