IETF Logo Mail Archive

Re: [dns-privacy] Alissa Cooper's Discuss on draft-ietf-dprive-bcp-op-08: (with DISCUSS and COMMENT)

Allison Mankin <allison.mankin@gmail.com> Sun, 28 June 2020 20:16 UTC

Return-Path: <allison.mankin@gmail.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 64BA73A0F0C; Sun, 28 Jun 2020 13:16:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.087
X-Spam-Level:
X-Spam-Status: No, score=-2.087 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hbx4_AMS6-gw; Sun, 28 Jun 2020 13:16:21 -0700 (PDT)
Received: from mail-lj1-x229.google.com (mail-lj1-x229.google.com [IPv6:2a00:1450:4864:20::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7976B3A0F0A; Sun, 28 Jun 2020 13:16:20 -0700 (PDT)
Received: by mail-lj1-x229.google.com with SMTP id b25so12203808ljp.6; Sun, 28 Jun 2020 13:16:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=ODGLEnlq9T3ZSmDa9EN0qAGgDc7jF1TsbMsEEX3Jb4k=; b=FbRhovKab3DXE/UwAKTyJaDsgBGIr1pGTb6x4TeJcKvpN4t6ItfUqFBFHPOw3BcWsC x/xT3dTx2gGqf0Jk13u3KVMOSA/wuE8YhAIXfPveGvwPzaay0Rwd+gL46WSqP9RS7Q0f bLL2Ro9ynIRXtVKJonGWRNDiWn1APMSc6Gd13hq87rvaOsyVnCQpXb+xJoVPWKKgHuFB R0KJNaslMYX9Gwk3rnTtJvgu+yeoLnA6o6UDJsP3+GbK1NpoMS3AqTg9tyIldVwZ6wok p4aazmqPgLP+cGaqkoxwGjtD7AN9aZ2Nwfd1vS5CsLb4Ed1DbuR5LIl35ul74V2V2QPu WKoA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ODGLEnlq9T3ZSmDa9EN0qAGgDc7jF1TsbMsEEX3Jb4k=; b=RN6nB59KeXtOpyAPCvyvks9FUtbrWpoXHuNxm67bRl32PrK9t59aRvXTwdbJbODiv6 s+mcnvwg30gMg15AFUwcEf8xHAjuDYDxgn1srAZmko8f9PKI9ox/3z6+QfdTb0DUZi23 CoTDjo0IJWByM0nrIiVKWS3puwt0Ws1bKpv2KVwOTjC1DEuKDhw9giWvmx8cykcMVKUi 4/ntCqEfCLqlLGCRHxxTLWLRVtdxztLzhAHzhjSwavR37QSOIruBrXAaaMXcUKkKaL6w /tUS1KnlLO8UDduwVOhq0ATVxJ39MPkuKUx5BnSoJziz8TRl8WrDAm7WyZLpDKV7A6ig 0+TQ==
X-Gm-Message-State: AOAM530N5KsFuvNUqE8zcwqbH/YGn3uOWDrGYGyLOSD6QtoS12INzcP8 pdguMm3uEg7HvZFfAs8Uy2QBO3fbkIQJTgSPJwM=
X-Google-Smtp-Source: ABdhPJxojBjrgrU437PSQ8hWGNTIQmUTmPPNe+uK6eDaTUHdaXHDKcb/9QIm6lp2fQgZS+RuHCcwaQL+BTPkINGJIgI=
X-Received: by 2002:a2e:854b:: with SMTP id u11mr3438899ljj.99.1593375378580; Sun, 28 Jun 2020 13:16:18 -0700 (PDT)
MIME-Version: 1.0
References: <9826D3BC-02B4-4249-81AF-D118543C69A1@cooperw.in> <A1E45CB9-FA53-4889-97BD-EFC42A0FBC4F@gmail.com>
In-Reply-To: <A1E45CB9-FA53-4889-97BD-EFC42A0FBC4F@gmail.com>
From: Allison Mankin <allison.mankin@gmail.com>
Date: Sun, 28 Jun 2020 16:16:07 -0400
Message-ID: <CAP8yD=t8UrFmKMuqpRjs9w-yho9Eptd74-cz2r3u924NXAfONg@mail.gmail.com>
To: Alissa Cooper <alissa@cooperw.in>
Cc: IESG <iesg@ietf.org>, Sara Dickinson <sara@sinodun.com>, Tim Wicinski <tjw.ietf@gmail.com>, Vittorio Bertola <vittorio.bertola@open-xchange.com>, dns-privacy@ietf.org, dprive-chairs@ietf.org, draft-ietf-dprive-bcp-op@ietf.org
Content-Type: multipart/alternative; boundary="0000000000006f27a605a92a9d30"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/sI5uG1PvghejD6bkRlJBThClFLQ>
Subject: Re: [dns-privacy] Alissa Cooper's Discuss on draft-ietf-dprive-bcp-op-08: (with DISCUSS and COMMENT)
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 28 Jun 2020 20:16:25 -0000

