Re: [dns-privacy] Alissa Cooper's Discuss on draft-ietf-dprive-bcp-op-08: (with DISCUSS and COMMENT)
Allison Mankin <allison.mankin@gmail.com> Sun, 28 June 2020 20:16 UTC
Return-Path: <allison.mankin@gmail.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 64BA73A0F0C; Sun, 28 Jun 2020 13:16:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.087
X-Spam-Level:
X-Spam-Status: No, score=-2.087 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hbx4_AMS6-gw; Sun, 28 Jun 2020 13:16:21 -0700 (PDT)
Received: from mail-lj1-x229.google.com (mail-lj1-x229.google.com [IPv6:2a00:1450:4864:20::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7976B3A0F0A; Sun, 28 Jun 2020 13:16:20 -0700 (PDT)
Received: by mail-lj1-x229.google.com with SMTP id b25so12203808ljp.6; Sun, 28 Jun 2020 13:16:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=ODGLEnlq9T3ZSmDa9EN0qAGgDc7jF1TsbMsEEX3Jb4k=; b=FbRhovKab3DXE/UwAKTyJaDsgBGIr1pGTb6x4TeJcKvpN4t6ItfUqFBFHPOw3BcWsC x/xT3dTx2gGqf0Jk13u3KVMOSA/wuE8YhAIXfPveGvwPzaay0Rwd+gL46WSqP9RS7Q0f bLL2Ro9ynIRXtVKJonGWRNDiWn1APMSc6Gd13hq87rvaOsyVnCQpXb+xJoVPWKKgHuFB R0KJNaslMYX9Gwk3rnTtJvgu+yeoLnA6o6UDJsP3+GbK1NpoMS3AqTg9tyIldVwZ6wok p4aazmqPgLP+cGaqkoxwGjtD7AN9aZ2Nwfd1vS5CsLb4Ed1DbuR5LIl35ul74V2V2QPu WKoA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ODGLEnlq9T3ZSmDa9EN0qAGgDc7jF1TsbMsEEX3Jb4k=; b=RN6nB59KeXtOpyAPCvyvks9FUtbrWpoXHuNxm67bRl32PrK9t59aRvXTwdbJbODiv6 s+mcnvwg30gMg15AFUwcEf8xHAjuDYDxgn1srAZmko8f9PKI9ox/3z6+QfdTb0DUZi23 CoTDjo0IJWByM0nrIiVKWS3puwt0Ws1bKpv2KVwOTjC1DEuKDhw9giWvmx8cykcMVKUi 4/ntCqEfCLqlLGCRHxxTLWLRVtdxztLzhAHzhjSwavR37QSOIruBrXAaaMXcUKkKaL6w /tUS1KnlLO8UDduwVOhq0ATVxJ39MPkuKUx5BnSoJziz8TRl8WrDAm7WyZLpDKV7A6ig 0+TQ==
X-Gm-Message-State: AOAM530N5KsFuvNUqE8zcwqbH/YGn3uOWDrGYGyLOSD6QtoS12INzcP8 pdguMm3uEg7HvZFfAs8Uy2QBO3fbkIQJTgSPJwM=
X-Google-Smtp-Source: ABdhPJxojBjrgrU437PSQ8hWGNTIQmUTmPPNe+uK6eDaTUHdaXHDKcb/9QIm6lp2fQgZS+RuHCcwaQL+BTPkINGJIgI=
X-Received: by 2002:a2e:854b:: with SMTP id u11mr3438899ljj.99.1593375378580; Sun, 28 Jun 2020 13:16:18 -0700 (PDT)
MIME-Version: 1.0
References: <9826D3BC-02B4-4249-81AF-D118543C69A1@cooperw.in> <A1E45CB9-FA53-4889-97BD-EFC42A0FBC4F@gmail.com>
In-Reply-To: <A1E45CB9-FA53-4889-97BD-EFC42A0FBC4F@gmail.com>
From: Allison Mankin <allison.mankin@gmail.com>
Date: Sun, 28 Jun 2020 16:16:07 -0400
Message-ID: <CAP8yD=t8UrFmKMuqpRjs9w-yho9Eptd74-cz2r3u924NXAfONg@mail.gmail.com>
To: Alissa Cooper <alissa@cooperw.in>
Cc: IESG <iesg@ietf.org>, Sara Dickinson <sara@sinodun.com>, Tim Wicinski <tjw.ietf@gmail.com>, Vittorio Bertola <vittorio.bertola@open-xchange.com>, dns-privacy@ietf.org, dprive-chairs@ietf.org, draft-ietf-dprive-bcp-op@ietf.org
Content-Type: multipart/alternative; boundary="0000000000006f27a605a92a9d30"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/sI5uG1PvghejD6bkRlJBThClFLQ>
Subject: Re: [dns-privacy] Alissa Cooper's Discuss on draft-ietf-dprive-bcp-op-08: (with DISCUSS and COMMENT)
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 28 Jun 2020 20:16:25 -0000
Clarification: we no longer mention or imply mention of jurisdiction in the normative section. And to reiterate, we made 6.1.1 and 6.1.2 non-normative On Sun, Jun 28, 2020 at 16:11 Allison Mankin <allison.mankin@gmail.com> wrote: > Hi Alissa, > > Please read the -10 version. We've addressed this Discuss by omitting any > mention of jurisdiction and marking all texts in the DROP statement section > as non-normative. > > Sara references the change in the June 18 email with subject line: IESG > review of draft-IETF-DPRIVE-BCP-op > > Here's the new top of Section 6; is this enough to satisfy your Discuss? > > The contents of Section 6.1.1 <https://datatracker.ietf.org/doc/html/draft-ietf-dprive-bcp-op-10#section-6.1.1> and Section 6.1.2 <https://datatracker.ietf.org/doc/html/draft-ietf-dprive-bcp-op-10#section-6.1.2> are non-normative, > other than the order of the headings. Material under each topic is > present to assist the operator developing their own DROP statement > and: > > o Relates _only_ to matters around to the technical operation of DNS > privacy services, and not on any other matters. > > o Does not attempt to offer an exhaustive list for the contents of a > DROP statement. > > o Is not intended to form the