Re: [Pearg] draft-irtf-pearg-safe-internet-measurement review, implied consent

Vittorio Bertola <vittorio.bertola@open-xchange.com> Tue, 11 July 2023 14:18 UTC

Date: Tue, 11 Jul 2023 16:18:12 +0200
From: Vittorio Bertola <vittorio.bertola@open-xchange.com>
To: Nick Doty <ndoty=40cdt.org@dmarc.ietf.org>, pearg@irtf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/pearg/Urfr2O3qTtfq58CnaUFHKD0H2lc>
Subject: Re: [Pearg] draft-irtf-pearg-safe-internet-measurement review, implied consent


> On 10/07/2023 21:58 CEST Nick Doty <ndoty=40cdt.org@dmarc.ietf.org> wrote:
> 
> Similarly, under European and similar data protection law, consent
> isn't universal, it's not that every data processing takes place with
> some kind of consent, but rather that you need informed consent when
> something of a particular weight is happening and there isn't another
> justification and in other cases it's reasonable for you to do the
> processing without getting consent (because it's not personal data,
> say), not that you did have some implied consent.

Well, if you get a direct connection from the host that you are gathering data from, so that you can see the IP address, then it's already personal data - the IP address certainly is, as it's often a pretty precise identifier at least of a household. And if you have personal data, in Europe you need consent unless you have a clear "legitimate interest" which is not just about making more money. (Whether getting consent is "practical" or not is legally irrelevant.)

The draft should possibly include some recommendations about this; if you only aggregate the information, then you have no personal data any more, but still you got them at the start of your processing and so you needed legal grounds for that anyway.

(This is a current, ongoing discussion in Italy: the government's official web analytics platform was recently moved onto AWS servers and so became non-compliant with GDPR, at least until the new EU-US data privacy framework comes into effect and survives the upcoming legal challenges.)

The above problem could be addressed by adopting the "oblivious" connection model, i.e. having a proxy in the middle that gets the IP address but cannot see the content, while the actual telemetry server only gets the content but not the IP address, and the two parties are mutually independent and do not exchange data. This is also something that could be mentioned as an option, but you could rather ask for help from the people championing that kind of model.

-- 
Vittorio Bertola | Head of Policy & Innovation, Open-Xchange
vittorio.bertola@open-xchange.com 
Office @ Via Treviso 12, 10144 Torino, Italy
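
The split of knowledge in the "oblivious" connection model described in the message above, as an added example that is not part of the original post: the client encrypts its report to the telemetry server's key, so the proxy logs an IP address with an opaque blob and the server logs content with only the proxy's address. It uses Node's built-in crypto (X25519, HKDF, AES-256-GCM) as a stand-in for a real oblivious protocol; all function names, addresses and the sample report are constructed.

```javascript
const nodeCrypto = require('node:crypto');

const PROXY_IP = '192.0.2.10'; // constructed documentation address

// Derive an AES-256-GCM key from an X25519 shared secret (label is constructed).
function deriveKey(privateKey, publicKey) {
  const shared = nodeCrypto.diffieHellman({ privateKey, publicKey });
  return Buffer.from(nodeCrypto.hkdfSync('sha256', shared, Buffer.alloc(0), 'telemetry-demo', 32));
}

// Client: encrypt the report to the telemetry server's public key.
function seal(report, serverPublicKey) {
  const eph = nodeCrypto.generateKeyPairSync('x25519');
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(eph.privateKey, serverPublicKey), iv);
  const ct = Buffer.concat([cipher.update(JSON.stringify(report), 'utf8'), cipher.final()]);
  return { ephPub: eph.publicKey.export({ type: 'spki', format: 'der' }), iv, ct, tag: cipher.getAuthTag() };
}

// Proxy: sees the client IP and an opaque blob; forwards only the blob.
function relay(clientIp, sealed, proxyLog) {
  proxyLog.push({ clientIp, bytes: sealed.ct.length });
  return { sourceIp: PROXY_IP, sealed };
}

// Telemetry server: sees the report and the proxy's address, never the client's.
function receive(forwarded, serverPrivateKey, serverLog) {
  const { ephPub, iv, ct, tag } = forwarded.sealed;
  const peer = nodeCrypto.createPublicKey({ key: ephPub, format: 'der', type: 'spki' });
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', deriveKey(serverPrivateKey, peer), iv);
  decipher.setAuthTag(tag); // decryption fails if the proxy altered the blob
  const plain = Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
  serverLog.push({ sourceIp: forwarded.sourceIp, report: JSON.parse(plain) });
}

// One constructed report travelling client -> proxy -> telemetry server.
function runDemo() {
  const server = nodeCrypto.generateKeyPairSync('x25519');
  const proxyLog = [], serverLog = [];
  const report = { metric: 'page_load_ms', value: 412 };
  const forwarded = relay('198.51.100.23', seal(report, server.publicKey), proxyLog);
  receive(forwarded, server.privateKey, serverLog);
  return { proxyLog, serverLog };
}
```

Joining `proxyLog` and `serverLog` on arrival time or blob size would undo the separation, which is why the message requires the two operators to be independent and not exchange data.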