Clarification: we no longer mention or imply mention of jurisdiction in the
normative section. And to reiterate, we made 6.1.1 and 6.1.2 non-normative

On Sun, Jun 28, 2020 at 16:11 Allison Mankin <allison.mankin@gmail.com>
wrote:

> Hi Alissa,
>
> Please read the -10 version. We've addressed this Discuss by omitting any
> mention of jurisdiction and marking all texts in the DROP statement section
> as non-normative.
>
> Sara references the change in the June 18 email with subject line:  IESG
> review of draft-IETF-DPRIVE-BCP-op
>
> Here's the new top of Section 6; is this enough to satisfy your Discuss?
>
> The contents of Section 6.1.1 <https://datatracker.ietf.org/doc/html/draft-ietf-dprive-bcp-op-10#section-6.1.1> and Section 6.1.2 <https://datatracker.ietf.org/doc/html/draft-ietf-dprive-bcp-op-10#section-6.1.2> are non-normative,
>    other than the order of the headings.  Material under each topic is
>    present to assist the operator developing their own DROP statement
>    and:
>
>    o  Relates _only_ to matters around to the technical operation of DNS
>       privacy services, and not on any other matters.
>
>    o  Does not attempt to offer an exhaustive list for the contents of a
>       DROP statement.
>
>    o  Is not intended to form the basis of any legal/compliance
>       documentation.
>
>
> On Jun 28, 2020, at 14:43, Alissa Cooper <alissa@cooperw.in> wrote:
>
> Hi Sara,
>
>
> Thanks for your response and the updates to the document. I’ve trimmed my
> DISCUSS down to the remaining issue.
>
> On Mar 4, 2020, at 8:29 AM, Sara Dickinson <sara@sinodun.com> wrote:
>
>
> (3) I do not think item #5 in Section 6.1.2 belongs in this document. I
> don't
> see how it is within scope for the IETF to be specifying these sorts of
> best
> practices, which are not technical or operational in nature but focus on
> legal
> matters and likely require the involvement of lots of lawyers in order to
> get
> the provisions written.
>
>
> I’m channelling Vittoro here (cc’ed) who as a Head of Policy helped to
> formulate this text…
>
> The reason this was included is that the actual policy that will apply to
> the data is the merge of the operator's privacy policy and of the relevant
> jurisdiction's privacy laws, with the latter overriding the former in case
> of conflict. Since the former is in scope for the DROP it seems reasonable
> for the latter to be. If the goal here is to provide a document that
> informs users of what will actually be done with their data, then outlining
> which privacy laws will apply to them and how these laws will play out
> seems reasonable.
>
>
> I don’t really see how the above is responsive to my point. This is not
> the IETF’s area of expertise and therefore we should not be specifying best
> practices about it. Every IETF technology exists within a framework of laws
> and regulations that vary by jurisdiction, but we don’t specify best
> practices about them because they aren’t within our scope. We also don’t
> want our RFCs to be obsolete because one country or region decides to
> change its laws — we’re aiming for global significance.
>
>
> Also, I think what
> this section asks for is not the norm today and therefore it seems odd for
> the
> IETF to specify a best practice that operators may not have any chance of
> being
> able to comply with (e.g., listing specific law enforcement agencies,
> privacy
> laws, or countries where data centers will reside and the data will never
> move
> from them).
>
>
> It's also not true that supplying this information is "not the norm
> today". Any GDPR-compliant privacy policy must specify the legal entity
> processing the information, its place of business, the user's rights, and
> whether the information will be moved to third countries. Basically, points
> 5.1-5.3 only turn into best practice what the GDPR mandates in Europe - and
> there is little doubt among privacy experts that the GDPR is the current
> global best practice in terms of privacy laws.
>
>
> The IETF operates globally and I think endorsing the idea of fracturing
> data management and protection along jurisdictional lines is far from a
> best practice that the body of the IETF’s work endorses.
>
>
> As for 5.4, there are already significant efforts for the disclosure of
> law enforcement access, even in the US and even with creative ways to
> circumvent legal issues (see https://en.wikipedia.org/wiki/Warrant_canary ).
> It's not an issue that has no grounds in reality.
>
>
>
> Best,
> Alissa
>
>
>
>
>
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> Section 1:
>
> "This document does not, however,
>      define a particular Privacy statement, nor does it seek to provide