basis of any legal/compliance > documentation. > > > On Jun 28, 2020, at 14:43, Alissa Cooper <alissa@cooperw.in> wrote: > > Hi Sara, > > > Thanks for your response and the updates to the document. I’ve trimmed my > DISCUSS down to the remaining issue. > > On Mar 4, 2020, at 8:29 AM, Sara Dickinson <sara@sinodun.com> wrote: > > > (3) I do not think item #5 in Section 6.1.2 belongs in this document. I > don't > see how it is within scope for the IETF to be specifying these sorts of > best > practices, which are not technical or operational in nature but focus on > legal > matters and likely require the involvement of lots of lawyers in order to > get > the provisions written. > > > I’m channelling Vittoro here (cc’ed) who as a Head of Policy helped to > formulate this text… > > The reason this was included is that the actual policy that will apply to > the data is the merge of the operator's privacy policy and of the relevant > jurisdiction's privacy laws, with the latter overriding the former in case > of conflict. Since the former is in scope for the DROP it seems reasonable > for the latter to be. If the goal here is to provide a document that > informs users of what will actually be done with their data, then outlining > which privacy laws will apply to them and how these laws will play out > seems reasonable. > > > I don’t really see how the above is responsive to my point. This is not > the IETF’s area of expertise and therefore we should not be specifying best > practices about it. Every IETF technology exists within a framework of laws > and regulations that vary by jurisdiction, but we don’t specify best > practices about them because they aren’t within our scope. We also don’t > want our RFCs to be obsolete because one country or region decides to > change its laws — we’re aiming for global significance. > > > Also, I think what > this section asks for is not the norm today and therefore it seems odd for > the > IETF to specify a best practice that operators may not have any chance of > being > able to comply with (e.g., listing specific law enforcement agencies, > privacy > laws, or countries where data centers will reside and the data will never > move > from them). > > > It's also not true that supplying this information is "not the norm > today". Any GDPR-compliant privacy policy must specify the legal entity > processing the information, its place of business, the user's rights, and > whether the information will be moved to third countries. Basically, points > 5.1-5.3 only turn into best practice what the GDPR mandates in Europe - and > there is little doubt among privacy experts that the GDPR is the current > global best practice in terms of privacy laws. > > > The IETF operates globally and I think endorsing the idea of fracturing > data management and protection along jurisdictional lines is far from a > best practice that the body of the IETF’s work endorses. > > > As for 5.4, there are already significant efforts for the disclosure of > law enforcement access, even in the US and even with creative ways to > circumvent legal issues (see https://en.wikipedia.org/wiki/Warrant_canary ). > It's not an issue that has no grounds in reality. > > > > Best, > Alissa > > > > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > Section 1: > > "This document does not, however, > define a particular Privacy statement, nor does it seek to provide > legal advice or recommendations as to the contents." > > This is not accurate. The document does make recommendations about the > contents. > > > Will remove ‘or recommendations’. > > > > Section 3: "the privacy of the DNS" strikes me as a bit of an odd term as > the > DNS itself doesn't have privacy needs. Perhaps this means the privacy > properties of the DNS. > > > Yes - will update. > > > Section 5.2.3: I think the table and its associated text belongs in > Appendix B. > It is not BCP material itself and is not readily understandable without the > rest of the text in Appendix B anyway. > > > Fair enough - will move this. > > > Section 5.2.4: "Resolvers _might_ receive client identifiers e.g. MAC > addresses in EDNS(0) options - some Customer-premises equipment (CPE) > devices > are known to add them." It would be great to add a citation there if one > exists. > > > Yes - will add. > > > Section 5.3.3: > > "Operators should not provide identifiable data to third-parties > without explicit consent from clients (we take the stance here that > simply using the resolution service itself does not constitute > consent)." > > I'm not convinced its appropriate for this document to be commenting on > what > constitutes consent. > > I also think that as a general matter the research in this area > demonstrates > that privacy-by-consent is broken and that the number of cases in which an > individual providing consent for identifiable data sharing actually reads, > understands, and agrees with the terms of the sharing is miniscule. > > It seems like the real best current practice mitigation here is to not > share > identifiable data. > > > I appreciate the difficulties with this, but several aspects of this draft > have got push back on the basis of how many operators actually employ the > ‘best practice’. The reality is that many of the large recursive operators > currently make some statement about the DNS service or in an umbrella > privacy statement to the effect that they will share data if they have > consent (and then completely fail to describe what that consent entails), > for example: > > https://www.cisco.com/c/en/us/about/legal/privacy-full.html (Overall > policy which appears to apply to OpenDNS - OpenDNS doesn’t seem to have a > specific one) > We may share your personal information with third parties for the purposes > of operating our business, delivering, improving, and customizing > our Solutions, sending marketing and other communications related to our > business, and for other legitimate purposes permitted by applicable law > or otherwise with your consent. > > > https://developers.cloudflare.com/1.1.1.1/commitment-to-privacy/privacy-policy/privacy-policy/ > Cloudflare will not sell, license, sublicense, or grant any rights to your > data that we collect from DNS queries to any other person or entity without > your consent. > > https://policies.google.com/privacy?hl=en (Overall policy referenced from > the Google Public DNS privacy policy page) > We’ll share personal information outside of Google when we have your > consent. > > > It is somewhat frustrating that this draft doesn't tackle this issue in > any meaningful way. We had previously included a clause in the DROP > statement where the operator was recommended to outline their specific > consent process (so in other words, not defining consent in this document > in any way, just requiring operators to clarify how _they_ define it given > they have used the word) but this received some push back. > > Adding an optimisation describing the ideal position (not sharing) seems > reasonable, as would adding any additional text to clarify the limitations > of the definition of consent in this document, but removing it completely > would mean virtually no large operators would ever be even minimally > compliant….. > > > > Section 6.1.1: "Make an explicit statement that IP addresses are treated as > PII." PII is a bit of a jurisdiction-specific term. I would recommend > using the > definition of personal data from RFC 6973. > > > Ack. > > > Section 6.2: This section should be an appendix. > > > That’s fine. > > > Section A.2: I don't understand why the reference to Section 8 of RFC 8484 > isn't just in the bulleted list with all the other documents, and why > there is > a generic note included with it when the specific privacy implications are > more > completely discussed in the referenced section of RFC 8484 (just like with > the > other documents in the list). > > > I think that text came in before RFC8484 was published and section 8 was > quite limited, happy to convert to a bullet point. > > Best regards > > Sara. > > >
- [dns-privacy] Alissa Cooper's Discuss on draft-ie… Alissa Cooper via Datatracker
- Re: [dns-privacy] Alissa Cooper's Discuss on draf… Sara Dickinson
- Re: [dns-privacy] Alissa Cooper's Discuss on draf… Alissa Cooper
- Re: [dns-privacy] Alissa Cooper's Discuss on draf… Allison Mankin
- Re: [dns-privacy] Alissa Cooper's Discuss on draf… Allison Mankin
- Re: [dns-privacy] Alissa Cooper's Discuss on draf… Alissa Cooper