>      legal advice or recommendations as to the contents."
>
> This is not accurate. The document does make recommendations about the
> contents.
>
>
> Will remove ‘or recommendations’.
>
>
>
> Section 3: "the privacy of the DNS" strikes me as a bit of an odd term as
> the
> DNS itself doesn't have privacy needs. Perhaps this means the privacy
> properties of the DNS.
>
>
> Yes - will update.
>
>
> Section 5.2.3: I think the table and its associated text belongs in
> Appendix B.
> It is not BCP material itself and is not readily understandable without the
> rest of the text in Appendix B anyway.
>
>
> Fair enough - will move this.
>
>
> Section 5.2.4: "Resolvers _might_ receive client identifiers e.g.  MAC
> addresses in EDNS(0) options - some Customer-premises equipment (CPE)
> devices
> are known to add them." It would be great to add a citation there if one
> exists.
>
>
> Yes - will add.
>
>
> Section 5.3.3:
>
> "Operators should not provide identifiable data to third-parties
>   without explicit consent from clients (we take the stance here that
>   simply using the resolution service itself does not constitute
>   consent)."
>
> I'm not convinced its appropriate for this document to be commenting on
> what
> constitutes consent.
>
> I also think that as a general matter the research in this area
> demonstrates
> that privacy-by-consent is broken and that the number of cases in which an
> individual providing consent for identifiable data sharing actually reads,
> understands, and agrees with the terms of the sharing is miniscule.
>
> It seems like the real best current practice mitigation here is to not
> share
> identifiable data.
>
>
> I appreciate the difficulties with this, but several aspects of this draft
> have got push back on the basis of how many operators actually employ the
> ‘best practice’. The reality is that many of the large recursive operators
> currently make some statement about the DNS service or in an umbrella
> privacy statement to the effect that they will share data if they have
> consent (and then completely fail to describe what that consent entails),
> for example:
>
> https://www.cisco.com/c/en/us/about/legal/privacy-full.html  (Overall
> policy which appears to apply to OpenDNS - OpenDNS doesn’t seem to have a
> specific one)
> We may share your personal information with third parties for the purposes
> of operating our business, delivering, improving, and customizing
> our Solutions, sending marketing and other communications related to our
> business, and for other legitimate purposes permitted by applicable law
> or otherwise with your consent.
>
>
> https://developers.cloudflare.com/1.1.1.1/commitment-to-privacy/privacy-policy/privacy-policy/
> Cloudflare will not sell, license, sublicense, or grant any rights to your
> data that we collect from DNS queries to any other person or entity without
> your consent.
>
> https://policies.google.com/privacy?hl=en (Overall policy referenced from
> the Google Public DNS privacy policy page)
> We’ll share personal information outside of Google when we have your
> consent.
>
>
> It is somewhat frustrating that this draft doesn't tackle this issue in
> any meaningful way. We had previously included a clause in the DROP
> statement where the operator was recommended to outline their specific
> consent process (so in other words, not defining consent in this document
> in any way,  just requiring operators to clarify how _they_ define it given
> they have used the word) but this received some push back.
>
> Adding an optimisation describing the ideal position (not sharing) seems
> reasonable, as would adding any additional text to clarify the limitations
> of the definition of consent in this document, but removing it completely
> would mean virtually no large operators would ever be even minimally
> compliant…..
>
>
>
> Section 6.1.1: "Make an explicit statement that IP addresses are treated as
> PII." PII is a bit of a jurisdiction-specific term. I would recommend
> using the
> definition of personal data from RFC 6973.
>
>
> Ack.
>
>
> Section 6.2: This section should be an appendix.
>
>
> That’s fine.
>
>
> Section A.2: I don't understand why the reference to Section 8 of RFC 8484
> isn't just in the bulleted list with all the other documents, and why
> there is
> a generic note included with it when the specific privacy implications are
> more
> completely discussed in the referenced section of RFC 8484 (just like with
> the
> other documents in the list).
>
>
> I think that text came in before RFC8484 was published and section 8 was
> quite limited, happy to convert to a bullet point.
>
> Best regards
>
> Sara.
>
>
>

v2.23.0 | Report a Bug | By Email